1.9 KiB
1.9 KiB
Version Comparison Explainability UX ("Why Fixed/Vulnerable" Popover)
Module
Scanner
Status
VERIFIED
Description
UI explainability for distro version comparisons: "Compared With" badge showing which comparator (RPM EVR, dpkg, APK, SemVer) was used, and "Why Fixed/Vulnerable" popover showing step-by-step comparison proof lines (epoch, upstream, revision). Version comparators emit human-readable proof lines showing each comparison step.
Implementation Details
- Version Comparison Evidence:
src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs-VersionComparisonEvidencemodel capturing step-by-step comparison proof lines (epoch, upstream, revision) with the comparator type used
- Service Version Comparer:
src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceVersionComparer.cs-ServiceVersionComparercomparing service versions with proof line emission
E2E Test Plan
- Compare an RPM package version and verify the "Compared With" badge shows "RPM EVR" as the comparator
- Verify the "Why Fixed" popover shows step-by-step comparison proof: epoch comparison, upstream version comparison, and release/revision comparison
- Compare a dpkg package version and verify epoch, upstream-version, and debian-revision are shown separately in proof lines
- Compare an APK package version and verify the Alpine-specific version comparison rules are applied and explained
- Verify SemVer comparisons show major.minor.patch breakdown with clear fixed/vulnerable reasoning
- Verify proof lines are human-readable and explain why the installed version is fixed or vulnerable relative to the advisory range
Verification
| Check | Result |
|---|---|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |