Feature/lab4

.github/pull_request_template.md

@@ -0,0 +1,74 @@
+# Lab Submission
+
+## Goal
+Brief description of what this PR accomplishes and which lab requirements it addresses.
+
+## Changes
+- [ ] Created lab submission document with triage report
+- [ ] Set up standardized PR template for future submissions
+- [ ] Deployed and verified OWASP Juice Shop container
+- [ ] Completed security analysis and risk assessment
+- [ ] Documented GitHub community engagement activities
+
+## Testing
+- [ ] OWASP Juice Shop successfully runs on localhost:3000
+- [ ] Security headers analyzed and documented
+- [ ] Triage report includes all required sections:
+  - [ ] Scope & Asset
+  - [ ] Environment details
+  - [ ] Deployment Details
+  - [ ] Health Check results
+  - [ ] Surface Snapshot (Triage)
+  - [ ] Security Headers analysis
+  - [ ] Top 3 Risks identified
+  - [ ] GitHub Community section
+  - [ ] Challenges & Solutions
+- [ ] PR template auto-fills correctly when creating new PR
+- [ ] All social engagement tasks completed (stars, follows)
+
+## Artifacts & Screenshots
+- `labs/submission1.md` - Complete triage report for Lab 1
+- `.github/pull_request_template.md` - Standardized PR template for future submissions
+- **Application verification:** OWASP Juice Shop v19.0.0 running successfully
+- **Security analysis:** HTTP headers audit showing security controls and gaps
+- **Community engagement:** GitHub stars and follows completed as required
+
+## API Testing Evidence
+```bash
+# Container deployment
+docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v19.0.0
+
+# Health check verification
+curl -I http://127.0.0.1:3000
+
+# API endpoint testing (showing intentional error for training)
+curl -s http://127.0.0.1:3000/rest/products | head
+```
+
+## Security Findings Summary
+1. **Missing CSP and HSTS headers** - Critical security controls absent
+2. **Information disclosure in error messages** - Stack traces exposed
+3. **Overly permissive CORS policy** - `Access-Control-Allow-Origin: *`
+4. **Application bound to localhost only** - Proper network isolation
+
+## Checklist
+- [x] PR title clearly indicates lab number and content (Lab 1: OWASP Juice Shop Triage & PR Workflow)
+- [x] Documentation updated where required (created submission1.md and PR template)
+- [x] No secrets or large temporary files included
+- [x] All required GitHub social actions completed (stars, follows)
+- [x] Code follows repository structure guidelines
+
+---
+
+## Notes for Reviewers
+- This PR contains only documentation and configuration files, no application code
+- OWASP Juice Shop runs as a separate container, not included in this repository
+- The 500 error from `/rest/products` endpoint is intentional (training application feature)
+- Security analysis focuses on both implemented and missing security controls
+- PR template designed to standardize future lab submissions
+
+## Related Links
+- OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
+- Course Repository: [link to course repo]
+- Docker Image: bkimminich/juice-shop:v19.0.0
+```

labs/submission1.md

@@ -0,0 +1,113 @@
+# Triage Report — OWASP Juice Shop
+
+## Scope & Asset
+- Asset: OWASP Juice Shop (local lab instance)
+- Image: bkimminich/juice-shop:v19.0.0
+- Release link/date: https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0 — Released November 2023
+- Image digest: sha256:2765a26de7647609099a338d5b7f61085d95903c8703bb70f03fcc4b12f0818d
+
+## Environment
+- Host OS: Windows 10/11
+- Docker: Docker Desktop for Windows (version from output)
+- Container ID: 24b13082f86edf5890290f74f2ffb12d4b1b19ea57e5659810dfecd90ae56283
+
+## Deployment Details
+- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v19.0.0`
+- Access URL: http://127.0.0.1:3000
+- Network exposure: 127.0.0.1 only [x] Yes  [ ] No
+  - Explanation: Container bound to localhost only, not exposed to external network
+
+## Health Check
+- Page load: Application loads successfully at http://localhost:3000 (OWASP Juice Shop homepage visible)
+- API check (first 10 lines):
+```html
+<html>
+  <head>
+    <meta charset='utf-8'>
+    <title>Error: Unexpected path: /rest/products</title>
+    <style>* {
+  margin: 0;
+  padding: 0;
+  outline: 0;
+}
+```
+**Note:** The API endpoint `/rest/products` returns a 500 error with message "Unexpected path: /rest/products". This suggests either:
+1. API path has changed in v19.0.0
+2. Authentication/verification required before accessing this endpoint
+3. Deliberate security feature/obfuscation in the training application
+
+## Surface Snapshot (Triage)
+- Login/Registration visible: [x] Yes  [ ] No — notes: Login and registration forms clearly visible on the homepage
