Skip to content
Stephan Markwalder edited this page Apr 23, 2019 · 5 revisions


Command line

  • Option --group <scope> to chose whether issues should be grouped by Java class or only by JAR file, like a level of detail.
  • Option --level <level> to set issue severity threshold to "error", "warn", or "info". (Prerequisite: categorization of all issues)
  • Option --release <number> to specify the Java release (for correct handling of multi-release JAR files).
  • Option --debug or --verbose to generate more detailed output.

Class loading

  • Load and analyze Java class files found in WAR files under WEB-INF/classes/.
  • Compile and analyze JSP files found in WAR files.
  • Support individual *.class files on the classpath (cobine them into an artificial "classes.jar").
  • Correct handling of multi-release JAR files (requires option --release <number>)


  • Blacklist: Add option "--blacklist " to pass a file with blacklist patterns.
  • Blacklist: Use of native code (declaration of or calls to native methods).
  • Blacklist: Use of System.gc(), Thread.stop(), Collection.parallelStream(), BaseStream.parallel(), ...
  • API similarity: Calculate similarity level as percentage value. If two classes have a different API, calculate "how different" they are.
  • New analyzer: Detect class files for non-Java languages (Kotlin, ...). Is there a way to detect whether a class has been generated from another language?
  • New analyzer: "JPMS Module Dependencies" (requires, exports, opens, ...).
  • Binary Compatibility: Check annotation references (does the annotation exist, are all mandatory parameters present, is the target class accessible, etc.)
  • Binary Compatibility: Is overriding of a method allowed?
  • JAR Dependencies: Include "soft" dependencies through constant strings containing Java class names (potential use of reflection).
  • JAR Dependencies: Include dependencies from metadata, e.g., service provider configuration in META-INF/services/, etc.
  • JAR Dependencies: Add a "dependency weight" by the number of references.
  • JAR Dependencies: Report circular dependencies.
  • JAR Files: Report code signing information (certificate, subject, ...). Validate signrature.


  • JAR Files: Add link to Maven Central using SHA-1 checksum of a JAR file (HTML report only).
  • Add an "Overview" section listing the number of issues (errors, warnings, infos) found in every section.
  • Report Format: Make implementations self-describing: getType() returns "text" or "html", getExtensions() returns "txt" or "html", etc. Goal: The factory can decide automatically which implementation to use based on command line arguments.
  • Support generation of multiple reports (text AND HTML) at the same time.

Misc ideas

  • GUI: Create a minimal graphical user interface which can be used instead of the command line.
  • Create various plugins: Maven, Gradle, Ant, IntelliJ, Eclipse, TeamCity, SonarQube, ...


  • Packages: Do not report "split package" issue because of duplicate classes.
  • Fix --remove-version and --use-artifact-name for nested JAR files.
  • Implement consistent sorting of JAR files in report sections (some are case-sensitive, some case-insensitive).

Technical debts

  • Optimize memory usage. Maybe intern frequently used Strings like class names?
  • Declare "features" an analyzer depends on to minimize/optimize classpath loading.
  • Code redesign: Main (static entry point) -> Application (command line application) -> Engine ( "core", reused in plugins etc.)
  • Maven: Split into multi-module project? jarhc-core, jarhc-cli, jarhc-jmh, jarhc-gui, jarhc-maven-plugin, jarhc-gradle-plugin, jarhc-intellij-plugin, jarhc-sonar-plugin, jarhc-ant-task, ...
  • Maven: Deploy site to GitHub Pages (use GitHub Maven Plugin?)
  • Maven: Integrate FindBugs, Checkstyle, etc
  • Tests: Remove dependency on junit-pioneer after migration to JUnit 5.4+. Migrate to new TempDirectory extension added in JUnit 5.4.


  • Motivation: Write some good use cases.
  • Better documentation of individual report sections with good examples.
  • Document local cache directory ".jarhc".
You can’t perform that action at this time.