Lab 4 — SBOM Generation & Software Composition Analysis on Juice Shop

[Nik-ari-ai]

Goal:

Generate an SBOM of the Juice Shop image with Syft, scan it with Grype, compare against Trivy's all-in-one approach, and produce a signed-ready CycloneDX SBOM for Lab 8.

Changes

• submissions/lab04.md — full report
• labs/lab4/juice-shop.cdx.json — CycloneDX SBOM (spec 1.6)
• labs/lab4/juice-shop.spdx.json — SPDX SBOM
• labs/lab4/juice-shop-attestation.json — in-toto Statement envelope wrapping the CycloneDX SBOM
• .gitignore — exclude regeneratable grype and trivy scan outputs

Testing

• syft produced 3068 components in CycloneDX and 909 packages in SPDX
• grype: 7 critical/50 high/35 medium/4 low/(add 7 negligible) = 103
• trivy: 5 critical/42 high/39 medium/22 low = 108
• attestation has correct _type, subject.digest, predicateType cyclonedx/v1.6, predicate.specVersion 1.6

Artifacts & Screenshots

• submissions/lab04.md
• labs/lab4/juice-shop.cdx.json
• labs/lab4/juice-shop-attestation.json

Checklist

• Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
• Task 2 — Trivy comparison + when-to-pick-each tradeoff
• Bonus — sign-ready CycloneDX attestation for Lab 8