{"id":26633512,"url":"https://github.com/chains-project/classport","last_synced_at":"2025-03-24T15:15:13.422Z","repository":{"id":229851928,"uuid":"777658073","full_name":"chains-project/classport","owner":"chains-project","description":"Passports for Java class files","archived":false,"fork":false,"pushed_at":"2024-05-22T09:41:13.000Z","size":91,"stargazers_count":0,"open_issues_count":5,"forks_count":0,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-05-22T12:09:02.521Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-26T09:19:21.000Z","updated_at":"2024-05-28T00:38:51.688Z","dependencies_parsed_at":"2024-05-28T00:38:48.653Z","dependency_job_id":"9e003dbf-1b39-48c2-8d83-b6e721f5dd0b","html_url":"https://github.com/chains-project/classport","commit_stats":null,"previous_names":["chains-project/classport"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fclassport","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fclassport/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fclassport/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fclassport/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains
-project","download_url":"https://codeload.github.com/chains-project/classport/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245294720,"owners_count":20591909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-24T15:15:12.941Z","updated_at":"2025-03-24T15:15:13.414Z","avatar_url":"https://github.com/chains-project.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Classport\n\n**Classport** is a tool to enable accurate runtime inspection of the supply chain in Maven Java programs. \n\nClassport's main objective is to make software supply chain information available at runtime.\n\nTo reach this goal it:\n\n* **Embeds** supply chain metadata in each class file that is to be part of the application during build time.\n* **Monitors** the classes loaded by the running application and **extracts** the embedded Software Supply Chain information from the loaded classes. 
\n\nIn this way, Classport is able to accurately connect the loaded classes to their corresponding upstream dependencies and build a runtime representation of the application’s code-related supply chain.\n\nSee [The Embedding and Retrieval of Software Supply Chain Information in Java Applications (Master's thesis Daniel Williams, KTH, 2024)](https://kth.diva-portal.org/smash/record.jsf?dswid=7855\u0026pid=diva2%3A1905606\u0026c=1\u0026searchType=SIMPLE\u0026language=en\u0026query=The+Embedding+and+Retrieval+of+Software+Supply+Chain+Information+in+Java+Applications\u0026af=%5B%5D\u0026aq=%5B%5B%5D%5D\u0026aq2=%5B%5B%5D%5D\u0026aqe=%5B%5D\u0026noOfRows=50\u0026sortOrder=author_sort_asc\u0026sortOrder2=title_sort_asc\u0026onlyFullText=false\u0026sf=all)\n\n\n## Structure\n\n![classport overview](./resources/imgs/classport-overview.png)\n\nThe picture gives an overview of the structure of Classport. The structure is divided into two phases: **Embedding phase** and **Extracting Phase**.\n\n### Embedding Phase\n\nThe inputs of this phase are the dependency JARs and the project source files.\nThe embedder is responsible for embedding the supply chain information in the form of Java Annotations into the class files.\nThis feature is implemented by the Maven plugin that\nmodifies the JAR files during the build process and is contained in the `classport.commons` module.\n\nThe embedded class files can be packaged together with the application, or just added to the classpath in place of the \"regular\" versions of the class files. \n### Extracting Phase\n\nThis is the phase in which the supply chain information is extracted.  \nIt can be done dynamically or statically.\n\n#### Dynamic Analyser\n\nThe `classport.agent`\npackage contains a Java agent that can be run alongside the Classport-ified JAR.\nThis agent logs all the supply-chain data for classes that get loaded,\nand prints a dependency tree from these at the end. 
This way, the dependency tree\nwill consist of only those dependencies that were actually used at runtime.\n\n#### Static Analyser\n\nThe `classport.analyser` package contains two tools for statically analysing\nand modifying JAR files.\n\n\n## Usage\n\nPackage all the modules. From the root of the Classport project:\n\n```console \nmvn package\n```\n\nUse the Maven plugin to embed supply chain information into the class files of the project using the `embed` goal. From the root directory of the analysed Maven project:\n\n```console\nmvn io.github.chains-project:classport-maven-plugin:0.1.0-SNAPSHOT:embed\n```\nThe `embed` goal of the Maven plugin retrieves a list of project dependencies and their corresponding JAR files, embeds the annotation into all class files within each JAR, and recreates what can be seen as a dependency-only Maven local repository in the `classport-files` directory.\n\nThe JAR files from within there can then be included in the class path with the `-cp` flag as per usual.\n\nFor projects that get packaged into an Uber-JAR:\n\n```console\nmvn package -Dmaven.repo.local=classport-files\n```\n\nFor multi-module projects, package each project separately as dependency properties\nmay differ (e.g. 
a direct dependency for one module is a transitive one for another).\n\n### Dynamic analysis\nUse the agent to detect the used classes:\n\n```console\njava -javaagent:\u003cpath-to-agent-jar\u003e -jar \u003cpath-to-app-jar\u003e\n```\n\nThis command outputs the **runtime representation** of the software supply chain of the analysed project:\n- `classport-deps-list` --\u003e flat list of dependencies\n- `classport-deps-tree` --\u003e tree of dependencies\n\n### Static analysis\n\nThis is the command to perform static analysis:\n```console\njava -jar \u003cpath-to-analyzer-jar\u003e -\u003cprintList|printTree|generateTestJar\u003e \u003cjarFile\u003e [classes-to-be-ignored]\n```\n\nThe available flags are:\n* `-printList`, for statically generating a flat list of dependencies. Below is an example of the command output on a simple Java application with only one dependency.\n\n```\norg.apache.commons:commons-lang3:jar:3.17.0\n```\n* `-printTree`, for statically generating a dependency tree. Below is an example of the command output on a simple Java application with only one dependency.\n\n```\norg.example:hello:jar:0.1.0\n\\- org.apache.commons:commons-lang3:jar:3.17.0\n```\n\n\n\n* `-generateTestJar`, for generating a JAR file where the main class has been modified to force-load classes from all dependencies.\n\n## Requirements\n\n* Maven \n* Java \u003e= 17\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fclassport","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fclassport","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fclassport/lists"}