aquasecurity/trivy

Escaneado el 8 jun 2026

Puntuación de riesgo/ 100

Riesgo bajo

Resumen

Trivy uses SHA-1 hashing for Java dependency identification and artifact lookup via Maven/Sonatype repositories. While SHA-1 is cryptographically broken for collision resistance, its use here for content fingerprinting and database lookups poses moderate risk as it relies on ecosystem standards. The primary concern is dependency on external SHA-1 indices that may be vulnerable to collision attacks affecting supply chain integrity.

Crítico

Alto

Medio

Bajo

Hallazgos principales

CríticoSHA-1
pkg/dependency/parser/java/jar/parse.go:7
SHA-256 or SHA3-256
Evidencia
```
"crypto/sha1" // nolint:gosec
```
CríticoSHA-1
pkg/dependency/parser/java/jar/parse.go:33
SHA-256 or SHA3-256
Evidencia
```
SearchBySHA1(sha1 string) (Properties, error)
```
CríticoSHA-1
pkg/dependency/parser/java/jar/parse.go:129
SHA-256 or SHA3-256
Evidencia
```
return nil, nil, xerrors.Errorf("failed to search by SHA1: %w", err)
```
CríticoSHA-1
pkg/dependency/parser/java/jar/parse.go:239
SHA-256 or SHA3-256
Evidencia
```
h := sha1.New() // nolint:gosec
```
CríticoSHA-1
pkg/dependency/parser/java/jar/parse_test.go:264
SHA-256 or SHA3-256
Evidencia
```
name: "sha1 search",
```

+ 4 hallazgos más en el reporte completo

Escanea tu propio repositorio

Gratis. Resultados en ~90 segundos. CBOM + PDF DORA/NIS2 incluidos.

Iniciar un escaneo gratis