This project is a Quarkus + React web application implemented to interact with ExploitIQ service for sending requests to evaluate vulnerabilities on specific SBOMs.
For product documentation and deeper context, see the Exploit Intelligence documentation.
Check this other documents for:
- Configuration
- Development
- Tests — REST
@QuarkusTestnotes and CI test image for pipelines
On the Home page, you will find a central dashboard designed to manage your exploitability analysis workflow and monitor recent system performance.
Get Started with ExploitIQ
In this section, you will find quick-access links to the core functions of the application: Request Analysis, View Reports, and Learn More.
Last Week Metrics
In this section, you will find a summary of system performance from the past seven days.
The Request Analysis dialog lets you choose an input type with SBOM or Single Repository, then enter a CVE ID to analyze.
- SBOM: Upload a JSON SBOM file. Supported formats: SPDX 2.3 and CycloneDX 1.6 JSON.
- Single Repository: Provide a source repository URL and a commit ID instead of an SBOM file.
For private repositories, enable Private repository and enter an Authentication secret (SSH private key or Personal Access Token; the form auto-detects the type).
The user name will be automatically added as a metadata parameter.
Once you have filled in the required fields for your chosen mode (SBOM file or repository and commit) and the CVE ID, you will be able to submit the request
After submitting the request, you will be redirected to the Report page. Once the analysis is complete, you will find a detailed report featuring the Agent's results for your request along with additional data insights.
- Direct Links: You will find that the Repository Name links directly to the git repository, while the Commit ID links to the specific commit used in the analysis.
Note: There is a configurable pool of concurrent requests. Any request that is submitted when the pool is full will be queued. If after a certain time a callback response is not received, the report will be expired (failed).
By clicking on the CVE link:
you will navigate to the CVE Details page where you can find details about a specific CVE.
The Reports area is split into two tabs: SBOMs and Single Repositories. Use the tab that matches how the analysis was submitted to browse, sort, filter, and open results for each report type.
Report Organization: Each row represents a report for that tab’s context (SBOM-based products or single-repository analyses), which may reflect one component or many depending on the original request.
You will be able to sort, filter, and organize the reports table to quickly locate specific data.
After clicking a ID link, you will find one of two views depending on the request type:
-
Single Component: You will be taken directly to the detailed report page as described above.
-
Multiple Components: You will be directed to an SBOM overview page that provides a high-level summary of results across all components.
On this page, you will find:
-
Report Details: You will see general information about the report, including overview statuses such as Repository Analysis Distribution and a CVE Status Summary, which provide high-level data on the SBOM and its associated CVEs. When there are excluded components, the Excluded components field links to a dedicated page that lists component name, package URL, and error for each item that was left out of analysis.
-
Component Table: Below the summary data, you will find a table listing all components included in the SBOM:
You will be able to sort, filter, and organize the reports to quickly locate specific data.
- ID link: Finally, By clicking the ID link, you will be taken to the detailed report page for that specific repository, the same page you would access directly for a single-component SBOM.
A blue Download button is available on the repository report page, providing access to download either the VEX (Vulnerability Exploitability eXchange) data or the complete report as JSON files. The VEX option is only available when the component is in a vulnerable status and is automatically disabled otherwise.
The flowchart below is a high-level map of what happens after you submit an analysis request. It is meant for operators, integrators, and anyone tracing why a report ended up queued, sent, failed, excluded, or in a given finding state.
The diagram is rendered here for GitHub readers. To iterate on layout or wording, edit docs/analysis-pipeline-workflow.mmd and paste the updated flowchart (and %%{init: ...}%% line if present) into the block below.
%%{init: {"htmlLabels": true}}%%
flowchart TB
classDef error fill:#fecaca,stroke:#b91c1c,stroke-width:2px,color:#450a0a
classDef timeout fill:#fde68a,stroke:#b45309,stroke-width:2px,color:#78350f
classDef terminal fill:#e5e7eb,stroke:#374151,stroke-width:2px,color:#111827
classDef progress fill:#dbeafe,stroke:#1d4ed8,stroke-width:2px,color:#1e3a8a
classDef ok fill:#bbf7d0,stroke:#15803d,stroke-width:2px,color:#14532d
classDef caption fill:#f8fafc,stroke:#94a3b8,stroke-width:1px,color:#334155
HEADER["<b>Exploit Intelligence -<br/>Analysis Pipeline</b>"]
class HEADER caption
START([User request analysis])
SPLIT([Which flow? <br/>CVE ID + SPDX SBOM = Product <br/>CVE ID + Repository URL & Commit ID / CycloneDX SBOM = Single component<br/>])
subgraph PRODUCT["<b>Path A — Product (multi-component)</b>"]
direction TB
P_PARSE[Parse product — parsing level]
P_PARSE_ERR[[Parsing failed<br/>no preprocessing, no agent<br/>analysis state: error]]
P_OK[Parse OK → create product<br/>user navigates to product page]
subgraph PER_COMP[" "]
direction TB
PER_CAPTION["For each component in array — async, parallel.<br/>Each component supplies an image only."]
