OSERA Risk Navigator

About OSERA: Risk Navigator prioritizes software supply-chain remediation work.

The prototype combines open vulnerability intelligence, dependency inventory, and upgrade-path analysis into a static viewer that can be cloned, rebuilt, and served without a backend.

What is included

  • A static single-file viewer at tool/risk-navigator.html.
  • A reproducible sample dataset at data/finos-sample-platform.json.
  • A second SBOM-derived demo dataset at data/finos-sbom-demo.json.
  • A larger public FINOS org snapshot at data/finos-github-org.json.
  • Python pipeline scripts under scripts/.
  • Validation tests under tests/.
  • The authoritative build contract in SPEC.md.
  • Data shape and pipeline documentation in Data Pipeline and Formats.

SPEC.md is the source of truth for requirements. The docs site summarizes and operationalizes that contract; spec changes should update the relevant docs page in the same change.

Try it from the docs site

The published Docusaurus site includes the interactive viewer and sample datasets:

https://risknav.osera.finos.org/tools/risk-navigator.html

On local and custom-domain deployments the same viewer is served from /tools/risk-navigator.html. On the GitHub Pages project site, the repository base path /risk-navigator/ is part of the URL.

Use the dataset selector to explore the OSERA curated sample, the FINOS SBOM scan demo, or the larger FINOS GitHub org snapshot directly in the browser.

Core workflows

  1. Build or load a scope dataset.
  2. Filter by severity, exploitability, project group, namespace, and dependency type.
  3. Review prioritized upgrade, backpatch, amplifier, and framework actions.
  4. Add Maven direct dependencies to the OpenRewrite cart.
  5. Export YAML or generate impact-analysis prompts.

Data pipeline

See Data Pipeline and Formats for the viewer JSON contract, raw CSV inputs, CycloneDX SBOM import path, and how the bundled sample datasets are produced.

Local start

# JavaScript toolchain for the docs site and viewer
npm install
# isolated Python environment for the pipeline scripts under scripts/
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements-dev.txt
# build the viewer and the OSERA curated sample dataset
npm run build:all
# build the SBOM-derived demo dataset
npm run build:all:finos-sbom-demo
# build the larger FINOS GitHub org snapshot (full OSV variant)
npm run build:all:finos-org:full-osv
# serve the docs site locally
npm run dev

Open the tool at http://127.0.0.1:5173/tool/risk-navigator.html.