Feature/lab4 #1157

Open

raylduk8 wants to merge 2 commits into inno-devops-labs:main from raylduk8:feature/lab4

Feature/lab4#1157
raylduk8 wants to merge 2 commits into
inno-devops-labs:mainfrom
raylduk8:feature/lab4

Conversation

@raylduk8

Goal

Generate an SBOM of the Juice Shop image with Syft, scan it with Grype, and compare against Trivy's all-in-one approach

Changes

  • labs/lab4/juice-shop.cdx.json
  • labs/lab4/juice-shop.spdx.json
  • submissions/lab4.md

Testing

SBOM Generation via Syft

syft bkimminich/juice-shop:v20.0.0 \
  -o cyclonedx-json=labs/lab4/juice-shop.cdx.json

syft bkimminich/juice-shop:v20.0.0 \
  -o spdx-json=labs/lab4/juice-shop.spdx.json

Check That Files Exist and Have Content

ls -la labs/lab4/juice-shop.*.json
jq '.components | length' labs/lab4/juice-shop.cdx.json

Grype

grype sbom:labs/lab4/juice-shop.cdx.json \
  -o json --file labs/lab4/grype-from-sbom.json
grype sbom:labs/lab4/juice-shop.cdx.json \
  -o table | tee labs/lab4/grype-from-sbom.txt

Severity Breakdown

jq '[.matches[].vulnerability.severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab4/grype-from-sbom.json

Trivy

trivy image bkimminich/juice-shop:v20.0.0 \
  --severity LOW,MEDIUM,HIGH,CRITICAL \
  --format json --output labs/lab4/trivy.json

trivy image bkimminich/juice-shop:v20.0.0 \
  --severity HIGH,CRITICAL \
  --format table | tee labs/lab4/trivy.txt

Severity Breakdown

jq '[.Results[].Vulnerabilities[]? | .Severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab4/trivy.json

Checklist

  • Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
  • Task 2 — Trivy comparison + when-to-pick-each tradeoff
  • Bonus — sign-ready CycloneDX attestation for Lab 8
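Added example for the Task 1 / Task 2 comparison above; this is not code from the PR or from the Syft, Grype or Trivy projects. It reads the two JSON files the commands in this description write (`grype-from-sbom.json` and `trivy.json`), normalises the severity spelling (Grype writes "High", Trivy writes "HIGH", so the two jq breakdowns above cannot be diffed line for line), tolerates Trivy results that omit the `Vulnerabilities` key, and reports which vulnerability IDs each scanner found alone. The embedded sample documents are constructed, not real scan output; their field names follow the real `grype -o json` and `trivy image --format json` layouts. Grype may report a GHSA identifier where Trivy reports the corresponding CVE, so a non-empty "only" list is a prompt to check aliases, not proof that one tool missed a finding.

```python
"""Compare a Grype scan of a Syft SBOM with a Trivy image scan."""
import json
import sys
from collections import Counter

# Grype spells severities in title case, Trivy in upper case; both are
# upper-cased before counting so the breakdowns line up.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "NEGLIGIBLE": 0, "UNKNOWN": 0}

# Constructed sample documents (not real scanner output). The IDs and
# package names are placeholders; only the field layout is real.
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-2021-0001", "severity": "Critical"},
     "artifact": {"name": "pkg-a", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-2021-0002", "severity": "High"},
     "artifact": {"name": "pkg-b", "version": "2.1.0"}},
    {"vulnerability": {"id": "GHSA-xxxx-yyyy-zzzz", "severity": "Medium"},
     "artifact": {"name": "pkg-c", "version": "0.3.0"}},
]}
TRIVY_SAMPLE = {"Results": [
    {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-0001", "Severity": "CRITICAL",
          "PkgName": "pkg-a", "InstalledVersion": "1.0.0"},
         {"VulnerabilityID": "CVE-2021-0003", "Severity": "LOW",
          "PkgName": "pkg-d", "InstalledVersion": "4.0.0"},
     ]},
    # A result with no findings carries no Vulnerabilities key at all.
    {"Target": "alpine", "Class": "os-pkgs", "Type": "alpine"},
]}


def grype_findings(doc):
    """Yield (id, SEVERITY, package, version) tuples from Grype JSON."""
    for m in doc.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        yield (vuln["id"], vuln.get("severity", "Unknown").upper(),
               art["name"], art["version"])


def trivy_findings(doc):
    """Yield (id, SEVERITY, package, version) tuples from Trivy JSON."""
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield (v["VulnerabilityID"], v.get("Severity", "UNKNOWN").upper(),
                   v["PkgName"], v["InstalledVersion"])


def severity_breakdown(findings):
    """Count findings per normalised severity, like the jq one-liners."""
    return dict(Counter(f[1] for f in findings))


def top_n(findings, n=10):
    """Highest-severity findings, one row per ID (max severity wins)."""
    best = {}
    for f in findings:
        vid, sev = f[0], f[1]
        if vid not in best or SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(best[vid][1], 0):
            best[vid] = f
    return sorted(best.values(),
                  key=lambda f: (-SEVERITY_RANK.get(f[1], 0), f[0]))[:n]


def compare(grype_doc, trivy_doc, n=10):
    """Severity counts per tool, ID overlap, and a merged top-N list."""
    g, t = list(grype_findings(grype_doc)), list(trivy_findings(trivy_doc))
    g_ids, t_ids = {f[0] for f in g}, {f[0] for f in t}
    return {
        "grype_by_severity": severity_breakdown(g),
        "trivy_by_severity": severity_breakdown(t),
        "both": sorted(g_ids & t_ids),
        "grype_only": sorted(g_ids - t_ids),
        "trivy_only": sorted(t_ids - g_ids),
        "top": top_n(g + t, n),
    }


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python compare_scans.py [grype.json trivy.json]; with no
    # arguments the constructed samples are used.
    if len(sys.argv) == 3:
        report = compare(load(sys.argv[1]), load(sys.argv[2]))
    else:
        report = compare(GRYPE_SAMPLE, TRIVY_SAMPLE)
    print(json.dumps(report, indent=2))
```

Run it as `python compare_scans.py labs/lab4/grype-from-sbom.json labs/lab4/trivy.json` to get the breakdown for the real outputs of the commands above; the script name is an assumption. Package name and version are kept in each tuple because the same CVE can be reported against different packages by the two tools, which is part of the Task 2 tradeoff analysis.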
