JarHC is a static analysis tool to help you find your way through "JAR hell" or "classpath hell".
Its main purpose is to analyze a set of JAR files (.jar), WAR files (.war), and JMOD files (*.jmod) and check whether they are compatible on a binary level, and whether they contain any "unpleasant surprises" for you.
If you don't know what JAR hell is, check out these articles:
The input to JarHC is a set of JAR files, called the "classpath". This is usually a bunch of third-party libraries used in a Java project. JarHC analyzes these JAR files and generates a report for various aspects.
List of JAR files found in classpath with the following information:
- File size
- Number of Java classes in JAR file
- Number of Resources in JAR file
- Is JAR file a multi-release JAR?
- Is JAR file a JPMS module? If yes, what is the module name?
- SHA-1 checksum
- Maven artifact coordinates (if checksum is found on Maven Central)
Extract JPMS module information from all JAR files from
module-info.class files. If there is no such information, look for a JAR manifest attribute "Automatic-Module-Name". Otherwise, auto-generate module name based on file name.
Java versions for which the Java classes in the JAR files have been compiled. This allows you to find the "minimum Java version" required to run all classes.
Lists dependencies between JAR files ("uses" and "used by"). This report is based on actual usage of classes, methods and fields in Java code.
Lists direct dependencies as declared in POM files and analyzes whether these dependencies are satisfied (available on the classpath).
- List of packages per JAR file.
- Checks for split packages: packages found in multiple JAR files.
- Checks for "fat JARs": JARs with a mix of very different packages, potentially because multiple JAR files have been merged.
- Java classes found in more than one JAR file of the classpath.
- Java classes found in classpath shadowing provided or runtime Java classes (JRE/JDK).
- Resources (files other than Java class files) found in more than one JAR file under the exact same path and name.
Also checks how "similar" duplicate and shadowed Java classes are (exact copy, same API, or different API).
Validates superclass and interface contracts, method calls, and field access. Reports missing classes, methods, or fields, and validates access permissions.
Reports use of dangerous, unsafe, unstable, or deprecated classes and methods:
Checks for executable files bundled as resources:
Information about the Java Runtime (JRE or JDK) used to run JarHC.