# Vulnerability Explorer

> **Imposed rule:** Any exported or shared view must include the data sources and overlays applied (VEX, policy, reachability) to avoid out-of-context remediation decisions.

The Vulnerability Explorer provides deterministic tables and grouping to triage, explain, and act on vulns across SBOM graph data and VEX claims.

## Table anatomy

- Default columns: CVE/alias, package (PURL), version, severity, exploitability (EPSS/KEV), reachability, VEX status, fix version, policy verdict, last seen.
- Sorting: primary by severity (desc), secondary by exploitability score, tertiary by PURL; ties broken by CVE.
- Pagination: server-driven with stable cursors; page size defaults to 50, override via `?limit=`.

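The sort order and the cursor pagination above, worked through as an added example (this is not the project's own implementation). It assumes a `VulnRow` record with the default columns, a hypothetical `fetch_page` endpoint, and constructed sample rows whose `CVE-EXAMPLE-*` ids are placeholders. The cursor is a keyset cursor carrying the full sort key of the last row on the page, which is what makes it stable when rows are added between requests.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity rank used for the primary sort (higher sorts first).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


@dataclass(frozen=True)
class VulnRow:                       # hypothetical row shape, assumption
    cve: str
    purl: str
    version: str
    severity: str
    epss: float                      # exploitability score in [0, 1]
    fix_version: Optional[str] = None


def sort_key(row: VulnRow) -> Tuple[int, float, str, str]:
    # severity desc, exploitability desc, PURL asc, CVE asc as the final tie-break
    return (-SEVERITY_RANK.get(row.severity, 0), -row.epss, row.purl, row.cve)


def sort_rows(rows: List[VulnRow]) -> List[VulnRow]:
    return sorted(rows, key=sort_key)


def encode_cursor(row: VulnRow) -> str:
    # The cursor carries the full sort key of the last row on the page (keyset
    # pagination), not an offset, so later insertions cannot shift the next page.
    payload = json.dumps(
        {"sev": SEVERITY_RANK.get(row.severity, 0), "epss": row.epss,
         "purl": row.purl, "cve": row.cve},
        sort_keys=True,
    )
    return base64.urlsafe_b64encode(payload.encode()).decode()


def decode_cursor(cursor: str) -> Tuple[int, float, str, str]:
    d = json.loads(base64.urlsafe_b64decode(cursor))
    return (-d["sev"], -d["epss"], d["purl"], d["cve"])


def fetch_page(rows: List[VulnRow], limit: int = 50,
               cursor: Optional[str] = None) -> Tuple[List[VulnRow], Optional[str]]:
    """Return one page in canonical order plus the cursor for the next page (None at the end)."""
    ordered = sort_rows(rows)
    if cursor is not None:
        after = decode_cursor(cursor)
        ordered = [r for r in ordered if sort_key(r) > after]
    items = ordered[:limit]
    next_cursor = encode_cursor(items[-1]) if len(ordered) > limit else None
    return items, next_cursor


# Constructed sample rows; the CVE ids are placeholders, not real advisories.
SAMPLE_ROWS = [
    VulnRow("CVE-EXAMPLE-0001", "pkg:npm/lodash@4.17.20", "4.17.20", "high", 0.90, "4.17.21"),
    VulnRow("CVE-EXAMPLE-0002", "pkg:npm/lodash@4.17.20", "4.17.20", "critical", 0.10, "4.17.21"),
    VulnRow("CVE-EXAMPLE-0003", "pkg:pypi/requests@2.25.0", "2.25.0", "high", 0.90),
    VulnRow("CVE-EXAMPLE-0004", "pkg:npm/express@4.17.1", "4.17.1", "high", 0.95, "4.18.0"),
    VulnRow("CVE-EXAMPLE-0005", "pkg:pypi/requests@2.25.0", "2.25.0", "low", 0.01),
]

if __name__ == "__main__":
    cursor = None
    while True:
        items, cursor = fetch_page(SAMPLE_ROWS, limit=2, cursor=cursor)
        print([r.cve for r in items])
        if cursor is None:
            break
```

Because the cursor encodes the sort key rather than a row offset, a page fetched with an old cursor returns the same rows even after a new critical finding lands at the top of the table; an offset cursor would silently skip or repeat a row.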
## Grouping & pivots

- Group by **package**, **CVE**, **image**, or **tenant**. Each group shows counts by severity and VEX disposition.
- “Why am I seeing this?” drawer explains grouping rules and shows upstream data sources for the group.
- Export follows the active grouping; NDJSON includes `group_key`, `items[]`, and overlay metadata.

## Filters

- **Severity**: critical/high/medium/low/none.
- **Exploitability**: KEV flag, EPSS bucket, exploit maturity.
- **Reachability**: reachable, conditionally reachable, unreachable, unknown.
- **VEX**: affected, not_affected, under_investigation, disputed, contested.
- **Fix availability**: has fix, no fix, downgrade available.
- **Policy verdict**: allow, review, deny, staged verdicts (simulator).
- **Staleness**: SBOM age, advisory feed age, VEX claim age.

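One added example serving both the grouping section and the filter section above: filter rows, group them by package with per-severity and per-VEX counts, and emit the grouped NDJSON export with the overlay metadata the imposed rule requires. This is illustration code, not the project's own exporter; the row dictionaries, the `OVERLAYS` layout, and the `CVE-EXAMPLE-*` ids are constructed assumptions.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
# Which row field each "group by" pivot keys on (assumed field names).
GROUP_FIELDS = {"package": "purl", "cve": "cve", "image": "image", "tenant": "tenant"}

# Constructed sample rows; CVE ids are placeholders, not real advisories.
ROWS = [
    {"cve": "CVE-EXAMPLE-0001", "purl": "pkg:npm/lodash@4.17.20", "image": "api:1.4", "tenant": "acme",
     "severity": "high", "kev": True, "reachability": "reachable", "vex_status": "affected", "fix_version": "4.17.21"},
    {"cve": "CVE-EXAMPLE-0002", "purl": "pkg:npm/lodash@4.17.20", "image": "api:1.4", "tenant": "acme",
     "severity": "critical", "kev": False, "reachability": "unreachable", "vex_status": "not_affected", "fix_version": "4.17.21"},
    {"cve": "CVE-EXAMPLE-0003", "purl": "pkg:pypi/requests@2.25.0", "image": "worker:2.0", "tenant": "acme",
     "severity": "high", "kev": False, "reachability": "reachable", "vex_status": "contested", "fix_version": None},
    {"cve": "CVE-EXAMPLE-0004", "purl": "pkg:npm/express@4.17.1", "image": "api:1.4", "tenant": "acme",
     "severity": "low", "kev": False, "reachability": "unknown", "vex_status": "under_investigation", "fix_version": "4.18.0"},
    {"cve": "CVE-EXAMPLE-0005", "purl": "pkg:pypi/requests@2.25.0", "image": "worker:2.0", "tenant": "acme",
     "severity": "medium", "kev": False, "reachability": "reachable", "vex_status": "affected", "fix_version": "2.31.0"},
]

# Overlay metadata every export carries (imposed rule); values and layout are constructed.
OVERLAYS = {
    "sources": {"sbom_digest": "sha256:EXAMPLE-DIGEST", "graph_cache_epoch": 42},
    "vex": {"epoch": 7},
    "policy": {"epoch": 3, "verdict_set": "prod"},
    "reachability": {"epoch": 5},
}


def apply_filters(rows: Iterable[Dict[str, Any]], **criteria: Any) -> List[Dict[str, Any]]:
    """Keep rows matching every criterion; a criterion is a set of accepted values or a scalar."""
    def accepts(row: Dict[str, Any]) -> bool:
        for field, wanted in criteria.items():
            value = row.get(field)
            if isinstance(wanted, (set, frozenset, list, tuple)):
                if value not in wanted:
                    return False
            elif value != wanted:
                return False
        return True
    return [r for r in rows if accepts(r)]


def group_rows(rows: Iterable[Dict[str, Any]], by: str) -> Dict[str, Dict[str, Any]]:
    """Group rows on one pivot and count severities and VEX dispositions per group."""
    field = GROUP_FIELDS[by]
    groups: Dict[str, Dict[str, Any]] = {}
    for r in rows:
        g = groups.setdefault(r[field], {"group_key": r[field], "by_severity": Counter(),
                                         "by_vex": Counter(), "items": []})
        g["by_severity"][r["severity"]] += 1
        g["by_vex"][r["vex_status"]] += 1
        g["items"].append(r)
    # Deterministic item order inside each group: severity desc, then CVE.
    for g in groups.values():
        g["items"].sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["cve"]))
    return groups


def export_records(groups: Dict[str, Dict[str, Any]], overlays: Dict[str, Any] = OVERLAYS) -> List[Dict[str, Any]]:
    """One record per group, in sorted group_key order, each carrying the overlay metadata."""
    return [
        {"group_key": key,
         "counts": {"severity": dict(groups[key]["by_severity"]), "vex": dict(groups[key]["by_vex"])},
         "items": groups[key]["items"],
         "overlays": overlays}
        for key in sorted(groups)
    ]


def export_ndjson(groups: Dict[str, Dict[str, Any]], overlays: Dict[str, Any] = OVERLAYS) -> str:
    # sort_keys + compact separators keep the export byte-stable across runs.
    return "".join(json.dumps(rec, sort_keys=True, separators=(",", ":")) + "\n"
                   for rec in export_records(groups, overlays))


if __name__ == "__main__":
    hot = apply_filters(ROWS, severity={"critical", "high"}, reachability={"reachable", "unknown"})
    print(export_ndjson(group_rows(hot, "package")), end="")
```

The overlay block is repeated on every NDJSON line rather than written once as a header, so a single line cut out of the file and pasted into a ticket still carries the SBOM digest and overlay epochs it was computed against.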
## Why drawer

- Provides a structured explanation showing: data sources (SBOM digest, overlay epochs), policy inputs, VEX claims contributing to the verdict, and reachability evidence. Includes correlation IDs for API traces.
- Always shows tenant and `graph_cache_epoch` to keep exports/audits reproducible.

## Fix suggestions

- Per-row “Fix” chip suggests the nearest patched version and its source (vendor vs upstream), plus a link to the remediation doc when the advisory provides one.
- Bulk fix export produces an actions file: `{purl, vuln, recommended_version, source, rationale}` with SHA-256 manifest.
- UI warns when fixes rely on contested VEX claims or stale advisories.

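The bulk fix export, as an added example rather than the project's own code: pick the nearest patched version per row, flag actions that rest on a contested VEX claim or a stale advisory, write the actions file, and produce (and verify) its SHA-256 manifest. The advisory and VEX claim shapes, the 30-day staleness threshold, the extra `warnings` and `remediation_url` fields on each action, the dotted-integer version comparison, and all sample values (placeholder CVE ids, dates, URL) are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # Plain dotted-integer comparison (assumption); real PURL ecosystems have their own schemes.
    return tuple(int(p) for p in v.split("."))


def nearest_fix(installed: str, fixed_versions: List[str]) -> Optional[str]:
    """Smallest fixed version strictly above the installed one, or None when no fix exists."""
    candidates = [f for f in fixed_versions if parse_version(f) > parse_version(installed)]
    return min(candidates, key=parse_version) if candidates else None


def build_action(row: Dict[str, Any], advisory: Dict[str, Any], vex_claims: List[Dict[str, Any]],
                 now: datetime, stale_after: timedelta = timedelta(days=30)) -> Dict[str, Any]:
    """One actions-file entry: {purl, vuln, recommended_version, source, rationale} plus warnings."""
    warnings: List[str] = []
    if any(c["cve"] == row["cve"] and c["purl"] == row["purl"] and c["status"] == "contested"
           for c in vex_claims):
        warnings.append("contested_vex_claim")
    if now - datetime.fromisoformat(advisory["updated"]) > stale_after:
        warnings.append("stale_advisory")
    fix = nearest_fix(row["version"], advisory["fixed_versions"])
    rationale = (f"nearest patched version above {row['version']} per {advisory['source']} advisory"
                 if fix else "no patched version published; mitigation or waiver needed")
    action = {"purl": row["purl"], "vuln": row["cve"], "recommended_version": fix,
              "source": advisory["source"], "rationale": rationale, "warnings": warnings}
    if advisory.get("remediation_url"):
        action["remediation_url"] = advisory["remediation_url"]
    return action


def export_actions(actions: List[Dict[str, Any]], filename: str = "fix-actions.ndjson") -> Tuple[str, Dict[str, Any]]:
    """Serialize actions as NDJSON and return the body with its SHA-256 manifest."""
    body = "".join(json.dumps(a, sort_keys=True, separators=(",", ":")) + "\n" for a in actions)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return body, {"file": filename, "sha256": digest, "entries": len(actions)}


def verify_actions(body: str, manifest: Dict[str, Any]) -> bool:
    """Recompute the digest before acting on a file that may have been edited in transit."""
    return (hashlib.sha256(body.encode("utf-8")).hexdigest() == manifest["sha256"]
            and body.count("\n") == manifest["entries"])


# Constructed sample data: placeholder CVE ids, dates and URL.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROWS = [
    {"cve": "CVE-EXAMPLE-0001", "purl": "pkg:npm/lodash@4.17.20", "version": "4.17.20"},
    {"cve": "CVE-EXAMPLE-0003", "purl": "pkg:pypi/requests@2.25.0", "version": "2.25.0"},
]
ADVISORIES = {
    "CVE-EXAMPLE-0001": {"source": "vendor", "fixed_versions": ["4.17.19", "4.17.21", "5.0.0"],
                         "updated": "2024-05-20T00:00:00+00:00",
                         "remediation_url": "https://example.invalid/remediation/0001"},
    "CVE-EXAMPLE-0003": {"source": "upstream", "fixed_versions": [],
                         "updated": "2024-01-05T00:00:00+00:00"},
}
VEX_CLAIMS = [{"cve": "CVE-EXAMPLE-0003", "purl": "pkg:pypi/requests@2.25.0", "status": "contested"}]


def bulk_fix_export(rows=ROWS, advisories=ADVISORIES, vex_claims=VEX_CLAIMS, now=NOW):
    actions = [build_action(r, advisories[r["cve"]], vex_claims, now) for r in rows]
    return export_actions(actions)


if __name__ == "__main__":
    body, manifest = bulk_fix_export()
    print(body, end="")
    print(json.dumps(manifest, indent=2))
```

The manifest also records the entry count, so a truncated file whose digest was recomputed by a careless tool still fails `verify_actions`; the warnings travel inside each action so that the "contested VEX" caveat survives into whatever ticketing system consumes the file.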
## Actions & triage

- Multi-select with bulk actions: create ticket, generate VEX waiver request, export SBOM diff, or open policy simulator with selected rows.
- Policy simulator opens with current overlays and generates a simulated verdict for the selection; results can be saved as a “staged policy” view.

## Accessibility

- Keyboard shortcuts: `g` to toggle grouping, `f` to focus filters, `w` to open Why drawer on selected row, `/` to focus search.
- Screen reader labels announce VEX and reachability state; focus order matches visual order; table rows support row headers.

## Air-gap posture

- All exports include overlays and cache epochs; offline bundles can be loaded via `Import view` to replay triage without network.
- No live CVE enrichment calls from the UI; it relies solely on backend-provided overlays.

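An added example of the check an `Import view` handler would run on an offline bundle before replaying triage: it refuses any view that lacks the tenant, `graph_cache_epoch`, SBOM digest, or one of the VEX, policy and reachability overlays with its epoch, which is the imposed rule enforced at import time. The bundle layout, the `validate_view_bundle`/`import_view` names and the sample values are constructed assumptions, not the project's format or code.

```python
from typing import Any, Dict, List

# Overlays the imposed rule requires on every shared or exported view.
REQUIRED_OVERLAYS = ("vex", "policy", "reachability")


def validate_view_bundle(bundle: Dict[str, Any]) -> List[str]:
    """Return the list of problems; an empty list means the view can be replayed offline."""
    problems: List[str] = []
    for key in ("tenant", "graph_cache_epoch"):
        if key not in bundle:
            problems.append(f"missing {key}")
    sources = bundle.get("sources") or {}
    if "sbom_digest" not in sources:
        problems.append("missing sources.sbom_digest")
    overlays = bundle.get("overlays") or {}
    for name in REQUIRED_OVERLAYS:
        overlay = overlays.get(name)
        if overlay is None:
            problems.append(f"missing overlay {name}")
        elif "epoch" not in overlay:
            problems.append(f"overlay {name} has no epoch")
    if not isinstance(bundle.get("rows"), list):
        problems.append("missing rows")
    return problems


def import_view(bundle: Dict[str, Any]) -> Dict[str, Any]:
    """Load a view for offline replay; raises instead of silently dropping context."""
    problems = validate_view_bundle(bundle)
    if problems:
        raise ValueError("refusing to import view: " + "; ".join(problems))
    # Replay uses only what the bundle carries; nothing here calls out to a CVE feed.
    return {
        "tenant": bundle["tenant"],
        "graph_cache_epoch": bundle["graph_cache_epoch"],
        "overlay_epochs": {name: bundle["overlays"][name]["epoch"] for name in REQUIRED_OVERLAYS},
        "row_count": len(bundle["rows"]),
    }


# Constructed sample bundle; digest, epochs and CVE id are placeholders.
SAMPLE_BUNDLE = {
    "tenant": "acme",
    "graph_cache_epoch": 42,
    "sources": {"sbom_digest": "sha256:EXAMPLE-DIGEST"},
    "overlays": {"vex": {"epoch": 7}, "policy": {"epoch": 3}, "reachability": {"epoch": 5}},
    "rows": [{"cve": "CVE-EXAMPLE-0001", "purl": "pkg:npm/lodash@4.17.20", "severity": "high"}],
}

if __name__ == "__main__":
    print(import_view(SAMPLE_BUNDLE))
```

Failing closed here matters more than it looks: a bundle missing the policy overlay would still render a plausible table, but every verdict column in it would be meaningless for the reader replaying it.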
## Related docs

- `docs/ui/sbom-graph-explorer.md`
- `docs/api/graph.md`
- `docs/api/vuln.md`
- `docs/modules/graph/architecture-index.md`