Lab 4 — SBOM generation and Software Composition Analysis#456

Open
blxxdclxud wants to merge 10 commits into inno-devops-labs:main from blxxdclxud:feature/lab4

Conversation

@blxxdclxud

Goal

Add Lab 4 submission — SBOM generation and Software Composition Analysis for OWASP Juice Shop using Syft, Grype, and Trivy.

Changes

  • Added labs/submission4.md with full analysis covering Tasks 1–3
  • Generated Syft SBOM (1139 packages) in native JSON and table formats
  • Generated Trivy SBOM (1135 packages) in JSON and table formats
  • Extracted license data from both tools (Syft: 32 unique licenses, Trivy: 28)
  • Performed SCA with Grype (144 vulnerabilities) and Trivy (143 vulnerabilities)
  • Ran Trivy secrets scan — found 4 files with embedded RSA private keys
  • Ran Trivy license compliance scan
  • Generated package overlap and CVE overlap comparison files
  • All output files committed under labs/lab4/{syft,trivy,comparison,analysis}/

Testing

  • Local testing performed
  • Verified the expected behavior

All Docker commands executed successfully. Syft and Trivy both produced SBOM output. Grype scanned
the Syft SBOM and returned vulnerability results. Trivy vulnerability, secrets, and license scans
all completed. Analysis scripts ran and produced sbom-analysis.txt,
vulnerability-analysis.txt, and accuracy-analysis.txt.

Artifacts & Screenshots

Key findings:

  • Packages in common between Syft and Trivy: 1126 (98%+ overlap)
  • Grype CVEs: 93 unique | Trivy CVEs: 91 unique | Overlap: 26
  • Top critical: vm2@3.9.17 (CVSS 10.0 sandbox escape), jsonwebtoken@0.1.0 (CVSS 9.8 JWT
    bypass), libssl3 (CVSS 9.8 RCE)
  • Secrets found: 4 RSA private keys embedded in source files

Checklist

  • PR has a clear, descriptive title
  • Documentation updated if needed
  • No secrets or large temp files included

  • Task 1 done — SBOM Generation with Syft and Trivy
  • Task 2 done — SCA with Grype and Trivy
  • Task 3 done — Comprehensive Toolchain Comparison
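
The package-overlap and CVE-overlap comparison described in this PR, as an added example that is not the PR author's code or part of the lab submission. It assumes the documented JSON shapes of the three tools: Syft native JSON keeps packages under `artifacts` (`name`, `version`); Trivy's JSON keeps packages under `Results[].Packages` (present when run with `--list-all-pkgs`) and findings under `Results[].Vulnerabilities` (`VulnerabilityID`); Grype keeps findings under `matches`, with `vulnerability.id` and a `relatedVulnerabilities` list. The embedded documents are constructed samples with placeholder advisory IDs, not the lab's real output. The example also shows one check a practitioner would want before trusting a raw ID overlap: Grype reports a GHSA identifier as the primary ID for advisories sourced from the GitHub Advisory Database and lists the matching CVE under `relatedVulnerabilities`, while Trivy keys most findings by CVE, so a verbatim ID comparison counts the same bug as "Grype-only" and "Trivy-only" unless the IDs are normalized first.

```python
import json
from typing import Dict, Set, Tuple

Pkg = Tuple[str, str]

# Constructed sample documents, not the lab's real Syft/Trivy/Grype output,
# trimmed to the fields the comparison reads. Advisory IDs are placeholders.
SYFT_JSON = """{"artifacts": [
  {"name": "vm2", "version": "3.9.17", "type": "npm"},
  {"name": "jsonwebtoken", "version": "0.1.0", "type": "npm"},
  {"name": "lodash", "version": "4.17.21", "type": "npm"},
  {"name": "libssl3", "version": "3.0.2-0ubuntu1.10", "type": "deb"}]}"""

TRIVY_SBOM_JSON = """{"Results": [
  {"Target": "Node.js", "Packages": [
    {"Name": "vm2", "Version": "3.9.17"},
    {"Name": "jsonwebtoken", "Version": "0.1.0"},
    {"Name": "express", "Version": "4.18.2"}]},
  {"Target": "ubuntu", "Packages": [
    {"Name": "libssl3", "Version": "3.0.2-0ubuntu1.10"}]}]}"""

GRYPE_JSON = """{"matches": [
  {"vulnerability": {"id": "GHSA-0000-0000-0001", "severity": "Critical"},
   "relatedVulnerabilities": [{"id": "CVE-0000-0001"}],
   "artifact": {"name": "vm2", "version": "3.9.17"}},
  {"vulnerability": {"id": "GHSA-0000-0000-0002", "severity": "Critical"},
   "relatedVulnerabilities": [{"id": "CVE-0000-0002"}],
   "artifact": {"name": "jsonwebtoken", "version": "0.1.0"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"},
   "relatedVulnerabilities": [],
   "artifact": {"name": "libssl3", "version": "3.0.2-0ubuntu1.10"}}]}"""

TRIVY_VULN_JSON = """{"Results": [
  {"Target": "Node.js", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "vm2",
     "InstalledVersion": "3.9.17", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "jsonwebtoken",
     "InstalledVersion": "0.1.0", "Severity": "CRITICAL"}]},
  {"Target": "ubuntu", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libssl3",
     "InstalledVersion": "3.0.2-0ubuntu1.10", "Severity": "HIGH"}]}]}"""


def syft_packages(raw: str) -> Set[Pkg]:
    """(name, version) pairs from Syft's native JSON 'artifacts' list."""
    return {(a["name"], a["version"]) for a in json.loads(raw)["artifacts"]}


def trivy_packages(raw: str) -> Set[Pkg]:
    """(name, version) pairs from Trivy JSON 'Results[].Packages'."""
    return {(p["Name"], p["Version"])
            for r in json.loads(raw)["Results"]
            for p in r.get("Packages", [])}


def grype_ids(raw: str, normalize: bool) -> Set[str]:
    """Advisory IDs from Grype JSON 'matches'.

    With normalize=True, a non-CVE primary ID (e.g. GHSA-...) is replaced by
    the CVE IDs listed under 'relatedVulnerabilities', so the set can be
    compared against Trivy's CVE-keyed report. Matches with no related CVE
    keep their original ID either way.
    """
    ids: Set[str] = set()
    for m in json.loads(raw)["matches"]:
        vid = m["vulnerability"]["id"]
        related = [r["id"] for r in m.get("relatedVulnerabilities", [])
                   if r["id"].startswith("CVE-")]
        if normalize and not vid.startswith("CVE-") and related:
            ids.update(related)
        else:
            ids.add(vid)
    return ids


def trivy_ids(raw: str) -> Set[str]:
    """VulnerabilityID values from Trivy's JSON vulnerability report."""
    return {v["VulnerabilityID"]
            for r in json.loads(raw)["Results"]
            for v in r.get("Vulnerabilities", [])}


def overlap(a: Set, b: Set) -> Dict[str, int]:
    """Two-way comparison counts: common, only in a, only in b."""
    return {"common": len(a & b), "only_a": len(a - b), "only_b": len(b - a)}


def compare_all() -> Dict[str, Dict[str, int]]:
    """Package overlap plus raw and CVE-normalized vulnerability overlap."""
    return {
        "packages": overlap(syft_packages(SYFT_JSON), trivy_packages(TRIVY_SBOM_JSON)),
        "cves_raw": overlap(grype_ids(GRYPE_JSON, False), trivy_ids(TRIVY_VULN_JSON)),
        "cves_normalized": overlap(grype_ids(GRYPE_JSON, True), trivy_ids(TRIVY_VULN_JSON)),
    }


if __name__ == "__main__":
    for section, counts in compare_all().items():
        print(section, counts)
```

On the constructed input the raw ID comparison reports zero common findings even though two of the three Grype matches describe the same bugs Trivy found; the normalized comparison reports two in common. The same normalization is worth applying to the real `labs/lab4/comparison/` files before reading the Grype-vs-Trivy overlap as a measure of database disagreement rather than identifier disagreement.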
