1. User Authentication Flow

Objective: Allow users to sign up, log in, and gain secure access to their personalized data.

• Step 1: User visits the application via HTTPS
  Users start by navigating to the Delve web interface.

• Step 2: User registers or logs in
  The user either signs up for a new account or logs in using their credentials.
  • The AWS Cognito service handles the user authentication, ensuring secure login.

• Step 3: Token Generation
  Upon successful authentication, AWS Cognito issues an access token to the user, which will be used for accessing resources associated with their account.

• Step 4: User gains access to the dashboard
  The user is granted access to their personal dashboard, where they can view and manage their files, vulnerability reports, and SBOM data.

2. File Upload and Processing Flow

Objective: Enable users to submit source code, containers, or SBOM files for vulnerability analysis and generate SBOMs.

• Step 1: User uploads a file (source code, container, or SBOM)
  • The user selects and uploads a file through the web interface.
  • The file is passed to the API hosted on the backend processing server (via Express).
• Step 2: Data processing on the backend
  • The backend processes the file using Syft (for SBOM generation) and Grype (for vulnerability scanning).
  • A DynamoDB entry is created with metadata about the file, including the vulnerabilities detected.
• Step 3: Output file and report creation
  • After processing, the output (SBOM file and/or vulnerability report) is saved to S3.
  • The user’s DynamoDB entry is updated with links to the results (SBOM file, report, etc.).
• Step 4: Notification of completion
  • The user receives a notification that their file has been processed and the results are ready.

3. Viewing and Downloading Results Flow

Objective: Allow users to retrieve and view processed results, such as vulnerability reports or SBOM files.

• Step 1: User navigates to the results page
  The user clicks on a link within their dashboard to view the results of their uploaded file.

• Step 2: User views vulnerability reports
  • The user is presented with a detailed vulnerability report that lists all detected issues within the software dependencies.
  • Each issue includes additional information like severity, description, and recommendations for fixing the vulnerability.
• Step 3: User downloads SBOM or report
  • If the user wants to download their SBOM file or vulnerability report, they can click on a download link.
  • The S3 bucket serves the requested file securely.

4. User Data Management Flow

Objective: Allow users to manage their files and vulnerabilities over time.

• Step 1: User uploads new or additional files
  The user uploads additional files for analysis or revisits previous results to check for updates.

• Step 2: User manages or deletes files
  • The user can choose to delete or archive older files and reports from their dashboard, ensuring they only have relevant data available.
  • Deleting files from the dashboard will remove entries from S3 and DynamoDB.
• Step 3: User accesses historical data
  The user can view historical reports and SBOMs at any time by navigating through their dashboard, which presents a timeline of previously uploaded files and generated reports.

5. Authentication and Authorization for File Access Flow

Objective: Ensure that users can only access their own files and data securely.

• Step 1: Authentication via AWS Cognito
  Users authenticate using AWS Cognito, which ensures they have proper credentials to access the application.

• Step 2: File access control using user-specific tokens
  When requesting files or data, the access token attached to the user’s session will be checked.
  • The token ensures the user can only retrieve their files stored in S3 and related entries in DynamoDB.
  • If the user attempts to access someone else’s data, the request will be denied with an error response.
• Step 3: Data Access on the Frontend
  Once the user has been authenticated, the frontend will request data from the DynamoDB database and S3, but only for the files associated with their user ID.

User Flow Diagram

To visualize these flows, here is a diagram that shows the interaction between the key components of the system:

These user flows provide a clear, step-by-step guide for users interacting with Delve. From signing up and uploading files to accessing processed reports and managing their data, Delve ensures a streamlined, secure, and efficient experience for managing software vulnerabilities.

For the initial testing phase of my project, I focused on setting up the necessary AWS infrastructure to process and parse application source code, while serving the results over an API.

I started by testing the infrastructure with Flask to ensure proper configuration, but have since migrated to a Node.js API for scalability and flexibility.

🖥️ Server Setup

The EC2 instance, which acts as both the Processing and API Server, has the following binaries installed:

• Syft — For generating SBOMs from source code, artifacts, and containers.
• Grype — For scanning SBOMs for known vulnerabilities.
• Delve — My custom vulnerability management interface.
• Node.js & NPM
  • pm2 — Process manager to keep the Node.js API running smoothly.
  • Express — Web framework to handle API requests.
  • dotenv — Securely managing environment variables.
  • path — Path utilities for file handling.

