Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
## Goal
<!-- what does this PR deliver? (1 sentence) -->

## Changes
<!-- bullet list of artifacts added/modified -->
-

## Testing
<!-- how you verified it works (commands + observed output) -->
- Commands:
- Observed output:


## Artifacts & Screenshots
<!-- links to files in this PR, image embeds where useful -->
-

## Checklist
- [ ] Title is clear (feat(labN): <topic> style)
- [ ] No secrets/large temp files committed
- [ ] Submission file at `submissions/labN.md` exists
12 changes: 12 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.30.1
hooks:
- id: gitleaks

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: detect-private-key
- id: check-added-large-files
args: ['--maxkb=5120']
36 changes: 36 additions & 0 deletions submissions/lab7.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Lab 7 — Submission

## Task 1: Trivy Image + Config Scan

### Image scan severity breakdown
| Severity | Total | With fix available |
|----------|------:|------------------:|
| Critical | 4 | 4 |
| High | 6 | 6 |
| **Total** | 10 | 10 |

### Top 10 CVEs with fixes
| CVE | Severity | Package | Installed | Fix |
|-----|----------|---------|-----------|-----|
| CVE-2023-46233 | CRITICAL | crypto-js | 3.3.0 | 4.2.0 |
| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.1.0 | 4.2.2 |
| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.4.0 | 4.2.2 |
| CVE-2019-10744 | CRITICAL | lodash | 2.4.2 | 4.17.12 |
| CVE-2026-45447 | HIGH | libssl3t64 | 3.5.5-1~deb13u2 | 3.5.6-1~deb13u2 |
| NSWG-ECO-428 | HIGH | base64url | 0.0.6 | >=3.0.0 |
| CVE-2020-15084 | HIGH | express-jwt | 0.1.3 | 6.0.0 |
| CVE-2022-25881 | HIGH | http-cache-semantics | 3.8.1 | 4.1.1 |
| CVE-2022-23539 | HIGH | jsonwebtoken | 0.1.0 | 9.0.0 |
| NSWG-ECO-17 | HIGH | jsonwebtoken | 0.1.0 | >=4.2.2 |

### Compared to Lab 4's Grype scan
Look back at your Lab 4 Grype results on the same image. Pick **two CVEs**:
1. One that BOTH Grype and Trivy found : CVE-2019-10744, CRITICAL, lodash, installed 2.4.2 and fix 4.17.12
2. One that ONE tool found and the OTHER missed
For each: explain why the tools differ (DB freshness? Different package matching?
EPSS scoring? Lecture 7 + Lecture 4 give context.) (2-3 sentences per CVE.):
**Grype found, Trivy missed**
GHSA-5mrr-rgp6-x4gr, Critical, marsdb, installed 0.6.11 with no fix. Trivy and Grype use different databaseses. This vulnerability is maybe only present in GitHub security advisory database.

**Trivy found, Grype missed**
CVE-2026-45447, High, libssl3t64 v3.5.5-1~deb13u2, fix 3.5.6-1~deb13u2. In Grype results, this vulnerability was maybe not in the latest update of databases Grype uses. And Trivy may have had already updated databasese.