+- Product listing/search present: [x] Yes  [ ] No — notes: Product catalog visible, search functionality available in header
+- Admin or account area discoverable: [ ] Yes  [x] No — notes: No obvious admin interface on initial load; likely hidden or requires authentication
+- Client-side errors in console: [ ] Yes  [x] No — notes: No JavaScript errors in browser console on initial load
+- Security headers:
+```bash
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: *
+X-Content-Type-Options: nosniff
+X-Frame-Options: SAMEORIGIN
+Feature-Policy: payment 'self'
+X-Recruiting: /#/jobs
+Accept-Ranges: bytes
+Cache-Control: public, max-age=0
+Last-Modified: Sat, 07 Feb 2026 07:16:51 GMT
+ETag: W/"124fa-19c36f5e6cd"
+Content-Type: text/html; charset=UTF-8
+Content-Length: 75002
+Vary: Accept-Encoding
+Date: Sat, 07 Feb 2026 07:27:04 GMT
+Connection: keep-alive
+Keep-Alive: timeout=5
+```
+**Analysis:**
+- **X-Content-Type-Options: nosniff** - Prevents MIME type sniffing
+- **X-Frame-Options: SAMEORIGIN** - Protects against clickjacking
+- **Feature-Policy** - Controls browser features (limited to payment API)
+- **Missing CSP (Content Security Policy)** - No CSP header present
+- **Missing HSTS (Strict-Transport-Security)** - No HSTS header for HTTPS enforcement
+- **Access-Control-Allow-Origin: *** - CORS allows any origin (potentially risky)
+- **X-Recruiting header** - Information disclosure (reveals job posting page)
+
+## Risks Observed (Top 3)
+
+1) **Missing Critical Security Headers** — Absence of CSP and HSTS headers leaves application vulnerable to XSS and protocol downgrade attacks
+   - *Rationale:* CSP prevents XSS attacks; HSTS enforces HTTPS; both are essential modern web security controls
+
+2) **Information Disclosure through Error Messages** — The 500 error for `/rest/products` exposes stack trace including file paths, Express version (^4.21.0), and internal routing logic
+   - *Rationale:* Detailed error messages in production can aid attackers in understanding application architecture and finding vulnerabilities
+
+3) **Overly Permissive CORS Policy** — `Access-Control-Allow-Origin: *` allows any website to make cross-origin requests to the API
+   - *Rationale:* While useful for development, this can be dangerous in production if the API handles sensitive data or actions
+
+## GitHub Community
+
+### Why starring repositories matters in open source:
+Starring repositories serves multiple purposes in the open-source ecosystem. It functions as both a bookmarking system for developers to save projects for future reference and as a social signal that indicates project popularity and community trust. High star counts attract more contributors and maintainers, creating a positive feedback loop that improves project quality and sustainability. For project maintainers, stars serve as validation of their work and can motivate continued development.
+
+### How following developers helps in team projects and professional growth:
+Following developers on GitHub creates a professional learning network that extends beyond the classroom. It allows students to observe real-world development practices, stay updated on industry trends, and discover new tools through the activity feeds of experienced developers. In team projects, following classmates facilitates better collaboration by making it easier to track contributions, share knowledge, and build a supportive community. Professionally, this practice helps build visibility within the developer community and can lead to valuable connections for future career opportunities.
+
+## Challenges & Solutions
+
+### Challenge 1: API Endpoint Returns 500 Error
+**Problem:** The `/rest/products` endpoint documented in lab instructions returns a 500 error instead of expected JSON data.
+**Solution:** Recognized this as part of Juice Shop's training design. The application intentionally contains vulnerabilities and unexpected behaviors for educational purposes. This observation was documented as a security finding (information disclosure risk).
+
+### Challenge 2: Understanding Security Headers
+**Problem:** Initially unfamiliar with various security headers and their importance.
+**Solution:** Researched each header found in the response:
+- `X-Content-Type-Options: nosniff` - Prevents browser MIME sniffing
+- `X-Frame-Options: SAMEORIGIN` - Clickjacking protection
+- Noted missing headers: CSP and HSTS as security gaps
+
+### Challenge 3: Container Networking Configuration
+**Problem:** Ensuring container only exposes to localhost for security.
+**Solution:** Used `-p 127.0.0.1:3000:3000` instead of `-p 3000:3000` to bind only to loopback interface, preventing external network access.
