stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/modules/ui/v2-rewire/pack-07.md
master c2f13fe588 preparation for ui re-shelling
2026-02-18 23:03:07 +02:00

684 lines
39 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Pack 7 — Security (menu + every screen graph + ASCII mocks; keep the main IA intact)
Security stays a **root menu**. This pack reorganizes Security pages to be **release/bundle aware**, surfaces **SBOM findings + hybrid reachability (build / image-Dover / runtime)** as **second-class**, and adds clear links to **Nightly Ops Report** + **Integrations health** when data is stale.
---
# 1) Security menu graph (Mermaid)
```mermaid
flowchart TD
SEC[Security] --> SEC_OV[Overview]
SEC --> SEC_FIND[Findings]
SEC --> SEC_VULN[Vulnerabilities]
SEC --> SEC_VEX[VEX Hub]
SEC --> SEC_EXC[Exceptions]
SEC --> SEC_COV[Coverage & Analytics]
SEC --> SEC_GRAPH[SBOM Graph (Beta)]
SEC_FIND --> SEC_FIND_DETAIL[Finding Detail]
SEC_VULN --> SEC_VULN_DETAIL[Vulnerability Detail (CVE)]
SEC_VEX --> SEC_VEX_DETAIL[VEX Statement Detail]
SEC_EXC --> SEC_EXC_DETAIL[Exception Detail / Request]
```
> **Reachability (Build / Image-Dover / Runtime)** is **not** a root product menu; it is **embedded as a first-visible widget** in **Security Overview** and **a first-class facet/column** in **Findings/Vulnerabilities** (i.e., second-class across the product, not buried).
---
# 2) Security → Overview
### Previously
* **Formerly:** `Security → Overview` (`/security/overview`), showing severity counters, VEX coverage, active exceptions, etc.
* Missing: explicit **“where reachable criticals exist”** and **hybrid reachability coverage**.
### Now (Redesign)
* **Now:** `Security → Overview` (same route), but it becomes the **security posture cockpit for release decisions**:
* “Critical reachable issues” surfaced by **Region → Environment**
* **SBOM freshness** + **Reachability coverage** (build/image/runtime)
* **CVE dataset freshness** (OSV/NVD) and explicit link to **Nightly Ops Report**
* “Top affected bundles/releases” to drive hotfix decisions
### Why changed
StellaOps is about **release/hotpatch governance** + **auditable decisions**. Security Overview must answer in 10 seconds:
* “Are we safe to promote?”
* “If not, which envs/regions are blocked and why?”
* “Is the data trustworthy (feeds, scans, reachability) or are we blind?”
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Security Overview] --> B[Security Findings (filtered)]
A --> C[Vulnerabilities (filtered)]
A --> D[VEX Hub]
A --> E[Exceptions]
A --> F[Coverage & Analytics]
A --> G[Operations: Nightly Ops Report]
A --> H[Integrations: Security Data Sources]
A --> I[Release Control: Bundle Organizer / Hotfix]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ OVERVIEW [Run Scan] │
│ Formerly: Security ▸ Overview │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Scope: Region ▾ (All) Environment ▾ (All) Time ▾ (Last 7d) │
│ Data Health: CVE Feeds OSV: OK | NVD: DOWN → [Open Nightly Ops Report] [Open Integrations] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ POSTURE (hybrid reachability aware) │
│ Critical (Reachable): 3 envs | High (Reachable): 6 envs | Medium: 12 envs │
│ Reachability sources coverage: Build 92% | Image/Dover 96% | Runtime 61% │
│ SBOM freshness: Images scanned <24h: 88% | Runtime inventory <24h: 54% │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ WHERE THE RISK IS (Region → Env) │
│ - eu-west ▸ prod-eu Critical reachable: 5 (Top: log4j, openssl) [View Findings] │
│ - us-east ▸ staging-us Critical reachable: 2 (Top: curl) [View Findings] │
│ - us-east ▸ prod-us High reachable: 7 (Top: glibc) [View Findings] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ VEX COVERAGE EXCEPTIONS │
│ Findings w/ VEX: 14 | Awaiting VEX: 6 Active: 2 Pending: 1 Expiring<14d: 1 │
│ [Open VEX Hub] [Open Exceptions] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ RELEASE IMPACT │
│ Hotfix candidates (bundles/releases): │
│ - Bundle: api-gateway@v2.1.0 (prod-eu) Critical reachable: 3 [Open Bundle] │
│ - Bundle: user-service@v3.0.0-rc1 High reachable: 4 [Open Bundle] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 3) Security → Findings
### Previously
* **Formerly:** `Security → Findings` (`/security/findings`)
Table included: CVE, package, severity, CVSS, reachable, VEX, release impact, delta, environments, first seen.
