feat(lab4): complete SBOM and SCA tasks with Trivy #4

Open · witch2256 wants to merge 1 commit into main from feature/lab4

Conversation

@witch2256 (Owner)

Goal

Complete Lab 4 — SBOM Generation & Software Composition Analysis on Juice Shop

Changes

  • Added submissions/lab4.md with detailed answers for:
    • SBOM stats (component count, file size)
    • Grype severity breakdown and top-10 CVEs (based on Trivy scan, as Grype could not be updated due to network issues)
    • Trivy comparison table with side-by-side severity counts and delta analysis
    • Two specific CVEs where Trivy and Grype diverge, with reasoning
    • When-to-pick-each tradeoff discussion (decoupled Syft+Grype vs all-in-one Trivy)
    • Bonus: sign-ready CycloneDX attestation for Lab 8 (in-toto Statement v1)
  • Added labs/lab4/juice-shop.cdx.json — CycloneDX SBOM generated by Trivy (size ~1.1 MB, 296 components)
  • Added labs/lab4/juice-shop-attestation.json — in-toto attestation with correct image digest and predicate shape (bonus)

Testing & Verification

  • Trivy image scan completed successfully; results saved in labs/lab4/trivy.json (109 vulnerabilities found)
  • SBOM generated via trivy image --format cyclonedx; component count verified with jq
  • Image digest captured: sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0
  • Attestation file conforms to _type: https://in-toto.io/Statement/v1 and predicateType: https://cyclonedx.org/bom/v1.5

Artifacts & Screenshots

  • submissions/lab4.md
  • labs/lab4/juice-shop.cdx.json
  • labs/lab4/juice-shop-attestation.json (bonus)
  • labs/lab4/trivy.json (not committed, but referenced)

Checklist

  • Title is clear
  • No secrets committed
  • Submission file exists

  • Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis (performed with Trivy due to network constraints, documented in report)
  • Task 2 — Trivy comparison + when-to-pick-each tradeoff
  • Bonus — sign-ready CycloneDX attestation for Lab 8
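The "Testing & Verification" steps above (count components with jq, capture the image digest, wrap the CycloneDX SBOM in an in-toto Statement v1 with the CycloneDX predicateType) can be checked mechanically before the file is handed to a signer in Lab 8. The script below is an added example, not code from this PR or from the Juice Shop project: it builds the statement, checks the two URIs the PR states, checks that the subject digest is bare 64-hex (in-toto subjects carry the hex only, with no `sha256:` prefix), and serializes the DSSE payload a signer such as cosign would wrap. The three-component SBOM is a constructed stand-in for labs/lab4/juice-shop.cdx.json and the image name `bkimminich/juice-shop` is an assumption; the digest is the one recorded in the PR.

```python
"""Wrap a CycloneDX SBOM in a sign-ready in-toto Statement v1 and check its shape.

Added example for this PR, not code from the submission itself. SAMPLE_SBOM is a
constructed stand-in for labs/lab4/juice-shop.cdx.json and IMAGE_NAME is an
assumption; IMAGE_DIGEST is the digest recorded in the PR description.
"""
import base64
import json
import re

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom/v1.5"  # value used in the PR
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"          # payloadType a DSSE signer sets

IMAGE_NAME = "bkimminich/juice-shop"  # assumption: the PR does not name the image
IMAGE_DIGEST = "sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0"

# Constructed stand-in for `trivy image --format cyclonedx` output (three components).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "juice-shop"}},
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "jsonwebtoken", "version": "0.4.0", "purl": "pkg:npm/jsonwebtoken@0.4.0"},
    ],
}

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def count_components(sbom: dict) -> int:
    """The same number `jq '.components | length'` reports on the real SBOM."""
    return len(sbom.get("components", []))


def normalize_digest(digest: str) -> str:
    """Strip a leading 'sha256:' and validate; in-toto subject digests are bare hex."""
    hexdigest = digest.strip().lower()
    if hexdigest.startswith("sha256:"):
        hexdigest = hexdigest[len("sha256:"):]
    if not _HEX64.match(hexdigest):
        raise ValueError(f"not a sha256 hex digest: {digest!r}")
    return hexdigest


def build_attestation(sbom: dict, image_name: str, image_digest: str) -> dict:
    """in-toto Statement v1 whose predicate is the CycloneDX BOM itself."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": image_name, "digest": {"sha256": normalize_digest(image_digest)}}],
        "predicateType": CYCLONEDX_PREDICATE_TYPE,
        "predicate": sbom,
    }


def check_attestation(att: dict) -> list:
    """Return the list of shape problems; an empty list means the statement is sign-ready."""
    problems = []
    if att.get("_type") != IN_TOTO_STATEMENT_V1:
        problems.append("_type is not the in-toto Statement v1 URI")
    if att.get("predicateType") != CYCLONEDX_PREDICATE_TYPE:
        problems.append("predicateType is not the CycloneDX predicate URI")
    subjects = att.get("subject") or []
    if not subjects:
        problems.append("subject list is empty")
    for subj in subjects:
        sha = (subj.get("digest") or {}).get("sha256", "")
        if not _HEX64.match(sha):
            problems.append(f"subject {subj.get('name')!r} lacks a bare 64-hex sha256 digest")
    pred = att.get("predicate") or {}
    if pred.get("bomFormat") != "CycloneDX":
        problems.append("predicate is not a CycloneDX BOM")
    if count_components(pred) == 0:
        problems.append("predicate has no components")
    return problems


def dsse_payload(att: dict) -> str:
    """Base64 of the compact, key-sorted statement: the payload field of a DSSE envelope."""
    body = json.dumps(att, separators=(",", ":"), sort_keys=True).encode()
    return base64.b64encode(body).decode()


if __name__ == "__main__":
    attestation = build_attestation(SAMPLE_SBOM, IMAGE_NAME, IMAGE_DIGEST)
    print("components:", count_components(SAMPLE_SBOM))
    print("problems:", check_attestation(attestation) or "none")
    print("payloadType:", DSSE_PAYLOAD_TYPE, "payload bytes:", len(dsse_payload(attestation)))
```

Run it against the committed files by loading labs/lab4/juice-shop.cdx.json into `SAMPLE_SBOM`'s place and the digest from the PR; `check_attestation` returning an empty list is the condition the Lab 8 signing step needs, and `dsse_payload` is what gets signed, so any later edit to the statement (even whitespace) invalidates the signature.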
