
Feature/lab4#493

Open
ellilin wants to merge 6 commits into inno-devops-labs:main from ellilin:feature/lab4

Conversation


@ellilin ellilin commented Mar 2, 2026

Goal

Complete Lab 4 - SBOM Generation & Software Composition Analysis for
OWASP Juice Shop v19.0.0. Generate comprehensive SBOMs using Syft and
Trivy, perform SCA with Grype and Trivy, and compare toolchain
capabilities.

Changes

  • Generated SBOMs with Syft (native JSON + table format) - 1,139
    packages detected
  • Generated SBOMs with Trivy (detailed JSON + table format) - 1,135
    packages detected
  • Performed SCA with Grype - 146 vulnerabilities found (11 Critical, 88
    High)
  • Performed SCA with Trivy - 143 vulnerabilities found (10 Critical, 81
    High)
  • Ran Trivy secrets and license compliance scanning
  • Conducted quantitative toolchain comparison (98.9% package overlap,
    27.4% CVE overlap)
  • Documented critical vulnerabilities with remediation strategies
  • Created comprehensive submission report in labs/submission4.md

Testing

  • All Docker commands executed successfully using anchore/syft:latest,
    anchore/grype:latest, and aquasec/trivy:latest images
  • SBOM generation verified with both JSON and table output formats
  • Vulnerability scans completed and results validated against both tools
  • License extraction and comparison performed with jq analysis
  • Pre-commit hooks passed (TruffleHog + Gitleaks secrets scanning)

Artifacts & Screenshots

SBOM Files:

  • labs/lab4/syft/juice-shop-syft-native.json - Syft native JSON SBOM
  • labs/lab4/trivy/juice-shop-trivy-detailed.json - Trivy detailed JSON

Vulnerability Reports:

  • labs/lab4/syft/grype-vuln-results.json - Grype vulnerability scan
  • labs/lab4/trivy/trivy-vuln-detailed.json - Trivy vulnerability scan

Analysis Files:

  • labs/lab4/analysis/sbom-analysis.txt - Package and license analysis
  • labs/lab4/analysis/vulnerability-analysis.txt - Vulnerability
    severity breakdown
  • labs/lab4/comparison/accuracy-analysis.txt - Tool comparison metrics

Key Findings:

| Metric        | Syft+Grype | Trivy |
|---------------|-----------:|------:|
| Packages      | 1,139      | 1,135 |
| CVEs          | 95         | 91    |
| License Types | 32         | 28    |
| Critical      | 11         | 10    |

Checklist

  • Clear title following conventional commits (e.g., feat:, fix:,
    docs:)
  • Documentation updated if needed
  • No secrets or large temporary files included
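The comparison metrics in the description (package overlap, CVE overlap, severity counts, license types) can be reproduced from the three JSON artifacts with a short script. The following is an added example, not code from the PR or the lab repository: it reads documents constructed in the shape of Syft JSON, Grype JSON and Trivy JSON (the `--list-all-pkgs` form that includes `Packages`), keys packages on `name@version`, treats overlap as Jaccard similarity (an assumption; the PR does not state which formula produced its 98.9% and 27.4%), and separates scanner matches (package/CVE pairs) from unique CVE IDs, which is one possible reason a scan can report more findings than distinct CVEs. Every package name, version, CVE ID and license value in it is made up.

```python
"""SBOM/SCA toolchain comparison: added example, not code from the PR.
Inputs are constructed in the shape of Syft JSON (artifacts[]), Grype JSON
(matches[]) and Trivy JSON with --list-all-pkgs (Results[].Packages[] and
Results[].Vulnerabilities[]). Field names follow those formats; every
package, version, CVE ID and license value below is made up."""
from collections import Counter

SYFT_SBOM = {"artifacts": [
    {"name": "util-lib", "version": "1.0.0", "licenses": [{"value": "MIT"}]},
    {"name": "util-lib-es", "version": "1.0.0", "licenses": [{"value": "MIT"}]},
    {"name": "web-framework", "version": "4.0.0", "licenses": [{"value": "MIT"}]},
    {"name": "token-lib", "version": "0.4.0", "licenses": [{"value": "MIT"}]},
    {"name": "vendored-lib", "version": "2.1.0", "licenses": [{"value": "GPL-3.0-only"}]},
    # older Syft releases emit bare license strings; handled by lic_value()
    {"name": "tls-lib", "version": "3.0.2-0ubuntu1", "licenses": ["Apache-2.0"]},
]}
GRYPE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2000-0001", "severity": "High"}, "artifact": {"name": "util-lib", "version": "1.0.0"}},
    # the same CVE matched against a second package: two matches, one unique CVE
    {"vulnerability": {"id": "CVE-2000-0001", "severity": "High"}, "artifact": {"name": "util-lib-es", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-2000-0002", "severity": "Critical"}, "artifact": {"name": "token-lib", "version": "0.4.0"}},
    {"vulnerability": {"id": "CVE-2000-0003", "severity": "Medium"}, "artifact": {"name": "web-framework", "version": "4.0.0"}},
    {"vulnerability": {"id": "CVE-2000-0005", "severity": "High"}, "artifact": {"name": "vendored-lib", "version": "2.1.0"}},
]}
TRIVY_REPORT = {"SchemaVersion": 2, "Results": [
    {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
     "Packages": [{"Name": n, "Version": v, "Licenses": ["MIT"]} for n, v in
                  [("util-lib", "1.0.0"), ("util-lib-es", "1.0.0"), ("web-framework", "4.0.0"), ("token-lib", "0.4.0")]],
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2000-0001", "PkgName": "util-lib", "InstalledVersion": "1.0.0", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2000-0002", "PkgName": "token-lib", "InstalledVersion": "0.4.0", "Severity": "CRITICAL"}]},
    {"Target": "ubuntu 22.04", "Class": "os-pkgs", "Type": "ubuntu",
     "Packages": [{"Name": "tls-lib", "Version": "3.0.2-0ubuntu1", "Licenses": ["Apache-2.0"]}],
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2000-0004", "PkgName": "tls-lib", "InstalledVersion": "3.0.2-0ubuntu1", "Severity": "HIGH"}]},
]}


def lic_value(lic):
    """Syft licenses are objects with a 'value' in current releases, bare strings in old ones."""
    return lic["value"] if isinstance(lic, dict) else lic

def syft_packages(sbom):
    """name@version is the identity both tools can be compared on."""
    return {f"{a['name']}@{a['version']}" for a in sbom["artifacts"]}

def syft_licenses(sbom):
    return {lic_value(lic) for a in sbom["artifacts"] for lic in a.get("licenses", [])}

def trivy_packages(report):
    return {f"{p['Name']}@{p['Version']}" for r in report["Results"] for p in r.get("Packages", [])}

def trivy_licenses(report):
    return {lic for r in report["Results"] for p in r.get("Packages", []) for lic in p.get("Licenses", [])}

def grype_findings(report):
    """One (cve_id, package@version, SEVERITY) per match; severities normalised to upper case."""
    return [(m["vulnerability"]["id"], f"{m['artifact']['name']}@{m['artifact']['version']}",
             m["vulnerability"]["severity"].upper()) for m in report["matches"]]

def trivy_findings(report):
    return [(v["VulnerabilityID"], f"{v['PkgName']}@{v['InstalledVersion']}", v["Severity"].upper())
            for r in report["Results"] for v in r.get("Vulnerabilities", [])]

def jaccard_pct(a, b):
    """|A ∩ B| / |A ∪ B| in percent. Assumed definition: the PR does not state its overlap formula."""
    return round(100.0 * len(a & b) / len(a | b), 1) if a | b else 100.0

def license_violations(sbom, allowed):
    """(package, license) pairs whose license is outside the allowlist."""
    return [(f"{a['name']}@{a['version']}", lic_value(lic)) for a in sbom["artifacts"]
            for lic in a.get("licenses", []) if lic_value(lic) not in allowed]

def compare(syft=SYFT_SBOM, grype=GRYPE_REPORT, trivy=TRIVY_REPORT):
    s_pkgs, t_pkgs = syft_packages(syft), trivy_packages(trivy)
    g, t = grype_findings(grype), trivy_findings(trivy)
    g_cves, t_cves = {f[0] for f in g}, {f[0] for f in t}
    return {
        "packages": (len(s_pkgs), len(t_pkgs)),
        "package_overlap_pct": jaccard_pct(s_pkgs, t_pkgs),
        "matches": (len(g), len(t)),                # package/CVE pairs, what a scanner's total counts
        "unique_cves": (len(g_cves), len(t_cves)),  # de-duplicated IDs, usually a smaller number
        "cve_overlap_pct": jaccard_pct(g_cves, t_cves),
        "only_grype": sorted(g_cves - t_cves),
        "only_trivy": sorted(t_cves - g_cves),
        "severity": (dict(Counter(f[2] for f in g)), dict(Counter(f[2] for f in t))),
        "license_types": (len(syft_licenses(syft)), len(trivy_licenses(trivy))),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:20} {value}")
    print("license violations  ", license_violations(SYFT_SBOM, {"MIT", "Apache-2.0", "BSD-3-Clause"}))
```

To run it against the real artifacts, load `labs/lab4/syft/juice-shop-syft-native.json`, `labs/lab4/syft/grype-vuln-results.json` and `labs/lab4/trivy/trivy-vuln-detailed.json` with `json.load` and pass them to `compare()`; the Trivy file only carries `Packages` entries if it was produced with `--list-all-pkgs`, otherwise the package and license columns come out empty. Keying on `name@version` is deliberate: the two tools disagree on package type labels and purl details far more often than on name and version, and using a looser key is the main way to inflate an overlap figure.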

ellilin and others added 6 commits February 9, 2026 15:45
Add a standardized pull request template with sections for Goal,
Changes, Testing, and Artifacts & Screenshots. Includes a checklist
to ensure quality submissions (conventional commits, documentation
updates, and no secrets/temporary files).

Complete triage report for OWASP Juice Shop deployment including:
- Scope & Asset information (v19.0.0)
- Environment details (macOS, Docker 28.3.3)
- Deployment verification with health checks
- Surface snapshot analysis
- Top 3 security risks identified
- PR template setup documentation
- GitHub community engagement section

- Generate SBOMs with Syft and Trivy for OWASP Juice Shop v19.0.0
- Perform SCA with Grype and Trivy vulnerability scanning
- Compare toolchain capabilities: accuracy, coverage, features
- Analyze 1139 packages, 146 vulnerabilities, 32 license types
- Document critical vulnerabilities and remediation strategies

Co-Authored-By: Claude (glm-5) <noreply@anthropic.com>