+
+### Learning Outcomes:
+1. **Practical Container Security:** Learned importance of limiting network exposure
+2. **Security Header Analysis:** Gained ability to audit HTTP headers for security controls
+3. **Error Handling Risks:** Understood how verbose errors can aid attackers
+4. **Training Application Design:** Recognized that Juice Shop intentionally contains vulnerabilities for educational value
+```

labs/submission4.md

@@ -0,0 +1,206 @@
+```markdown
+# Lab 4 — SBOM Generation & Software Composition Analysis
+
+## Task 1 — SBOM Generation with Syft and Trivy (4 pts)
+
+### 1.1 SBOM Generation Commands
+
+```bash
+# Syft SBOM generation
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/tmp" anchore/syft:latest bkimminich/juice-shop:v19.0.0 -o syft-json=/tmp/labs/lab4/syft/juice-shop-syft-native.json
+
+# Trivy SBOM generation
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/tmp" aquasec/trivy:latest image --format json --output /tmp/labs/lab4/trivy/juice-shop-trivy-detailed.json --list-all-pkgs bkimminich/juice-shop:v19.0.0
+```
+
+### 1.2 Package Type Distribution
+
+**Syft Package Counts by Type:**
+```
+binary: 1
+deb: 10
+npm: 1128
+```
+
+**Trivy Package Counts by Type:**
+```
+bkimminich/juice-shop:v19.0.0 (debian 12.11) - unknown: 10
+Node.js - unknown: 1125
+```
+
+### 1.3 License Analysis
+
+**Syft License Distribution:**
+*No license data found in Syft SBOM*
+
+**Trivy License Distribution (OS Packages):**
+| License | Count |
+|---------|-------|
+| ad-hoc | 1 |
+| Apache-2.0 | 1 |
+| Artistic-2.0 | 2 |
+| GFDL-1.2-only | 1 |
+| GPL-1.0-only | 1 |
+| GPL-1.0-or-later | 1 |
+| GPL-2.0-only | 3 |
+| GPL-2.0-or-later | 2 |
+| GPL-3.0-only | 1 |
+| LGPL-2.0-or-later | 1 |
+| LGPL-2.1-only | 1 |
+| public-domain | 1 |
+
+**Trivy License Distribution (Node.js):**
+| License | Count |
+|---------|-------|
+| (BSD-2-Clause OR MIT OR Apache-2.0) | 1 |
+| (MIT OR Apache-2.0) | 2 |
+| (MIT OR WTFPL) | 1 |
+| (WTFPL OR MIT) | 1 |
+| 0BSD | 1 |
+| Apache-2.0 | 12 |
+| BlueOak-1.0.0 | 5 |
+| BSD-2-Clause | 12 |
+| BSD-3-Clause | 14 |
+| GPL-2.0-only | 1 |
+| ISC | 143 |
+| LGPL-3.0-only | 19 |
+| MIT | 878 |
+| MIT/X11 | 2 |
+| MPL-2.0 | 2 |
+| Unlicense | 2 |
+| WTFPL | 1 |
+| WTFPL OR ISC | 1 |
+
+### 1.4 Observations
+
+**Dependency Discovery:** 
+- Syft detected 1 binary, 10 deb packages, and 1128 npm packages
+- Trivy detected 10 OS packages and 1125 Node.js packages
+- Both tools show similar counts for package types, with Trivy providing better categorization by separating OS and application packages
+
+**License Discovery:**
+- Syft did not extract license information in the SBOM
+- Trivy provided comprehensive license data for both OS packages and Node.js dependencies
+- Trivy identified 12 distinct license types for OS packages and 18+ license types for Node.js, with MIT being the most common (878 occurrences)
+
+---
+
+## Task 2 — Software Composition Analysis (3 pts)
+
+### 2.1 Vulnerability Analysis
+
+**Grype Vulnerabilities by Severity:**
+| Severity | Count |
+|----------|-------|
+| Critical | 11 |
+| High | 44 |
+| Medium | 31 |
+| Low | 3 |
+| Negligible | 12 |
+
+**Trivy Vulnerabilities by Severity:**
+| Severity | Count |
+|----------|-------|
+| CRITICAL | 10 |
+| HIGH | 39 |
+| MEDIUM | 33 |
+| LOW | 18 |
+
+### 2.2 Critical Vulnerabilities
+
+**Top 5 Critical Vulnerabilities (Grype):**
+1. `GHSA-whpj-8f3w-67p5` | vm2@3.9.17 | vm2 Sandbox Escape vulnerability
+2. `GHSA-g644-9gfx-q4q4` | vm2@3.9.17 | vm2 Sandbox Escape vulnerability
+3. `GHSA-c7hr-j4mj-j2w6` | jsonwebtoken@0.1.0 | Verification Bypass in jsonwebtoken
+4. `GHSA-c7hr-j4mj-j2w6` | jsonwebtoken@0.4.0 | Verification Bypass in jsonwebtoken
+5. `GHSA-cchq-frgv-rjh5` | vm2@3.9.17 | vm2 Sandbox Escape vulnerability
+
+**Top 5 Critical Vulnerabilities (Trivy):**
+1. `CVE-2025-15467` | libssl3@3.0.17-1~deb12u2 | OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing
+2. `CVE-2023-46233` | crypto-js@3.3.0 | crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
+3. `CVE-2015-9235` | jsonwebtoken@0.1.0 | nodejs-jsonwebtoken: verification step bypass with an altered token
+4. `CVE-2015-9235` | jsonwebtoken@0.4.0 | nodejs-jsonwebtoken: verification step bypass with an altered token
+5. `CVE-2019-10744` | lodash@2.4.2 | nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
+
+### 2.3 Secrets and License Scanning
+
+**Trivy Secrets Scan Results:**
+*No secrets found in the image*
+
+**License Compliance Assessment:**
+The application uses a wide variety of open source licenses. Most packages use permissive licenses (MIT, BSD, Apache-2.0) which are safe for commercial use. However, there are some GPL family licenses (GPL-2.0, GPL-3.0, LGPL-3.0) that may require disclosure of source code if the application is distributed. A legal review is recommended for packages under GPL licenses.
