git.stella-ops.org/docs/modules/ui/v2-rewire/pack-19.md
2026-02-18 23:03:07 +02:00

## Pack 19 — Security consolidated around **release decisions + audit outputs** (preserving all PoC screens; reachability stays 2nd-class)
Below:
1. **Security menu graph (Mermaid)**
2. For **each screen**:
   * **Formerly** (old name/location)
   * **Why moved/reshaped**
   * **Screen navigation graph (Mermaid)**
   * **ASCII mock**
---
# 19.1 Security menu graph (Mermaid)
This keeps every PoC screen, but organizes them in a “Stella Ops” order: **decision-centric first**, then exploration, then data backends, then attestations/waivers.
```mermaid
flowchart TD
%% Labels containing parentheses, "&" or "->" must be quoted or Mermaid fails to parse them
SEC["Security (ROOT)"] --> SEC_OV[Risk Overview]
SEC --> SEC_FIND[Findings Explorer]
SEC --> SEC_VULN[Vulnerabilities Explorer]
SEC --> SEC_SBOM[SBOM Data]
SEC_SBOM --> SEC_LAKE[SBOM Lake]
SEC_SBOM --> SEC_GRAPH[SBOM Graph]
SEC --> SEC_VEX["VEX & Exceptions"]
SEC_VEX --> SEC_VEXH[VEX Hub]
SEC_VEX --> SEC_EXC[Exceptions]
%% Cross-links (no duplication)
SEC_OV -. "data confidence" .-> OPS_DI[Ops: Data Integrity]
SEC_FIND -. "open env" .-> RC_ENV[Release Control: Env Detail]
SEC_FIND -. "open bundle version" .-> BVER[Bundles: Bundle Version Detail]
SEC_FIND -. "export decision pack" .-> EVID[Evidence: Export Center]
SEC_VULN -. "graph" .-> SEC_GRAPH
SEC_EXC -. "approval gating" .-> APPR[Approvals]
SEC_VEXH -. "issuer trust" .-> TRUST["Evidence: Trust & Signing"]
```
**Key consolidation rule:**
* **Findings** = “what is actually present in a specific env/bundle/digest, and is it reachable?”
* **Vulnerabilities** = “the CVE/catalog view (global), then drill down to where it hits.”
* **SBOM Lake/Graph** = storage/exploration backends (kept, but demoted under “SBOM Data”).
* **VEX/Exceptions** = disposition/waiver layer tied to approvals and audit.
---
# 19.2 Security screen — Risk Overview
### Formerly
* **Security → Overview** (`security overview.png`)
(cards and summary, not tightly tied to env/bundle decision outcomes)
### Why changed like this
This becomes the security commander's “brief”: **what blocks promotions**, **which envs have critical reachable**, **SBOM freshness/coverage**, **VEX/exceptions posture**, and **data confidence** (feeds/jobs/integrations).
Reachability is **not** promoted to a top-level area; it appears as:
* summary metrics
* filters
* drilldowns into Findings.
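To make the summary metrics concrete, here is an added Python sketch (not Stella Ops code) that derives the Risk Overview snapshot numbers from constructed findings, SBOM records and exception expiry dates. The 24h SBOM freshness window, the 1h feed-age threshold and all sample values are assumptions that mirror the mock below.

```python
from collections import Counter, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample data mirroring the Pack 19 mock; not Stella Ops code.
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
ENVS = ["US-East/us-prod", "US-East/us-uat", "EU-West/eu-prod", "APAC/apac-prod"]
Finding = namedtuple("Finding", "env component cve severity reachability")
SbomRecord = namedtuple("SbomRecord", "env digest generated_at")  # generated_at None = scan pending

FINDINGS = [
    Finding("US-East/us-prod", "user-service", "CVE-2026-1234", "CRIT", "reachable"),
    Finding("US-East/us-prod", "worker", "CVE-2026-2222", "CRIT", "reachable"),
    Finding("US-East/us-uat", "user-service", "CVE-2026-2222", "CRIT", "reachable"),
    Finding("US-East/us-prod", "api-gateway", "CVE-2026-9001", "HIGH", "not_reachable"),
]
SBOMS = [
    SbomRecord("US-East/us-prod", "sha256:1111...", NOW - timedelta(hours=2)),
    SbomRecord("US-East/us-uat", "sha256:2222...", NOW - timedelta(hours=26)),
    SbomRecord("EU-West/eu-prod", "sha256:4444...", None),
    # APAC/apac-prod has no record at all -> counted as "missing"
]
# Exception expiry dates; the third already expired, so it is no longer "expiring".
EXCEPTION_EXPIRIES = [datetime(2026, 3, 1, tzinfo=timezone.utc),
                      datetime(2026, 2, 20, tzinfo=timezone.utc),
                      datetime(2026, 2, 17, tzinfo=timezone.utc)]

def crit_reachable_by_env(findings):
    # Reachability stays a filter on findings, not its own domain: only CRIT + reachable rows count.
    return dict(Counter(f.env for f in findings
                        if f.severity == "CRIT" and f.reachability == "reachable"))

def sbom_status(rec, now=NOW, max_age=timedelta(hours=24)):
    if rec.generated_at is None:
        return "pending"
    return "stale" if now - rec.generated_at > max_age else "ok"

def envs_sbom_stale_or_missing(sboms, envs, now=NOW):
    # Flag an env when it has no SBOM record, or any of its records is stale/pending.
    have = {s.env for s in sboms}
    bad = {s.env for s in sboms if sbom_status(s, now) != "ok"}
    return sorted(bad | {e for e in envs if e not in have})

def exceptions_expiring_soon(expiries, now=NOW, window=timedelta(days=7)):
    return sum(1 for t in expiries if now <= t < now + window)

def data_confidence(feed_age_hours, rescan_failed, feed_max_age_hours=1):
    # WARN as soon as any upstream input is stale or failed, so stale results are never read as "clean".
    reasons = [f"NVD stale {feed_age_hours}h"] if feed_age_hours > feed_max_age_hours else []
    reasons += ["SBOM rescan FAIL"] if rescan_failed else []
    return ("WARN" if reasons else "OK", reasons)

def risk_overview(findings, sboms, expiries, envs, feed_age_hours, rescan_failed, now=NOW):
    by_env = crit_reachable_by_env(findings)
    return {
        "crit_reachable_by_env": by_env,
        "envs_with_crit_reachable": len(by_env),
        "total_crit_reachable": sum(by_env.values()),
        "envs_sbom_stale_or_missing": envs_sbom_stale_or_missing(sboms, envs, now),
        "exceptions_expiring_lt_7d": exceptions_expiring_soon(expiries, now),
        "data_confidence": data_confidence(feed_age_hours, rescan_failed),
    }

OVERVIEW = risk_overview(FINDINGS, SBOMS, EXCEPTION_EXPIRIES, ENVS, feed_age_hours=3, rescan_failed=True)
```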
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Security: Risk Overview] --> B[Critical reachable by environment]
A --> C[Blocked approvals due to security]
A --> D["SBOM coverage & freshness summary"]
A --> E[Top CVEs impacting deployed bundles]
A --> F[VEX coverage / exceptions expiring soon]
A --> G["Data Confidence banner -> Ops Data Integrity"]
A --> H["Drilldowns -> Findings Explorer"]
A --> I["Drilldowns -> Vulnerabilities Explorer"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ RISK OVERVIEW │
│ Formerly: Security ▸ Overview (security overview.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL; Jenkins DEGRADED; DLQ runtime 1,230) │
│ [Open Ops → Data Integrity] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Snapshot (24h) │
│ Envs with Crit Reachable: 2 Total Crit Reachable: 3 │
│ Envs SBOM stale/missing: 3 VEX coverage: 62% │
│ Approvals blocked (security): 2 Exceptions expiring < 7d: 4 │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Critical Reachable by Environment │
│ US-East/us-prod: 2 US-East/us-uat: 1 EU-West/eu-prod: 0 APAC/apac-prod: 0 │
│ [Open Findings filtered to Crit Reachable] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Top drivers (click to drill) │
│ CVE-2026-1234 (openssl) → affects user-service in US-East/us-prod (reachable) │
│ CVE-2026-9001 (log4j) → affects api-gateway (not reachable; VEX present) │
│ [Open Vulnerabilities Explorer] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ SBOM posture │
│ Coverage: 98% digests scanned | Freshness: 3 envs > 24h | Pending scans: 1 digest │
│ [Open Findings] [Open SBOM Lake] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ VEX & Exceptions │
│ VEX statements imported (24h): 12 | Exceptions active: 9 | expiring soon: 4 │
│ [Open VEX Hub] [Open Exceptions] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.3 Security screen — Findings Explorer
### Formerly
* **Security → Findings** (`findings.png`)
(global list; in PoC the table looked empty / placeholder)
### Why changed like this
Findings are what matter for release decisions. This screen becomes the primary explorer with **first-class filters**:
* Region / Env / Env type
* Bundle version (manifest digest)
* Component digest
* Severity
* **Reachability class** (reachable / not reachable / unknown)
* **Hybrid evidence presence** (B/I/R) as filters/columns (2nd-class, but not buried)
* SBOM freshness status (ok/stale/missing/pending)
It also shows a **Data Confidence banner** so you never misread stale results as “clean”.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Findings Explorer] --> B[Finding Detail]
A --> C["Filter to Environment -> Env Detail"]
A --> D["Filter to Bundle Version -> Bundle Version Detail"]
A --> E[Open Vulnerability Detail]
A --> F["Open VEX Hub (statement for CVE)"]
A --> G["Open Exceptions (waiver scope)"]
A --> H["Export filtered set -> Evidence Export"]
A --> I["Data Confidence -> Ops Data Integrity"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ FINDINGS EXPLORER │
│ Formerly: Security ▸ Findings (findings.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Data Confidence: WARN (NVD stale 3h; SBOM rescan FAIL) [Open Data Integrity] │
│ Filters: Region ▾ Env ▾ EnvType ▾ BundleVersion ▾ Severity ▾ Reachability ▾ SBOM ▾ │
│ Hybrid evidence: Build ✓/✗ Image ✓/✗ Runtime ✓/✗ Time window ▾ (24h/7d/30d) │
│ Actions: [Export filtered findings] [Open as Evidence Attachment] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Findings (env-context) │
│ ┌──────────────┬──────────────┬─────────────┬──────────────┬──────────┬─────────┬───────────┐ │
│ │ Env │ Component │ CVE │ Package │ Severity │ Reach │ B/I/R │ │
│ ├──────────────┼──────────────┼─────────────┼──────────────┼──────────┼─────────┼───────────┤ │
│ │ us-prod │ user-service │ 2026-1234 │ openssl │ CRIT │ YES │ 0/1/0 │ │
│ │ us-uat │ user-service │ 2026-2222 │ glibc │ CRIT │ YES │ 0/1/0 │ │
│ │ us-prod │ api-gateway │ 2026-9001 │ log4j │ HIGH │ NO │ 1/1/1 │ │
│ └──────────────┴──────────────┴─────────────┴──────────────┴──────────┴─────────┴───────────┘ │
│ Click a row → Finding Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.4 Security screen — Finding Detail (new, minimal but necessary)
### Formerly
* No explicit “Finding Detail” screen shown; users would pivot:
  * Vulnerabilities list
  * SBOM Graph
  * VEX Hub
  * Exceptions

  …without a single “case file.”
### Why changed like this
This is the decision artifact:
* “Is it reachable?” and **why** (and with what hybrid evidence)
* What envs/bundles are impacted
* Whether VEX exists / whether an exception exists
* Links to approvals blocked by this finding
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Finding Detail] --> B["Reachability evidence (B/I/R) + age"]
A --> C[Impacted envs + bundle versions]
A --> D["Related CVE record -> Vulnerability Detail"]
A --> E["VEX statements -> VEX Hub"]
A --> F["Exceptions -> Exceptions"]
A --> G["Blocked approvals -> Approvals"]
A --> H["Export case -> Evidence Export"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ FINDING DETAIL │
│ Formerly: implicit drilldowns from Findings/Vulnerabilities/SBOM Graph (no unified “case file”) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVE: CVE-2026-1234 Package: openssl Severity: CRITICAL │
│ Component: user-service v3.0.0-rc1 digest sha256:2222... │
│ Environment: US-East/us-prod │
│ Reachability: REACHABLE (confidence: MEDIUM) │
│ Hybrid evidence: Build ✗ (missing) | Image ✓ (1h) | Runtime ✗ (26h stale) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Impact │
│ - Environments: us-prod (crit reachable), us-uat (crit reachable) │
│ - Bundle versions: Platform 1.3.0-rc1 (manifest sha256:beef...) │
│ - Approvals blocked: 1 [Open approvals filtered] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Disposition │
│ VEX: none found | Exceptions: none active │
│ Actions: [Create Exception Request] [Search/Import VEX] [Export as Evidence] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.5 Security screen — Vulnerabilities Explorer
### Formerly
* **Security → Vulnerabilities** (`vulnerabilities.png`)
(CVE catalog list)
### Why changed like this
This remains the catalog view, but becomes **release-relevant** by adding:
* “impacted environments count”
* “crit reachable envs count”
* “affected bundle versions count”
* quick filters: “only affecting prod”, “only reachable”, “only without VEX”, “only with expiring exception”.
Reachability remains **2nd-class**: it's derived from correlated findings, not a separate domain.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Vulnerabilities Explorer] --> B[Vulnerability Detail]
A --> C["Open Findings (filtered by CVE)"]
A --> D["Open VEX Hub (statements for CVE)"]
A --> E["Open Exceptions (scoped to CVE)"]
A --> F["Open SBOM Graph (package path)"]
A --> G["Export report -> Evidence Export"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VULNERABILITIES EXPLORER │
│ Formerly: Security ▸ Vulnerabilities (vulnerabilities.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Severity ▾ Has VEX ▾ Has Exception ▾ Reachable in Prod ▾ Window ▾ │
│ Data Confidence banner (if stale): WARN (NVD stale 3h) [Open Data Integrity] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────┬──────────┬──────────────┬───────────────┬──────────────┬───────────────────┐ │
│ │ CVE │ Severity │ Package │ Impacted envs │ CritR envs │ Disposition │ │
│ ├──────────────┼──────────┼──────────────┼───────────────┼──────────────┼───────────────────┤ │
│ │ 2026-1234 │ CRIT │ openssl │ 2 │ 2 │ no VEX / no exc │ │
│ │ 2026-9001 │ HIGH │ log4j │ 4 │ 0 │ VEX present │ │
│ └──────────────┴──────────┴──────────────┴───────────────┴──────────────┴───────────────────┘ │
│ Click a CVE → Vulnerability Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.6 Security screen — Vulnerability Detail (new, minimal but necessary)
### Formerly
* No explicit detail page shown; users used SBOM graph or external CVE pages and then filtered Findings.
### Why changed like this
This is the “CVE dossier” inside Stella:
* shows where it hits (envs/bundles/components)
* reachability distribution
* VEX statements and exceptions status
* links to SBOM Graph paths and evidence export
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Vulnerability Detail] --> B[Impacted envs/bundles/components]
A --> C[Reachability distribution]
A --> D[VEX statements]
A --> E[Exceptions / waivers]
A --> F[SBOM Graph path explorer]
A --> G[Export as evidence report]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY DETAIL: CVE-2026-1234 │
│ Formerly: inferred via Vulnerabilities list + Findings filters + external CVE lookup │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Package: openssl Severity: CRITICAL EPSS/KEV: (if present via feeds) │
│ Data confidence: WARN (NVD stale 3h) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Impact summary │
│ Impacted envs: 2 (Prod impacted: 1) │
│ Findings: 3 total | Reachable: 3 | Not reachable: 0 | Unknown: 0 │
│ Affected components: user-service sha256:2222... │
│ Affected bundle versions: Platform 1.3.0-rc1 (sha256:beef...) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Disposition │
│ VEX: none | Exceptions: none │
│ Actions: [Open Findings] [Open SBOM Graph] [Create Exception] [Export Report] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.7 Security screen — SBOM Lake
### Formerly
* **Security → SBOM Lake** (`sbom lake.png`)
(raw SBOM index / ingestion storage view)
### Why changed like this
Keep it intact, but reframe it as **backend exploration**:
* clearly marked as “data plane”
* supports filtering by digest / component / bundle version / env
* adds a “Used in decisions” panel (which approvals/promotions reference this SBOM snapshot)
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[SBOM Lake] --> B["SBOM Record Detail (by digest)"]
A --> C["Pivot to Findings (derived)"]
A --> D["Pivot to SBOM Graph (relationships)"]
A --> E[Pivot to Bundle Version Detail]
A --> F["Export SBOM snapshot -> Evidence"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ SBOM DATA ▸ SBOM LAKE │
│ Formerly: Security ▸ SBOM Lake (sbom lake.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Purpose: raw SBOM store / index (data plane). Use Findings/Vulns for decision views. │
│ Filters: Digest ▾ Component ▾ BundleVersion ▾ Env ▾ Freshness ▾ │
│ Actions: [Export SBOM snapshot] [Open derived Findings] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ SBOM Records │
│ sha256:1111... api-gateway generated: 2h ago format: SPDX status: OK │
│ sha256:2222... user-service generated: 26h ago format: SPDX status: OK (STALE) │
│ sha256:4444... worker generated: — format: — status: PENDING │
│ Click record → SBOM Record Detail │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.8 Security screen — SBOM Graph
### Formerly
* **Security → SBOM Graph** (`sbom graph.png`)
(graph traversal of dependencies)
### Why changed like this
Keep intact, but make it **decision-connected**:
* start from **bundle version** or **env deployed digest** as entry points
* show “paths to vulnerable package”
* add “show reachable paths only” as an overlay (2nd-class reachability filter)
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[SBOM Graph] --> B[Select root: env/bundle/digest/package]
A --> C[Graph view + path explorer]
A --> D[Overlay: highlight vulnerable packages]
A --> E[Overlay: reachable-only / evidence source]
A --> F[Pivot: open Finding / Vulnerability detail]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ SBOM DATA ▸ SBOM GRAPH │
│ Formerly: Security ▸ SBOM Graph (sbom graph.png) │
├───────────────────────────────────────────────────────────────────────────────┬──────────────┤
│ Entry point (choose one): │ Overlays │
│ (•) Deployed env: US-East/us-prod │ [x] highlight│
│ ( ) Bundle version: Platform 1.3.0-rc1 │ CVEs │
│ ( ) Digest: sha256:2222... │ [ ] reachable│
│ ( ) Package: openssl │ only │
├───────────────────────────────────────────────────────────────────────────────┴──────────────┤
│ Graph view (nodes: packages/components; edges: depends-on) │
│ Path explorer: user-service → openssl → … │
│ Click node → [Open Vulnerability] [Open Findings] [Open SBOM record] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.9 Security screen — VEX Hub
### Formerly
* **Security → VEX Hub** (`vex hub.png`)
(statement ingestion/management)
### Why changed like this
Keep intact, but align to governance:
* show “statements affecting blocked approvals”
* show issuer trust status (links to Evidence → Trust & Signing)
* provide “apply VEX to finding” workflow as a controlled action (audited)
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[VEX Hub] --> B[VEX Statement Detail]
A --> C[Filter by CVE/package/component/env]
A --> D["Issuer trust -> Trust & Signing"]
A --> E["Apply statement -> affects Findings"]
A --> F["Export VEX set -> Evidence"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX & EXCEPTIONS ▸ VEX HUB │
│ Formerly: Security ▸ VEX Hub (vex hub.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Issuer ▾ CVE ▾ Component ▾ Env ▾ Status ▾ │
│ Summary: Statements imported (24h): 12 | affecting blocked approvals: 1 │
│ Issuer trust: 2 trusted / 1 untrusted [Open Trust & Signing] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Statements │
│ VendorA CVE-2026-9001 status: not affected scope: api-gateway evidence: signed ✓ │
│ InternalSec CVE-2026-1234 status: under investigation scope: user-service signed ✓ │
│ Actions: [Import] [Validate signatures] [Export] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 19.10 Security screen — Exceptions
### Formerly
* **Security → Exceptions** (`exceptions.png`)
(likely waivers, policy exceptions, risk acceptances)
### Why changed like this
Keep it intact, but force “release governance shape”:
* exceptions are **time-bound**, **scoped** (env/bundle/component/CVE), and **audited**
* shows “exceptions expiring soon” prominently
* links to approvals using this exception (so you see operational dependency)
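An added Python example (not Stella Ops code) of the disposition rule that Finding Detail (19.4) and this screen imply together: a finding blocks promotion only when it is CRIT, is not proven unreachable, and is covered neither by a signed not_affected VEX statement from a trusted issuer nor by a scoped, unexpired exception. The gate policy, the scope-matching semantics and the sample records are assumptions that mirror the mocks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
# Constructed sample data mirroring the Pack 19 mocks; not Stella Ops code.
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
@dataclass(frozen=True)
class Finding:
    env: str
    component: str
    cve: str
    severity: str      # CRIT / HIGH / ...
    reachability: str  # reachable / not_reachable / unknown
@dataclass(frozen=True)
class VexStatement:
    cve: str
    component: str
    status: str        # not_affected / affected / under_investigation / fixed
    issuer_trusted: bool
    signature_valid: bool
@dataclass(frozen=True)
class Waiver:                 # the page's "Exception"; renamed so it does not shadow the builtin
    cve: Optional[str]        # None = any CVE (e.g. a "policy override" hotfix window)
    env: Optional[str]        # None = any env
    component: Optional[str]  # None = any component
    expires_at: datetime      # time-bound: every waiver has a hard expiry
    approvers: str            # audit trail: who signed it off

def vex_neutralises(f, statements):
    # Only a signed, trusted not_affected statement for this exact CVE+component counts; "under_investigation" keeps the finding live.
    return any(s.cve == f.cve and s.component == f.component and s.status == "not_affected"
               and s.issuer_trusted and s.signature_valid for s in statements)

def active_waivers(f, waivers, now=NOW):
    # Expired waivers never match; every scope key that is set must equal the finding's value.
    return [w for w in waivers if w.expires_at > now and w.cve in (None, f.cve)
            and w.env in (None, f.env) and w.component in (None, f.component)]

def disposition(f, statements, waivers, now=NOW):
    # Returns (blocks_promotion, reason). Assumed gate: CRIT that is not proven unreachable.
    if f.severity != "CRIT":
        return False, "below gate severity"
    if f.reachability == "not_reachable":
        return False, "not reachable"
    if vex_neutralises(f, statements):
        return False, "VEX not_affected (trusted, signed)"
    active = active_waivers(f, waivers, now)
    if active:
        return False, f"exception until {active[0].expires_at.date()} ({active[0].approvers})"
    # 'unknown' reachability lands here on purpose: missing evidence must not read as clean.
    return True, f"{f.reachability}; no VEX; no active exception"
FINDINGS = [
    Finding("US-East/us-prod", "user-service", "CVE-2026-1234", "CRIT", "reachable"),
    Finding("US-East/us-uat", "user-service", "CVE-2026-2222", "CRIT", "reachable"),
    Finding("US-East/us-prod", "api-gateway", "CVE-2026-9001", "HIGH", "not_reachable"),
    Finding("EU-West/eu-prod", "worker", "CVE-2026-9001", "CRIT", "unknown"),
]
VEX = [
    VexStatement("CVE-2026-9001", "api-gateway", "not_affected", True, True),
    VexStatement("CVE-2026-1234", "user-service", "under_investigation", True, True),
]
WAIVERS = [  # the second expired yesterday, so us-uat stays blocked
    Waiver(None, "EU-West/eu-prod", None, datetime(2026, 2, 20, tzinfo=timezone.utc), "sec+relmgr"),
    Waiver("CVE-2026-2222", "US-East/us-uat", None, datetime(2026, 2, 17, tzinfo=timezone.utc), "sec+relmgr"),
]
```

The eu-prod row shows why scope matters: a broad "policy override" waiver with no CVE key covers an unknown-reachability CRIT, while the expired us-uat waiver covers nothing.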
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Exceptions] --> B[Exception Detail]
A --> C[Create exception request]
A --> D[Link to Approval / Promotion]
A --> E[Link to Finding / Vulnerability]
A --> F["Export exception ledger -> Evidence"]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY ▸ VEX & EXCEPTIONS ▸ EXCEPTIONS │
│ Formerly: Security ▸ Exceptions (exceptions.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Status ▾ Expiring <7d ▾ Env ▾ BundleVersion ▾ CVE ▾ Owner ▾ │
│ Summary: Active: 9 | Expiring soon: 4 | Used by pending approvals: 1 │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Exceptions (waivers / risk acceptance) │
│ ┌──────────────┬───────────────┬──────────────┬───────────┬───────────────┬─────────────────┐ │
│ │ Scope │ CVE/Issue │ Reason │ Expires │ Approvers │ Used by │ │
│ ├──────────────┼───────────────┼──────────────┼───────────┼───────────────┼─────────────────┤ │
│ │ us-prod │ CVE-2026-9001 │ VEX says not │ 2026-03-01│ sec+relmgr │ 0 approvals │ │
│ │ eu-prod │ policy override│ hotfix window │ 2026-02-20│ sec+relmgr │ 1 approval │ │
│ └──────────────┴───────────────┴──────────────┴───────────┴───────────────┴─────────────────┘ │
│ Actions: [+ Request Exception] [Export ledger] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## What this consolidation fixes (in practical terms)
* **Decision-first navigation**: security starts with “what blocks releases / where CritR exists”, not raw SBOM tooling.
* **Reachability is second-class but visible**: it's a column/filter everywhere it matters (Findings/Vulns/Detail), not a buried third-class afterthought.
* **Audit friendliness**: each screen has explicit export hooks into Evidence (decision packets, exception ledger, filtered findings sets).
* **No feature loss**: SBOM Lake/Graph, VEX Hub, Exceptions remain exactly as capabilities—just grouped and linked to approvals/releases/environment context.
---
If you want the next pack, **Pack 20** can do the same consolidation for **Evidence & Audit** (Evidence Bundles, Export Center, Replay/Verify, Trust & Signing) so audit outputs are “release/bundle/env centric” and still preserve all PoC screens.