contains-oss - How To Use
contains-oss
is a Java tool to examine binary Java artifacts (e.g., *.jar, *.ear, *.war, *.class, etc)
to count the lines of code they contain, and to classify and tally each line of code as either
"Externally Developed" (a.k.a. open-source) or "Internally Developed" (a.k.a. proprietary
in-house code).
java -jar contains-oss-2022.07.07.jar <path-to-analyze>
Requirements
Requires at least Java 8.
Because contains-oss
unzips Jars completely into memory before analyzing,
it requires around twice as much RAM (Java Heap) as the largest Jar or Zip file you plan
to analyze.
Sample Output
contains-oss is quite powerful and will recursively scan any supplied paths aggressively, including zip-files-inside-zip-files-inside-zip-files, etc.
To get started, try pointing contains-oss at itself!
java -jar contains-oss-2022.07.07.jar ./contains-oss-2022.07.07.jar
The output (on February 23rd, 2022) should look something like this:
{
"args":[".\/contains-oss-2022.07.07.jar"],
"totalLines":104873,
"totalInternal":3525,
"totalExternal":101348,
"proportionExternal":0.9663879168136699,
".\/contains-oss-2022.07.07.jar!\/**\/*.class":{
"crc64":3683609628194793798,
"percentage":100.0,
"lines":104873,
"lines.internal":3525,
"lines.external":101348,
"breakdown.internal":{
"com.mergebase.strings":3525
},
"breakdown.external":{
"javassist":14079,
"javassist.bytecode":55593,
"javassist.bytecode.analysis":3515,
"javassist.bytecode.annotation":2811,
"javassist.bytecode.stackmap":2517,
"javassist.compiler":9051,
"javassist.compiler.ast":1543,
"javassist.convert":1096,
"javassist.expr":2187,
"javassist.runtime":292,
"javassist.scopedpool":829,
"javassist.tools":259,
"javassist.tools.reflect":1555,
"javassist.tools.rmi":1216,
"javassist.tools.web":1065,
"javassist.util":524,
"javassist.util.proxy":3216
}
}
}
What About *.class Files Without Debug Symbols?
If there are no debug symbols in the *.class files, contains-oss
uses the following heuristic to tally lines of code:
Each Java method counts as 17 lines of code.
In addition, contains-oss
rounds up the total lines-of-code in this case to the nearest 100 or 1000, making it
straightforward to spot this situation in the output. For example, consider the following snippet
of contains-oss
output. Notice how org.w3c.css.sac
totaled to 2,000 lines, org.w3c.dom.svg
totaled to 10,000 lines,
and org.w3c.dom.smil
totaled to 100 lines. It's very unlikely these totals came from debug symbols.
"..\/easybuggy\/target\/easybuggy.jar!\/.war!\/WEB-INF\/lib\/xml-apis-ext-1.3.04.jar":{
"crc64":169152488317647960,
"percentage":0.24,
"lines":12100,
"lines.internal":0,
"lines.external":12100,
"breakdown.internal":{},
"breakdown.external":{
"org.w3c.css.sac":2000,
"org.w3c.dom.smil":100,
"org.w3c.dom.svg":10000
}
},
To see this for yourself, try cloning and building https://github.com/k-tamura/easybuggy.
This is a great sample (unrelated to us) that happens to include a large number of Java artifacts
without debug symbols. Note: Easybuggy builds best using mvn package
rather than mvn install
.
names.uniq.gz
If a names.uniq.gz
file exists in the current directory, contains-oss
will use
that file to categorize Jar file contents as either "Internal" or "External". Any
names that match names inside names.uniq.gz
are considered "External".
We have pre-generated a names.uniq.gz
file and included it in our Github repo.
It contains 3,636,788 fully-qualified Java classnames that we observed across
all artifacts we know of in Maven Central (circa January 2022).
contains-oss - how to build
For convenience, we have included a pre-compiled version of contains-oss.jar
in the root
of our repository as ./contains-oss-2022.07.07.jar
, but you can also build
this tool yourself using the following sequence of commands:
mvn clean
mvn install
java -jar target/contains-oss-2022.07.07.jar