How do I check if a particular class or a method of a class is being called or not?

Question

There are multiple libraries/jar files that our project depends upon directly or indirectly. How can we check if out of all the jars which classes and which methods of those classes are getting called by our code? Considering that the codebase is huge and manually this is not possible to trace each method call, is there a tool or a way to do such an analysis?

The reason I am looking for such a tool is that when new vulnerabilities are discovered in a direct dependency or transitive dependency we try to upgrade that to the latest version which does not have the discovered vulnerability without checking if that is applicable to us or not?

We can check for direct vulnerabilities by seeing if we are calling a particular method of a particular class or not but that is not possible to do that for calls made to the classes made within the library. I am sure many people would have faced this problem and there should be tools that do this, please share how you achieve this and if there are tools which can do this.

Any help is highly appreciated?

Answer 1

There is absolutely no way to do this 100% accurately. At least at the point when you think about reflection it is game over. There is simply no way to predict based on code what will be called, as this turns to be decided at runtime. And some of the frameworks will use code generated at runtime and reflection to wide degree.

But lets think about it more and go deeper. What if we check what is used in runtime? Even assuming code instrumentation is possible (just like the profilers do), not all code paths will always be used. And you would need to check the business logic in all possible directions to say, if a library/class/method is used or not. This is simply impossible in a non-trivial system.

The best you have I believe are library dependencies and manual code analysis.