git.stella-ops.org/docs/modules/web/competitive-triage-patterns.md

# Competitive Triage UI Patterns - Design Document

> **Sprint:** SPRINT_20251226_010_FE_visual_diff_enhancements
> **Task:** VD-ENH-09
> **Status:** Complete
> **Author:** Implementation Team
> **Date:** 2025-12-26

---

## Overview

This document captures competitive insights from leading vulnerability management tools and recommends patterns for adoption in StellaOps' visual diff and triage UI.

## Competitive Analysis

### Snyk — Reachability + Continuous Context

**What they do:**
- Reachability analysis builds call graphs to determine if vulnerable code is actually reachable
- Risk scores factor in reachability, not just CVSS severity
- Static program analysis combined with AI and expert curation
- Continuous monitoring tracks issues over time as projects are rescanned

**Adoption recommendation:** ✅ **Already implemented**
- `GraphDiffComponent` visualizes reachability graphs with call paths
- Hover highlighting shows connected paths from entry points to sinks
- Plain language explanations help users understand "why" a finding matters

### Anchore — Vulnerability Annotations & VEX Export

**What they do:**
- Vulnerability annotation workflows via UI or API
- Labels: "not applicable", "mitigated", "under investigation"
- Export as OpenVEX and CycloneDX VEX formats
- Curated reasoning reduces redundant triage downstream

**Adoption recommendation:** ✅ **Already implemented**
- `TriageWorkspaceComponent` provides VEX decisioning with trust levels
- `DeltaVerdict` backend exports signed VEX statements
- Attestable exception objects with expiries and audit trails

### Prisma Cloud — Runtime Defense

**What they do:**
- Runtime profiling and behavioral baselines for containers
- Process, file, and network rule enforcement
- Learning models detect anomalies
- Runtime context during operational incidents

**Adoption recommendation:** ⚠️ **Partial - Signals module**
- `Signals` module provides runtime observation correlation
- Hot symbol index tracks runtime function execution
- Integration with FuncProof links runtime observations to static analysis

---

## Recommended UI Patterns

### 1. Unified Triage Canvas

**Pattern:** Single view combining static analysis with runtime evidence

```
┌─────────────────────────────────────────────────────────────────┐
│                        TRIAGE CANVAS                             │
├──────────────────┬────────────────────┬─────────────────────────┤
│   Graph View     │   Evidence Panel   │   Decision Panel        │
│                  │                    │                         │
│  ┌─────┐         │  • SBOM Component  │  ○ Not Affected         │
│  │main │────►    │  • VEX Statement   │  ○ Under Investigation  │
│  └─────┘    │    │  • Reachability    │  ○ Affected             │
│             ▼    │  • Runtime Obs.    │  ○ Fixed                │
│       ┌─────┐    │  • Policy Match    │                         │
│       │vuln │    │                    │  [Record Decision]      │
│       └─────┘    │                    │                         │
└──────────────────┴────────────────────┴─────────────────────────┘
```

**Implementation:** Already complete via `TriageWorkspaceComponent` + `GraphDiffComponent`

### 2. Exploitability Scoring Visualization

**Pattern:** Visual risk score breakdown showing contributing factors

| Component | Weight | Score | Visualization |
|-----------|--------|-------|---------------|
| Reachability | 25% | 95 | ████████░░ |
| VEX Coverage | 20% | 90 | █████████░ |
| SBOM Completeness | 20% | 85 | ████████░░ |
| Runtime Evidence | 20% | 88 | ████████░░ |
| Policy Freshness | 15% | 92 | █████████░ |

**Implementation:** `ProofTreeComponent` displays trust score breakdown with donut chart

### 3. Attack Path Diagrams

**Pattern:** Entry point → vulnerable function path highlighting

- Color-coded paths (green=safe, red=vulnerable, amber=uncertain)
- Hop count indicators
- Confidence levels per path segment
- Interactive path exploration with zoom-to-fit

**Implementation:** `GraphDiffComponent` with `findPath()` and path highlighting

### 4. Evidence Provenance Indicators

**Pattern:** Visual indicators showing evidence source and trust level

| Indicator | Meaning |
|-----------|---------|
| 🔒 Signed | DSSE-signed evidence |
| ✓ Verified | Signature verified |
| ⚡ Runtime | Observed at runtime |
| 📋 Policy | Policy-derived |
| 👤 Manual | Human decision |

**Implementation:** `ProofTreeComponent` with evidence chunk icons

---

## Adoption Status

| Pattern | Status | Component |
|---------|--------|-----------|
| Reachability graphs | ✅ Complete | `GraphDiffComponent` |
| VEX decisioning | ✅ Complete | `TriageWorkspaceComponent` |
| Attack path visualization | ✅ Complete | `GraphDiffComponent` + path highlighting |
| Evidence provenance | ✅ Complete | `ProofTreeComponent` |
| Plain language explanations | ✅ Complete | `PlainLanguageService` |
| Runtime observation correlation | ✅ Complete | `Signals` module integration |
| Offline replay packs | ✅ Complete | Evidence bundle export |
| Trust score breakdown | ✅ Complete | `ProofTreeComponent` donut chart |

---

## Differentiation Strategy

StellaOps differentiates from competitors by unifying these patterns into a single, evidence-rich, policy-driven triage experience:

1. **Evidence-first:** Every decision is backed by cryptographic evidence
2. **Policy-driven:** VEX as core policy objects, not just export format
3. **Attestable:** Exceptions are attestable contracts with audit trails
4. **Offline-capable:** Same UI/interactions work in air-gapped environments
5. **Deterministic:** Reproducible verdicts across runs and environments

---

## References

- [Snyk Reachability Analysis](https://docs.snyk.io/manage-risk/prioritize-issues-for-fixing/reachability-analysis)
- [Anchore Vulnerability Annotations](https://docs.anchore.com/current/docs/vulnerability_management/vuln_annotations/)
- [Prisma Cloud Runtime Defense](https://docs.prismacloud.io/en/compute-edition/30/admin-guide/runtime-defense/runtime-defense-containers)