feat: Experimental code to start java class reachability. #1480
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oliverchang
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1480 +/- ##
=======================================
Coverage 66.93% 66.93%
=======================================
Files 197 197
Lines 18621 18621
=======================================
Hits 12464 12464
Misses 5471 5471
Partials 686 686 ☔ View full report in Codecov by Sentry. |
cuixq
approved these changes
Jan 13, 2025
| ) | ||
|
|
||
| // ClassFile struct represents the overall structure of a Java class file. | ||
| // This only contains the fields we care about for reachability analysis. |
There was a problem hiding this comment.
I guess this corresponds to https://docs.oracle.com/javase/specs/jvms/se7/html/jvms-4.html#jvms-4.1?
oliverchang
added a commit
that referenced
this pull request
Jan 15, 2025
Followup to #1480 This adds support for analyzing uber .jar files by: - Unpacking the .jar - Finding the main class from META-INF/MANIFEST.MF - Building a map of class -> Maven jar by extracting the list of Maven dependencies from META-INF/maven/**/pom.properties files (using OSV-Scalibr), downloading the .jar files and unpacking them to discover .class files. - Enumerating class reachability from the main class. - Determining the list of reachable Maven dependencies by using the class -> Maven jar map we built. Usage: ``` go run ./cmd/reachable -verbose /path/to/file.jar ... 2025/01/14 13:50:52 INFO Reachable dep=io.swagger.parser.v3:swagger-parser-v3 2025/01/14 13:50:52 INFO Reachable dep=com.dorkbox:Desktop 2025/01/14 13:50:52 INFO Reachable dep=ch.qos.logback:logback-core 2025/01/14 13:50:52 INFO Reachable dep=commons-io:commons-io 2025/01/14 13:50:52 INFO Not reachable dep=com.dorkbox:NetworkUtils 2025/01/14 13:50:52 INFO Not reachable dep=io.swagger.parser.v3:swagger-parser 2025/01/14 13:50:52 INFO Not reachable dep=io.swagger.parser.v3:swagger-parser-v2-converter 2025/01/14 13:50:52 INFO Not reachable dep=com.reprezen.kaizen:openapi-parser ... ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds the beginnings of a Java reachability analyser that recursively parses class constant pools (https://docs.oracle.com/javase/specs/jvms/se22/html/jvms-4.html#jvms-4.7) for references to other classes.
The intention is to see if this can be used to exclude transitive dependencies
from vulnerability scanning completely, if they can be proven to be
unreachable.
There's still a lot of TODOs remaining (recorded in the Go source as comments). This tool currently expects
all dependency class files to be available (passed via
--classpath).