QuantumScan

aquasecurity/trivy
Risk score: 35
9 findings · 200 files scanned

Trivy uses SHA-1 hashing in its Java JAR dependency parser for artifact identification via checksum matching against Maven repositories. While SHA-1 is cryptographically broken for collision resistance, the usage here is limited to non-cryptographic artifact lookup and integrity verification in the dependency resolution pipeline. The primary risk is collision-based supply chain attacks where malicious artifacts could be substituted if attackers generate SHA-1 collisions.

Recent findings

File                                                      Algorithm  Severity  Business impact
pkg/dependency/parser/java/jar/sonatype/sonatype.go:117   SHA-1      critical  70
pkg/dependency/parser/java/jar/sonatype/sonatype.go:124   SHA-1      critical  70
pkg/dependency/parser/java/jar/sonatype/sonatype.go:138   SHA-1      critical  70
pkg/dependency/parser/java/jar/parse.go:239               SHA-1      critical  60
pkg/dependency/parser/java/jar/sonatype/sonatype.go:109   SHA-1      critical  58
pkg/dependency/parser/java/jar/parse.go:7                 SHA-1      critical  55
pkg/dependency/parser/java/jar/parse.go:33                SHA-1      critical  55
pkg/dependency/parser/java/jar/parse.go:129               SHA-1      critical  55
pkg/dependency/parser/java/jar/parse_test.go:264          SHA-1      critical  15
Exposure by language

Go: 9 findings · 100%
Compliance mapping

DORA: OK
NIS2: OK
NIST PQC: OK