# Java Shaded/Shadow JAR Detection

## Module
Scanner

## Status
VERIFIED

## Description
Detects Maven Shade plugin and Gradle Shadow plugin fat/uber JARs by analyzing relocated packages, service-provider rewrites, and embedded dependency manifests to attribute inner components.

## Implementation Details
- **Shaded JAR Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Shading/ShadedJarDetector.cs` - `ShadedJarDetector` identifies Maven Shade and Gradle Shadow fat/uber JARs by analyzing relocated packages, service-provider rewrites, and embedded dependency manifests
- **Analysis Results**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ShadedJarAnalysisResult.cs` - `ShadedJarAnalysisResult` model capturing detected shading details including relocated packages and embedded components
- **Language Analyzer Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs` - Integrates shaded JAR detection into the analysis pipeline

## E2E Test Plan
- [ ] Scan a container image with a Maven Shade plugin-produced uber JAR and verify embedded dependencies are attributed as inner components
- [ ] Scan a Gradle Shadow plugin-produced fat JAR and verify relocated packages are detected
- [ ] Verify service-provider rewrites (META-INF/services) from shading are identified and the original component is attributed
- [ ] Verify relocated package prefixes (e.g., `com.google.common` relocated to `shaded.com.google.common`) are detected and mapped back to the original dependency
- [ ] Verify the SBOM includes both the outer shaded JAR and the inner embedded dependencies with correct attribution

---

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
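
An added illustration of the relocation mapping described in the test plan, written in Python; it is not code from `ShadedJarDetector` or the Stella Ops repository. It assumes relocation by prefixing (as in the `shaded.com.google.common` case above) and uses a constructed package-to-coordinate table, a constructed sample JAR, and hypothetical function names.

```python
import io
import zipfile

# Constructed lookup (assumption): original package root -> Maven coordinate.
KNOWN_PACKAGES = {"com.google.common": "com.google.guava:guava"}
SERVICES = "META-INF/services/"

def read_embedded_poms(jar):
    """Collect {groupId:artifactId: version} from embedded pom.properties files."""
    found = {}
    for name in jar.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            lines = jar.read(name).decode("utf-8").splitlines()
            props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
            if "groupId" in props and "artifactId" in props:
                found[f"{props['groupId']}:{props['artifactId']}"] = props.get("version")
    return found

def find_relocation(dotted):
    """Return (relocated_root, original_root) if a known package sits behind a prefix."""
    for pkg in KNOWN_PACKAGES:
        idx = dotted.find("." + pkg + ".")
        if idx > 0:  # idx > 0 means something precedes the original package name
            return dotted[: idx + 1 + len(pkg)], pkg
    return None

def analyze(jar_bytes):
    """Map relocated packages and rewritten service files back to inner components."""
    relocations, services = {}, []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        embedded = read_embedded_poms(jar)
        for name in jar.namelist():
            dotted = name[: -len(".class")].replace("/", ".")
            if name.endswith(".class") and (hit := find_relocation(dotted)):
                relocations[hit[0]] = hit[1]
            elif name.startswith(SERVICES) and find_relocation(name[len(SERVICES):]):
                services.append(name[len(SERVICES):])
    # Version is None when the shaded JAR did not keep the dependency's pom.properties.
    inner = {KNOWN_PACKAGES[o]: embedded.get(KNOWN_PACKAGES[o]) for o in relocations.values()}
    return {"relocations": relocations, "rewritten_services": services, "inner_components": inner}

def build_sample_jar():
    """Constructed sample: uber JAR with one relocated dependency (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/app/Main.class", b"")
        jar.writestr("shaded/com/google/common/collect/Lists.class", b"")
        jar.writestr(SERVICES + "shaded.com.google.common.SampleService", b"")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                     "groupId=com.google.guava\nartifactId=guava\nversion=0.0.0-sample\n")
    return buf.getvalue()
```

Calling `analyze(build_sample_jar())` returns the relocated root, the rewritten service file name, and the inner component with the version read from its embedded `pom.properties`.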