Java lacks runtime dependency introspection capabilities, hindering dynamic integrity verification in software supply chain security. To address this, we propose Classport, the first Java platform solution enabling configuration-free runtime dependency awareness. Classport leverages bytecode instrumentation to embed dependency metadata into class files at compile time and exploits the JVM’s class loading mechanism to dynamically extract and query actually loaded dependencies at runtime. This approach avoids false positives from static analysis and false negatives caused by reflection-based invocations, supporting fine-grained, on-demand dependency provenance. Evaluated on six real-world projects, Classport achieves 100% accuracy in identifying actively loaded runtime dependencies. It provides a lightweight, reliable, and deployable runtime assurance mechanism for software supply chain security—requiring no external configuration, toolchain modifications, or developer intervention.

Runtime introspection of dependencies, i.e., the ability to observe which dependencies are currently used during program execution, is fundamental for Software Supply Chain security. Yet, Java has no support for it. We solve this problem with Classport, a system that embeds dependency information into Java class files, enabling the retrieval of dependency information at runtime. We evaluate Classport on six real-world projects, demonstrating the feasibility in identifying dependencies at runtime. Runtime dependency introspection with Classport opens important avenues for runtime integrity checking.