Traditional dependency scanning tools rely heavily on metadata, making them ineffective at detecting modified or obfuscated open-source components and leading to significant underreporting of vulnerabilities. This work proposes Unshade, the first approach that integrates bytecode-level fingerprinting with metadata scanning to enhance Software Bill of Materials (SBOM) accuracy for identifying hidden or tampered dependencies in Java projects. Evaluated on 1,808 widely used Java projects, Unshade revealed that nearly 50% contain such vulnerable dependencies, with an average of over eight per project. The method uncovered 7,712 unique CVEs that were undetectable by conventional techniques, substantially improving both the coverage and precision of vulnerability detection.

Open-source software (OSS) dependencies are a dominant component of modern software code bases. Using proven and well-tested OSS components lets developers reduce development time and cost while improving quality. However, heavy reliance on open-source software also introduces significant security risks, including the incorporation of known vulnerabilities into the codebase. To mitigate these risks, metadata-based dependency scanners, which are lightweight and fast, and code-centric scanners, which enable the detection of modified dependencies hidden from metadata-based approaches, have been developed. In this paper, we present Unshade, a hybrid approach towards dependency scanning in Java that combines the efficiency of metadata-based scanning with the ability to detect modified dependencies of code-centric approaches. Unshade first augments a Java project's software bill of materials (SBOM) by identifying modified and hidden dependencies via a bytecode-based fingerprinting mechanism. This augmented SBOM is then passed to a metadata-based vulnerability scanner to identify known vulnerabilities in both declared and newly revealed dependencies. Leveraging Unshade's high scalability, we conducted a large-scale study of the 1,808 most popular open-source Java Maven projects on GitHub. The results show that nearly 50% of these projects contain at least one modified, hidden dependency associated with a known vulnerability. On average, each affected project includes more than eight such hidden vulnerable dependencies, all missed by traditional metadata-based scanners. Overall, Unshade identified 7,712 unique CVEs in hidden dependencies that would remain undetected when relying on metadata-based scanning alone.