docs(lab4): Lab 04 submission - SBOM generation and SCA comparison #453

Open
3llimi wants to merge 18 commits into inno-devops-labs:main from 3llimi:feature/lab4

Conversation


@3llimi 3llimi commented Feb 24, 2026

Goal

Complete Lab 4 — SBOM Generation & Software Composition Analysis for OWASP Juice Shop bkimminich/juice-shop:v19.0.0. Generate SBOMs using Syft and Trivy, perform vulnerability scanning with Grype and Trivy, and produce a comprehensive toolchain comparison across package detection, vulnerability coverage, license analysis, and secrets scanning.

Changes

  • labs/submission4.md — full lab report covering all 3 tasks
  • labs/lab4/syft/juice-shop-syft-native.json — Syft SBOM in native JSON format (3.6 MB, 1,001 packages)
  • labs/lab4/syft/juice-shop-syft-table.txt — Syft human-readable package table
  • labs/lab4/syft/grype-vuln-results.json — Grype vulnerability scan results (117 findings)
  • labs/lab4/syft/grype-vuln-table.txt — Grype human-readable vulnerability table
  • labs/lab4/trivy/juice-shop-trivy-detailed.json — Trivy full scan JSON (116 findings)
  • labs/lab4/trivy/juice-shop-trivy-table.txt — Trivy human-readable table
  • labs/lab4/trivy/trivy-secrets.txt — Trivy secrets scan (2 findings: RSA private key + JWT token)
  • labs/lab4/trivy/trivy-licenses.json — Trivy license scan (28 unique license types)
  • labs/lab4/analysis/sbom-analysis.txt — Package and license count analysis
  • labs/lab4/analysis/vulnerability-analysis.txt — Vulnerability severity breakdown
  • labs/lab4/comparison/accuracy-analysis.txt — Package and CVE overlap comparison
  • labs/lab4/comparison/grype-cves.txt — Grype unique CVE list (90 IDs)
  • labs/lab4/comparison/trivy-cves.txt — Trivy unique CVE list (88 IDs)
  • labs/lab4/comparison/syft-packages.txt — Syft package list for diff
  • labs/lab4/comparison/trivy-packages.txt — Trivy package list for diff

Testing

  • Verified all SBOM files generated successfully with Get-Item and file size checks
  • Confirmed package counts via PowerShell and jq queries against generated JSON files
  • Validated vulnerability results by parsing grype-vuln-results.json and juice-shop-trivy-detailed.json with ConvertFrom-Json
  • Cross-referenced CVE overlap using PowerShell set comparison (-contains) on extracted ID lists
  • Confirmed secrets scan output by reading trivy-secrets.txt
  • Verified analysis files populated correctly with Get-Content

Artifacts & Screenshots

  • Grype found 117 vulnerabilities (11 Critical, 60 High, 31 Medium, 3 Low, 12 Negligible)
  • Trivy found 116 vulnerabilities (10 Critical, 55 High, 33 Medium, 18 Low)
  • Only 26 CVEs in common between tools (~17% overlap) — confirming complementary database coverage
  • Trivy secrets scan found 2 hardcoded secrets: RSA private key in lib/insecurity.ts and JWT token in test spec
  • Syft detected 1,001 packages (990 npm, 10 deb, 1 binary); Trivy detected 997 packages
  • 988 packages in common between tools; divergence caused by Debian version string formatting differences

Checklist

  • PR title is clear and descriptive
  • Documentation updated if needed
  • No secrets or large temporary files committed
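The cross-tool comparison the PR body describes (severity breakdown per scanner, then the common and tool-specific CVE sets and their overlap), as an added example that is not code from the submission, which used PowerShell and jq. It runs on constructed Grype-style and Trivy-style JSON documents; the field paths `matches[].vulnerability.{id,severity}` and `Results[].Vulnerabilities[].{VulnerabilityID,Severity}` are the real output schemas of those tools, while the vulnerability ids and counts are made up.

```python
import json
from collections import Counter

# Constructed sample documents, trimmed to the fields used below.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "High"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "High"}},  # same CVE, 2nd package
    {"vulnerability": {"id": "GHSA-xxxx-yyyy-zzzz", "severity": "Negligible"}},
]})
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "Node.js", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2023-0003", "Severity": "LOW"},
    ]},
    {"Target": "debian", "Vulnerabilities": None},  # Trivy emits null for an empty target
]})

def load_samples():
    return json.loads(GRYPE_JSON), json.loads(TRIVY_JSON)

def grype_findings(doc):
    """(id, severity) per match; one CVE may appear once per affected package."""
    return [(m["vulnerability"]["id"], m["vulnerability"]["severity"].title())
            for m in doc.get("matches", [])]

def trivy_findings(doc):
    """(id, severity) per finding across all scan targets; severities normalised to Title case."""
    return [(v["VulnerabilityID"], v["Severity"].title())
            for result in doc.get("Results", [])
            for v in (result.get("Vulnerabilities") or [])]

def severity_breakdown(findings):
    """Counts every finding, so a CVE hitting two packages counts twice (as the tools' own totals do)."""
    return dict(Counter(sev for _, sev in findings))

def compare(grype_doc, trivy_doc):
    """Set comparison on unique ids; overlap is the common set as a share of the union."""
    g = {vid for vid, _ in grype_findings(grype_doc)}
    t = {vid for vid, _ in trivy_findings(trivy_doc)}
    common, union = g & t, g | t
    return {"grype_unique": len(g), "trivy_unique": len(t),
            "common": sorted(common), "grype_only": sorted(g - t), "trivy_only": sorted(t - g),
            "overlap_pct": round(100 * len(common) / len(union), 1) if union else 0.0}

if __name__ == "__main__":
    gd, td = load_samples()
    print(severity_breakdown(grype_findings(gd)), severity_breakdown(trivy_findings(td)))
    print(json.dumps(compare(gd, td), indent=2))
```

Ids are compared verbatim, so a flaw that one scanner reports under a GHSA id and the other under a CVE id shows up as a divergence; checking for that before reading a low overlap figure as database-coverage difference is worthwhile.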

@3llimi 3llimi changed the title docs: Lab4 submission - SBOM generation and SCA comparison docs(lab4): Lab 04 submission - SBOM generation and SCA comparison Feb 24, 2026