pith. sign in

arxiv: 2510.20340 · v3 · submitted 2025-10-23 · 💻 cs.SE · cs.CR

Classport: Designing Runtime Dependency Introspection for Java

Serena Cofano , Daniel Williams , Aman Sharma , Martin Monperrus This is my paper

Pith reviewed 2026-05-18 05:04 UTC · model grok-4.3

classification 💻 cs.SE cs.CR
keywords Javaclass filesruntime introspectiondependenciessoftware supply chain securitydependency embedding
0
0 comments X

The pith

Classport embeds dependency information into Java class files to enable its retrieval at runtime.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Java currently provides no built-in mechanism for programs to observe which dependencies are active while they execute. Classport introduces a method to embed this dependency information directly into Java class files. Once embedded, the information becomes available for retrieval during program execution. The paper demonstrates this approach by applying Classport to six real-world Java projects and confirming that dependencies can be identified at runtime.

Core claim

Classport is a blueprint and system that embeds dependency information into Java class files, enabling the retrieval of dependency information at runtime. This addresses the lack of support in Java for runtime introspection of dependencies, which the authors identify as fundamental for Software Supply Chain security.

What carries the argument

Classport, a system for embedding dependency metadata into Java class files so that it can be queried at runtime.

If this is right

  • Java applications gain the ability to inspect their own dependency usage while running.
  • Security monitoring can track active dependencies without relying on external analysis tools.
  • The embedding works across real-world projects without requiring changes to the JVM itself.
  • Dependency information becomes part of the executable artifact rather than separate metadata.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same embedding idea could be adapted for other languages that compile to JVM bytecode.
  • Build pipelines might eventually perform the embedding automatically as part of standard compilation.
  • Production monitoring systems could use the runtime data to detect unexpected dependency loading.

Load-bearing premise

Embedding extra dependency metadata into standard Java class files will not break compatibility with existing JVMs, build tools, or performance expectations.

What would settle it

Running the six evaluated projects after Classport modification and finding that a standard JVM refuses to load the class files or that dependency identification fails during execution.

Figures

Figures reproduced from arXiv: 2510.20340 by Aman Sharma, Daniel Williams, Martin Monperrus, Serena Cofano.

Figure 1
Figure 1. Figure 1: Overview of Classport, a novel system that enables runtime dependency introspection in Java. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
read the original abstract

Runtime introspection of dependencies, i.e., the ability to observe which dependencies are currently used during program execution, is fundamental for Software Supply Chain security. Yet, Java has no support for it. We solve this problem with Classport, a blueprint and system that embeds dependency information into Java class files, enabling the retrieval of dependency information at runtime. We evaluate Classport on six real-world projects, demonstrating the feasibility in identifying dependencies at runtime.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents Classport, a system and blueprint that embeds dependency information into standard Java class files as custom attributes, enabling runtime retrieval of which dependencies are in use during execution. This addresses the absence of built-in runtime dependency introspection in Java, motivated by software supply chain security needs. Feasibility is demonstrated through an evaluation on six real-world projects.

Significance. If the compatibility and performance properties hold, Classport offers a practical mechanism for runtime dependency observation in Java, which could meaningfully support supply-chain security tooling. The work is a concrete system design and implementation rather than a parameterized model; the evaluation on six real-world projects provides direct evidence of deployability on existing codebases.

major comments (2)
  1. [§5 Evaluation] §5 Evaluation: feasibility is shown via six projects, yet the section reports no quantitative metrics (e.g., class-file size increase, runtime overhead, or success rate under load), no error analysis, and no baseline comparisons, leaving the practical utility of the central claim difficult to gauge.
  2. [§4 Implementation] §4 Implementation: the claim that custom-attribute embedding preserves full compatibility with unmodified JVMs, class loaders, and build pipelines rests on JVM specification permissiveness but is not supported by an explicit compatibility matrix, tests under -Xverify:all, or experiments with common class-file rewriting tools.
minor comments (2)
  1. [Abstract] Abstract: a single sentence summarizing observed overhead or identification accuracy from the evaluation would strengthen the summary of results.
  2. [§3 Design] Notation for the embedded dependency records is introduced without an early example or diagram; a small illustrative class-file fragment in §3 would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment below, indicating where revisions have been made to strengthen the manuscript.

read point-by-point responses

  1. Referee: [§5 Evaluation] §5 Evaluation: feasibility is shown via six projects, yet the section reports no quantitative metrics (e.g., class-file size increase, runtime overhead, or success rate under load), no error analysis, and no baseline comparisons, leaving the practical utility of the central claim difficult to gauge.

