Classport: Designing Runtime Dependency Introspection for Java

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Emerging Technologies & Innovation · Depth: Expert, extended

Summary

Classport is a system that adds runtime dependency introspection to Java, a capability the JVM lacks and one that matters for software supply chain security. At build time it embeds each dependency's Group ID, Artifact ID, and Version (its GAV coordinates) directly into the Java class files using bytecode instrumentation; at runtime a Java agent reads that information back. Evaluated on six real-world open-source Java projects, Classport embedded all dependencies and class files, for example 12 dependencies and 7,914 class files for PDFBox. It introduced a moderate build-time overhead of 0.51 to 18.86 seconds and a disk-space overhead of 10% to 29%. Runtime introspection accurately identified the dependencies that were actually executed, with a low overhead of 0.74% to 4.27%, and preserved the applications' functional correctness. Classport enables use cases such as per-dependency runtime permissions and improved vulnerability detection.

Key takeaway

For Software Engineers managing Java application security, Classport provides crucial runtime dependency introspection, a feature previously unavailable. You can accurately identify which third-party libraries are actively used, enabling precise vulnerability management and the removal of unused dependencies to reduce attack surface. Consider integrating Classport to implement granular runtime permissions and enhance your software supply chain's integrity.

Key insights

Classport enables runtime dependency introspection in Java by embedding GAV metadata into class files and dynamically extracting it.

Method

Classport's Embedder is a Maven plugin that uses the ASM bytecode library to inject GAV coordinates into class files as Java annotations at build time. The Introspector, a Java agent, extracts these annotations from the classes that are loaded while the application executes.
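The following is an added illustrative example, not Classport's own code, covering both halves described in the summary and the method above: a build-time embedder that uses ASM to attach a runtime-visible class annotation carrying GAV coordinates, and a Java agent that reads those annotations back from loaded classes and counts which dependencies were actually used. The annotation name `DependencyCoordinates`, the class names, and the coordinate values are assumptions made for this example.

```java
// Added illustrative example, not Classport's own code. The annotation type, class
// names and coordinate values are assumptions made for this example.
import org.objectweb.asm.AnnotationVisitor;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.instrument.Instrumentation;
import java.util.Map;
import java.util.TreeMap;

/** Runtime-retained marker carrying the Maven coordinates of the artifact a class came from. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface DependencyCoordinates {
    String groupId();
    String artifactId();
    String version();
}

/** Build-time half: rewrites class bytes so that each class carries its GAV coordinates. */
final class GavEmbedder {
    // Descriptor of the annotation type above (default package in this example).
    private static final String DESC = "LDependencyCoordinates;";

    static byte[] embed(byte[] classBytes, String groupId, String artifactId, String version) {
        ClassReader reader = new ClassReader(classBytes);
        // No frame/max recomputation needed: only metadata is added, no bytecode changes.
        ClassWriter writer = new ClassWriter(reader, 0);
        ClassVisitor adder = new ClassVisitor(Opcodes.ASM9, writer) {
            @Override
            public void visitEnd() {
                // Append the annotation after the original class-level attributes were copied.
                // visible=true emits a RuntimeVisibleAnnotations attribute, which reflection can read.
                AnnotationVisitor av = super.visitAnnotation(DESC, true);
                av.visit("groupId", groupId);
                av.visit("artifactId", artifactId);
                av.visit("version", version);
                av.visitEnd();
                super.visitEnd();
            }
        };
        reader.accept(adder, 0);
        return writer.toByteArray();
    }
}

/** Runtime half: a java.lang.instrument agent started with -javaagent:introspector.jar. */
public final class IntrospectorAgent {
    public static void premain(String agentArgs, Instrumentation inst) {
        // At JVM exit, report which dependencies actually had classes loaded.
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            Map<String, Integer> used = usedDependencies(inst.getAllLoadedClasses());
            used.forEach((gav, n) -> System.out.println(gav + " -> " + n + " classes loaded"));
        }));
    }

    /** Counts loaded classes per GAV coordinate; classes without the annotation are ignored. */
    static Map<String, Integer> usedDependencies(Class<?>[] loaded) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Class<?> c : loaded) {
            DependencyCoordinates d = c.getAnnotation(DependencyCoordinates.class);
            if (d != null) {
                String gav = d.groupId() + ":" + d.artifactId() + ":" + d.version();
                counts.merge(gav, 1, Integer::sum);
            }
        }
        return counts;
    }
}
```

To use the agent half, package `IntrospectorAgent` in a jar whose manifest declares `Premain-Class: IntrospectorAgent` and start the application with `-javaagent:`. Two practical caveats: `Class.getAnnotation` resolves the annotation type through the annotated class's own class loader, so the annotation interface must be visible to every loader that loads instrumented classes (otherwise the annotation is silently absent and the dependency goes unreported); and `getAllLoadedClasses` reports classes that were loaded, which is a superset of classes whose methods were executed, so a per-method hook is needed if "used" must mean "executed" rather than "loaded".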

Best for: CTO, VP of Engineering/Data, Software Engineer, AI Security Engineer, Research Scientist

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.