### Now (Redesign)
* **Now:** `Security → Findings` stays, but becomes **hybrid reachability first-visible**:
* Replace single “Reachable” with:
* **Hybrid Reachable** (computed)
* **Build Reachable / Image(Dover) Reachable / Runtime Reachable**
* Add **Region** + **Environment** filters (region-first model)
* Add **Bundle / Release** filters (release governance model)
* Add **Dataset provenance** (which CVE snapshot + SBOM snapshot the decision used)
### Why changed
Reachability is part of “what is exploitable for us” and must not be buried. Also, findings must route to **Release Bundles** and evidence.
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Security Findings] --> B[Finding Detail]
A --> C[Vulnerability Detail (CVE)]
A --> D[VEX Hub (filtered by CVE)]
A --> E[Exceptions (filtered)]
A --> F[Release Control: Bundle Organizer (filtered)]
A --> G[Operations: Nightly Ops Report (data health)]
A --> H[Evidence & Audit: Proof Chain (for decision)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ FINDINGS [Export CSV] │
│ Formerly: Security ▸ Findings │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Severity ▾ Hybrid Reachable ▾ Reach Source ▾(Any/Build/Image/Runtime) VEX ▾ │
│ Region ▾ Environment ▾ Bundle/Release ▾ Time ▾ │
│ Banner: NVD feed stale → reachability/score may be incomplete [Open Nightly Ops Report] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVE Package Sev CVSS Hybrid Build Image Runtime VEX Bundle Impact First │
│-------------------------------------------------------------------------------------------------│
│ CVE-XXXX openssl CRIT 9.8 YES NO YES YES Await api-gateway@2.1.0 2d │
│ CVE-YYYY log4j CRIT 10.0 YES YES YES NO NotAff user-svc@3.0.0 1d │
│ CVE-ZZZZ curl HIGH 8.1 NO NO NO NO - none 7d │
│ Actions per row: [View Finding] [View CVE] [Request Exception] [Open Bundle] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 4) Security → Finding Detail (new explicit drill-down)
### Previously
* **Formerly:** implicit (row in Findings table, no dedicated “decision page”).
### Now
* **Now:** `Security → Findings → Finding Detail`
### Why changed
A finding needs an **auditable explanation page**:
* What data was used (SBOM snapshot, CVE dataset version)
* Reachability per source (build/image/runtime)
* Impacted **bundles/releases** and environments
* Associated **VEX** and **exceptions**
* Deep links to **Proof Chain / Evidence Bundle**
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Finding Detail] --> B[Vulnerability Detail (CVE)]
A --> C[VEX Statement Detail]
A --> D[Exception Detail / Request]
A --> E[Release Control: Bundle Organizer (affected bundles)]
A --> F[Evidence & Audit: Proof Chains]
A --> G[Evidence & Audit: Replay/Verify]
A --> H[Operations: Nightly Ops Report (if stale inputs)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ FINDING DETAIL: CVE-XXXX in openssl │
│ Formerly: Security ▸ Findings (row drilldown) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Severity: CRITICAL CVSS: 9.8 EPSS: (if available) KEV: (if available) │
│ Data provenance: SBOM snapshot: 2026-02-18T02:00Z | CVE dataset: OSV-2026.02.18.01 | NVD: stale │
│ │
│ REACHABILITY (HYBRID) │
│ Hybrid Reachable: YES (because Image/Dover=YES OR Runtime=YES) │
│ ┌───────────────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Source Coverage Result Evidence link │ │
│ │ Build 92% NO [build reach report] │ │
│ │ Image/Dover96% YES [image reach report] │ │
│ │ Runtime 61% YES [runtime reach report] │ │
│ └───────────────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ AFFECTED (Region → Env) │
│ - eu-west ▸ prod-eu reachable=YES first seen=2d bundle: api-gateway@2.1.0 [Open Bundle] │
│ - us-east ▸ staging-us reachable=YES first seen=1d bundle: api-gateway@2.1.0 [Open Bundle] │
│ │
│ CONTROLS │
│ VEX: Awaiting VEX → [Open VEX Hub] Exceptions: none → [Request Exception] │
│ Evidence: [Open Proof Chain] [Replay/Verify] [Export Evidence Bundle snapshot] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 5) Security → Vulnerabilities (CVE Catalog)
### Previously
* **Formerly:** `Security → Vulnerabilities` (`/security/vulnerabilities`) but it was a placeholder (“pending data integration”).
