
feat(lab4): juice-shop SBOM, comparison, and attestation#1071

eraegar wants to merge 4 commits into
inno-devops-labs:mainfrom
eraegar:feature/lab4

Conversation


@eraegar eraegar commented Jun 17, 2026


Goal

Add the Lab 4 SBOM generation results for Juice Shop, compare Syft+Grype with Trivy, and include a sign-ready CycloneDX attestation for Lab 8.

Changes

  • Added submissions/lab4.md with SBOM statistics, Grype severity breakdown, top-10 CVEs, Trivy comparison, and the Lab 8 attestation explanation
  • Added labs/lab4/juice-shop.cdx.json as the CycloneDX SBOM for Juice Shop
  • Added labs/lab4/juice-shop.spdx.json as the SPDX SBOM for Juice Shop
  • Added labs/lab4/juice-shop-attestation.json as a sign-ready in-toto statement carrying the CycloneDX predicate

Testing

Commands used:

# Generate the CycloneDX SBOM directly from the image (pinned tag)
syft bkimminich/juice-shop:v20.0.0 \
  -o cyclonedx-json=labs/lab4/juice-shop.cdx.json

# Generate the SPDX SBOM from the same image, redirecting stdout to the file
syft bkimminich/juice-shop:v20.0.0 \
  -o spdx-json > labs/lab4/juice-shop.spdx.json

# Count inventory entries in each format (CycloneDX "components" vs SPDX "packages")
jq '.components | length' labs/lab4/juice-shop.cdx.json
jq '.packages | length' labs/lab4/juice-shop.spdx.json

# Scan the SBOM (not the image) with Grype and keep the JSON report
grype sbom:labs/lab4/juice-shop.cdx.json \
  -o json --file labs/lab4/grype-from-sbom.json

# Severity breakdown of the Grype matches
jq '[.matches[].vulnerability.severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab4/grype-from-sbom.json

# Scan the image with Trivy for comparison, keeping the JSON report
trivy image bkimminich/juice-shop:v20.0.0 \
  --severity LOW,MEDIUM,HIGH,CRITICAL \
  --format json --output labs/lab4/trivy.json

# Severity breakdown of the Trivy findings; "[]?" skips Results entries with no Vulnerabilities key
jq '[.Results[].Vulnerabilities[]? | .Severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab4/trivy.json

# Resolve the immutable image digest used as the attestation subject
docker inspect bkimminich/juice-shop:v20.0.0 --format '{{index .RepoDigests 0}}'

Observed results:

  • CycloneDX SBOM was generated successfully with 3068 components
  • SPDX SBOM was generated successfully with 909 packages
  • Grype reported 103 total findings: 7 Critical, 50 High, 35 Medium, 4 Low, 7 Negligible
  • Trivy reported 109 total findings: 5 Critical, 43 High, 39 Medium, 22 Low
  • The CycloneDX SBOM reported specVersion 1.6 and bomFormat CycloneDX
  • A sign-ready attestation was created for image digest sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0

Artifacts & Screenshots
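The two pieces of the lab that the command list only shows by their outputs are (a) wrapping the CycloneDX document in an in-toto Statement whose subject is the image digest, and (b) putting the Grype and Trivy severity counts on a common footing (Grype reports "High", Trivy "HIGH", and only Grype has a "Negligible" bucket). The script below is an added example written for this review, not code from the repository or from the PR author. The SBOM and scanner report fragments are constructed inline; the image name and the in-toto/CycloneDX URIs are assumptions, and the digest is the one quoted in the PR description.

```python
"""Build a sign-ready in-toto Statement around a CycloneDX SBOM and tally
Grype vs Trivy severities on one scale. Added example, not repository code.
All sample documents below are constructed for illustration."""
import json
from collections import Counter

# Assumed URIs: in-toto Statement v1 and the predicate type cosign uses for `--type cyclonedx`.
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")

# Digest quoted in the PR description; image name is an assumed reference.
IMAGE_REF = "index.docker.io/bkimminich/juice-shop"
DIGEST = "fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0"

# Constructed, minimal CycloneDX document standing in for juice-shop.cdx.json.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
}

# Constructed Grype and Trivy report fragments (shape only, no real CVE data).
GRYPE = {"matches": [
    {"vulnerability": {"severity": "Critical"}},
    {"vulnerability": {"severity": "High"}},
    {"vulnerability": {"severity": "Negligible"}},
]}
TRIVY = {"Results": [
    {"Target": "node", "Vulnerabilities": [{"Severity": "CRITICAL"}, {"Severity": "LOW"}]},
    {"Target": "os", "Vulnerabilities": None},   # Trivy omits/nulls this when nothing is found
]}


def make_statement(image_ref: str, digest_hex: str, sbom: dict) -> dict:
    """Return the unsigned in-toto Statement: subject = image by digest, predicate = SBOM.

    Binding to the digest (not the tag) means the attestation stays tied to one
    manifest even if the tag is later moved. Signing happens after this step.
    """
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("predicate must be a CycloneDX document")
    if len(digest_hex) != 64 or any(c not in "0123456789abcdef" for c in digest_hex):
        raise ValueError("expected a lowercase hex sha256 digest")
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": image_ref, "digest": {"sha256": digest_hex}}],
        "predicateType": CYCLONEDX_PREDICATE,
        "predicate": sbom,
    }


def normalise(sev: str) -> str:
    """Map scanner-specific casing ('High' vs 'HIGH') onto one label set."""
    sev = (sev or "unknown").capitalize()
    return sev if sev in SEVERITY_ORDER else "Unknown"


def grype_breakdown(report: dict) -> dict:
    counts = Counter(normalise(m["vulnerability"]["severity"]) for m in report["matches"])
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def trivy_breakdown(report: dict) -> dict:
    counts = Counter(
        normalise(v["Severity"])
        for r in report["Results"]
        for v in (r.get("Vulnerabilities") or [])   # tolerate missing/null lists
    )
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def compare(grype: dict, trivy: dict) -> dict:
    """Per-severity delta (Grype minus Trivy); a nonzero Negligible row is expected,
    since Trivy has no such bucket and reports those packages elsewhere or not at all."""
    return {s: grype[s] - trivy[s] for s in SEVERITY_ORDER}


if __name__ == "__main__":
    stmt = make_statement(IMAGE_REF, DIGEST, SBOM)
    print(json.dumps(stmt, indent=2))
    print(compare(grype_breakdown(GRYPE), trivy_breakdown(TRIVY)))
```

One caveat on "sign-ready": `cosign attest --type cyclonedx --predicate <file>` expects the bare CycloneDX document and builds the Statement itself, so passing a file that is already a full Statement would double-wrap it. A pre-built Statement like the one above is signed with a DSSE signer that accepts a complete in-toto payload, or the repository should ship the bare SBOM as the predicate and let the signing tool produce the envelope.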
