
Lab 04 solution #5

Open

ph1larmon1a wants to merge 1 commit into main from feature/lab4

Conversation

ph1larmon1a (Owner) commented Oct 3, 2025

Goal

Generate and document SBOMs for OWASP Juice Shop using Syft and Trivy. Run comprehensive SCA using Grype (from Syft SBOM) and Trivy (image scan + secrets + licenses). Compare toolchains and summarize results in labs/submission4.md.

Changes

  • Generated SBOMs with:
    • Syft: native JSON, CycloneDX JSON, SPDX JSON, human-readable table.
    • Trivy: detailed JSON (--list-all-pkgs), CycloneDX, SPDX, table.
  • Ran SCA with:
    • Grype (from Syft SBOM): JSON + table.
    • Trivy (image vuln scan): JSON + table; secrets and license scans.
  • Produced comparison & analysis:
    • sbom-analysis.txt (package types, licenses, dependency graph).
    • vulnerability-analysis.txt (severity tallies + unique license counts).
    • accuracy-analysis.txt (package overlap & CVE overlap).
  • Created labs/submission4.md with:
    • Package Type Distribution + Dependency Graph notes.
    • License Discovery Analysis.
    • SCA Tool Comparison (Grype vs Trivy).
    • Critical Findings (with remediation) and Secrets results.
    • Toolchain Accuracy: 1126 common packages, 13 Syft-only, 9 Trivy-only; CVEs Grype 58, Trivy 62, 15 common.

Testing

  • Ran Syft and Trivy SBOM commands and confirmed all outputs in labs/lab4/syft and labs/lab4/trivy.
  • Ran Grype and Trivy vulnerability scans and verified severities match the summary.
  • Checked comparison/accuracy-analysis.txt for overlap.
  • Reviewed Trivy secrets findings and added remediation notes to the report.
  • Opened SBOM JSONs and CycloneDX files to spot-check components, dependencies, and licenses.

Artifacts & Screenshots

  • Syft
    • labs/lab4/syft/juice-shop-syft-native.json
    • labs/lab4/syft/juice-shop-syft-licences.txt
    • labs/lab4/syft/juice-shop-syft-table.txt
    • labs/lab4/syft/grype-vuln-results.json
    • labs/lab4/syft/grype-vuln-table.txt
  • Trivy
    • labs/lab4/trivy/juice-shop-trivy-detailed.json
    • labs/lab4/trivy/juice-shop-trivy-table.txt
    • labs/lab4/trivy/trivy-vuln-detailed.json
    • labs/lab4/trivy/trivy-secrets.txt
    • labs/lab4/trivy/trivy-licenses.json
  • Analysis & Comparison
    • labs/lab4/analysis/sbom-analysis.txt
    • labs/lab4/analysis/vulnerability-analysis.txt
    • labs/lab4/comparison/accuracy-analysis.txt
    • labs/lab4/comparison/{syft-packages.txt,trivy-packages.txt,common-packages.txt,syft-only.txt,trivy-only.txt,grypecves.txt,trivy-cves.txt}
  • Write-up
    • labs/submission4.md (final report)

Checklist

  • PR has a clear and descriptive title
  • Documentation updated if needed
  • No secrets or large temporary files committed
  • Task 1 done — SBOM Generation with Syft and Trivy
  • Task 2 done — SCA with Grype and Trivy
  • Task 3 done — Comprehensive Toolchain Comparison
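The comparison step this PR describes (package overlap between the Syft and Trivy SBOMs, CVE overlap between Grype and Trivy, and per-tool severity tallies), as an added example that is not part of this PR or the lab's own scripts. It assumes the JSON field layout that Syft native JSON (`syft <image> -o syft-json`), Grype JSON (`grype sbom:<file> -o json`) and Trivy JSON (`trivy image --format json --list-all-pkgs <image>`) emit today, trimmed to the fields used here; the three sample documents embedded below are constructed by hand, not real Juice Shop output, and the function names (`run_report`, `compare_packages`, `compare_cves`, `grype_vuln_id`) are mine.

```python
"""Cross-tool overlap analysis for Syft/Grype vs Trivy output.

Added example, not part of this PR. It assumes the JSON shapes that
Syft (-o syft-json), Grype (-o json) and Trivy (--format json
--list-all-pkgs) emit today, trimmed to the fields used here; the
sample documents below are constructed, not real scan output.
"""
import json
from collections import Counter

# Constructed sample of `syft <image> -o syft-json` (fields trimmed).
SYFT_JSON = json.dumps({"artifacts": [
    {"name": "express", "version": "4.17.1", "type": "npm", "purl": "pkg:npm/express@4.17.1"},
    {"name": "lodash", "version": "4.17.20", "type": "npm", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "libssl3", "version": "3.0.2-0ubuntu1", "type": "deb",
     "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1"},
    {"name": "typescript", "version": "4.9.5", "type": "npm", "purl": "pkg:npm/typescript@4.9.5"},
]})

# Constructed sample of `grype sbom:<syft.json> -o json`. The express advisory is
# reported under its GHSA id, with the CVE only in relatedVulnerabilities.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-23337", "severity": "High"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-2020-28500", "severity": "Medium"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "GHSA-rv95-896h-c2vc", "severity": "Medium"},
     "relatedVulnerabilities": [{"id": "CVE-2024-29041"}],
     "artifact": {"name": "express", "version": "4.17.1"}},
]})

# Constructed sample of `trivy image --format json --list-all-pkgs <image>`.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "juice-shop (ubuntu 22.04)", "Class": "os-pkgs", "Type": "ubuntu",
     "Packages": [{"Name": "libssl3", "Version": "3.0.2-0ubuntu1"}],
     "Vulnerabilities": []},
    {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
     "Packages": [{"Name": "express", "Version": "4.17.1"},
                  {"Name": "lodash", "Version": "4.17.20"},
                  {"Name": "ws", "Version": "7.4.5"}],
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash",
          "InstalledVersion": "4.17.20", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2024-29041", "PkgName": "express",
          "InstalledVersion": "4.17.1", "Severity": "MEDIUM"},
         {"VulnerabilityID": "CVE-2021-32640", "PkgName": "ws",
          "InstalledVersion": "7.4.5", "Severity": "MEDIUM"},
     ]},
]})


def syft_packages(doc):
    """(name, version) pairs from a Syft native-JSON document."""
    return {(a["name"], a["version"]) for a in doc.get("artifacts", [])}


def trivy_packages(doc):
    """(name, version) pairs across every Trivy result (OS and language packages)."""
    return {(p["Name"], p["Version"])
            for r in doc.get("Results", []) for p in (r.get("Packages") or [])}


def grype_vuln_id(match, prefer_cve=True):
    """Grype reports GitHub-sourced advisories under a GHSA id; when asked, fall
    back to the CVE in relatedVulnerabilities so ids line up with Trivy's."""
    vid = match["vulnerability"]["id"]
    if prefer_cve and not vid.startswith("CVE-"):
        for rel in match.get("relatedVulnerabilities") or []:
            if rel["id"].startswith("CVE-"):
                return rel["id"]
    return vid


def grype_findings(doc, prefer_cve=True):
    """{(vuln_id, pkg, version): SEVERITY} from Grype JSON."""
    return {(grype_vuln_id(m, prefer_cve), m["artifact"]["name"], m["artifact"]["version"]):
            m["vulnerability"]["severity"].upper() for m in doc.get("matches", [])}


def trivy_findings(doc):
    """{(vuln_id, pkg, version): SEVERITY} from Trivy JSON (all result targets)."""
    return {(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"]): v["Severity"].upper()
            for r in doc.get("Results", []) for v in (r.get("Vulnerabilities") or [])}


def compare_packages(syft_doc, trivy_doc):
    s, t = syft_packages(syft_doc), trivy_packages(trivy_doc)
    return {"common": sorted(s & t), "syft_only": sorted(s - t), "trivy_only": sorted(t - s)}


def compare_cves(grype_doc, trivy_doc, prefer_cve=True):
    g, t = grype_findings(grype_doc, prefer_cve), trivy_findings(trivy_doc)
    g_ids, t_ids = {k[0] for k in g}, {k[0] for k in t}
    return {
        "grype_total": len(g_ids), "trivy_total": len(t_ids),
        "common": sorted(g_ids & t_ids),
        "grype_only": sorted(g_ids - t_ids), "trivy_only": sorted(t_ids - g_ids),
        # Severity tallies are per finding (one entry per vuln/package pair),
        # which is how both tools' table output counts them.
        "severity": {"grype": dict(Counter(g.values())), "trivy": dict(Counter(t.values()))},
    }


def run_report(syft_json=SYFT_JSON, grype_json=GRYPE_JSON, trivy_json=TRIVY_JSON):
    syft, grype, trivy = (json.loads(x) for x in (syft_json, grype_json, trivy_json))
    return {"packages": compare_packages(syft, trivy),
            "cves": compare_cves(grype, trivy),
            "cves_raw_ids": compare_cves(grype, trivy, prefer_cve=False)}


if __name__ == "__main__":
    print(json.dumps(run_report(), indent=2))
```

Two things worth checking before trusting "tool-only" counts from this kind of diff: Grype and Trivy do not always name the same advisory the same way (GHSA vs CVE), so comparing raw ids undercounts the overlap, which is why the report is computed both ways; and keying on (name, version) alone will merge a deb package and an npm package that happen to share a name, so where both SBOMs carry a purl, keying on that is the stricter choice.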