### Now
* **Now:** `Security → Vulnerabilities` becomes the **CVE catalog** view:
* CVE metadata + source freshness (OSV/NVD/vendor)
* “In our estate” counts: findings total + reachable total
* Drill-down to CVE detail
### Why changed
You need both:
* **Findings** = concrete occurrences in your envs/bundles
* **Vulnerabilities** = global CVE view with intelligence + provenance
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Vulnerabilities (Catalog)] --> B[Vulnerability Detail (CVE)]
A --> C[Security Findings (filtered by CVE)]
A --> D[Integrations: Security Data Sources]
A --> E[Operations: Nightly Ops Report (feed failures)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VULNERABILITIES (CVE CATALOG) │
│ Formerly: Security ▸ Vulnerabilities (pending integration) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Severity ▾ In-Our-Estate ▾(Any/Yes) Reachable ▾(Any/Yes) Source ▾(OSV/NVD/Vendor) │
│ Data freshness: OSV OK | NVD DOWN → [Open Integrations] [Open Nightly Ops Report] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVE Sev CVSS Sources In our estate Reachable Top bundles impacted │
│-------------------------------------------------------------------------------------------------│
│ CVE-XXXX CRIT 9.8 OSV,NVD* 12 findings 7 api-gateway@2.1.0, web@2.0.0 │
│ CVE-YYYY HIGH 8.1 OSV 3 findings 0 none │
│ Actions: [View CVE] [View Findings] │
│ *NVD stale indicator │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 6) Vulnerability Detail (CVE) — new
### Previously
* **Formerly:** none (catalog didnt exist).
### Now
* **Now:** `Security → Vulnerabilities → Vulnerability Detail`
### Why changed
You need a single place to explain the vulnerability and tie it to:
* findings + reachability + bundles
* VEX statements
* evidence snapshot (dataset versions)
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Vulnerability Detail (CVE)] --> B[Security Findings (filtered)]
A --> C[Finding Detail]
A --> D[VEX Statement Detail]
A --> E[Exceptions (filtered)]
A --> F[Release Control: Bundle Organizer]
A --> G[Evidence & Audit: Proof Chains (dataset attestation)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ CVE DETAIL: CVE-XXXX │
│ Formerly: (new) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Severity: CRITICAL CVSS: 9.8 │
│ Sources: OSV (fresh) | NVD (stale) | Vendor advisory (optional) │
│ Affected: openssl < 3.0.2 (example) Fixed: 3.0.2+ (example) │
│ Dataset evidence: OSV snapshot 2026.02.18.01 [Export dataset attestation] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ IN OUR ESTATE │
│ Findings: 12 | Hybrid reachable: 7 │
│ Reachability breakdown: Build 2 | Image/Dover 6 | Runtime 5 │
│ Top impacted bundles: api-gateway@2.1.0, web-frontend@2.0.0 │
│ [View Findings] [Open Bundle Organizer filtered] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CONTROLS │
│ VEX statements: 1 Not-Affected, 1 Under-Investigation → [Open VEX Hub filtered] │
│ Exceptions: 2 active (prod-eu) → [Open Exceptions filtered] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 7) Security → VEX Hub
### Previously
* **Formerly:** `Security → VEX Hub` (`/security/vex`) but showing error and limited utility.
### Now
* **Now:** `Security → VEX Hub` becomes the **exploitability statement center**:
* Search statements by CVE/component/bundle
* Show statement validity (issuer, signature, scope, expiry)
* Directly explain policy effect (“blocks/unblocks approvals”)
### Why changed
VEX is essential to **reduce noise** and to make decisions **auditable**. It must be adjacent to findings.
