aquasecurity/trivy

feat: add SHA-512 hash support for SBOM formats (CycloneDX and SPDX)

Closed

#9094 opened on Jun 30, 2025

Labels: good first issue, help wanted, kind/feature, scan/sbom

Description

This is a feature request to add SHA-512 hash algorithm support to Trivy's SBOM parsing capabilities. Currently, Trivy only supports SHA-1, SHA-256, and MD5 hash algorithms when processing SBOM files.

Some tools, particularly NPM's SBOM generation (npm sbom), use SHA-512 hashes for package integrity verification. Adding SHA-512 support would enable Trivy to fully process these SBOMs and preserve important security metadata.

Current limitations:

  • CycloneDX: SHA-512 hashes are ignored and the hashes field becomes null
  • SPDX: SHA-512 checksums are completely omitted from the output

Current Behavior

CycloneDX

In pkg/sbom/cyclonedx/unmarshal.go:251-268, the unmarshalHashes function only supports:

  • SHA1
  • SHA256
  • MD5

Any other algorithm (including SHA-512) logs a warning but still creates a digest with an empty algorithm prefix (e.g., :hashvalue instead of sha512:hashvalue), resulting in malformed digest strings.

SPDX

In pkg/sbom/spdx/marshal.go:501-522, the spdxChecksums function has the same limitation, returning nil for unsupported algorithms.

Root Cause

The limitation stems from pkg/digest/digest.go which only defines three algorithms:

const (
    SHA1   Algorithm = "sha1"
    SHA256 Algorithm = "sha256"
    MD5    Algorithm = "md5"
)

Desired Behavior

Trivy should support the SHA-512 hash algorithm alongside the existing SHA-1, SHA-256, and MD5 support. This would enable Trivy to:

  • Preserve SHA-512 hashes when processing SBOMs from NPM and other tools
  • Generate SBOMs with SHA-512 hashes when appropriate
  • Maintain full compatibility with CycloneDX and SPDX specifications

Impact

  • Loss of package integrity verification data
  • Generated SBOMs may be invalid or incomplete
  • Affects tools that rely on SHA-512 for security validation

Proposed Solution

  1. Add SHA512 constant to pkg/digest/digest.go:

    const (
        SHA1   Algorithm = "sha1"
        SHA256 Algorithm = "sha256"
        SHA512 Algorithm = "sha512"
        MD5    Algorithm = "md5"
    )
    
  2. Add SHA-512 calculation support in the digest package

  3. Update unmarshalHashes in CycloneDX:

    case cdx.HashAlgoSHA512:
        alg = digest.SHA512
    
  4. Update spdxChecksums in SPDX:

    case digest.SHA512:
        alg = spdx.SHA512
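
The following is an added example, not Trivy's code, showing the shape of the fix the steps above describe: a digest type with a SHA512 constant, normalization of the CycloneDX ("SHA-512") and SPDX ("SHA512") spellings to one canonical algorithm, and construction of the "alg:hex" digest string that fails closed for unknown algorithms instead of producing the ":hashvalue" form the issue reports. Type and function names (Algorithm, ParseAlgorithm, NewDigest, SHA512Digest) are assumed for illustration.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// Algorithm plays the role of Trivy's digest.Algorithm; names here are assumed, not Trivy's code.
type Algorithm string
const (
	SHA1   Algorithm = "sha1"
	SHA256 Algorithm = "sha256"
	SHA512 Algorithm = "sha512"
	MD5    Algorithm = "md5"
)

// hexLen is the expected hex-encoded length per algorithm; absence means unsupported.
var hexLen = map[Algorithm]int{MD5: 32, SHA1: 40, SHA256: 64, SHA512: 128}

// ParseAlgorithm maps SBOM spellings ("SHA-512" in CycloneDX, "SHA512" in SPDX)
// to the canonical lowercase algorithm; ok is false for anything unsupported.
func ParseAlgorithm(name string) (alg Algorithm, ok bool) {
	alg = Algorithm(strings.ToLower(strings.ReplaceAll(name, "-", "")))
	_, ok = hexLen[alg]
	return alg, ok
}
// NewDigest builds the "<alg>:<hex>" string. Instead of emitting an empty prefix
// (":hashvalue") for unknown algorithms, as the issue describes, it returns an error,
// and it rejects content whose decoded length does not match the algorithm.
func NewDigest(sbomAlgo, content string) (string, error) {
	alg, ok := ParseAlgorithm(sbomAlgo)
	if !ok {
		return "", fmt.Errorf("unsupported hash algorithm %q", sbomAlgo)
	}
	content = strings.ToLower(content)
	if raw, err := hex.DecodeString(content); err != nil || len(raw)*2 != hexLen[alg] {
		return "", fmt.Errorf("malformed %s digest %q", alg, content)
	}
	return string(alg) + ":" + content, nil
}
// SHA512Digest computes sha512:<hex> over raw bytes, e.g. a package tarball.
func SHA512Digest(data []byte) string {
	sum := sha512.Sum512(data)
	return string(SHA512) + ":" + hex.EncodeToString(sum[:])
}
func main() {
	fmt.Println(NewDigest("SHA-512", strings.Repeat("ab", 64))) // constructed sample content
}
```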
    

References

Test Data

CycloneDX Example

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "bom-ref": "lodash@4.17.21",
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ]
    }
  ]
}

SPDX Example

{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "name": "lodash",
      "SPDXID": "SPDXRef-Package-lodash-4.17.21",
      "checksums": [
        {
          "algorithm": "SHA512",
          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ]
    }
  ]
}

Discussed in https://github.com/aquasecurity/trivy/discussions/9082
