This issue was automatically created by Allstar.

Security Policy Violation Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• ClassySharkWS/gradle/wrapper/gradle-wrapper.jar
• third_party/asmdex-1.0.jar
• third_party/java-binutils.jar
• third_party/util-2.0.6.jar

Additional Information This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Currently this repository became very old, and we can use most of it on Android Studio anyway.

Please update it, and offer to to get de-obfuscation of APK files, including ability to run it even on Android itself.

I was playing around with Classyshark and noticed that it crashes when attempting to analyze my Godot Engine game Carpe Diem.

apk is available at https://www.inventati.org/1337gallery/games/carpediem/carpediem.html

Source: https://github.com/ATryder/CarpeDiem

Thanks for all the work on this project! :) I noticed some minor issues (mostly clean-up) in the XmlDecompressor. In summary, I removed unused imports and fixed typos in various comments and variable names.

Hello, I have added org.altbeacon:android-beacon-library gradle dependency. I have multidex turned on in my project. APK Analyzer in Android Studio shows org.altbeacon.beacon.powersave gradle in classes.dex. However, ClassyShark doesn't show the same in the classes folder.

Do you know what could be causing this?

Thank you, Igor

Hi Team,

The latest build seems to be only working on java 8. is it intentional or by mistake.

Can i assume going forward all builds will be on java 8 only.

BTW just so you are aware. We package and make available classyshark in AndroidTamer as well as on androidtamer debian compatible repository "https://repo.androidtamer.com/"

I'm trying to extract the manifest from an APK. I imagine that after I open the APK, I could click on AndroidManifest.xml and then on the Export toolbar icon, but nothing happens when I click on it.

Thanks https://github.com/Dorvaryn

Steps:

1. Read the mappings file
2. Add callback here https://github.com/google/android-classyshark/blob/master/ClassySharkWS/src/com/google/classyshark/silverghost/translator/java/JavaTranslator.java

Dex-method-count will count all methods include defined methods and referenced methods. Note that referenced methods count against the 64K method limit too.

Will Classyshark count the referenced method?

Seem that most of the ui functions are not working in mac, like

• changing the theme color
• export file
• expand method (all the text inside the method now become dot dot dot, not sure if it is the problem of using mac or not. Below is the sample display)

import android.content.Context;
import java.lang.String;
import org.apache.http.Header;
import org.apache.http.client.CookieStore;

public class HttpCookies extends Object
{
    //======================== F I E L D S ==================


      public static String baseurl;
      private static Header[] httpHeader;
      private static String httpProxyStr;
      private static int pageSize;
      private static CookieStore uCookie;
       Context context;

    //======================== C O N S T R U C T O R S ======

    public HttpCookies(Context) { ... }

    //======================== M E T H O D S ================

    static void <clinit>() { ... }
    public Header[] getHttpHeader() { ... }
    public String getHttpProxyStr() { ... }
    public int getPageSize() { ... }
    public CookieStore getuCookie() { ... }
    public void initHTTPProxy() { ... }
    public void setPageSize(int) { ... }
    public void setuCookie(CookieStore) { ... }

} 

The numbers of method in the UI component and those reported using -methodcounts flag report different numbers. Is this expected? Does the -methodcounts not report the dex method count?

I've started ClassyShark using the command referenced in the README file, and in the left-hand tree, I'll click on a folder or file, then click the export button, and I get this error:

java.lang.ArrayIndexOutOfBoundsException: 6392800
	at org.ow2.asmdex.lowLevelUtils.DexFileReader.getStringItemFromStringIndex(DexFileReader.java:104)
	at org.ow2.asmdex.ApplicationReader.readAnnotationElement(ApplicationReader.java:1493)
	at org.ow2.asmdex.ApplicationReader.readEncodedAnnotation(ApplicationReader.java:1518)
	at org.ow2.asmdex.ApplicationReader.readEncodedValue(ApplicationReader.java:861)
	at org.ow2.asmdex.ApplicationReader.readAnnotationElement(ApplicationReader.java:1494)
	at org.ow2.asmdex.ApplicationReader.parseSpecificAnnotations(ApplicationReader.java:1473)
	at org.ow2.asmdex.ApplicationReader.readDefaultAnnotations(ApplicationReader.java:1271)
	at org.ow2.asmdex.ApplicationReader.visitClass(ApplicationReader.java:561)
	at org.ow2.asmdex.ApplicationReader.accept(ApplicationReader.java:437)
	at org.ow2.asmdex.ApplicationReader.accept(ApplicationReader.java:338)
	at com.google.classyshark.silverghost.translator.dex.DexMethodsDumper.fillAnalysis(DexMethodsDumper.java:106)
	at com.google.classyshark.silverghost.translator.dex.DexMethodsDumper.dumpMethods(DexMethodsDumper.java:84)
	at com.google.classyshark.silverghost.exporter.Exporter.writeMethods(Exporter.java:89)
	at com.google.classyshark.silverghost.exporter.Exporter.writeArchive(Exporter.java:47)
	at com.google.classyshark.gui.panel.ClassySharkPanel$3.doInBackground(ClassySharkPanel.java:207)
	at com.google.classyshark.gui.panel.ClassySharkPanel$3.doInBackground(ClassySharkPanel.java:202)
	at javax.swing.SwingWorker$1.call(SwingWorker.java:295)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at javax.swing.SwingWorker.run(SwingWorker.java:334)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Based on the stacktrace, it looks like the error is occurring somewhere around here: https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/src/com/google/classyshark/silverghost/translator/dex/DexMethodsDumper.java#L84

ASMdex.jar which is a local jar dependency for this project is created using asmdex project Only known reference of it that i can find is this https://gitlab.ow2.org/asm/asmdex archived project. suffice to say the project is dead for a long time. Is there any alternative or is classyshark going to keep using the old project. if yes then it might be a better idea to restore the jar file in the repository as there is no other simpler way for someone to compile the project.

While i am trying to compile it is simply looking for the jar in local folder. Any specific reason why last 4-5 commits deleted jar files including gradle-wrapper.jar these are all esential for building jar from source if someone wants to.

https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/build.gradle#L42

CVE-2018-20200

Recommended upgrade version：3.12.1

https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/build.gradle#L41

CVE-2018-10237 CVE-2020-8908

Recommended upgrade version：24.1.1.jre