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[VEX Hub] --> B[VEX Statement Detail]
A --> C[Security Findings (filtered by CVE/component)]
A --> D[Integrations: VEX Sources]
A --> E[Evidence & Audit: Trust & Signing]
A --> F[Release Control: Governance & Policy (how VEX affects gates)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX HUB [ + Search Statements ]│
│ Formerly: Security ▸ VEX Hub │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Banner: VEX source error → [Retry] (if feeds/integration failing) │
│ Coverage: Findings with VEX: 14 | Awaiting VEX: 6 │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Statement ID Issuer Scope (bundle/env) Status Validity Actions │
│-------------------------------------------------------------------------------------------------│
│ vex-001 VendorA api-gateway@2.1.0 NOT_AFFECTED signed [View] │
│ vex-002 InternalSec prod-eu / web@2.0.0 INVESTIGATING signed [View] │
│ vex-003 VendorB openssl component-wide AFFECTED signed [View] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 8) VEX Statement Detail — new
### Previously
* **Formerly:** implicit.
### Now
* **Now:** `Security → VEX Hub → Statement Detail`
### Why changed
You need a **decision artifact** that auditors can read:
* statement content + signature chain
* scope (which bundle/env/component)
* policy effect
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[VEX Statement Detail] --> B[Trust & Signing (issuer, cert)]
A --> C[Security Findings (affected)]
A --> D[Vulnerability Detail (CVE)]
A --> E[Evidence & Audit: Proof Chain]
A --> F[Release Control: Governance & Policy]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX STATEMENT DETAIL: vex-001 │
│ Formerly: VEX Hub (statement row) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Issuer: VendorA Signature: VALID Rekor entry: present [View in Trust & Signing] │
│ Scope: Bundle api-gateway@2.1.0 | Regions: eu-west, us-east | Envs: prod, staging │
│ CVEs: CVE-XXXX, CVE-AAAA │
│ Status: NOT_AFFECTED Reason: component not reachable in shipped configuration (example) │
│ Policy Effect: allows approvals to proceed for scoped bundles (per governance rules) │
│ Evidence: [Open Proof Chain] [Export to Evidence Bundle] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 9) Security → Exceptions
### Previously
* **Formerly:** `Security → Exceptions` (`/security/exceptions`)
### Now
* **Now:** `Security → Exceptions` remains, but:
* exceptions are tied to **Finding/CVE + Region/Env + Bundle/Release**
* includes **expiry + mitigation** as first-visible fields
* links to **Release Control → Exception Workflow** (configuration lives there now)
### Why changed
Exceptions are part of **release governance** and must be traceable to **what was accepted**, **where**, and **until when**.
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Security Exceptions] --> B[Exception Detail / Request]
A --> C[Security Findings (filtered)]
A --> D[Release Control: Governance & Policy (exception workflow)]
A --> E[Evidence & Audit: Evidence Bundle (for exception record)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ EXCEPTIONS [ + Request Exception ]│
│ Formerly: Security ▸ Exceptions │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Status ▾ Region ▾ Environment ▾ Bundle/Release ▾ Expiring soon ▾ │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Exception ID Finding/CVE Scope (region/env) Bundle Reason Expires Status │
│-------------------------------------------------------------------------------------------------│
│ exc-101 CVE-XXXX eu-west/prod-eu api@2.1.0 mitigation… 14d ACTIVE │
│ exc-102 CVE-YYYY us-east/staging-us user@3.0.0 rollback… 2d PENDING │
│ Actions: [View] [Extend] [Revoke] [Export evidence] │
│ Workflow config: Release Control ▸ Governance & Policy ▸ Exception Workflow [Open] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 10) Exception Detail / Request — new explicit page
### Previously
* **Formerly:** implied; request button existed but no structured “audit-grade” view.
### Now
* **Now:** `Security → Exceptions → Detail/Request`
### Why changed
This is the artifact auditors will ask for:
* what risk accepted, scope, mitigation, approvals, expiry
* evidence attachments / signatures
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Exception Detail] --> B[Finding Detail]
A --> C[Vulnerability Detail (CVE)]
A --> D[Evidence & Audit: Proof Chain]
A --> E[Evidence & Audit: Export Center]
A --> F[Release Control: Governance & Policy (workflow)]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ EXCEPTION DETAIL: exc-101 │
│ Formerly: Security ▸ Exceptions (row) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Finding: CVE-XXXX in openssl Severity: CRITICAL Hybrid reachable: YES │
│ Scope: eu-west ▸ prod-eu | Bundle: api-gateway@2.1.0 │
│ Reason: customer outage risk if patched immediately (example) │
│ Mitigation: WAF rule + restricted egress + monitoring │
│ Expires: 2026-03-04 Approvers: security-lead, release-manager │
│ Evidence: [Attach] [Open Proof Chain] [Export to Evidence Bundle] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 11) Security → Coverage & Analytics (SBOM Lake moved)
### Previously
* **Formerly:** `Analytics → SBOM Lake` (`/analytics/sbom-lake`)
### Now
* **Now:** `Security → Coverage & Analytics`
(and cross-linked from **Evidence & Audit** because it measures attestation coverage)
### Why changed
SBOM Lake is not “generic analytics.” It directly answers:
* “Do we have enough SBOM + reachability + VEX + policy-decision attestations to trust promotions?”
