Feature/lab5#1257

Open
Lisoon22 wants to merge 7 commits into
inno-devops-labs:mainfrom
Lisoon22:feature/lab5

Conversation

@Lisoon22


Goal

This PR delivers Lab 5: unauthenticated and authenticated OWASP ZAP DAST scans, Semgrep SAST against the matching Juice Shop v20.0.0 source tag, and a cross-tool SAST/DAST correlation analysis.

Changes

  • Added submissions/lab5.md with:
    • ZAP baseline and authenticated severity counts and durations;
    • authenticated/baseline ratio analysis;
    • two authenticated-only alert deep-dives;
    • Semgrep severity and top-rule-frequency tables;
    • a concrete triage priority and false-positive sample;
    • a SAST/DAST correlation table;
    • vulnerable code, dynamic payload/evidence, and remediation for the strongest correlation.
  • Ran authenticated ZAP with a real Juice Shop JWT applied through an Automation Framework request-header replacer.
  • Pinned Semgrep analysis to the Juice Shop v20.0.0 source tag.
  • Kept scanner reports, generated JWT plan, and the source clone out of the commit.

Testing

./scripts/lab5_install_arch.sh
./scripts/lab5_run_all.sh

bash labs/lab5/scripts/compare_zap.sh \
  labs/lab5/results/baseline-report.json \
  labs/lab5/results/auth-report.json

jq '.results | length' labs/lab5/results/semgrep.json
cat submissions/lab5.md

Verified outcomes:

  • Juice Shop v20.0.0 was reachable on the isolated Docker network.
  • The unauthenticated ZAP baseline report was generated.
  • Juice Shop returned a valid JWT for the authenticated account.
  • The ZAP Automation Framework completed spidering, active scanning, and JSON reporting.
  • Semgrep scanned the exact v20.0.0 source tag.
  • Tables were generated from actual JSON output rather than placeholders.
  • Correlation was claimed only when compatible evidence existed in both tools.

Artifacts & Screenshots

Committed artifact:

  • submissions/lab5.md

Generated locally but intentionally not committed:

  • labs/lab5/results/
  • labs/lab5/.work/
  • labs/lab5/semgrep/juice-shop/

Checklist

  • Title is clear (feat(lab5): ZAP baseline + auth + Semgrep + correlation)
  • No JWT, credentials, source clone, or large scanner output committed
  • Submission file exists at submissions/lab5.md
  • Lab commit is SSH-signed

Lab Checklist

  • Task 1 — ZAP baseline and authenticated scans completed
  • Task 1 — severity tables and ratio analysis included
  • Task 1 — two authenticated-only findings analyzed
  • Task 2 — Semgrep scanned the pinned v20.0.0 source
  • Task 2 — severity and top-10 rule tables included
  • Task 2 — triage priority and false-positive sample documented
  • Bonus — at least one defensible SAST/DAST correlation documented
  • Bonus — code, payload/evidence, fix, and reflection included
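The submission above derives its severity tables, the authenticated/baseline ratio and the authenticated-only alert list from the raw ZAP and Semgrep JSON. The script below is an added example of how such a summary can be produced; it is not the PR's `compare_zap.sh` nor any Juice Shop or lab code. It assumes the ZAP traditional JSON report layout (`site[].alerts[]` with a `riskcode` of 0 to 3 and an `instances[]` list) and the Semgrep CLI JSON layout (`results[].check_id`, `results[].extra.severity`); the report contents, alert names and rule ids are constructed sample data, not scanner output from the lab.

```python
"""Summarise two ZAP JSON reports and one Semgrep JSON report.

Added example, not part of the PR. Report layouts are assumed from the
ZAP traditional JSON report and the Semgrep CLI JSON output; all sample
data below is constructed for illustration.
"""
import json
from collections import Counter

# ZAP riskcode values: 3 = High, 2 = Medium, 1 = Low, 0 = Informational
RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}

# Constructed sample: unauthenticated baseline vs authenticated scan of the
# same target. Alert names are illustrative, not findings from the lab.
BASELINE_REPORT = json.dumps({"site": [{"@name": "http://target.example", "alerts": [
    {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "instances": [{"uri": "http://target.example/"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://target.example/"}]},
]}]})
AUTH_REPORT = json.dumps({"site": [{"@name": "http://target.example", "alerts": [
    {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "instances": [{"uri": "http://target.example/"},
                   {"uri": "http://target.example/rest/user/whoami"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://target.example/"}]},
    {"alert": "Application Error Disclosure", "riskcode": "2",
     "instances": [{"uri": "http://target.example/rest/basket/1"}]},
]}]})

# Constructed sample Semgrep output; rule ids are placeholders.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "example.rule-a", "path": "routes/a.ts", "start": {"line": 10},
     "extra": {"severity": "WARNING", "message": "constructed"}},
    {"check_id": "example.rule-a", "path": "routes/b.ts", "start": {"line": 42},
     "extra": {"severity": "WARNING", "message": "constructed"}},
    {"check_id": "example.rule-b", "path": "routes/c.ts", "start": {"line": 7},
     "extra": {"severity": "ERROR", "message": "constructed"}},
    {"check_id": "example.rule-c", "path": "lib/d.ts", "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "constructed"}},
], "errors": []})


def zap_alerts(report_json: str) -> list[dict]:
    """Flatten every alert entry across all sites in a ZAP JSON report."""
    data = json.loads(report_json)
    return [a for site in data.get("site", []) for a in site.get("alerts", [])]


def zap_severity_counts(report_json: str) -> dict[str, int]:
    """Count distinct alert entries per risk level (one row per alert type)."""
    counts = Counter(RISK_NAMES.get(str(a.get("riskcode")), "Unknown")
                     for a in zap_alerts(report_json))
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}


def compare_zap(baseline_json: str, auth_json: str) -> dict:
    """Severity tables for both scans, the authenticated/baseline ratio of
    total alert types, and the alerts that appear only when authenticated."""
    base = zap_severity_counts(baseline_json)
    auth = zap_severity_counts(auth_json)
    total_base, total_auth = sum(base.values()), sum(auth.values())
    ratio = round(total_auth / total_base, 2) if total_base else None
    base_names = {a["alert"] for a in zap_alerts(baseline_json)}
    auth_only = sorted({a["alert"] for a in zap_alerts(auth_json)} - base_names)
    return {"baseline": base, "authenticated": auth,
            "ratio": ratio, "auth_only": auth_only}


def semgrep_tables(report_json: str, top: int = 10) -> dict:
    """Semgrep severity counts plus the most frequent rule ids."""
    results = json.loads(report_json).get("results", [])
    by_severity = Counter(r["extra"]["severity"] for r in results)
    by_rule = Counter(r["check_id"] for r in results)
    return {"total": len(results), "severity": dict(by_severity),
            "top_rules": by_rule.most_common(top)}


def markdown_table(header: list[str], rows: list[list]) -> str:
    """Render rows as a Markdown table for pasting into a submission file."""
    lines = ["| " + " | ".join(header) + " |",
             "| " + " | ".join("---" for _ in header) + " |"]
    lines += ["| " + " | ".join(str(c) for c in row) + " |" for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    zap = compare_zap(BASELINE_REPORT, AUTH_REPORT)
    print(markdown_table(["Severity", "Baseline", "Authenticated"],
                         [[s, zap["baseline"][s], zap["authenticated"][s]]
                          for s in RISK_NAMES.values()]))
    print(f"\nauthenticated/baseline ratio: {zap['ratio']}")
    print("authenticated-only alerts:", ", ".join(zap["auth_only"]))
    sg = semgrep_tables(SEMGREP_REPORT)
    print("\n" + markdown_table(["Rule", "Count"], [list(r) for r in sg["top_rules"]]))
```

Counting alert types rather than instances keeps the ratio comparable to ZAP's own summary table; switching to `sum(len(a["instances"]) ...)` gives the per-URL view instead. Real reports from the lab's `labs/lab5/results/` directory can be passed in by reading the files and handing their text to `compare_zap` and `semgrep_tables`.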
