
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation#1074

Open
lashmanovSergey wants to merge 2 commits into inno-devops-labs:main from lashmanovSergey:feature/lab4

Conversation

@lashmanovSergey


Goal

Generate SBOMs for Juice Shop, compare Syft+Grype with Trivy

Changes

  • Added submissions/lab4.md with SBOM statistics, severity breakdowns, comparison, and attestation explanation
  • Added labs/lab4/juice-shop.cdx.json — CycloneDX SBOM for Juice Shop
  • Added labs/lab4/juice-shop.spdx.json — SPDX SBOM for Juice Shop

Testing

# Generate CycloneDX SBOM
syft bkimminich/juice-shop:v20.0.0 \
  -o cyclonedx-json=labs/lab4/juice-shop.cdx.json

# Generate SPDX SBOM
syft bkimminich/juice-shop:v20.0.0 \
  -o spdx-json > labs/lab4/juice-shop.spdx.json

# Check component counts
jq '.components | length' labs/lab4/juice-shop.cdx.json     # 3068 components
jq '.packages | length' labs/lab4/juice-shop.spdx.json      # 909 packages

PR checklist body

  • Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
  • Task 2 — Trivy comparison + when-to-pick-each tradeoff
  • Bonus — sign-ready CycloneDX attestation for Lab 8

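The jq checks above count raw list entries in each SBOM, which is not the same as counting distinct packages, and the PR's Grype-vs-Trivy comparison needs the two scanners' findings put on a common key before severities can be compared. The script below is an added example and not part of the PR or of the Syft, Grype or Trivy projects: it normalises a CycloneDX and an SPDX SBOM to name@version sets, reads Grype (`grype ... -o json`) and Trivy (`trivy image -f json`) output into a common `(vuln_id, name@version) -> severity` map, and reports per-scanner severity breakdowns plus the findings only one scanner reports or both rate differently. The JSON documents embedded in it are constructed samples in the real tools' output shapes; the package names, versions and `CVE-0000-*` IDs are placeholders, not real findings. Point `load_json` at the PR's labs/lab4/*.json and real scanner output to get real numbers.

```python
"""Compare Syft SBOM formats and Grype/Trivy findings on a common key.

Added example (not the PR's or any project's code). The *_SAMPLE documents
below are constructed: same JSON shape as Syft/Grype/Trivy output, but with
placeholder packages and CVE-0000-* identifiers that are not real CVEs.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NEGLIGIBLE", "UNKNOWN"]

# --- constructed samples (shape real, contents placeholders) ---
CDX_SAMPLE = {"bomFormat": "CycloneDX", "components": [
    {"name": "express", "version": "4.17.1", "purl": "pkg:npm/express@4.17.1"},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},  # same pkg, 2nd entry
    {"name": "libssl3", "version": "3.0.2", "purl": "pkg:deb/debian/libssl3@3.0.2"},
]}
SPDX_SAMPLE = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "express", "versionInfo": "4.17.1"},
    {"name": "lodash", "versionInfo": "4.17.20"},
    {"name": "libssl3", "versionInfo": "3.0.2"},
]}
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
     "artifact": {"name": "libssl3", "version": "3.0.2"}},
]}
TRIVY_SAMPLE = {"Results": [
    {"Target": "image (debian)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl3",
         "InstalledVersion": "3.0.2", "Severity": "HIGH"}]},
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash",
         "InstalledVersion": "4.17.20", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash",
         "InstalledVersion": "4.17.20", "Severity": "LOW"}]},
    {"Target": "clean-target", "Class": "lang-pkgs", "Vulnerabilities": None},  # Trivy emits null
]}


def load_json(path):
    """Read a real SBOM or scanner report from disk (assumed path layout)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _key(name, version):
    return f"{name}@{version}"


def cdx_packages(doc):
    """Distinct name@version pairs from a CycloneDX JSON SBOM (syft -o cyclonedx-json)."""
    return {_key(c["name"], c.get("version", "")) for c in doc.get("components", [])}


def spdx_packages(doc):
    """Distinct name@version pairs from an SPDX JSON SBOM (syft -o spdx-json)."""
    return {_key(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])}


def grype_findings(doc):
    """{(vuln_id, name@version): SEVERITY} from Grype's JSON output (`matches` list)."""
    out = {}
    for m in doc.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        out[(v["id"], _key(a["name"], a["version"]))] = v.get("severity", "Unknown").upper()
    return out


def trivy_findings(doc):
    """Same map from Trivy's JSON output; findings are nested per Results[].Target."""
    out = {}
    for r in doc.get("Results", []):
        for v in r.get("Vulnerabilities") or []:  # key may be null for clean targets
            k = (v["VulnerabilityID"], _key(v["PkgName"], v["InstalledVersion"]))
            out[k] = v.get("Severity", "UNKNOWN").upper()
    return out


def severity_breakdown(findings):
    """Counts per normalised severity, in fixed order, zero buckets omitted."""
    c = Counter(findings.values())
    return {s: c[s] for s in SEVERITY_ORDER if c[s]}


def compare_scanners(grype, trivy):
    """Set-compare two finding maps on (vuln_id, name@version)."""
    g, t = set(grype), set(trivy)
    return {
        "both": sorted(g & t),
        "only_grype": sorted(g - t),
        "only_trivy": sorted(t - g),
        "severity_disagreements": sorted(k for k in g & t if grype[k] != trivy[k]),
    }


if __name__ == "__main__":
    print("cdx entries:", len(CDX_SAMPLE["components"]), "distinct:", len(cdx_packages(CDX_SAMPLE)))
    print("spdx distinct:", len(spdx_packages(SPDX_SAMPLE)))
    g, t = grype_findings(GRYPE_SAMPLE), trivy_findings(TRIVY_SAMPLE)
    print("grype:", severity_breakdown(g), "trivy:", severity_breakdown(t))
    print(json.dumps({k: [list(x) for x in v] for k, v in compare_scanners(g, t).items()}, indent=2))
```

Two points this makes that raw counts hide: the CycloneDX list has four entries but three distinct packages, so compare normalised sets (and, for real Syft output, `purl`) rather than `| length` when explaining a CycloneDX-vs-SPDX gap; and a scanner "difference" is usually a mix of findings only one tool matches plus findings both match at a different severity, which is why the comparison keys on package and vulnerability ID rather than on totals.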
