Bytecode-centric Detection of Known-to-be-vulnerable Dependencies in Java Projects

📅 2025-10-22
🤖 AI Summary
Existing Java dependency scanners struggle to identify vulnerable components that have been recompiled, repackaged, or otherwise modified—leading to ineffective security detection. This paper introduces Jaralyzer, the first bytecode-based dependency vulnerability detection tool that operates independently of source code or metadata. By jointly leveraging vulnerability-specific pattern matching and fine-grained binary fingerprinting, Jaralyzer achieves precise identification of tampered or transformed dependencies. Evaluated on 56 widely used open-source components, Jaralyzer detects 28 additional real-world vulnerabilities compared to state-of-the-art tools (e.g., Snyk, Dependabot), reduces false positives by 29, and remains the only solution capable of comprehensively handling diverse dependency modification scenarios—including obfuscation, repackaging, and partial recompilation. This work overcomes fundamental limitations of metadata-driven approaches and establishes a new paradigm for software supply chain security analysis.

📝 Abstract
On average, 71% of the code in typical Java projects comes from open-source software (OSS) dependencies, making OSS dependencies the dominant component of modern software code bases. This high degree of OSS reliance comes with a considerable security risk of adding known security vulnerabilities to a code base. To remedy this risk, researchers and companies have developed various dependency scanners, which try to identify inclusions of known-to-be-vulnerable OSS dependencies. However, there are still challenges that modern dependency scanners do not overcome, especially when it comes to dependency modifications, such as re-compilations, re-bundlings or re-packagings, which are common in the Java ecosystem. To overcome these challenges, we present Jaralyzer, a bytecode-centric dependency scanner for Java. Jaralyzer does not rely on the metadata or the source code of the included OSS dependencies being available but directly analyzes a dependency's bytecode. Our evaluation across 56 popular OSS components demonstrates that Jaralyzer outperforms other popular dependency scanners in detecting vulnerabilities within modified dependencies. It is the only scanner capable of identifying vulnerabilities across all the above mentioned types of modifications. But even when applied to unmodified dependencies, Jaralyzer outperforms the current state-of-the-art code-centric scanner Eclipse Steady by detecting 28 more true vulnerabilities and yielding 29 fewer false warnings.

Problem

Research questions and friction points this paper is trying to address.

Detecting vulnerable dependencies in Java projects using bytecode analysis
Overcoming limitations of scanners with modified dependencies like re-packaging
Improving accuracy by reducing false warnings and finding more vulnerabilities

Innovation

Methods, ideas, or system contributions that make the work stand out.

Bytecode-centric dependency scanner for Java
Directly analyzes dependency bytecode without metadata
Detects vulnerabilities in modified dependencies effectively
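
The gap the abstract describes, as an added example that is not from the paper and does not reproduce Jaralyzer's analysis: a metadata lookup and a byte-exact class-hash lookup are run over an original, a re-bundled and a re-compiled JAR. The coordinates org.example:lib:1.0, the class bytes and both advisory tables are constructed for illustration.

```python
import hashlib, io, zipfile

# Constructed stand-ins for compiled classes (real input would be javac output).
LIB_CLASS = b"\xca\xfe\xba\xbe" + b"constructed body of org/example/lib/Parser"
LIB_RECOMPILED = b"\xca\xfe\xba\xbe" + b"same source, different compiler output"
APP_CLASS = b"\xca\xfe\xba\xbe" + b"constructed body of com/acme/App"
POM_PROPS = b"groupId=org.example\nartifactId=lib\nversion=1.0\n"

# Hypothetical advisory data for the vulnerable release org.example:lib:1.0.
VULN_GAVS = {("org.example", "lib", "1.0")}
VULN_DIGESTS = {hashlib.sha256(LIB_CLASS).hexdigest(): "org.example:lib:1.0"}

def make_jar(entries):
    """Build a JAR (a ZIP archive) in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def scan_metadata(jar_bytes):
    """Metadata-based check: match Maven coordinates from pom.properties."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                lines = jar.read(name).decode().splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                gav = (props.get("groupId"), props.get("artifactId"), props.get("version"))
                if gav in VULN_GAVS:
                    hits.add(gav)
    return hits

def scan_class_hashes(jar_bytes):
    """Content-based check: match the SHA-256 of every .class entry."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            digest = hashlib.sha256(jar.read(name)).hexdigest()
            if name.endswith(".class") and digest in VULN_DIGESTS:
                hits[name] = VULN_DIGESTS[digest]
    return hits

ORIGINAL = make_jar({"META-INF/maven/org.example/lib/pom.properties": POM_PROPS,
                     "org/example/lib/Parser.class": LIB_CLASS})
# Re-bundled into an application "uber" JAR: the Maven metadata is dropped.
REBUNDLED = make_jar({"com/acme/App.class": APP_CLASS,
                      "org/example/lib/Parser.class": LIB_CLASS})
RECOMPILED = make_jar({"org/example/lib/Parser.class": LIB_RECOMPILED})  # same name, new bytes
```

`scan_metadata` flags only `ORIGINAL`; `scan_class_hashes` also flags `REBUNDLED` but misses `RECOMPILED`, because a byte-exact hash does not survive re-compilation.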