feat(lab4): SBOM and SCA on Juice Shop#1149

Open
L10nff wants to merge 2 commits into inno-devops-labs:main from L10nff:feature/lab4

Conversation

@L10nff L10nff commented Jun 19, 2026


Goal

This PR delivers Lab 4: SBOM Generation & Software Composition Analysis on Juice Shop.

Changes

  • Added submissions/lab4.md
  • Added CycloneDX SBOM: labs/lab4/juice-shop.cdx.json
  • Added SPDX SBOM: labs/lab4/juice-shop.spdx.json
  • Added sign-ready in-toto/CycloneDX attestation: labs/lab4/juice-shop-attestation.json
  • Documented Syft SBOM stats, Grype severity breakdown, top-10 findings, Trivy comparison, and Lab 8 attestation usage
  • Added .pre-commit-config.yaml from Lab 3 with a narrow exception for required Lab 4 SBOM artifacts
  • Added generated Grype/Trivy scan outputs to .gitignore so regenerable large reports are not committed

Testing

Commands used:

syft version
grype version
trivy --version
jq --version

syft bkimminich/juice-shop:v20.0.0 -o "cyclonedx-json@1.5=labs/lab4/juice-shop.cdx.json"
syft bkimminich/juice-shop:v20.0.0 -o spdx-json=labs/lab4/juice-shop.spdx.json

jq '.components | length' labs/lab4/juice-shop.cdx.json
jq '.packages | length' labs/lab4/juice-shop.spdx.json

grype db update
grype sbom:labs/lab4/juice-shop.cdx.json -o json --file labs/lab4/grype-from-sbom.json
grype sbom:labs/lab4/juice-shop.cdx.json -o table

trivy image --download-db-only
trivy image bkimminich/juice-shop:v20.0.0 --severity LOW,MEDIUM,HIGH,CRITICAL --format json --output labs/lab4/trivy.json
trivy image bkimminich/juice-shop:v20.0.0 --severity HIGH,CRITICAL --format table

jq empty labs/lab4/juice-shop.cdx.json
jq empty labs/lab4/juice-shop.spdx.json
jq empty labs/lab4/juice-shop-attestation.json

docker inspect bkimminich/juice-shop:v20.0.0 --format '{{index .RepoDigests 0}}'

git diff --cached --check
pre-commit run --all-files

Observed output:

CycloneDX component count: 3068
SPDX package count: 909
CycloneDX SBOM size: 1.7M

Grype findings:
Critical: 7
High: 51
Medium: 35
Low: 4
Negligible: 7
Total: 104

Trivy findings:
Critical: 5
High: 43
Medium: 39
Low: 22
Total: 109

CycloneDX schema:
specVersion: 1.5
bomFormat: CycloneDX

Image digest:
bkimminich/juice-shop@sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0

pre-commit:
Detect hardcoded secrets... Passed
detect private key... Passed
check for added large files... Passed

Artifacts & Screenshots

  • Submission file: submissions/lab4.md
  • CycloneDX SBOM: labs/lab4/juice-shop.cdx.json
  • SPDX SBOM: labs/lab4/juice-shop.spdx.json
  • Sign-ready attestation: labs/lab4/juice-shop-attestation.json
  • Scan evidence is documented in submissions/lab4.md
  • Raw Grype/Trivy reports are intentionally not committed because they are regenerable and large

Checklist

  • Title is clear (feat(lab4): SBOM and SCA on Juice Shop style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab4.md exists

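The PR above documents a Grype severity breakdown and a Trivy comparison but does not show how the two JSON reports were reconciled. The following is an added example written for this page, not code from the lab repository or from the Grype or Trivy projects. It normalises both report layouts (`grype -o json` puts each match under `matches` with the CVE in `vulnerability` and the package in `artifact`; `trivy image --format json` groups findings per target under `Results[].Vulnerabilities`) into one tuple shape, prints a severity table for each, and diffs them by (package, version, CVE) rather than by severity label, since the two tools rate the same CVE differently often enough to make a label-based diff misleading. The two embedded reports are constructed minimal documents; the package names and CVE ids in them are placeholders, not findings against Juice Shop.

```python
"""Normalise Grype and Trivy JSON reports to one shape and diff them.

Added example for this PR page, not code from the lab repository or from
the Grype/Trivy projects. GRYPE_JSON and TRIVY_JSON are constructed
documents that follow the real top-level layouts of the two tools; the
packages and CVE ids are made up for illustration.
"""
import json
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Set


class Finding(NamedTuple):
    package: str
    version: str
    vuln_id: str
    severity: str  # upper-cased so "High" (Grype) and "HIGH" (Trivy) compare equal


# Constructed Grype report: one entry per match under "matches".
GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-0001", "severity": "Critical"},
         "artifact": {"name": "libfoo", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-2024-0002", "severity": "High"},
         "artifact": {"name": "libfoo", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-2024-0003", "severity": "Negligible"},
         "artifact": {"name": "libbar", "version": "0.9"}},
    ]
})

# Constructed Trivy report: findings grouped per scan target under "Results".
# A target with nothing to report may omit "Vulnerabilities" or carry null,
# so the parser must tolerate both.
TRIVY_JSON = json.dumps({
    "Results": [
        {"Target": "example (debian 12)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-0001", "PkgName": "libfoo",
              "InstalledVersion": "1.2.3", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2024-0004", "PkgName": "libbaz",
              "InstalledVersion": "2.0", "Severity": "LOW"},
         ]},
        {"Target": "Node.js", "Vulnerabilities": None},
    ]
})


def grype_findings(report_json: str) -> Set[Finding]:
    """Flatten a Grype JSON report into Finding tuples."""
    report = json.loads(report_json)
    return {
        Finding(m["artifact"]["name"], m["artifact"]["version"],
                m["vulnerability"]["id"], m["vulnerability"]["severity"].upper())
        for m in report.get("matches") or []
    }


def trivy_findings(report_json: str) -> Set[Finding]:
    """Flatten a Trivy JSON report into Finding tuples."""
    report = json.loads(report_json)
    out: Set[Finding] = set()
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            out.add(Finding(v["PkgName"], v["InstalledVersion"],
                            v["VulnerabilityID"], v["Severity"].upper()))
    return out


def severity_breakdown(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity; only levels that occur are returned."""
    counts = Counter(f.severity for f in findings)
    order = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NEGLIGIBLE", "UNKNOWN"]
    return {s: counts[s] for s in order if counts[s]}


def compare(grype: Set[Finding], trivy: Set[Finding]) -> Dict[str, Set[str]]:
    """Diff the two result sets on (package, version, CVE), ignoring the
    severity label so a rating disagreement is not reported as a miss."""
    def key(f: Finding):
        return (f.package, f.version, f.vuln_id)

    g, t = {key(f) for f in grype}, {key(f) for f in trivy}
    return {
        "both": {k[2] for k in g & t},
        "grype_only": {k[2] for k in g - t},
        "trivy_only": {k[2] for k in t - g},
    }


if __name__ == "__main__":
    g, t = grype_findings(GRYPE_JSON), trivy_findings(TRIVY_JSON)
    print("grype:", severity_breakdown(g))
    print("trivy:", severity_breakdown(t))
    print("overlap:", compare(g, t))
```

To run it against the real artifacts from this lab, read `labs/lab4/grype-from-sbom.json` and `labs/lab4/trivy.json` into the two `*_findings` functions in place of the constructed strings; the `grype_only` and `trivy_only` sets are then the list worth explaining in the submission, since they usually come down to database coverage or to one tool seeing packages the other did not.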