    Authors: We agree that quantitative metrics would better support assessment of practical utility. The evaluation in §5 demonstrates successful runtime dependency identification on six real-world projects to establish feasibility. In the revised manuscript we will add class-file size overhead measurements, basic runtime overhead figures under representative loads, an error analysis of identification accuracy, and a baseline comparison against static dependency analysis tools. revision: yes

  2. Referee: [§4 Implementation] §4 Implementation: the claim that custom-attribute embedding preserves full compatibility with unmodified JVMs, class loaders, and build pipelines rests on JVM specification permissiveness but is not supported by an explicit compatibility matrix, tests under -Xverify:all, or experiments with common class-file rewriting tools.

    Authors: The compatibility argument relies on the JVM specification explicitly allowing unknown custom attributes to be ignored. We have revised §4 to include an explicit compatibility matrix for major JVM versions and common class loaders, plus results from tests with standard build pipelines. We did not run exhaustive verification under -Xverify:all or against every rewriting tool, as these fall outside typical deployment; this limitation is now noted in the text. revision: partial

Circularity Check

0 steps flagged

No circularity: Classport is a concrete system design and implementation with no derivation chain

full rationale

The paper describes a system for embedding dependency metadata into Java class files via custom attributes and evaluates feasibility on six projects. No equations, fitted parameters, predictions, or first-principles derivations are present that could reduce to inputs by construction. Claims rest on the JVM specification's allowance for custom attributes (an external standard) and direct implementation/evaluation rather than self-referential definitions or load-bearing self-citations. The contribution is self-contained engineering work, not a mathematical or predictive chain.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The design rests on the assumption that class-file attributes can be extended without violating the JVM specification or existing tooling expectations; no free parameters or new physical entities are introduced.

axioms (1)
  • domain assumption Java class files can accept additional custom attributes that are ignored by standard JVMs and build tools.
    Required for the embedding step to remain compatible.

pith-pipeline@v0.9.0 · 5590 in / 1001 out tokens · 25417 ms · 2026-05-18T05:04:01.213290+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

32 extracted references · 32 canonical work pages

  1. [1]

    Amusuo, Kyle A

    Paschal C. Amusuo, Kyle A. Robinson, Tanmay Singla, Huiyun Peng, Aravind Machiry, Santiago Torres-Arias, Laurent Simon, and James C. Davis. 2024. ZTD𝐽 𝐴𝑉 𝐴: Mitigating Software Supply Chain Vulnerabilities via Zero-Trust Dependencies. arXiv:2310.14117 [cs.CR] https://arxiv.org/abs/2310.14117

    work page arXiv 2024

  2. [2]

    Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monper- rus, Javier Ron, Aman Sharma, Gabriel Skoglund, César Soto-Valero, and Martin Wittlinger. 2023. Challenges of Producing Software Bill of Materials for Java. IEEE Security & Privacy21, 6 (2023), 12–23. https://doi.org/10.1109/MSEC.2023. 3302956

    work page doi:10.1109/msec.2023 2023

  3. [3]

    Nicholas Boucher and Ross Anderson. 2023. Automatic Bill of Materials. arXiv:2310.09742 [cs.CR] https://arxiv.org/abs/2310.09742

    work page arXiv 2023

  4. [4]

    Carmine Cesarano, Martin Monperrus, and Roberto Natella. 2025. GoLeash: Miti- gating Golang Software Supply Chain Attacks with Runtime Policy Enforcement. arXiv:2505.11016 [cs.CR] https://arxiv.org/abs/2505.11016

    work page arXiv 2025

  5. [5]

