Ever wondered what system resources the library you are about to include into your software project uses?
As part of the PEAKS project we developed an inference system to detect the use of high-level capabilities in Java code. It traces the use of native calls that provide access to system resources backwards through a call graph and aggregate them to provide an accurate capability footprint of libraries or client code.
Developing software from reusable libraries lets developers face a security dilemma: Either be efficient and reuse libraries as they are or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time consuming process.
As library code runs in the same security context as application code a developer automatically entrusts the library code with the same privileges the end user has provided to the application. She implicitly transfers the users trust towards her to the developers of the library. Thus, any capability the complete application may use is available to library code as well.
Git RepositoryWe maintain the source code of the analysis as a GitHub project. You are invited to use it, build opon it, fork it or contribute to it via pull requests. However, we cannot provide any guarantee whatsoever.
Paper ArtifactAs part of the scientific publication from this project we also provided a package to reproduce our evaluation. It includes a pre-built copy of the analysis and example code to run it on.
If you want to install the latest version from git, clone the repository with
git clone https://github.com/stg-tud/peaks-capmodel.git
If you want to compile and package the source code, enter:
sbt compile sbt assembly
Afterwards, you will find the compiled application as well as a runnable JAR in the target/scala-2.11 folder.
After pulling new sources you might need to execute:
sbt clean clean-files update copyResources
Copy the PEAKS_JavaCapAnalysis.jar file from folder target/scala-2.11 to the root folder of your clone (where the resource folder is located). Then run it using Java.
mv target/scala-2.11/PEAKS_JavaCapAnalysis.jar . java -jar PEAKS_JavaCapAnalysis.jar -cp=<targetJAR or targetFolder>
If you pass a folder to the analysis every class file and jar in this folder will be included to the analysis. If you start the analysis, there will be a menu.
 Start capability analysis for libraries.  Sliced capability analysis for projects.  Help.
In order to access system functionalities a library written in Java will have to make use of the Java Native Interface (JNI) either directly or through the Java Class Library (JCL). We track those calls backwards through a call graph and can then produce an accurate footprint on the usage of those system capabilities.
Getting to Know You: Towards a Capability Model for Java.
Ben Hermann, Michael Reif, Michael Eichberg, and Mira Mezini.
To appear in Proceedings of the 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’15)