
feat(lab4): juice-shop SBOM and SCA comparison#4

Merged: Troshkins merged 1 commit into main from feature/lab4 on Jun 19, 2026

Conversation

@Troshkins

Owner

Goal

Generate a CycloneDX/SPDX SBOM for OWASP Juice Shop v20.0.0, scan it with Grype, compare the results with Trivy, and prepare a sign-ready SBOM attestation for Lab 8.

Changes

  • Added labs/lab4/juice-shop.cdx.json — CycloneDX SBOM generated with Syft.

  • Added labs/lab4/juice-shop.spdx.json — SPDX SBOM generated with Syft.

  • Added labs/lab4/juice-shop-attestation.json — in-toto statement wrapping the CycloneDX SBOM for future Cosign attestation.

  • Added submissions/lab4.md — Lab 4 report with Syft+Grype results, Trivy comparison, and bonus attestation notes.

  • Updated .gitignore to exclude regeneratable scan outputs:

    • labs/lab4/grype-from-sbom.json
    • labs/lab4/grype-from-sbom.txt
    • labs/lab4/trivy.json
    • labs/lab4/trivy.txt

Testing

  • Verified required tools:

    syft version
    grype version
    trivy --version
    jq --version

  • Generated SBOMs:

    syft bkimminich/juice-shop:v20.0.0 -o cyclonedx-json=labs/lab4/juice-shop.cdx.json
    syft bkimminich/juice-shop:v20.0.0 -o spdx-json=labs/lab4/juice-shop.spdx.json

    Observed output:

    juice-shop.cdx.json component count: 3069
    juice-shop.spdx.json package count: 909

  • Scanned CycloneDX SBOM with Grype:

    grype sbom:labs/lab4/juice-shop.cdx.json -o json --file labs/lab4/grype-from-sbom.json
    grype sbom:labs/lab4/juice-shop.cdx.json -o table | tee labs/lab4/grype-from-sbom.txt

    Observed output:

    104 vulnerability matches
    7 Critical, 51 High, 35 Medium, 4 Low, 7 Negligible
    89 fixed, 15 not-fixed

  • Scanned the image with Trivy:

    trivy image bkimminich/juice-shop:v20.0.0 \
      --severity LOW,MEDIUM,HIGH,CRITICAL \
      --format json --output labs/lab4/trivy.json

    Observed output:

    5 Critical, 43 High, 39 Medium, 22 Low

  • Verified the sign-ready attestation shape:

    jq '._type, .subject, .predicateType, .predicate.bomFormat, .predicate.specVersion' labs/lab4/juice-shop-attestation.json

    Observed output:

    "https://in-toto.io/Statement/v1"
    "https://cyclonedx.org/bom/v1.6"
    "CycloneDX"
    "1.6"

Artifacts & Screenshots

  • labs/lab4/juice-shop.cdx.json
  • labs/lab4/juice-shop.spdx.json
  • labs/lab4/juice-shop-attestation.json
  • submissions/lab4.md

Checklist

  • Title is clear (feat(lab4): juice-shop SBOM and SCA comparison)
  • No secrets/large temp files committed
  • Submission file at submissions/lab4.md exists
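The PR's Testing section summarises the Grype and Trivy runs by hand and checks the attestation with a jq one-liner. The script below is an added example, not code from this PR or from the Syft, Grype, Trivy or in-toto projects: it computes the same severity and fix-state counts from the two scanners' JSON output, lists which vulnerability IDs only one scanner reports (the substance of an SCA comparison), and builds an in-toto Statement v1 around a CycloneDX BOM in the shape the jq check expects. The Grype field names (`matches[].vulnerability.{id,severity,fix.state}`), the Trivy field names (`Results[].Vulnerabilities[].{VulnerabilityID,Severity}`), the in-toto statement layout, the sample scan documents, the minimal BOM and the all-zero image digest are all assumptions or constructed placeholders; the real inputs would be the `labs/lab4/*.json` files and the image's manifest digest.

```python
"""Summarise Grype/Trivy JSON output and wrap a CycloneDX SBOM in an
in-toto Statement v1.  Added example; field names are assumed from the
Grype, Trivy and in-toto schemas and all sample data is constructed."""
import json
from collections import Counter

# Constructed stand-in for labs/lab4/grype-from-sbom.json (Grype JSON schema assumed).
GRYPE_SAMPLE = {
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical", "fix": {"state": "fixed"}}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High", "fix": {"state": "not-fixed"}}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "High", "fix": {"state": "fixed"}}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": "Negligible", "fix": {"state": "unknown"}}},
    ]
}

# Constructed stand-in for labs/lab4/trivy.json (Trivy JSON schema assumed).
TRIVY_SAMPLE = {
    "Results": [
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "HIGH"},
        ]},
        {"Target": "alpine", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0005", "Severity": "LOW"},
        ]},
        {"Target": "empty", "Vulnerabilities": None},  # a result with no findings
    ]
}

# Constructed minimal CycloneDX 1.6 BOM standing in for labs/lab4/juice-shop.cdx.json.
BOM_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}

IMAGE = "bkimminich/juice-shop:v20.0.0"
# PLACEHOLDER, not the real manifest digest of the image.
IMAGE_DIGEST_PLACEHOLDER = "0" * 64


def _grype_vulns(report):
    return [m["vulnerability"] for m in report.get("matches", [])]


def _trivy_vulns(report):
    # Trivy may emit null instead of an empty list, hence the `or []`.
    return [v for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])]


def grype_summary(report):
    """Total, per-severity and per-fix-state counts, like the PR's Grype summary."""
    vulns = _grype_vulns(report)
    return {
        "total": len(vulns),
        "by_severity": dict(Counter(v["severity"].lower() for v in vulns)),
        "by_fix_state": dict(Counter(v.get("fix", {}).get("state", "unknown") for v in vulns)),
    }


def trivy_summary(report):
    """Total and per-severity counts; severities lower-cased so both tools line up."""
    vulns = _trivy_vulns(report)
    return {"total": len(vulns), "by_severity": dict(Counter(v["Severity"].lower() for v in vulns))}


def compare_ids(grype_report, trivy_report):
    """IDs seen by both scanners and by only one of them."""
    g = {v["id"] for v in _grype_vulns(grype_report)}
    t = {v["VulnerabilityID"] for v in _trivy_vulns(trivy_report)}
    return {"both": sorted(g & t), "grype_only": sorted(g - t), "trivy_only": sorted(t - g)}


def sbom_statement(bom, subject_name, subject_sha256):
    """in-toto Statement v1 with the CycloneDX BOM as predicate (layout assumed)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": "https://cyclonedx.org/bom/v" + bom["specVersion"],
        "predicate": bom,
    }


def statement_shape(stmt):
    """The fields the PR's jq one-liner prints, plus the subject digest."""
    return (
        stmt["_type"],
        stmt["subject"][0]["digest"]["sha256"],
        stmt["predicateType"],
        stmt["predicate"]["bomFormat"],
        stmt["predicate"]["specVersion"],
    )


if __name__ == "__main__":
    print(json.dumps(grype_summary(GRYPE_SAMPLE), indent=2))
    print(json.dumps(trivy_summary(TRIVY_SAMPLE), indent=2))
    print(json.dumps(compare_ids(GRYPE_SAMPLE, TRIVY_SAMPLE), indent=2))
    print(json.dumps(statement_shape(sbom_statement(BOM_SAMPLE, IMAGE, IMAGE_DIGEST_PLACEHOLDER))))
```

To use it on the lab's real output, replace the constructed dictionaries with `json.load()` of `labs/lab4/grype-from-sbom.json`, `labs/lab4/trivy.json` and `labs/lab4/juice-shop.cdx.json`, and put the image's manifest digest in the subject; the `grype_only`/`trivy_only` lists are what explain the differing totals the PR reports, since the two tools use different vulnerability databases and package matchers.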

@Troshkins Troshkins merged commit 4951018 into main Jun 19, 2026
1 check passed