
feat(lab4): SBOM generation + SCA with Syft/Grype + Trivy comparison + sign-ready attestation#1060

Open

Meliman1000-7 wants to merge 14 commits into inno-devops-labs:main from Meliman1000-7:feature/lab4

Conversation

@Meliman1000-7


Goal

Generate a CycloneDX and SPDX SBOM of the Juice Shop image with Syft, scan it for CVEs with Grype, compare results against Trivy's all-in-one approach, and produce a sign-ready CycloneDX attestation for Lab 8.

Changes

  • labs/lab4/juice-shop.cdx.json — CycloneDX SBOM (3068 components, specVersion 1.6)
  • labs/lab4/juice-shop.spdx.json — SPDX SBOM
  • labs/lab4/juice-shop-attestation.json — in-toto v1 attestation predicate for Lab 8 / Cosign
  • submissions/lab4.md — full triage report: Grype severity breakdown, top-10 CVE table, Trivy comparison, sign-ready attestation writeup

Testing

Syft SBOM generation:

syft bkimminich/juice-shop:v20.0.0 -o cyclonedx-json=labs/lab4/juice-shop.cdx.json
jq '.components | length' labs/lab4/juice-shop.cdx.json
→ 3068

Grype scan via SBOM:

grype sbom:labs/lab4/juice-shop.cdx.json -o json --file labs/lab4/grype-from-sbom.json
→ 103 vulnerability matches: 7 critical, 50 high, 35 medium, 4 low, 7 negligible

Trivy direct image scan:

trivy image bkimminich/juice-shop:v20.0.0 --severity LOW,MEDIUM,HIGH,CRITICAL --format json --output labs/lab4/trivy.json
→ 5 critical, 42 high, 39 medium, 22 low (also flagged an embedded RSA private key in insecurity.js — expected Juice Shop demo content)

Attestation predicate build:

docker inspect bkimminich/juice-shop:v20.0.0 --format '{{index .RepoDigests 0}}'
→ bkimminich/juice-shop@sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0
jq '._type, .subject, .predicateType' labs/lab4/juice-shop-attestation.json
→ "https://in-toto.io/Statement/v1" / subject with digest / "https://cyclonedx.org/bom/v1.5"

Artifacts & Screenshots

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets or large temp files committed
  • Submission file at submissions/lab4.md exists
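The pipeline described in the PR body (Grype triage of the SBOM scan, then wrapping the CycloneDX SBOM in an in-toto v1 Statement bound to the image digest) as an added, runnable example. This is not code from the PR or from the Syft/Grype/Trivy projects. It assumes Grype's JSON report layout (`matches[].vulnerability.{id,severity}` and `matches[].artifact.{name,version}`), takes the `_type` and `predicateType` values from the PR's `jq` output, and uses a small constructed Grype report and BOM as input; the only page value reused is the Juice Shop repo digest.

```python
"""Added example (not part of the PR): summarise a Grype JSON report by
severity and build the in-toto v1 Statement that Cosign can later sign.
Assumption: Grype's JSON layout is matches[].vulnerability.{id,severity}
and matches[].artifact.{name,version}."""
from __future__ import annotations

import json
import re
from collections import Counter

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom/v1.5"  # value shown in the PR's jq output
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# 'repo/name@sha256:<64 hex>' exactly as `docker inspect --format '{{index .RepoDigests 0}}'` prints it
_DIGEST_RE = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")


def parse_repo_digest(repo_digest: str) -> tuple[str, str]:
    """Split a pinned repo digest into (image name, sha256 hex).
    A tag-only reference (':v20.0.0') or a truncated digest is rejected so it
    can never become the attestation subject: the subject must identify
    immutable content, not a mutable tag."""
    m = _DIGEST_RE.match(repo_digest)
    if not m:
        raise ValueError(f"not a pinned sha256 repo digest: {repo_digest!r}")
    return m.group("name"), m.group("hex")


def build_statement(repo_digest: str, cyclonedx_bom: dict) -> dict:
    """Wrap a CycloneDX BOM as the predicate of an in-toto v1 Statement."""
    name, digest_hex = parse_repo_digest(repo_digest)
    if cyclonedx_bom.get("bomFormat") != "CycloneDX":
        raise ValueError("predicate is not a CycloneDX BOM")
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": digest_hex}}],
        "predicateType": CYCLONEDX_PREDICATE_TYPE,
        "predicate": cyclonedx_bom,
    }


def severity_breakdown(grype_report: dict) -> dict[str, int]:
    """Count matches per Grype severity, always reporting every bucket."""
    counts = Counter(
        m["vulnerability"].get("severity", "Unknown") for m in grype_report.get("matches", [])
    )
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def top_findings(grype_report: dict, n: int = 10) -> list[tuple[str, str, str, str]]:
    """Worst-first rows of (vuln id, severity, package, version) for the triage table."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    rows = []
    for m in grype_report.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        rows.append((v["id"], v.get("severity", "Unknown"), a["name"], a["version"]))
    rows.sort(key=lambda r: (rank.get(r[1], len(rank)), r[0]))
    return rows[:n]


# Constructed sample inputs (placeholder CVE ids and package names, not real findings).
SAMPLE_GRYPE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "pkg-a", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "pkg-b", "version": "2.3.1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "pkg-c", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High"},
     "artifact": {"name": "pkg-a", "version": "1.0.0"}},
]}
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",
              "components": [{"type": "library", "name": "pkg-a", "version": "1.0.0"}]}
JUICE_SHOP_DIGEST = ("bkimminich/juice-shop@sha256:"
                     "fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0")

if __name__ == "__main__":
    print(severity_breakdown(SAMPLE_GRYPE))
    for row in top_findings(SAMPLE_GRYPE, 3):
        print(*row)
    print(json.dumps(build_statement(JUICE_SHOP_DIGEST, SAMPLE_BOM), indent=2)[:200])
```

Feeding a real `grype-from-sbom.json` and `juice-shop.cdx.json` in place of the samples gives the severity table and the predicate; the digest check is the part worth keeping, because an attestation whose subject is a tag rather than a digest no longer binds the SBOM to the image that was scanned.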
