Feature/lab4

[Dart-NEW]

Goal

Complete Lab 4 by generating SBOMs and SCA findings for bkimminich/juice-shop:v19.0.0, then compare Syft+Grype vs Trivy with quantitative analysis and recommendations.

Changes

• Added lab report:
  • labs/submission4.md
• Added generated SBOM and SCA artifacts:
  • labs/lab4/syft/*
  • labs/lab4/trivy/*
  • labs/lab4/analysis/*
  • labs/lab4/comparison/*
• Included:
  • SBOM package/license analysis (Syft vs Trivy)
  • Vulnerability analysis (Grype vs Trivy)
  • Top critical findings with remediation guidance
  • Toolchain accuracy/coverage overlap and operational recommendations

Testing

Executed all lab-required Docker scans and analysis commands successfully:

• Syft SBOM JSON + table generation
• Trivy package inventory (JSON + table)
• Grype scan from Syft SBOM (JSON + table)
• Trivy vuln/secret/license scans
• jq-based aggregation for:
  • package overlap
  • CVE overlap
  • severity counts
  • license summaries

Validation outcomes:

• Branch contains committed artifacts and report
• Working tree clean after commit/push
• feature/lab4 pushed and tracking origin/feature/lab4

Artifacts & Screenshots

Key outputs:

• labs/submission4.md
• labs/lab4/analysis/sbom-analysis.txt
• labs/lab4/analysis/vulnerability-analysis.txt
• labs/lab4/comparison/accuracy-analysis.txt
• labs/lab4/syft/grype-vuln-results.json
• labs/lab4/trivy/trivy-vuln-detailed.json
• labs/lab4/trivy/trivy-secrets.txt
• labs/lab4/trivy/trivy-licenses.json

Checklist

• Clear title

• Docs updated

• No secrets in code

• Task 1 done — SBOM Generation with Syft and Trivy

• Task 2 done — SCA with Grype and Trivy

• Task 3 done — Comprehensive Toolchain Comparison