QuantumScan
aquasecurity/trivy
Trivy uses SHA-1 hashing in its Java JAR dependency parser to identify artifacts by matching checksums against Maven repositories. While SHA-1 is cryptographically broken for collision resistance, its use here is limited to non-cryptographic artifact lookup and integrity verification in the dependency resolution pipeline. The primary risk is a collision-based supply-chain attack: if an attacker could generate a SHA-1 collision, a malicious artifact could be substituted for the legitimate one.
| File | Algorithm | Severity | Business impact |
|---|---|---|---|
| pkg/dependency/parser/java/jar/sonatype/sonatype.go:117 | SHA-1 | critical | 70 |
| pkg/dependency/parser/java/jar/sonatype/sonatype.go:124 | SHA-1 | critical | 70 |
| pkg/dependency/parser/java/jar/sonatype/sonatype.go:138 | SHA-1 | critical | 70 |
| pkg/dependency/parser/java/jar/parse.go:239 | SHA-1 | critical | 60 |
| pkg/dependency/parser/java/jar/sonatype/sonatype.go:109 | SHA-1 | critical | 58 |
| pkg/dependency/parser/java/jar/parse.go:7 | SHA-1 | critical | 55 |
| pkg/dependency/parser/java/jar/parse.go:33 | SHA-1 | critical | 55 |
| pkg/dependency/parser/java/jar/parse.go:129 | SHA-1 | critical | 55 |
| pkg/dependency/parser/java/jar/parse_test.go:264 | SHA-1 | critical | 15 |
https://quantumscan.io/en/share/355f28b9-9a78-4f0f-8013-f9e87edb3bb5