Overview

It was discovered that the jar callgraph logic doesn’t account for creating all the appropriate edges for interfaces. Looking at the dependency mvn+com.squareup.okio_okio$1.15.0 we can see where our current jar callgraph logic fails to create the edges for interfaces.

Acceptance criteria

• Properly create edges for interfaces

• Update all code paths that use jar-callgraph.jar

  • jar-callgraph

  • fossa-cli

  • core

Testing plan

Manual testing plan:

• checkout this branch
• cd scripts
• Run: java -jar jar-callgraph-1.0.2.jar /path/to/example/jar
  • I was testing against this okio jar

Look at the output and see that we now edges for:

Makes edges for interface methods and the classes that implement them

M:okio.Source:timeout() (M)okio.Okio$2:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.Okio$2:read(okio.Buffer,long)
M:okio.Source:close() (M)okio.Okio$2:close()
M:okio.Source:timeout() (M)okio.Pipe$PipeSource:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.Pipe$PipeSource:read(okio.Buffer,long)
M:okio.Source:close() (M)okio.Pipe$PipeSource:close()
M:okio.Source:timeout() (M)okio.InflaterSource:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.InflaterSource:read(okio.Buffer,long)
M:okio.Source:close() (M)okio.InflaterSource:close()
M:okio.Source:timeout() (M)okio.GzipSource:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.GzipSource:read(okio.Buffer,long)
M:okio.Source:close() (M)okio.GzipSource:close()
M:okio.Source:timeout() (M)okio.AsyncTimeout$2:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.AsyncTimeout$2:read(okio.Buffer,long)
M:okio.Source:close() (M)okio.AsyncTimeout$2:close()
M:okio.Source:timeout() (M)okio.ForwardingSource:timeout()
M:okio.Source:read(okio.Buffer,long) (M)okio.ForwardingSource:read(okio.Buffer,long)

Previously, we only had an edge like: M:okio.Buffer:writeAll(okio.Source) (I)okio.Source:read(okio.Buffer,long)
for interface method calls. Because we are calling an interface method, it is also possible to call of the classes that implement the interface depending on implementation. These are the newly added edges after the update.

M:okio.Buffer:writeAll(okio.Source) (I)okio.BufferedSource:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.Pipe$PipeSource:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.ForwardingSource:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.GzipSource:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.InflaterSource:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.AsyncTimeout$2:read(okio.Buffer,long)
M:okio.Buffer:writeAll(okio.Source) (I)okio.Okio$2:read(okio.Buffer,long)

Risks

Metrics

References

• ANE-1865
• jar callgraph pr

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.