Check for nested JAR files in static analysis

chains-project / classport

Passports for Java class files

MIT License

0 stars 0 forks source link

Check for nested JAR files in static analysis #10

Open danielwis opened 5 months ago

danielwis commented 5 months ago

If a JAR file is packaged as-is into the Uber-JAR (i.e. instead of jar1!path/to/classfile/from/dep1 we have jar1!dep1!/path/to/classfile), the static analyser won't detect it. The nested JAR will still contain the ClassportInfo annotations for each class file within it, but the static analyser won't see them as it just sees that the JAR file is "not a class file" and moves on.

This case should be handled properly, e.g. by recursively descending into nested JAR files.

algomaster99 commented 4 months ago

This happened in project https://github.com/patrickfav/bcrypt. It is not compatible with classport so we don't need to fix it now.