    Serena Cofano, Giacomo Benedetti, and Matteo Dell’Amico. 2024. SBOM Gener- ation Tools in the Python Ecosystem: an In-Detail Analysis. In2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Com- munications (TrustCom). IEEE, 427–434. https://doi.org/10.1109/TrustCom63139. 2024.00077

    work page doi:10.1109/trustcom63139 2024

  6. [6]

    Oscar Cornejo, Daniela Briola, Daniela Micucci, Davide Ginelli, Leonardo Mari- ani, Adrián Santos Parrilla, and Natalia Juristo. 2024. A family of experiments 8 Classport: Designing Runtime Dependency Introspection for Java about how developers perceive delayed system response time.Software Quality Journal32, 2 (2024), 567–605. https://doi.org/10.1007/s11...

    work page doi:10.1007/s11219-024-09660-w 2024

  7. [7]

    Diego Costa, Cor-Paul Bezemer, Philipp Leitner, and Artur Andrzejak. 2021. What’s Wrong with My Benchmark Results? Studying Bad Practices in JMH Benchmarks.IEEE Transactions on Software Engineering47, 7 (2021), 1452–1467. https://doi.org/10.1109/TSE.2019.2925345

    work page doi:10.1109/tse.2019.2925345 2021

  8. [8]

    Cybersecurity and Infrastructure Security Agency. 2024. Software Bill of Materi- als (SBOM). https://www.cisa.gov/sbom

    work page 2024

  9. [9]

    The Apache Software Foundation. 2025. Maven. https://maven.apache.org/

    work page 2025

  10. [10]

    Aaron Linskens. 2024. The scale of open source: Growth, challenges, and key insights. https://www.sonatype.com/blog/the-scale-of-open-source-growth- challenges-and-key-insights

    work page 2024

  11. [11]

    National Telecommunications and Information Administration. 2021. Software Bill of Materials (SBOM). https://www.ntia.gov/page/software-bill-materials

    work page 2021

  12. [12]

    Schorlemmer, Santiago Torres-Arias, and James C

    Chinenye Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, and James C. Davis. 2022. SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties. InProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses(Los Angeles, CA, USA) (SCORED’22). Association for Computing Machinery, ...

    work page doi:10.1145/3560835.3564556 2022

  13. [13]

    OpenSSF and The Linux Foundation. 2022. The Open Source Software Security Mobilization Plan. https://openssf.org/oss-security-mobilization-plan

    work page 2022

  14. [14]

    Oracle. 2023. Instrumentation API. https://docs.oracle.com/en/java/javase/21/ docs/api/java.instrument/java/lang/instrument/Instrumentation.html

    work page 2023

  15. [15]

    Oracle. 2023. Retention. https://docs.oracle.com/en/java/javase/11/docs/api/ java.base/java/lang/annotation/Retention.html

    work page 2023

  16. [16]

    Henrik Plate, Serena Elisa Ponta, and Antonino Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. In2015 IEEE International Conference on Software Maintenance and Evolution (ICSME). 411–420. https: //doi.org/10.1109/ICSM.2015.7332492

    work page doi:10.1109/icsm.2015.7332492 2015

  17. [17]

    Serena Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2018. Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open- Source Software. In2018 IEEE International Conference on Software Maintenance and Evolution (ICSME). 449–460. https://doi.org/10.1109/ICSME.2018.00054

    work page doi:10.1109/icsme.2018.00054 2018

  18. [18]

    Serena Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2020. Detection, assess- ment and mitigation of vulnerabilities in open source dependencies.Empirical Software Engineering25, 5 (2020), 3175–3215. https://doi.org/10.1007/s10664- 020-09830-x

    work page doi:10.1007/s10664- 2020

  19. [19]

    Piotr Przymus and Thomas Durieux. 2025. Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack. In2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR). IEEE, 91–102. https://doi.org/10.1109/MSR66628.2025.00026

    work page doi:10.1109/msr66628.2025.00026 2025

  20. [20]

    Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating software through {Piece-Wise} compilation and loading. In27th USENIX security sym- posium (USENIX Security 18). 869–886. https://www.usenix.org/conference/ usenixsecurity18/presentation/quach

    work page 2018

  21. [21]

