JarHC - JAR Health Check
License: Apache License 2.0
JarHC is a static analysis tool to help you find your way through "JAR hell" or "classpath hell".
Its main purpose is to analyze a set of JAR files (*.jar) and check whether they are compatible on a binary level, and whether they contain any "unpleasant surprises" for you.
It is available as Gradle plugin, or as standalone Java application run from the command line:
java -jar jarhc-with-deps.jar [options] <artifact> [<artifact>]*
More information can be found in the wiki.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Add a "dependency weight" by:
List missing classes, grouped by package.
Mark annotation classes (low issue).
Show number of usages.
List JAR files using the missing class.
Two states: "class missing" vs. "package missing".
Auto-suggest missing dependencies based on missing classes or packages.
Prerequisite: Some service to find a dependency (Maven artifact) given a class name or package name.
Create a minimal graphical user interface which can be used instead of the command line.
Add an option --group <scope> to chose whether issues should be grouped by Java class or only by JAR file, like a level of detail.
Implement consistent sorting of JAR files in report sections (some are case-sensitive, some case-insensitive).
Update
Idea: Add a command line option to control the order: --sort-jars classpath, --sort-jars name, etc.
Open questions:
Update 1
Currently, a SonarQube scan can be started by passing additional Gradle options when starting the Build workflow manually:
Additional Gradle options: sonarqube
To be reviewed:
The SonarQube task seems to download plugins from the SonarQube server. It seems as if they are stored in a 'user cache'. A line from the task output:
User cache: /home/runner/.sonar/cache
If this observation is true, we should check whether this directory can be cached between workflow runs.
Update 2
The path to the above user cache directory can be set with the environment variable SONAR_USER_HOME. Example run:
export SONAR_USER_HOME=/tmp
./gradlew sonarqube --info
...
User cache: /tmp/cache
Add option "--blacklist " to pass a file with blacklist patterns.
Support generation of multiple reports (text AND HTML) at the same time.
Get the build artifacts.
Prepare a matrix build on different Java versions and operating systems:
Run all JUnit tests using build artifacts:
jarhc-<version>.jarjarhc-<version>-tests.jarjarhc-<version>-test-libs.zipSonarQube only shows unit tests (271), but the Gradle build also runs ~ 90 integration tests. The results from these integration tests do not seem to be uploaded to SonarCloud.
Links:
Lines 148 to 158 in b998ce5
Try to capture and verify log output during unit and integration tests.
Test for "expected" exceptions instead of logging stacktraces.
Detect class files for non-Java languages (Kotlin, ...).
Open question:
Is there a way to detect whether a class has been generated from another language?
Include dependencies from metadata, e.g., service provider configuration in META-INF/services/, etc.
Create various plugins: Maven, Gradle, Ant, IntelliJ, Eclipse, TeamCity, SonarQube, ...
Options:
org.ow2.asm:asm:7.0:jar and replace them with links to Maven Central.Include "soft" dependencies through constant strings containing Java class names (potential use of reflection).
Calculate API similarity level as percentage value. If two classes have a different API, calculate "how different" they are.
Add an option --level <level> to set issue severity threshold to "error", "warn", or "info".
Prerequisite: Categorization of all issues.
Gradle command:
./gradlew dependencyCheckAnalyze
Requirements:
Report use of native code (declaration of or calls to native methods).
Compile and analyze JSP files found in WAR files.
After building JarHC, run it "on itself" to check if the build artifacts are valid.
--help and --version.Validation:
Check annotation references (does the annotation exist, are all mandatory parameters present, is the target class accessible, etc.)
Update
Add a field target to AnnotationRef, holding an instance of java.lang.annotation.ElementType to remember the type of element the annotation is attached to. Check whether this is a valid target.
Update 2
Keep information about name/value pairs of annotations.
Example: @SomeAnnotation(a = 1, b = true, c = "Hello", d = List.class, e = {1.0, 2.0, 3.5})
This requires a much more complex model in AnnotationRef.
Once this is supported, @Target annotations with an ElementType[] and ElementType enum values can be parsed. This is required to later check if an annotation is valid to be attached to a target element.
Example: The annotation SomeAnnotation must only be attached to fields or methods, but it is attached to a class:
@Target({ElementType.METHOD,ElementType.FIELD})
@interface SomeAnnotation {}
@SomeAnnotation
public class SomeClass {
...
Analyze module dependencies (satisfied, missing, services, etc.)
with(tasks.jar.get() as CopySpec)Better documentation of individual report sections with good examples.
Analyze and optimize memory usage.
Ideas:
intern() frequently used Strings like class names.Support individual *.class files on the classpath and combine them into an artificial "classes.jar".
Make implementations self-describing: getType() returns "text" or "html", getExtensions() returns "txt" or "html", etc.
Goal: The factory can decide automatically which implementation to use based on command line arguments.
Report code signing information (certificate, subject, ...).
Try to validate signature.
A provides…with module directive specifies that a module provides a service implementation — making the module a service provider. The provides part of the directive specifies an interface or abstract class listed in a module’s uses directive and the with part of the directive specifies the name of the service provider class that implements the interface or extends the abstract class.
A uses module directive specifies a service used by this module — making the module a service consumer. A service is an object of a class that implements the interface or extends the abstract class specified in the uses directive.
Include a new section "Security Vulnerabilities" with information about known security vulnerabilities found in JAR files.
Prerequisite:
A service to get vulnerabilities given Maven artifact coordinates.
Declare "features" an analyzer depends on to minimize/optimize classpath loading.
Add an "Overview" section listing the number of issues (errors, warnings, infos) found in every section.
Implement a workflow to create a new release.
Draft process:
-SNAPSHOT.-SNAPSHOT.Report use of the following methods:
System.gc()Thread.stop()Collection.parallelStream() and BaseStream.parallel()Code redesign: Main (static entry point) -> Application (command line application) -> Engine ( "core", reused in plugins etc.)
Split into multi-module project:
Load and analyze Java class files found in WAR files under WEB-INF/classes/.
Example output with JarHC version 1.4-SNAPSHOT:
jetty-util-9.4.20.v20190813.jar | org.eclipse.jetty.util.ModuleLocation
| • Method not found: java.lang.Object java.lang.invoke.MethodHandle.invoke(java.lang.Class)
| > java.lang.invoke.MethodHandle (method not found)
| > java.lang.Object (method not found)
| • Method not found: java.lang.Object java.lang.invoke.MethodHandle.invoke(java.lang.Object)
| > java.lang.invoke.MethodHandle (method not found)
| > java.lang.Object (method not found)
The class MethodHandle does indeed not contain a method "invoke" with a single parameter of type Class or Object. Instead, there is such a method with parameter type Object[] (vararg).
It seems as if the bytecode produced for calling the "invoke" method does not have to match the actual signature of this method. The same is probably true for the methods "invokeExact" and "invokeWithArguments".
For information about MethodHandle, see Javadoc:
https://docs.oracle.com/javase/8/docs/api/java/lang/invoke/MethodHandle.html
Sometimes integration tests fail due to timeouts when accessing external services like Maven Central.
Ideas:
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.