feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation#1057
Open
RII6 wants to merge 2 commits into
Open
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation#1057RII6 wants to merge 2 commits into
RII6 wants to merge 2 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
Generate a comprehensive Software Bill of Materials (SBOM) for the OWASP Juice Shop container, perform a decoupled Software Composition Analysis (SCA) using Grype, compare the findings against Trivy's all-in-one scanning approach, and prepare a cryptographically verifiable
in-totoattestation envelope for Lab 8.Changes
submissions/lab4.md— Contains the full SCA report, top-10 CVE triage analysis, and the Grype vs. Trivy deep-dive comparison.labs/lab4/juice-shop.cdx.json&juice-shop.spdx.json— Generated SBOMs via Syft.labs/lab4/juice-shop-attestation.json— Bonus attestation envelope natively wrapping the CycloneDX 1.6 predicate..pre-commit-config.yaml— Updatedcheck-added-large-fileshook argument to--maxkb=5000to legitimately allow tracking the heavy SBOM artifacts (~3 MB).Testing & Results
Task 1 — Syft + Grype (Decoupled SCA)
grype sbom:...scan resulted in 97 total vulnerabilities (7 Critical, 48 High).jsonwebtoken,lodash, andcrypto-js.Task 2 — Trivy (All-in-one SCA)
CVE-2026-5450(libc6) because Debian marked it as "won't fix", while Grype reported it strictly based on the SBOM.lodashPrototype Pollution, Grype reported the NPM-nativeGHSA-jf85-cpcp-j695, whereas Trivy reported the NVD-standardCVE-2019-10744.AsymmetricPrivateKey(RSA key) embedded ininsecurity.ts, demonstrating the advantage of its broad image-scanning scope over Grype's pure SBOM analysis.Bonus — Sign-Ready Attestation
sha256digest usingdocker inspect.jqpipeline to generate thehttps://in-toto.io/Statement/v1envelope natively binding the Juice Shop digest to thehttps://cyclonedx.org/bom/v1.5predicate.Checklist