* “Which regions/envs are blind or stale?”
That is **security posture** and must live under Security.
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[Coverage & Analytics] --> B[Security Findings (filtered)]
A --> C[VEX Hub (filtered)]
A --> D[Operations: Nightly Ops Report]
A --> E[Integrations: Security Data Sources]
A --> F[Evidence & Audit: Proof Chains]
A --> G[Administration: Usage & Limits]
```
---
## ASCII mock (expanded SBOM + reachability coverage)
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ COVERAGE & ANALYTICS │
│ Formerly: Analytics ▸ SBOM Lake │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Region ▾ Environment ▾ Min Severity ▾ Time Window ▾ │
│ Banner: Analytics API auth error (if any) → [Open System] [Open Integrations] │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ ATTESTATION COVERAGE (last 30d) │
│ SBOM: 88% | VEX: 62% | Policy Decision: 91% | Human Approval: 74% │
│ Complete Chains: 71% (SBOM+Reachability+Policy+Evidence) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ HYBRID REACHABILITY COVERAGE │
│ Build reach coverage: 92% (fresh <24h: 90%) │
│ Image/Dover coverage: 96% (fresh <24h: 88%) │
│ Runtime coverage: 61% (fresh <24h: 54%) │
│ → gaps reduce confidence in “reachable” classification │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ APPROVAL VELOCITY / BLOCKERS │
│ - Top blocker: NVD feed stale (dataset) → [Nightly Ops Report] │
│ - Top blocker: runtime reach ingest degraded (eu-central agent) → [Worker Fleet] │
│ Exports: [Export CSV] [Export coverage attestation snapshot] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 12) Security → SBOM Graph (Beta)
### Previously
* **Formerly:** `Security → SBOM Graph` (`/security/sbom`) but the build says “not yet available.”
### Now
* **Now:** `Security → SBOM Graph (Beta)` remains, but positioned explicitly as:
* a visualization tool for dependency relationships and component impact
* driven by **Bundles/Releases**, with region/env lens
* links back to Findings and to Bundle Organizer
### Why changed
Even if not implemented yet, the IA must reserve the place so it doesnt get shoved into random “analytics” later. Its a security tool.
---
## Screen graph (Mermaid)
```mermaid
flowchart TD
A[SBOM Graph (Beta)] --> B[Security Findings (component/CVE filtered)]
A --> C[Release Control: Bundle Organizer]
A --> D[Vulnerability Detail (CVE)]
A --> E[Coverage & Analytics]
```
---
## ASCII mock
```text
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ SBOM GRAPH (BETA) │
│ Formerly: Security ▸ SBOM Graph (not available) │
├───────────────────────────────────────────────────────────────────────────────────────────────┤
│ Scope: Bundle/Release ▾ Region ▾ Environment ▾ │
│ (Graph canvas) │
│ - Nodes: components/packages/images/services │
│ - Edges: dependency relationships │
│ │
│ Side panel: Selected node → vulnerabilities + reachability + affected bundles │
│ Actions: [View Findings] [View CVE] [Open Bundle Organizer] │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## Preservation mapping (prove the reorg stays intact)
* `Security → Overview` stays **Security root**
* `Security → Findings` stays **Security root**, but now **hybrid reachability** is first-visible
* `Security → Vulnerabilities` becomes real (was placeholder)
* `Security → VEX Hub` stays under **Security root**
* `Security → Exceptions` stays under **Security root**, with workflow config linked to **Release Control**
* `Analytics → SBOM Lake` is moved to **Security → Coverage & Analytics** (and cross-linked from Evidence & Audit)
* `Security → SBOM Graph` stays, labeled **Beta**
---
If you want, Pack 8 can cover **Release Control** screens in the same format (Mermaid + ASCII + Formerly/Why) including the missing **Release Bundle Organizer** you called out (microservice digest→version, env vars from Vault/Consul, per-repo changelog, bundle composition, promotion paths).
Reference in New Issue View Git Blame Copy Permalink