Runtime Library Intelligence
for Production JVMs
Stop guessing which dependencies your services *really* use. JLib Inspector captures a precise, low‑overhead inventory of loaded JARs & classes so you can shrink images, prioritize CVE fixes, and eliminate dependency drift.
Why It Matters
Trim Bloat
Identify JARs never loaded in production to reduce image size and attack surface, and speed up startup.
Prioritize CVEs
Focus remediation on libraries actually resident in memory, not just declared.
SBOM Reality Check
Compare runtime inventory with build‑time SBOM to catch drift & shading surprises.
Audit Evidence
Produce timestamped runtime snapshots for compliance & forensic review.
Architecture (High Level)
Key principles:
- Passive & low overhead: no bytecode weaving required.
- Leverages existing, official APIs in Java SE (Instrumentation).
- Extensible: future exporters (CycloneDX, OpenTelemetry events, etc.).
Data Captured
Dimension | Notes |
---|---|
JARs in Classpath | Includes JARs that may not have been loaded |
Loaded JARs | List of JARs actually loaded by classloaders |
JAR Path | Full path on disk (if available) |
Nested JARs | Supports Spring Boot, One-JAR, etc. |
JAR Manifest | Extracts the contents of the MANIFEST.MF file in each JAR. |
JAR Hash | SHA-256 for integrity / SBOM correlation. |
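
The SBOM correlation that the JAR Hash row and the "SBOM Reality Check" point describe, as an added example (not JLib Inspector's own code or export schema): it matches runtime JAR SHA-256 values against the `hashes` entries of a CycloneDX JSON SBOM. The inventory field names (`file`, `sha256`, `loaded`), component names, and shortened hash values are constructed assumptions.

```python
import json

# Constructed CycloneDX-style SBOM fragment; hash values are shortened placeholders.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "components": [
  {"name": "acme-core", "version": "1.0.0",
   "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
  {"name": "acme-json", "version": "2.3.0",
   "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
  {"name": "acme-text", "version": "1.4.0",
   "hashes": [{"alg": "SHA-256", "content": "cc33"}]}
]}
"""

# Constructed runtime inventory; field names are assumptions, not the tool's schema.
RUNTIME = [
    {"file": "acme-core-1.0.0.jar", "sha256": "AA11", "loaded": True},
    {"file": "acme-json-2.3.0.jar", "sha256": "dd44", "loaded": True},   # repackaged
    {"file": "acme-text-1.4.0.jar", "sha256": "cc33", "loaded": False},  # on classpath only
    {"file": "helper-0.1.jar", "sha256": "ee55", "loaded": True},        # undeclared
]

def sbom_hashes(sbom):
    """Map lowercase SHA-256 -> 'name@version' for every SBOM component."""
    index = {}
    for comp in sbom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                index[h["content"].lower()] = f"{comp['name']}@{comp.get('version', '?')}"
    return index

def correlate(sbom, runtime):
    """Classify JARs by comparing runtime hashes with the build-time SBOM."""
    declared = sbom_hashes(sbom)
    report = {"resident": [], "never_loaded": [], "drift": [], "sbom_only": []}
    seen = set()
    for jar in runtime:
        digest = jar["sha256"].lower()  # hex digests compare case-insensitively
        seen.add(digest)
        if digest not in declared:
            report["drift"].append(jar["file"])               # bytes the SBOM never declared
        elif jar["loaded"]:
            report["resident"].append(declared[digest])       # prioritize CVE fixes here
        else:
            report["never_loaded"].append(declared[digest])   # candidate for trimming
    report["sbom_only"] = sorted(v for k, v in declared.items() if k not in seen)
    return report

if __name__ == "__main__":
    print(json.dumps(correlate(json.loads(SBOM_JSON), RUNTIME), indent=2))
```

A JAR whose file name matches an SBOM component but whose hash does not lands in `drift`, with the declared component listed under `sbom_only`; that pairing is the signature of a shaded or rebuilt artifact.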
Quick Start (Docker Desktop)
You can get everything (server, frontend, sample app with agent) running with a single command using the provided Compose setup.
git clone https://github.com/brunoborges/jlib-inspector.git
cd jlib-inspector/docker
./start-docker.sh
This builds the Java modules, starts the Inspector server (port 8080), the frontend UI (port 3000), and the WebSocket endpoint (port 3001), and launches a sample Spring app instrumented with the agent to push data to the server.
# Open the UI
http://localhost:3000
# Check server health
curl -s http://localhost:8080/health
# List registered apps
curl -s http://localhost:8080/api/apps | jq
Run your JVM process pointing the agent at the running server:
java \
  -javaagent:/absolute/path/to/agent/jlib-inspector-agent-1.0-SNAPSHOT-shaded.jar=server:8080 \
  -jar your-app.jar
It will appear in the UI within seconds when classes start loading.
Optional: Rebuild After Code Changes
Inside the repo root:
docker compose down
docker compose up --build
Roadmap (Snapshot)
- OpenTelemetry exporter (spans / events for classload anomalies)
- CycloneDX runtime delta export
- Historical diff view across deploys
- CLI summarizer for CI gating (fail on growth of unused libs)
Contributing
Issues & PRs welcome. Try to reproduce with the sample app first; include JVM version & environment details for runtime discrepancies.