QuantumScan public scan report

Repository: aquasecurity/trivy
Scanned on: Jun 8, 2026
Risk score: 35 / 100 (Low risk)

Summary

Trivy uses SHA-1 hashing for Java dependency identification and artifact lookup via Maven/Sonatype repositories. Although SHA-1 is cryptographically broken for collision resistance, its use here for content fingerprinting and database lookups poses moderate risk, since it follows the ecosystem's established standard for identifying artifacts. The primary concern is the dependency on external SHA-1 indices, which may be exposed to collision attacks that affect supply-chain integrity.

Findings by severity: Critical 9, High 0, Medium 0, Low 0

Top findings

  • Critical: SHA-1
    Location: pkg/dependency/parser/java/jar/parse.go:7
    Suggested alternative: SHA-256 or SHA3-256
    Raw evidence: "crypto/sha1" // nolint:gosec
  • Critical: SHA-1
    Location: pkg/dependency/parser/java/jar/parse.go:33
    Suggested alternative: SHA-256 or SHA3-256
    Raw evidence: SearchBySHA1(sha1 string) (Properties, error)
  • Critical: SHA-1
    Location: pkg/dependency/parser/java/jar/parse.go:129
    Suggested alternative: SHA-256 or SHA3-256
    Raw evidence: return nil, nil, xerrors.Errorf("failed to search by SHA1: %w", err)
  • Critical: SHA-1
    Location: pkg/dependency/parser/java/jar/parse.go:239
    Suggested alternative: SHA-256 or SHA3-256
    Raw evidence: h := sha1.New() // nolint:gosec
  • Critical: SHA-1
    Location: pkg/dependency/parser/java/jar/parse_test.go:264
    Suggested alternative: SHA-256 or SHA3-256
    Raw evidence: name: "sha1 search",

+ 4 more findings in the full report
