docs(lab5): Security Analysis: SAST & DAST of OWASP Juice Shop

.github/pull_request_template.md

@@ -0,0 +1,27 @@
+## Goal
+
+<!-- What is the purpose of this PR? Which lab/task does it address? -->
+
+## Changes
+
+<!-- List the specific changes made in this PR -->
+
+- 
+
+## Testing
+
+<!-- How did you verify your changes? Include commands run, endpoints tested, etc. -->
+
+- 
+
+## Artifacts & Screenshots
+
+<!-- Attach or embed any screenshots, command outputs, or supporting evidence -->
+
+- 
+
+## Checklist
+
+- [ ] PR has a clear, descriptive title (e.g., `docs(lab1): add triage report`)
+- [ ] Documentation is updated if needed
+- [ ] No secrets, credentials, or large temporary files are included in this PR

labs/lab4/analysis/sbom-analysis.txt

@@ -0,0 +1,80 @@
+=== SBOM Component Analysis ===
+
+Syft Package Counts:
+   1 binary
+  10 deb
+1128 npm
+
+Trivy Package Counts:
+1125 Node.js - unknown
+  10 bkimminich/juice-shop:v19.0.0 (debian 12.11) - unknown
+
+=== License Analysis ===
+
+Syft Licenses:
+   1 (BSD-2-Clause OR MIT OR Apache-2.0)
+   2 (MIT OR Apache-2.0)
+   1 (MIT OR WTFPL)
+   1 (WTFPL OR MIT)
+   1 0BSD
+  15 Apache-2.0
+   1 Apache2
+   5 Artistic
+   1 BSD
+  12 BSD-2-Clause
+  16 BSD-3-Clause
+   5 BlueOak-1.0.0
+   4 GFDL-1.2
+   5 GPL
+   1 GPL-1
+   1 GPL-1+
+   6 GPL-2
+   1 GPL-2.0
+   4 GPL-3
+ 143 ISC
+   4 LGPL
+   1 LGPL-2.1
+  19 LGPL-3.0
+ 890 MIT
+   2 MIT/X11
+   2 MPL-2.0
+   2 Unlicense
+   1 WTFPL
+   1 WTFPL OR ISC
+   1 ad-hoc
+   1 public-domain
+   2 sha256:cb992345949ccd6e8394b2cd6c465f7b897c864f845937dbf64e8997f389e164
+
+Trivy Licenses (OS Packages):
+   1 Apache-2.0
+   2 Artistic-2.0
+   1 GFDL-1.2-only
+   1 GPL-1.0-only
+   1 GPL-1.0-or-later
+   3 GPL-2.0-only
+   2 GPL-2.0-or-later
+   1 GPL-3.0-only
+   1 LGPL-2.0-or-later
+   1 LGPL-2.1-only
+   1 ad-hoc
+   1 public-domain
+
+Trivy Licenses (Node.js):
+   1 (BSD-2-Clause OR MIT OR Apache-2.0)
+   2 (MIT OR Apache-2.0)
+   1 (MIT OR WTFPL)
+   1 (WTFPL OR MIT)
+   1 0BSD
+  12 Apache-2.0
+  12 BSD-2-Clause
+  14 BSD-3-Clause
+   5 BlueOak-1.0.0
+   1 GPL-2.0-only
+ 143 ISC
+  19 LGPL-3.0-only
+ 878 MIT
+   2 MIT/X11
+   2 MPL-2.0
+   2 Unlicense
+   1 WTFPL
+   1 WTFPL OR ISC

labs/lab4/analysis/vulnerability-analysis.txt

@@ -0,0 +1,19 @@
+=== Vulnerability Analysis ===
+
+Grype Vulnerabilities by Severity:
+  11 Critical
+  88 High
+   3 Low
+  32 Medium
+  12 Negligible
+
+Trivy Vulnerabilities by Severity:
+  10 CRITICAL
+  81 HIGH
+  18 LOW
+  34 MEDIUM
+
+=== License Analysis Summary ===
+Tool Comparison:
+- Syft found       32 unique license types
+- Trivy found       28 unique license types

labs/lab4/comparison/accuracy-analysis.txt

@@ -0,0 +1,9 @@
+=== Package Detection Comparison ===
+Packages detected by both tools:     1126
+Packages only detected by Syft:       13
+Packages only detected by Trivy:        9
+
+=== Vulnerability Detection Overlap ===
+CVEs found by Grype:       95
+CVEs found by Trivy:       91
+Common CVEs:       26