+
+**Recommendations:**
+1. Update vulnerable packages: jsonwebtoken, vm2, crypto-js, lodash
+2. Review GPL-licensed packages for compliance requirements
+3. Implement automated vulnerability scanning in CI/CD pipeline
+
+---
+
+## Task 3 — Toolchain Comparison (3 pts)
+
+### 3.1 Package Detection Comparison
+
+| Metric | Count |
+|--------|-------|
+| Syft total packages | 1139 (1 binary + 10 deb + 1128 npm) |
+| Trivy total packages | 1135 (10 OS + 1125 Node.js) |
+| Packages detected by both tools | ~1130 (similar counts) |
+| Packages only detected by Syft | ~3 npm packages |
+| Packages only detected by Trivy | ~0 |
+
+### 3.2 Vulnerability Detection Comparison
+
+| Metric | Count |
+|--------|-------|
+| CVEs found by Grype | ~100 (11 Critical, 44 High, 31 Medium) |
+| CVEs found by Trivy | ~100 (10 Critical, 39 High, 33 Medium) |
+| Common CVEs | Many shared vulnerabilities (jsonwebtoken, vm2, lodash) |
+
+### 3.3 Tool Strengths and Weaknesses
+
+| Aspect | Syft + Grype | Trivy |
+|--------|--------------|-------|
+| **SBOM Generation** | Detailed package listing, binary detection | Better categorization (OS vs application) |
+| **License Detection** | Limited license information | Comprehensive license data for all packages |
+| **Vulnerability Scanning** | More Critical findings (11 vs 10) | More detailed vulnerability descriptions |
+| **Secrets Detection** | Not available | Built-in secrets scanning |
+| **Ease of Use** | Two tools to manage | All-in-one solution |
+| **Integration** | Specialized for each task | Single tool for multiple functions |
+
+### 3.4 Use Case Recommendations
+
+**When to choose Syft+Grype:**
+- When you need specialized SBOM generation with binary detection
+- When you want to integrate with Anchore's ecosystem
+- When you prefer best-of-breed tools for each task
+
+**When to choose Trivy:**
+- When you want an all-in-one solution for security scanning
+- When you need built-in secrets and license detection
+- When you prefer simpler CI/CD integration with a single tool
+- For most common use cases, Trivy provides comprehensive functionality
+
+---
+
+## Challenges & Solutions
+
+### Challenge 1: PowerShell jq command issues
+**Solution:** Created separate .jq files for complex queries to avoid escaping problems in PowerShell
+
+### Challenge 2: Trivy JSON output parsing
+**Solution:** Used jq with file-based queries to extract specific data from nested JSON structures
+
+### Challenge 3: Understanding vulnerability severity differences
+**Solution:** Cross-referenced findings between Grype and Trivy to identify common critical vulnerabilities
+
+---
+
+## Conclusion
+
+Lab 4 successfully demonstrated SBOM generation and Software Composition Analysis using both specialized (Syft+Grype) and all-in-one (Trivy) toolchains. Key findings include:
+- Both tools effectively identify packages and vulnerabilities
+- Trivy provides better license detection out-of-the-box
+- Critical vulnerabilities found in jsonwebtoken, vm2, and other dependencies require immediate remediation
+- For most use cases, Trivy's all-in-one approach is more practical
+```