Classport: Designing Runtime Dependency Introspection for Java
- URL: http://arxiv.org/abs/2510.20340v1
- Date: Thu, 23 Oct 2025 08:39:30 GMT
- Authors: Serena Cofano, Daniel Williams, Aman Sharma, Martin Monperrus,
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: Runtime introspection of dependencies, i.e., the ability to observe which dependencies are currently used during program execution, is fundamental for Software Supply Chain security. Yet, Java has no support for it. We solve this problem with Classport, a system that embeds dependency information into Java class files, enabling the retrieval of dependency information at runtime. We evaluate Classport on six real-world projects, demonstrating the feasibility in identifying dependencies at runtime. Runtime dependency introspection with Classport opens important avenues for runtime integrity checking.
Related papers
- Analyzing the Availability of E-Mail Addresses for PyPI Libraries
  81.6% of libraries include at least one valid e-mail address, with PyPI serving as the primary source. We identify over 698,000 invalid entries, primarily due to missing fields.
  arXiv Detail & Related papers (2026-01-20T14:54:58Z)
- Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem
  Security policies, such as SECURITY.md files, are now common in open-source projects. This study explores the relationship between security policies and dependency management in PyPI projects.
  arXiv Detail & Related papers (2025-11-27T07:51:48Z)
- Maven-Lockfile: High Integrity Rebuild of Past Java Releases
  Maven is one of the most important package managers in the Java ecosystem. We present Maven-Lockfile to generate and update lockfiles with support for rebuilding projects from past versions. Our evaluation shows that Maven-Lockfile can reproduce builds from historical commits and is able to detect tampered artifacts.
  arXiv Detail & Related papers (2025-10-01T10:14:32Z)
- Analyzing the Usage of Donation Platforms for PyPI Libraries
  This study analyzes the adoption of donation platforms in the PyPI ecosystem. GitHub Sponsors is the dominant platform, though many PyPI-listed links are outdated.
  arXiv Detail & Related papers (2025-03-11T10:27:31Z)
- Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order
  We present Maven-Hijack, a novel attack that exploits the order in which Maven packages dependencies. By injecting a malicious class with the same fully qualified name as a legitimate one into a dependency that is packaged earlier, an attacker can silently override core application behavior. We evaluate three mitigation strategies: sealed JARs, Java Modules, and the Maven Enforcer plugin.
  arXiv Detail & Related papers (2024-07-26T14:17:47Z)
- Analyzing Maintenance Activities of Software Libraries
  Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
  arXiv Detail & Related papers (2023-06-09T16:51:25Z)
- Hexatagging: Projective Dependency Parsing as Tagging
  We introduce a novel dependency parser, the hexatagger, that constructs dependency trees by tagging the words in a sentence with elements from a finite set of possible tags. Our approach is fully parallelizable at training time, i.e., the structure-building actions needed to build a dependency parse can be predicted in parallel to each other. We achieve state-of-the-art performance of 96.4 LAS and 97.4 UAS on the Penn Treebank test set.
  arXiv Detail & Related papers (2023-06-08T18:02:07Z)
- Analysis of Library Dependency Networks of Package Managers Used in iOS Development
  The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager (PM). Although CocoaPods is the package manager with the biggest set of libraries, the difference to other package managers is not as big as expected. Swift PM is becoming more and more popular, resulting in a gradual slow-down of the growth of the other two package managers.
  arXiv Detail & Related papers (2023-05-18T12:14:19Z)
- SequeL: A Continual Learning Library in PyTorch and JAX
  SequeL is a library for Continual Learning that supports both PyTorch and JAX frameworks. It provides a unified interface for a wide range of Continual Learning algorithms, including regularization-based approaches, replay-based approaches, and hybrid approaches. We release SequeL as an open-source library, enabling researchers and developers to easily experiment with and extend the library for their own purposes.
  arXiv Detail & Related papers (2023-04-21T10:00:22Z)
- Automatic Specialization of Third-Party Java Dependencies
  Large-scale code reuse significantly reduces both development costs and time. The massive share of third-party code in software projects poses new challenges, especially in terms of maintenance and security. We propose a novel technique to specialize dependencies of Java projects, based on their actual usage.
  arXiv Detail & Related papers (2023-02-16T15:37:49Z)
- Code Librarian: A Software Package Recommendation System
  We present a recommendation engine called Librarian for open source libraries. A candidate library package is recommended for a given context if: 1) it has been frequently used with the imported libraries in the program; 2) it has similar functionality to the imported libraries in the program; 3) it has similar functionality to the developer's implementation; and 4) it can be used efficiently in the context of the provided code.
  arXiv Detail & Related papers (2022-10-11T12:30:05Z)