1.7 KiB
1.7 KiB
Java Shaded/Shadow JAR Detection
Module
Scanner
Status
IMPLEMENTED
Description
Detects Maven Shade plugin and Gradle Shadow plugin fat/uber JARs by analyzing relocated packages, service-provider rewrites, and embedded dependency manifests to attribute inner components.
Implementation Details
- Shaded JAR Detection:
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Shading/ShadedJarDetector.cs-ShadedJarDetectoridentifies Maven Shade and Gradle Shadow fat/uber JARs by analyzing relocated packages, service-provider rewrites, and embedded dependency manifests
- Analysis Results:
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ShadedJarAnalysisResult.cs-ShadedJarAnalysisResultmodel capturing detected shading details including relocated packages and embedded components
- Language Analyzer Integration:
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs- Integrates shaded JAR detection into the analysis pipeline
E2E Test Plan
- Scan a container image with a Maven Shade plugin-produced uber JAR and verify embedded dependencies are attributed as inner components
- Scan a Gradle Shadow plugin-produced fat JAR and verify relocated packages are detected
- Verify service-provider rewrites (META-INF/services) from shading are identified and the original component is attributed
- Verify relocated package prefixes (e.g.,
com.google.commonrelocated toshaded.com.google.common) are detected and mapped back to the original dependency - Verify the SBOM includes both the outer shaded JAR and the inner embedded dependencies with correct attribution