🚀 Initial Testing & Results

During this phase, I was able to successfully:

1. Communicate with the API hosted on AWS from my local machine.
2. Upload source code or dependencies for processing.
3. Retrieve the results from the API, including SBOMs and vulnerability reports.

This was a promising start, demonstrating that the infrastructure was working as expected and the API was responding correctly.

🔐 Next Steps: Adding Authentication

While the testing phase has been successful, the next step is to introduce authentication to the API. Specifically, each user should only be able to access and interact with the files they have personally processed.

My plan for this phase:

• Implement user authentication using AWS Cognito and JWT Bearer Tokens.
• Ensure file access control, allowing users to only retrieve files they uploaded or processed.

This will significantly enhance the security and usability of the API, allowing for safe, personalized access to the data.

💻 Early Implementation of the API

Below is an early implementation of the Node.js API for serving uploaded files:

const express = require("express");
const path = require("path");
const dotenv = require("dotenv");

dotenv.config();

const app = express();
const port = process.env.PORT || 3000;

// Directory for stored files
const FILES_DIR = path.join(__dirname, "files");

// Serve static files
app.use("/files", express.static(FILES_DIR));

// API to download a file
app.get("/download/:filename", (req, res) => {
    const filePath = path.join(FILES_DIR, req.params.filename);
    res.download(filePath, (err) => {
        if (err) {
            res.status(404).json({ error: "File not found" });
        }
    });
});

// Start the server
app.listen(port, () => {
    console.log(`File API running on port ${port}`);
});

For the next update, I’ll be looking into the authentication process and how I plan to enforce these security measures.

This diagram outlines the backend architecture of the Delve application, focusing on scalability, security, and ease of use.

High-Level Flow

1. User Access:
   • Users connect to the application over HTTPS, ensuring secure communication.
   • The traffic is first routed to an Elastic Load Balancer (ELB), which balances the workload across multiple instances to provide scalability.
2. Authentication:
   • Upon visiting the application, users will sign up or log in.
   • AWS Cognito will handle user authentication, validating their identity and issuing access tokens.
   • These access tokens are used to grant users access to their specific data and reports stored in the DynamoDB database.
3. Data Access & Retrieval:
   • When users request a specific report, the web server fetches the relevant data from DynamoDB.
   • For users requesting downloadable files (such as SBOMs or detailed reports), files are served directly from the S3 Bucket.
4. Data Submission & Processing:
   • Users can submit application source code, containers, or SBOMs to the platform.
   • These submissions are sent to the backend processing server through an Express API running on the server.
   • The user ID is passed along with the data to ensure proper association with their account.
5. Data Storage:
   • After the backend processes the user-submitted data (e.g., generating SBOMs and vulnerability reports), the resulting input and output files are saved in S3 for storage.
   • The DynamoDB database is updated with an entry containing metadata about the processed data, such as the generated SBOM and vulnerability report.
6. User Dashboard:
   • Users can access a comprehensive dashboard that displays the dependencies within their applications, helping them monitor and manage their software’s security.
   • The dashboard allows users to easily identify vulnerabilities, outdated components, and take necessary actions to maintain their applications.

🛠️ Core Objective

To empower developers with an easy-to-use tool that simplifies the process of identifying and managing vulnerabilities in their software stack.

📂 How It Works

Developers can upload any of the following:

• 📁 Raw Source Code
• 📦 Dependency Artifacts
• 🐳 Containers

Delve will then:

1. Generate a Software Bill of Materials (SBOM) using Syft — a powerful tool for extracting accurate package data from code, artifacts, and containers.
2. Scan for vulnerabilities using Grype, which cross-references known vulnerabilities against the SBOM.
3. Produce an actionable vulnerability report that highlights security risks in a clear, developer-friendly format.
4. Integrate findings into the Vulnerability Management Interface and store them in the platform’s database for ongoing tracking and remediation.

🚀 Why Delve?

• ✅ Automation-first — Reduces manual overhead in vulnerability tracking.
• ✅ Clear Reporting — Presents vulnerabilities in an easy-to-understand format.
• ✅ Unified Workflow — From SBOM generation to remediation, all in one platform.

Delve simplifies security so developers can focus on building, not fixing.