c8f3120174
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency. - Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling. - Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies. - Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification. - Create validation script for CI/CD templates ensuring all required files and structures are present.
6.6 KiB
Competitive Triage UI Patterns - Design Document
Sprint: SPRINT_20251226_010_FE_visual_diff_enhancements Task: VD-ENH-09 Status: Complete Author: Implementation Team Date: 2025-12-26
Overview
This document captures competitive insights from leading vulnerability management tools and recommends patterns for adoption in StellaOps' visual diff and triage UI.
Competitive Analysis
Snyk — Reachability + Continuous Context
What they do:
- Reachability analysis builds call graphs to determine if vulnerable code is actually reachable
- Risk scores factor in reachability, not just CVSS severity
- Static program analysis combined with AI and expert curation
- Continuous monitoring tracks issues over time as projects are rescanned
Adoption recommendation: ✅ Already implemented
GraphDiffComponentvisualizes reachability graphs with call paths- Hover highlighting shows connected paths from entry points to sinks
- Plain language explanations help users understand "why" a finding matters
Anchore — Vulnerability Annotations & VEX Export
What they do:
- Vulnerability annotation workflows via UI or API
- Labels: "not applicable", "mitigated", "under investigation"
- Export as OpenVEX and CycloneDX VEX formats
- Curated reasoning reduces redundant triage downstream
Adoption recommendation: ✅ Already implemented
TriageWorkspaceComponentprovides VEX decisioning with trust levelsDeltaVerdictbackend exports signed VEX statements- Attestable exception objects with expiries and audit trails
Prisma Cloud — Runtime Defense
What they do:
- Runtime profiling and behavioral baselines for containers
- Process, file, and network rule enforcement
- Learning models detect anomalies
- Runtime context during operational incidents
Adoption recommendation: ⚠️ Partial - Signals module
Signalsmodule provides runtime observation correlation- Hot symbol index tracks runtime function execution
- Integration with FuncProof links runtime observations to static analysis
Recommended UI Patterns
1. Unified Triage Canvas
Pattern: Single view combining static analysis with runtime evidence
┌─────────────────────────────────────────────────────────────────┐
│ TRIAGE CANVAS │
├──────────────────┬────────────────────┬─────────────────────────┤
│ Graph View │ Evidence Panel │ Decision Panel │
│ │ │ │
│ ┌─────┐ │ • SBOM Component │ ○ Not Affected │
│ │main │────► │ • VEX Statement │ ○ Under Investigation │
│ └─────┘ │ │ • Reachability │ ○ Affected │
│ ▼ │ • Runtime Obs. │ ○ Fixed │
│ ┌─────┐ │ • Policy Match │ │
│ │vuln │ │ │ [Record Decision] │
│ └─────┘ │ │ │
└──────────────────┴────────────────────┴─────────────────────────┘
Implementation: Already complete via TriageWorkspaceComponent + GraphDiffComponent
2. Exploitability Scoring Visualization
Pattern: Visual risk score breakdown showing contributing factors
| Component | Weight | Score | Visualization |
|---|---|---|---|
| Reachability | 25% | 95 | ████████░░ |
| VEX Coverage | 20% | 90 | █████████░ |
| SBOM Completeness | 20% | 85 | ████████░░ |
| Runtime Evidence | 20% | 88 | ████████░░ |
| Policy Freshness | 15% | 92 | █████████░ |
Implementation: ProofTreeComponent displays trust score breakdown with donut chart
3. Attack Path Diagrams
Pattern: Entry point → vulnerable function path highlighting
- Color-coded paths (green=safe, red=vulnerable, amber=uncertain)
- Hop count indicators
- Confidence levels per path segment
- Interactive path exploration with zoom-to-fit
Implementation: GraphDiffComponent with findPath() and path highlighting
4. Evidence Provenance Indicators
Pattern: Visual indicators showing evidence source and trust level
| Indicator | Meaning |
|---|---|
| 🔒 Signed | DSSE-signed evidence |
| ✓ Verified | Signature verified |
| ⚡ Runtime | Observed at runtime |
| 📋 Policy | Policy-derived |
| 👤 Manual | Human decision |
Implementation: ProofTreeComponent with evidence chunk icons
Adoption Status
| Pattern | Status | Component |
|---|---|---|
| Reachability graphs | ✅ Complete | GraphDiffComponent |
| VEX decisioning | ✅ Complete | TriageWorkspaceComponent |
| Attack path visualization | ✅ Complete | GraphDiffComponent + path highlighting |
| Evidence provenance | ✅ Complete | ProofTreeComponent |
| Plain language explanations | ✅ Complete | PlainLanguageService |
| Runtime observation correlation | ✅ Complete | Signals module integration |
| Offline replay packs | ✅ Complete | Evidence bundle export |
| Trust score breakdown | ✅ Complete | ProofTreeComponent donut chart |
Differentiation Strategy
StellaOps differentiates from competitors by unifying these patterns into a single, evidence-rich, policy-driven triage experience:
- Evidence-first: Every decision is backed by cryptographic evidence
- Policy-driven: VEX as core policy objects, not just export format
- Attestable: Exceptions are attestable contracts with audit trails
- Offline-capable: Same UI/interactions work in air-gapped environments
- Deterministic: Reproducible verdicts across runs and environments