Feature/lab4

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Goal
+<!-- Describe the objective of this PR. What problem are you solving or what feature are you implementing? -->
+
+## Changes
+<!-- List the main changes made in this PR -->
+- 
+- 
+- 
+
+## Testing
+<!-- Describe how you tested your changes. What scenarios did you verify? -->
+
+## Artifacts & Screenshots
+<!-- Attach any screenshots, logs, or artifacts that demonstrate the work -->
+
+## Checklist
+- [ ] Clear, descriptive PR title
+- [ ] Documentation updated if needed
+- [ ] No secrets, API keys, or large temporary files committed

labs/lab3_secret_test.txt

@@ -0,0 +1,2 @@
+This file was used for local secret-scanning tests.
+All sensitive test patterns were removed.

labs/lab4/analysis/license-risk-metrics.txt

@@ -0,0 +1,25 @@
+=== License Risk Metrics (from trivy-licenses.json) ===
+
+Data source: labs/lab4/trivy/trivy-licenses.json
+Count semantics: number of license entries (.Results[].Licenses[]), not unique license names.
+
+Queries:
+- GPL-family: ^(AGPL|GPL)
+- LGPL-family: ^LGPL
+- WTFPL strict: ^WTFPL$
+- WTFPL contains: /WTFPL/
+- ad-hoc strict: ^ad-hoc$
+
+Results:
+- Total license entries: 1114
+- GPL-family entries: 9
+- LGPL-family entries: 21
+- WTFPL strict entries: 1
+- WTFPL-containing entries: 4
+- ad-hoc entries: 1
+
+WTFPL-containing records (Name|PkgName):
+- (MIT OR WTFPL)|expand-template
+- WTFPL OR ISC|sanitize-filename
+- WTFPL|truncate-utf8-bytes
+- (WTFPL OR MIT)|utf8-byte-length

labs/lab4/analysis/sbom-analysis.txt

@@ -0,0 +1,80 @@
+=== SBOM Component Analysis ===
+
+Syft Package Counts:
+   1 binary
+  10 deb
+1128 npm
+
+Trivy Package Counts:
+1125 Node.js - unknown
+  10 bkimminich/juice-shop:v19.0.0 (debian 12.11) - unknown
+
+=== License Analysis ===
+
+Syft Licenses:
+   1 (BSD-2-Clause OR MIT OR Apache-2.0)
+   2 (MIT OR Apache-2.0)
+   1 (MIT OR WTFPL)
+   1 (WTFPL OR MIT)
+   1 0BSD
+  15 Apache-2.0
+   1 Apache2
+   5 Artistic
+   1 BSD
+  12 BSD-2-Clause
+  16 BSD-3-Clause
+   5 BlueOak-1.0.0
+   4 GFDL-1.2
+   5 GPL
+   1 GPL-1
+   1 GPL-1+
+   6 GPL-2
+   1 GPL-2.0
+   4 GPL-3
+ 143 ISC
+   4 LGPL
+   1 LGPL-2.1
+  19 LGPL-3.0
+ 890 MIT
+   2 MIT/X11
+   2 MPL-2.0
+   2 Unlicense
+   1 WTFPL
+   1 WTFPL OR ISC
+   1 ad-hoc
+   1 public-domain
+   2 sha256:cb992345949ccd6e8394b2cd6c465f7b897c864f845937dbf64e8997f389e164
+
+Trivy Licenses (OS Packages):
+   1 Apache-2.0
+   2 Artistic-2.0
+   1 GFDL-1.2-only
+   1 GPL-1.0-only
+   1 GPL-1.0-or-later
+   3 GPL-2.0-only
+   2 GPL-2.0-or-later
+   1 GPL-3.0-only
+   1 LGPL-2.0-or-later
+   1 LGPL-2.1-only
+   1 ad-hoc
+   1 public-domain
+
+Trivy Licenses (Node.js):
+   1 (BSD-2-Clause OR MIT OR Apache-2.0)
+   2 (MIT OR Apache-2.0)
+   1 (MIT OR WTFPL)
+   1 (WTFPL OR MIT)
+   1 0BSD
+  12 Apache-2.0
+  12 BSD-2-Clause
+  14 BSD-3-Clause
+   5 BlueOak-1.0.0
+   1 GPL-2.0-only
+ 143 ISC
+  19 LGPL-3.0-only
+ 878 MIT
+   2 MIT/X11
+   2 MPL-2.0
+   2 Unlicense
+   1 WTFPL
+   1 WTFPL OR ISC

labs/lab4/analysis/vulnerability-analysis.txt

@@ -0,0 +1,19 @@
+=== Vulnerability Analysis ===
+
+Grype Vulnerabilities by Severity:
+  11 Critical
+  88 High
+   3 Low
+  32 Medium
+  12 Negligible
+
+Trivy Vulnerabilities by Severity:
+  10 CRITICAL
+  81 HIGH
+  18 LOW
+  34 MEDIUM
+
+=== License Analysis Summary ===
+Tool Comparison:
+- Syft found       32 unique license types
+- Trivy found       28 unique license types

labs/lab4/comparison/accuracy-analysis-expanded.txt

@@ -0,0 +1,17 @@
+=== CVE Overlap Methodology Comparison ===
+
+Raw method (lab baseline):
+- Grype CVEs (primary IDs only): 95
+- Trivy CVEs: 91
+- Common CVEs: 26
+- Jaccard overlap: 0.1625
+
+Expanded method (bonus):
+- Grype CVEs (primary + relatedVulnerabilities): 93
+- Trivy CVEs: 91
+- Common CVEs: 85
+- Jaccard overlap: 0.8586
+
+Interpretation:
+- Raw overlap underestimates agreement due to GHSA-vs-CVE identifier mismatch.
+- Expanded overlap is better for fair cross-tool comparison.

labs/lab4/comparison/accuracy-analysis.txt

@@ -0,0 +1,9 @@
+=== Package Detection Comparison ===
+Packages detected by both tools:     1126
+Packages only detected by Syft:       13
+Packages only detected by Trivy:        9
+
+=== Vulnerability Detection Overlap ===
+CVEs found by Grype:       95
+CVEs found by Trivy:       91
+Common CVEs:       26