Skip to content

B4ckslash/jar-verifier

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

121 Commits
.github/workflows
.github/workflows
 
 
data
data
 
 
src
src
 
 
testdata
testdata
 
 
tools
tools
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

JAR Verifier

A utility to check Java JAR libraries for any unsatisfied dependencies by checking their imported classes and used methods.

Building

Debug build:

cargo build

Release build:

cargo build --release

It is possible to embed information about Java SE libraries directly into the executable. This can be useful if you can't (or don't want to) distribute this information alongside the executable. To do this, simply append -F embedded_classinfo to the build command.

Usage

jar_verifier [OPTIONS] <CLASSPATH> <JDK_CLASSINFO>
Arguments:
  <CLASSPATH>      Classpath of JARs to be checked
  <JDK_CLASSINFO>  A file listing the available classes and methods of the relevant JDK
Options:
  -t, --threads <THREADS>          The number of threads to use [default: 1]
  -o, --output-file <OUTPUT_FILE>  The output file path. Prints to stdout if not set
  -h, --help                       Print help
  -V, --version                    Print version

The CLASSPATH must be a list of .jar files, separated by a semicolon (;).

Shell and glob expansions are supported, so you can give a path like path/to/lib/dir/*.jar or ~/path/to/jars/lib.jar. Globbing is done by the program itself, so any path with globs should be put in single quotes ('), otherwise the shell will expand it itself and mess up the input.

The output file given with the -o flag will be overwritten if it already exists.

Class information files for OpenJDK 11, 17, 21, and 25 are available in the data/ directory. These get embedded when the feature flag is specified during build.

Output

The output can be roughly described by the following grammar:

ClassRequirements := ClassName Requirement+
Requirement       := <TAB>(ClassImport|MethodImport)
ClassImport       := "Class " ClassName
MethodImport      := ("ClassMethod "|"IfaceMethod ") MethodSpec
MethodSpec        := ClassName "#" MethodName MethodDescriptor

ClassName, MethodName and MethodDescriptor are described by the JVM class file format spec: Names MethodDescriptor

An example of the output can be found in the test data.

Creating .classinfo files

There is a tool to create .classinfo files in the tools/jdk_class_reader directory which works by reading the module file of your JDK via the jimage program.

Prerequisites

  • JDK newer than Java 9

Usage

cd tools/jdk_class_reader
./gradlew run --args 'path/to/module/file path/to/output/classinfo'

EXAMPLE:
./gradlew run --args '/usr/lib/jvm/java-17/lib/modules /tmp/17.classinfo'

The module file MUST be a JImage file. You can check this by running jimage verify <path>.

Afterwards, you can find a file specifying the class information at the given output path. To prevent any mismatches in classes, you may want to adjust the Java version specified in app/build.gradle.kts to align with the Java version that you want to process.

The above command will download a Gradle distribution ZIP file if you do not have Gradle installed.

About

A tool to check Java JAR files' dependencies

Resources

Readme

License

MPL-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 4

v0.4.0 Latest
Dec 1, 2025
+ 3 releases

Packages

No packages published

Languages