SYFT[Syft → CycloneDX JSON]
SYFT_FAIL[[Syft failed<br/>submission failure / excluded]]
CYCLONE_VAL["Parse & validate CycloneDX<br/>from Syft output"]
CYCLONE_FAIL[[CycloneDX parse / validation failed<br/>submission failure / excluded]]
TO_AGENT["Save report & submit for analysis<br/>Morpheus queue"]
PER_CAPTION --> SYFT
end
P_PARSE -->|success| P_OK
P_PARSE -->|failed| P_PARSE_ERR
P_OK --> PER_CAPTION
SYFT -->|success| CYCLONE_VAL
SYFT -->|failed| SYFT_FAIL
CYCLONE_VAL -->|success| TO_AGENT
CYCLONE_VAL -->|failed| CYCLONE_FAIL
end
subgraph SINGLE["<b>Path B — Single component</b><br/>(repository / CycloneDX)"]
direction TB
SC_START[Single-component intake<br/>skips product & per-image Syft path]
SC_CYCLONE["Parse & validate CycloneDX<br/>uploaded SBOM"]
SC_CYCLONE_ERR[[CycloneDX parse failed<br/>immediate error to client]]
end
subgraph AGENT["<b>Shared — Submit & agent pipeline</b><br/>(RequestQueueService → Morpheus)"]
direction TB
QUEUE_GATE["Is queue full?<br/>active reports >= max active"]
PEND_CAP[Pending queue<br/>below max size?]
QUEUED[Queued<br/>Finding: in progress]
A_Q_OVERFLOW[[Queue exceeded<br/>Finding: Failed]]
A_SENT[Sent to agent<br/>State: sent<br/>Finding: in progress]
A_CLONE_FAIL[[Clone failed<br/>State: excluded<br/>Finding: Failed]]
A_T1[[Timeout<br/>State: expired<br/>Finding: Failed]]
A_ANAL[Agent analysis<br/>Finding: in progress<br/>many internal steps…]
A_STEP_FAIL[[Any analysis step failed<br/>State: completed<br/>Finding: Uncertain]]
A_T2[[Timeout<br/>State: expired<br/>Finding: Failed]]
A_DONE[Completed<br/>State: completed]
A_RESULT{Vulnerability conclusion}
A_VULN([Finding: Vulnerable])
A_SAFE([Finding: Not vulnerable])
A_UNCERT([Finding: Uncertain])
end
HEADER --> START
START --> SPLIT
SPLIT -->|product| P_PARSE
SPLIT -->|single component| SC_START
SC_START --> SC_CYCLONE
SC_CYCLONE -->|success| QUEUE_GATE
SC_CYCLONE -->|failed| SC_CYCLONE_ERR
TO_AGENT --> QUEUE_GATE
QUEUE_GATE -->|no| A_SENT
QUEUE_GATE -->|yes| PEND_CAP
PEND_CAP -->|yes| QUEUED
PEND_CAP -->|no| A_Q_OVERFLOW
QUEUED -->|capacity available| A_SENT
A_SENT -->|success| A_ANAL
A_SENT -->|clone failed| A_CLONE_FAIL
A_SENT -->|timeout| A_T1
A_ANAL -->|all steps OK| A_DONE
A_ANAL -->|timeout| A_T2
A_ANAL -->|step failure| A_STEP_FAIL
A_DONE --> A_RESULT
A_RESULT --> A_VULN & A_SAFE & A_UNCERT
class P_PARSE_ERR,SYFT_FAIL,CYCLONE_FAIL,SC_CYCLONE_ERR,A_CLONE_FAIL,A_STEP_FAIL,A_Q_OVERFLOW error
class A_T1,A_T2 timeout
class A_VULN,A_SAFE,A_UNCERT terminal
class QUEUE_GATE,PEND_CAP,QUEUED,A_SENT,A_ANAL,A_RESULT progress
class P_OK,A_DONE,TO_AGENT ok
class PER_CAPTION caption