
Feature/lab10 #12

Open
ph1larmon1a wants to merge 2 commits into main from feature/lab10

Conversation

@ph1larmon1a
Owner

Goal

Complete Lab 10 by standing up a local OWASP DefectDojo instance, importing multi-tool vulnerability findings from prior labs, and generating a stakeholder-ready reporting and metrics package.
This PR centralizes security scanning outputs (Grype, Nuclei, Semgrep, Trivy) into a single vulnerability management workflow and produces dashboard metrics, governance artifacts, and a consolidated summary for program-level visibility.

Changes

  • Installed and launched DefectDojo locally using Docker Compose
  • Retrieved admin credentials and configured:
    • Product Type: Engineering
    • Product: Juice Shop
    • Engagement: Labs Security Testing
  • Added automated import workflow using the provided run-imports.sh script
    • Imported Grype, Nuclei, Semgrep, and Trivy results
    • Validated importer names and auto-created engagement context
  • Confirmed successful ingestion of:
    • 65 Grype findings
    • 3 Nuclei findings
    • 0 Semgrep
    • 0 Trivy
    • (ZAP not included in this data set)
  • Generated governance-ready outputs under labs/lab10/report/:
    • metrics-snapshot.md - severity counts + engagement status
    • vdojo-report.pdf - human-readable executive/detailed report
    • findings.csv - sortable dataset for analysis
  • Added detailed summary of severity, tool distribution, SLA status, and CWE/OWASP themes directly into submission10.md

Testing

  • Manual and UI-based verification performed as part of the lab workflow:
    • Confirmed Docker Compose services up and healthy
    • Logged into DefectDojo and validated Product → Engagement hierarchy
    • Verified each imported scan appeared under Engagement → Tests
    • Confirmed finding counts matched importer JSON responses
    • Reviewed dashboards:
      • Metrics tile: Critical: 8, High: 21, Medium: 23, Low: 1, Info: 15
      • Timeline graph and tool-specific test breakdown
    • Checked SLA columns for overdue items — all findings show SLA windows (7/30/90/120 days) with Age = 0, no breaches
    • Cross-checked findings list for CWE/OWASP recurring categories
    • All artifacts exported and committed to labs/lab10/report/

Artifacts & Screenshots

  • Metrics Snapshot: labs/lab10/report/metrics-snapshot.md
  • Executive/Detailed Report: labs/lab10/report/dojo-report.pdf
  • Findings CSV: labs/lab10/report/findings.csv
  • Import responses: labs/lab10/imports/
  • Dashboard screenshots (severity mix, test breakdown, SLA view) included in the conversation
  • Documentation: labs/submission10.md

Checklist

  • PR has a clear and descriptive title
  • Documentation updated if needed
  • No secrets or large temporary files committed
  • Task 1 — Dojo setup and structure
  • Task 2 — Imports completed (multi-tool)
  • Task 3 — Report + metrics package
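The import-and-metrics workflow this PR describes (Tasks 2 and 3), as an added example that is not part of the PR or its run-imports.sh script: it drives DefectDojo's REST API v2 to import each tool's results with auto-created Product Type / Product / Engagement context, pages the resulting findings back out, and renders the severity table for a metrics snapshot. Assumptions not taken from the PR: DefectDojo is reachable at DOJO_URL with an API key in DOJO_API_KEY, the input files are named <tool>.json (or <tool>-*.json) under labs/lab10/imports/ (the PR keeps import responses there; using it for inputs is assumed), the import-scan response carries the new test id in its "test" field, and the finding fields "severity" and "active" are read from /api/v2/findings/.

```python
"""Import multi-tool scan results into DefectDojo and build a metrics snapshot.

Added example (not the PR's run-imports.sh). Assumed: DOJO_URL, DOJO_API_KEY,
input files under labs/lab10/imports/, and that the import-scan response
exposes the created test id as "test".
"""
import json
import os
import urllib.request
import uuid
from collections import Counter
from pathlib import Path

DOJO_URL = os.environ.get("DOJO_URL", "http://localhost:8080")  # assumed
DOJO_API_KEY = os.environ.get("DOJO_API_KEY", "")               # assumed

# DefectDojo importer (scan_type) names, keyed by the tool name in the filename.
SCAN_TYPES = {
    "grype": "Anchore Grype",
    "nuclei": "Nuclei Scan",
    "semgrep": "Semgrep JSON Report",
    "trivy": "Trivy Scan",
    "zap": "ZAP Scan",
}

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


def scan_type_for(path):
    """Map imports/grype-results.json (or grype.json) to its DefectDojo scan_type."""
    tool = Path(path).stem.split("-")[0].lower()
    try:
        return SCAN_TYPES[tool]
    except KeyError:
        raise ValueError(f"no DefectDojo importer mapped for {path}") from None


def import_fields(path, product_type, product, engagement):
    """Form fields for POST /api/v2/import-scan/. auto_create_context makes
    DefectDojo create the product type, product and engagement on first use."""
    return {
        "scan_type": scan_type_for(path),
        "product_type_name": product_type,
        "product_name": product,
        "engagement_name": engagement,
        "auto_create_context": "true",
        "active": "true",
        "verified": "false",
        "minimum_severity": "Info",
        "close_old_findings": "false",
    }


def encode_multipart(fields, file_field, filename, data):
    """Hand-rolled multipart/form-data body so no third-party HTTP client is needed."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    body += (f"--{boundary}\r\nContent-Disposition: form-data; "
             f'name="{file_field}"; filename="{filename}"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n").encode()
    body += data + b"\r\n" + f"--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def api(method, route, body=None, content_type=None):
    """One authenticated call to the DefectDojo API; returns decoded JSON."""
    req = urllib.request.Request(f"{DOJO_URL}{route}", data=body, method=method)
    req.add_header("Authorization", f"Token {DOJO_API_KEY}")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


def import_scan(path, product_type="Engineering", product="Juice Shop",
                engagement="Labs Security Testing"):
    fields = import_fields(path, product_type, product, engagement)
    body, ctype = encode_multipart(fields, "file", Path(path).name,
                                   Path(path).read_bytes())
    return api("POST", "/api/v2/import-scan/", body, ctype)


def fetch_findings(test_id, page_size=100):
    """Page through /api/v2/findings/ for the test an import created."""
    findings, offset = [], 0
    while True:
        page = api("GET", f"/api/v2/findings/?test={test_id}"
                          f"&limit={page_size}&offset={offset}")
        findings.extend(page["results"])
        offset += page_size
        if offset >= page["count"]:
            return findings


def severity_counts(findings):
    """Active findings per severity, in the order of the DefectDojo metrics tile."""
    counts = Counter(f["severity"] for f in findings if f.get("active", True))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def metrics_snapshot(counts_by_tool):
    """Render a per-tool severity table (the core of metrics-snapshot.md)."""
    lines = ["| Tool | " + " | ".join(SEVERITIES) + " | Total |",
             "|---" * (len(SEVERITIES) + 2) + "|"]
    total = Counter()
    for tool, counts in counts_by_tool.items():
        total.update(counts)
        lines.append(f"| {tool} | " + " | ".join(str(counts.get(s, 0)) for s in SEVERITIES)
                     + f" | {sum(counts.values())} |")
    lines.append("| All | " + " | ".join(str(total[s]) for s in SEVERITIES)
                 + f" | {sum(total.values())} |")
    return "\n".join(lines)


if __name__ == "__main__":
    by_tool = {}
    for path in sorted(Path("labs/lab10/imports").glob("*.json")):  # assumed location
        resp = import_scan(path)
        by_tool[scan_type_for(path)] = severity_counts(fetch_findings(resp["test"]))
    print(metrics_snapshot(by_tool))
```

Counting findings back from /api/v2/findings/ rather than trusting the import response is the check the PR's "finding counts matched importer JSON responses" step relies on; a mismatch between the two usually means the wrong scan_type was chosen or the parser silently dropped entries.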
