feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…

[StefFashka]

Goal

This PR completes Lab 4, focusing on SBOM generation and Software Composition Analysis (SCA) for the Juice Shop container. It establishes a software inventory, performs vulnerability scanning using Syft, Grype, and Trivy, and prepares a sign-ready attestation for future supply-chain security tasks.

Changes

• submissions/lab4.md — Final report including SBOM statistics, CVE analysis, and a comparison between decoupled (Syft+Grype) and all-in-one (Trivy) scanning models.
• labs/lab4/juice-shop.cdx.json — CycloneDX (v1.6) SBOM generated with Syft.
• labs/lab4/juice-shop.spdx.json — SPDX format SBOM for compliance use cases.
• labs/lab4/juice-shop-attestation.json — (Bonus) formatted statement containing the CycloneDX predicate and image digest for Lab 8 signing.
• .gitignore - for this lab

Testing

Verified SBOM integrity and vulnerability distributions using syft, grype, and trivy. Results were parsed and validated via jq.
Grype SCA Results (105 total):
code

# Severity breakdown from labs/lab4/grype-from-sbom.json
# Output: Critical: 7, High: 52, Medium: 4, Low: 35, Negligible: 7

Trivy SCA Results (109 total):
code

# Severity breakdown from labs/lab4/trivy.json
# Output: Critical: 5, High: 43, Medium: 22, Low: 39

SBOM Validation:
Component count (CycloneDX): 1846
SpecVersion: 1.6
Image Digest: sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0

• Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
• Task 2 — Trivy comparison + when-to-pick-each tradeoff
• Bonus — sign-ready CycloneDX attestation for Lab 8

Artifacts & Screenshots

All findings, including the comparison table and the sign-ready JSON structure, are documented in submissions/lab4.md.