
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation #1068

Open

Muratich wants to merge 3 commits into inno-devops-labs:main from Muratich:feature/lab4


Conversation


@Muratich Muratich commented Jun 17, 2026


Goal

Add the Juice Shop SBOM, vulnerability scan results, Trivy comparison, and a sign-ready CycloneDX attestation for Lab 4.

Changes

  • Added / updated:
    • submissions/lab4.md
    • labs/lab4/juice-shop.cdx.json
    • labs/lab4/juice-shop.spdx.json
    • labs/lab4/juice-shop-attestation.json
  • Other changes:
    • Generated CycloneDX and SPDX SBOMs with Syft
    • Scanned the CycloneDX SBOM with Grype
    • Ran Trivy image scan and compared results against Grype
    • Prepared a Cosign-ready in-toto attestation predicate for Lab 8

Testing

  • Commands run:
    • syft bkimminich/juice-shop:v20.0.0 -o cyclonedx-json@1.5=labs/lab4/juice-shop.cdx.json
    • syft bkimminich/juice-shop:v20.0.0 -o spdx-json=labs/lab4/juice-shop.spdx.json
    • grype sbom:labs/lab4/juice-shop.cdx.json -o json --file labs/lab4/grype-from-sbom.json
    • trivy image bkimminich/juice-shop:v20.0.0 --severity LOW,MEDIUM,HIGH,CRITICAL --format json --output labs/lab4/trivy.json
    • docker inspect bkimminich/juice-shop:v20.0.0 --format '{{index .RepoDigests 0}}'
  • Observed output:
    • CycloneDX SBOM generated successfully with specVersion: 1.5
    • Grype scan produced vulnerability results with severity breakdown and top CVEs
    • Trivy scan produced vulnerability results for comparison
    • Image digest was captured successfully for the attestation subject

Artifacts & Screenshots

  • submissions/lab4.md
  • labs/lab4/juice-shop.cdx.json
  • labs/lab4/juice-shop.spdx.json
  • labs/lab4/juice-shop-attestation.json

Checklist

  • Title is clear (feat(lab4): <topic> style)
  • No secrets or large temp files are committed
  • Submission file at submissions/lab4.md exists
  • Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
  • Task 2 — Trivy comparison + when-to-pick-each tradeoff
  • Bonus — sign-ready CycloneDX attestation for Lab 8
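The Grype-versus-Trivy comparison this PR describes can be reproduced mechanically from the two JSON reports. The following is an added example written for this page, not code from the PR or the lab repository: it reads the `matches[]` layout Grype emits with `-o json` and the `Results[].Vulnerabilities[]` layout Trivy emits with `--format json`, then reports which CVEs both scanners agree on, which only one finds, and where their severity ratings diverge. The embedded reports are constructed samples and the CVE identifiers are placeholders, not findings from the Juice Shop image.

```python
import json
from collections import Counter

# Constructed sample output in the shape Grype (-o json) and Trivy (--format json) emit;
# the CVE identifiers are placeholders, not real findings from the Juice Shop image.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "pkg-a", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "pkg-b", "version": "2.1.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "pkg-c", "version": "0.9.0"}},
]})
TRIVY_JSON = json.dumps({"Results": [{"Target": "Node.js", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d", "Severity": "LOW"},
]}]})

def grype_findings(text):
    """Map CVE id -> upper-cased severity from a Grype JSON report."""
    data = json.loads(text)
    return {m["vulnerability"]["id"]: m["vulnerability"]["severity"].upper()
            for m in data.get("matches", [])}

def trivy_findings(text):
    """Map CVE id -> severity from a Trivy JSON report, across all Results targets.
    Trivy writes "Vulnerabilities": null for a clean target, so guard against None."""
    data = json.loads(text)
    out = {}
    for result in data.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            out[v["VulnerabilityID"]] = v["Severity"].upper()
    return out

def compare(grype, trivy):
    """Return the overlap, the scanner-specific findings, severity disagreements
    and a per-scanner severity breakdown."""
    shared = set(grype) & set(trivy)
    return {
        "shared": sorted(shared),
        "grype_only": sorted(set(grype) - shared),
        "trivy_only": sorted(set(trivy) - shared),
        "severity_disagree": sorted(c for c in shared if grype[c] != trivy[c]),
        "grype_by_severity": dict(Counter(grype.values())),
        "trivy_by_severity": dict(Counter(trivy.values())),
    }

if __name__ == "__main__":
    print(json.dumps(compare(grype_findings(GRYPE_JSON), trivy_findings(TRIVY_JSON)), indent=2))
```

To run it against the real reports from this PR, replace the two constants with the contents of `labs/lab4/grype-from-sbom.json` and `labs/lab4/trivy.json`; note that Grype here scanned the SBOM while Trivy scanned the image directly, so differences in package discovery (not only in vulnerability databases) show up in the `*_only` lists.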
