Feature/lab4#451

Open
ostxxp wants to merge 8 commits into inno-devops-labs:main from ostxxp:feature/lab4
Conversation

@ostxxp ostxxp commented Feb 24, 2026

Goal

Generate Software Bill of Materials (SBOM) and perform Software Composition Analysis (SCA) for the OWASP Juice Shop container image using Syft, Grype, and Trivy. Compare the specialized toolchain (Syft + Grype) with the all-in-one Trivy scanner to evaluate dependency detection accuracy, vulnerability coverage, and security analysis capabilities.

Changes

  • Generated SBOM using Syft (JSON and table formats)
  • Generated SBOM and package inventory using Trivy
  • Performed vulnerability scanning using Grype based on Syft SBOM
  • Performed vulnerability scanning using Trivy directly on container image
  • Extracted and analyzed vulnerability severity distribution
  • Compared package detection overlap between Syft and Trivy
  • Compared CVE detection overlap between Grype and Trivy
  • Created analysis reports in labs/lab4/analysis/
  • Created comparison reports in labs/lab4/comparison/
  • Created submission report labs/submission4.md documenting findings and toolchain comparison

Testing

  • Successfully executed Syft SBOM generation on bkimminich/juice-shop:v19.0.0
  • Successfully executed Grype vulnerability scan using generated SBOM
  • Successfully executed Trivy package and vulnerability scanning
  • Verified output files were generated correctly in labs/lab4/syft and labs/lab4/trivy
  • Verified analysis and comparison files were generated correctly
  • Confirmed all artifacts are readable and contain expected dependency and vulnerability data

Artifacts & Screenshots

Artifacts generated and included in this PR:

SBOM artifacts:

  • labs/lab4/syft/juice-shop-syft-native.json
  • labs/lab4/syft/juice-shop-syft-table.txt
  • labs/lab4/trivy/juice-shop-trivy-detailed.json
  • labs/lab4/trivy/juice-shop-trivy-table.txt

Vulnerability scan artifacts:

  • labs/lab4/syft/grype-vuln-results.json
  • labs/lab4/syft/grype-vuln-table.txt
  • labs/lab4/trivy/trivy-vuln-detailed.json

Analysis and comparison:

  • labs/lab4/analysis/sbom-analysis.txt
  • labs/lab4/analysis/vulnerability-analysis.txt
  • labs/lab4/comparison/accuracy-analysis.txt

Submission report:

  • labs/submission4.md

Checklist

  • Clear and descriptive title
  • Documentation updated if needed
  • No secrets or temporary files included
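The CVE-overlap and severity-distribution comparison described in this PR, as an added example that is not part of the submitted lab code. It assumes the documented JSON shapes of Grype (`matches[].vulnerability.id`, `.severity`, `matches[].artifact.name`) and Trivy (`Results[].Vulnerabilities[].VulnerabilityID`, `.PkgName`, `.Severity`); the embedded sample data is constructed with placeholder IDs.

```python
import json
from collections import Counter

# Constructed sample scanner output (placeholder IDs, not real advisories),
# shaped like Grype's and Trivy's JSON reports.
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "express", "version": "4.17.1"}},
    {"vulnerability": {"id": "GHSA-0000-0000-0000", "severity": "Critical"},
     "artifact": {"name": "jsonwebtoken", "version": "0.4.0"}},
]}
TRIVY_SAMPLE = {"Results": [
    {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "express", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "minimist", "Severity": "LOW"},
    ]},
    # Trivy omits "Vulnerabilities" entirely for a clean target; must not crash on it.
    {"Target": "juice-shop (alpine)", "Class": "os-pkgs"},
]}

def grype_findings(doc):
    """Map vulnerability ID -> (SEVERITY, package) from a Grype JSON document."""
    return {m["vulnerability"]["id"]: (m["vulnerability"]["severity"].upper(),
                                        m["artifact"]["name"])
            for m in doc.get("matches") or []}

def trivy_findings(doc):
    """Map vulnerability ID -> (SEVERITY, package) from a Trivy JSON document."""
    return {v["VulnerabilityID"]: (v.get("Severity", "UNKNOWN").upper(), v["PkgName"])
            for r in doc.get("Results") or [] for v in r.get("Vulnerabilities") or []}

def compare(grype, trivy):
    """Overlap, tool-only sets, severity disagreements and per-tool severity counts.
    The same finding may carry a GHSA id in one tool and a CVE id in the other, so
    check the 'only' lists for aliases before reading them as coverage gaps."""
    g, t = set(grype), set(trivy)
    both = g & t
    return {
        "both": sorted(both),
        "grype_only": sorted(g - t),
        "trivy_only": sorted(t - g),
        "severity_disagreements": sorted(i for i in both if grype[i][0] != trivy[i][0]),
        "grype_severity": dict(Counter(s for s, _ in grype.values())),
        "trivy_severity": dict(Counter(s for s, _ in trivy.values())),
    }

if __name__ == "__main__":
    print(json.dumps(compare(grype_findings(GRYPE_SAMPLE), trivy_findings(TRIVY_SAMPLE)), indent=2))
```

To run it against this PR's artifacts, replace the samples with `json.load()` of labs/lab4/syft/grype-vuln-results.json and labs/lab4/trivy/trivy-vuln-detailed.json.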