    Md Fazle Rabbi, Arifa Islam Champa, Costain Nachuma, and Minhaz Fahim Zibran. 2024. Sbom generation tools under microscope: A focus on the npm ecosystem. InProceedings of the 39th ACM/SIGAPP Symposium on Applied Com- puting. 1233–1241. https://doi.org/10.1145/3605098.3635927

    work page doi:10.1145/3605098.3635927 2024

  22. [22]

    Manuel Rigger, Rene Mayrhofer, Roland Schatz, Matthias Grimmer, and Hanspeter Mössenböck. 2017. Introspection for C and its applications to li- brary robustness.The Art, Science, and Engineering of Programming(2017). https://doi.org/10.22152/programming-journal.org/2018/2/4

    work page doi:10.22152/programming-journal.org/2018/2/4 2017

  23. [23]

    Bharathi Seshadri, Yongkui Han, Chris Olson, David Pollak, and Vojislav Toma- sevic. 2024. OmniBOR: A System for Automatic, Verifiable Artifact Resolution across Software Supply Chains. arXiv:2402.08980 [cs.SE] https://arxiv.org/abs/ 2402.08980

    work page arXiv 2024

  24. [24]

    Ax Sharma. 2021. What You Need to Know About the Codecov Incident: A Supply Chain Attack Gone Undetected for 2 Months. https://www.sonatype.com/blog/what-you-need-to-know-about-the- codecov-incident-a-supply-chain-attack-gone-undetected-for-2-months

    work page 2021

  25. [25]

    Aman Sharma, Benoit Baudry, and Martin Monperrus. 2025. Canonicalization for Unreproducible Builds in Java. https://doi.org/10.48550/arXiv.2504.21679 arXiv:2504.21679 [cs]

    work page doi:10.48550/arxiv.2504.21679 2025

  26. [26]

    César Soto-Valero, Thomas Durieux, Nicolas Harrand, and Benoit Baudry. 2023. Coverage-Based Debloating for Java Bytecode.ACM Trans. Softw. Eng. Methodol. 32, 2, Article 38 (April 2023), 34 pages. https://doi.org/10.1145/3546948

    work page doi:10.1145/3546948 2023

  27. [27]

    The Apache Software Foundation. 2024. Introduction to the Dependency Mechanism. https://maven.apache.org/guides/introduction/introduction-to- dependency-mechanism.html

    work page 2024

  28. [28]

    The Apache Software Foundation. 2024. Introduction to the POM. https://maven. apache.org/guides/introduction/introduction-to-the-pom.html

    work page 2024

  29. [29]

    Ilkka Turunen. 2021. Log4Shell by the numbers: Why did CVE-2021-44228 set the internet on fire? https://www.sonatype.com/blog/why-did-log4shell-set- the-internet-on-fire

    work page 2021

  30. [30]

    Laurie Williams, Giacomo Benedetti, Sivana Hamer, Ranindya Paramitha, Imra- nur Rahman, Mahzabin Tamanna, Greg Tystahl, Nusrat Zahan, Patrick Morrison, Yasemin Acar, Michel Cukier, Christian Kästner, Alexandros Kapravelos, Do- minik Wermke, and William Enck. 2025. Research Directions in Software Supply Chain Security.ACM Trans. Softw. Eng. Methodol.34, 5,...

    work page doi:10.1145/3714464 2025

  31. [31]

    Yue Xiao, Dhilung Kirat, Douglas Lee Schales, Jiyong Jang, Luyi Xing, and Xiaojing Liao. 2025. JBomAudit: Assessing the Landscape, Compliance, and Security Implications of Java SBOMs. InISOC Network and Distributed System Security Symposium. https://doi.org/10.14722/ndss.2025.240322

    work page doi:10.14722/ndss.2025.240322 2025

  32. [32]

    Sheng Yu, Wei Song, Xunchao Hu, and Heng Yin. 2024. On the correctness of metadata-based SBOM generation: A differential analysis approach. In2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 29–36. https://doi.org/10.1109/DSN58291.2024.00018 9

    work page doi:10.1109/dsn58291.2024.00018 2024