git.stella-ops.org/docs/features/checked/scanner/exploit-path-grouping-service.md

# Exploit Path Grouping Service (Attack Chain Triage)

## Module
Scanner

## Status
VERIFIED

## Description
Groups vulnerability findings into exploit paths based on (artifact, package, vulnerable symbol, entry point) tuples with deterministic SHA-256 path IDs. Correlates reachability evidence, VEX status, and active exceptions per path. Falls back to package-level grouping when no reachability data is available. Sorted by aggregated risk score.

## Implementation Details
- **Core Service**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs` - Interface for exploit path grouping
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs` - Exploit path model with deterministic SHA-256 path IDs
- **API Integration**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs` - Triage inbox with exploit path grouping
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/ProofBundleEndpoints.cs` - Proof bundle endpoints including exploit path summaries (`ExploitPathSummary`)

## E2E Test Plan
- [ ] Scan an image with multiple vulnerabilities sharing the same entry point and verify they are grouped into a single exploit path
- [ ] Verify exploit path IDs are deterministic SHA-256 hashes of (artifact, package, vulnerable symbol, entry point) tuples
- [ ] Verify each exploit path correlates reachability evidence, VEX status, and active exceptions
- [ ] Verify fallback to package-level grouping when no reachability data is available
- [ ] Verify exploit paths are sorted by aggregated risk score (highest first)
- [ ] Query the triage inbox via API and verify grouped findings are returned

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |