Feature/lab4

[pepegx]

Summary

This PR adds the full Lab 4 deliverable for OWASP Juice Shop (bkimminich/
juice-shop:v19.0.0), including SBOM generation, SCA, and a toolchain
comparison between Syft+Grype and Trivy.

What was completed

• Generated SBOMs with Syft and Trivy (JSON + table outputs).
• Performed SCA with Grype (from Syft SBOM) and Trivy (image scan).
• Added Trivy secret scan and license scan results.
• Built quantitative comparison artifacts for package and CVE overlap.
• Prepared a full written submission with analysis, risk prioritization, and
  remediation guidance.
• Added bonus methodology for CVE identifier normalization (GHSA vs CVE) to
  improve fairness of overlap comparison.

Key findings (high level)

• Package detection overlap is high: 1126 common packages.
• Vulnerability profile is consistently high-risk across tools (large Critical
  • High counts).
• Secret scan found 4 findings (2 High, 2 Medium) in Juice Shop source/test
  content.
• License risk metrics are explicitly separated:
  • WTFPL strict (Name == "WTFPL"): 1
  • WTFPL-containing expressions: 4
• Bonus CVE overlap:
  • Raw method common CVEs: 26
  • Expanded normalized method common CVEs: 85

Reproducibility note

Trivy and Syft were re-run successfully.
Grype may fail in some environments when downloading DB updates (TLS handshake
timeout), but the committed Grype JSON is valid and contains fresh DB metadata
(built: 2026-03-02, valid: true).

Checklist

• Task 1 done — SBOM Generation with Syft and Trivy
• Task 2 done — SCA with Grype and Trivy
• Task 3 done — Comprehensive Toolchain Comparison