25 lines
1.7 KiB
Markdown
25 lines
1.7 KiB
Markdown
# Version Comparison Explainability UX ("Why Fixed/Vulnerable" Popover)
|
|
|
|
## Module
|
|
Scanner
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
UI explainability for distro version comparisons: "Compared With" badge showing which comparator (RPM EVR, dpkg, APK, SemVer) was used, and "Why Fixed/Vulnerable" popover showing step-by-step comparison proof lines (epoch, upstream, revision). Version comparators emit human-readable proof lines showing each comparison step.
|
|
|
|
## Implementation Details
|
|
- **Version Comparison Evidence**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs` - `VersionComparisonEvidence` model capturing step-by-step comparison proof lines (epoch, upstream, revision) with the comparator type used
|
|
- **Service Version Comparer**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceVersionComparer.cs` - `ServiceVersionComparer` comparing service versions with proof line emission
|
|
|
|
## E2E Test Plan
|
|
- [ ] Compare an RPM package version and verify the "Compared With" badge shows "RPM EVR" as the comparator
|
|
- [ ] Verify the "Why Fixed" popover shows step-by-step comparison proof: epoch comparison, upstream version comparison, and release/revision comparison
|
|
- [ ] Compare a dpkg package version and verify epoch, upstream-version, and debian-revision are shown separately in proof lines
|
|
- [ ] Compare an APK package version and verify the Alpine-specific version comparison rules are applied and explained
|
|
- [ ] Verify SemVer comparisons show major.minor.patch breakdown with clear fixed/vulnerable reasoning
|
|
- [ ] Verify proof lines are human-readable and explain why the installed version is fixed or vulnerable relative to the advisory range
|