smarkwal edited this page Apr 18, 2019 · 11 revisions

JarHC - JAR Health Check

JarHC is a static analysis tool to help you find your way through "JAR hell" or "classpath hell".

Its main purpose is to analyze a set of JAR files (*.jar) and check whether they are compatible on a binary level, and whether they contain any "unpleasant surprises" for you.

Motivation

If you don't know what JAR hell is, check out these articles:

How JarHC works

The input to JarHC is a set of JAR files, called the "classpath". This is usually a bunch of third-party libraries used in a Java project. JarHC analyzes these JAR files and generates a report with the sections described below.

Report sections

JAR Files

List of JAR files found in the classpath with the following information:

  • File size
  • Number of Java classes in JAR file
  • Number of resources in JAR file
  • Is JAR file a multi-release JAR?
  • Is JAR file a JPMS module? If yes, what is the module name?
  • SHA-1 checksum
  • Maven artifact coordinates (if checksum is found on Maven Central)

Class Versions

Java versions for which the Java classes in the JAR files have been compiled. This allows you to find the "minimum Java version" required to run all classes.

JAR Dependencies

Lists dependencies between JAR files ("uses" and "used by").

Packages

  • List of packages per JAR file.
  • Checks for split packages: packages found in multiple JAR files.
  • Checks for "fat JARs": JARs with a mix of very different packages, potentially because multiple JAR files have been merged.

Duplicate Classes

  • Java classes found in more than one JAR file of the classpath.
  • Java classes found in classpath shadowing provided or runtime Java classes (JRE/JDK).
  • Resources (files other than Java class files) found in more than one JAR file under the exact same path and name.

Also checks how "similar" duplicate and shadowed Java classes are (exact copy, same API, or different API).
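
The Class Versions and Duplicate Classes checks above, sketched as an added Python example (not JarHC's own code, which this page does not show). It runs on a constructed two-JAR classpath built in memory and compares duplicates by SHA-256 of the class bytes, so it only separates exact copies from differing bytes and does not tell "same API" from "different API"; the names make_jar, fake_class and scan are hypothetical.

```python
import hashlib
import io
import struct
import zipfile
from collections import defaultdict

def make_jar(entries):
    """Build a constructed in-memory JAR (a ZIP archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

def fake_class(major, body=b""):
    """Constructed stand-in for a class file: magic, minor, major, filler."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, major) + body

def scan(classpath):
    """classpath: {jar name: jar bytes} -> (duplicates, highest major version)."""
    seen = defaultdict(dict)  # class path -> {jar name: SHA-256 of class bytes}
    max_major = 0
    for jar_name, jar_bytes in classpath.items():
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                # META-INF/versions/* holds multi-release variants, not duplicates.
                if not name.endswith(".class") or name.startswith("META-INF/"):
                    continue
                data = zf.read(info)
                if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
                    continue  # truncated or not a class file despite the extension
                major = struct.unpack(">H", data[6:8])[0]
                max_major = max(max_major, major)
                seen[name][jar_name] = hashlib.sha256(data).hexdigest()
    duplicates = {}
    for name, owners in seen.items():
        if len(owners) > 1:
            same = len(set(owners.values())) == 1
            duplicates[name] = (sorted(owners), "exact copy" if same else "different bytes")
    return duplicates, max_major

# Constructed sample classpath: two JARs that both ship org/example/*.class.
SAMPLE = {
    "lib-a.jar": make_jar({"org/example/Util.class": fake_class(52, b"v1"),
                           "org/example/Same.class": fake_class(52)}),
    "lib-b.jar": make_jar({"org/example/Util.class": fake_class(55, b"v2"),
                           "org/example/Same.class": fake_class(52)}),
}
```

Class file major version 52 corresponds to Java 8 and 55 to Java 11, so the highest major version found gives the minimum Java version needed to run every class on the classpath.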

Binary Compatibility

Validates superclass and interface contracts, method calls, and field access. Reports missing classes, methods, or fields, and validates access permissions.

Blacklist

Reports use of dangerous, unsafe, unstable, or deprecated classes and methods:

  • sun.misc.Unsafe
  • System.exit(...), Runtime.exit(...), or Runtime.halt(...)
  • System.load(...), System.loadLibrary(...), Runtime.load(...), or Runtime.loadLibrary(...)
  • Runtime.exec(...)
  • @Deprecated, @VisibleForTesting, @Beta, @DoNotCall,

Java Runtime

Information about the Java Runtime (JRE or JDK) used to run JarHC.
