Fix overzealous URL decoding in file mode

.gitignore

@@ -3,6 +3,7 @@
 .idea/
 /target
 /jbom
+/demo
 dependency-reduced-pom.xml
 test.sh
 sbom.json

README.md

@@ -3,30 +3,27 @@
 <p align="center"><b>
 <br>
 <br>
-jbom generates SBOMs for all JVMs running on a host
+jbom generates Runtime and Static SBOMs for local and remote Java apps
 <br>
 <br>
 </b></p>
 
 Every project should create a Software Bill of Materials (SBOM) and make it available, so that people know what ingredients are inside.  You've got a few options for generating SBOMs:
 
 1) __Scan a source code repo__ - This works fine, but you'll miss runtime libraries from appservers and runtime platforms. You'll also include libraries that don't matter like test frameworks.  You'll also have no idea which libraries are actually active in the running application.
-3) __Scan a filesystem for binaries__ - You'll still miss parts, because code can be located in a variety of different places. And you'll also probably include libraries that don't matter but happen to be on the filesystem.
-4) __Analyze a running application__ - This is the most accurate approach as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach can also include details of which libraries are active.
+2) __Scan a filesystem for binaries__ - You'll still miss parts, because code can be located in a variety of different places. And you'll also probably include libraries that don't matter but happen to be on the filesystem.
+3) __Analyze a running application__ - This is the most accurate approach as it captures the exact libraries used by the application, even if they are in the platform, appserver, plugins, or anywhere else. This approach can also include details of services invoked and which libraries are active.
 
 Advantages:
 * very fast, complete, and accurate
 * produces standard CycloneDX SBOM in JSON format
 * works on both running apps/APIs and binaries
 * finds all libraries, including platform, appserver, plug-in, and dynamic sources.
 * doesn't report test or other libraries not present at runtime
-* handles nested jar, war, ear, and zip files
+* handles nested jar, war, ear, and zip files (including Spring)
+* handles jars using common shaded and relocation techniques
 * no source code required
 
-Notice:
-* shaded or relocated classes can't be tracked back to their original jar (suggestions?)
-
-
 ![jbom-screenshot](https://github.com/Contrast-Security-OSS/jbom/blob/main/resources/jbom-screenshot.png?raw=true)
 
 
@@ -54,35 +51,35 @@ Download the [latest release](https://github.com/Contrast-Security-OSS/jbom/rele
 
 Generate an SBOM for all Java processes running locally
   ```shell
-  java -jar:jbom-1.1.jar
+  java -jar:jbom-1.2.jar
   ```
 
 Generate an SBOM for all Java processes on a remote host
   ```shell
-  java -jar:jbom-1.1.jar -h 192.168.1.42
+  java -jar:jbom-1.2.jar -h 192.168.1.42
   ```
 
 Generate an SBOM for a local archive file (.jar, .war, .ear, .zip)
   ```shell
-  java -jar:jbom-1.1.jar -f mywebapp.jar
+  java -jar:jbom-1.2.jar -f mywebapp.jar
   ```
 
 Generate an SBOM for all archive files in a directory
   ```shell
-  java -jar:jbom-1.1.jar -f mywebapp
+  java -jar:jbom-1.2.jar -f mywebapp
   ```
 
 Generate an SBOM for all archive files in a remote directory
   ```shell
-  java -jar:jbom-1.1.jar -h 192.168.1.42 -d /var/tomcat/webapps
+  java -jar:jbom-1.2.jar -h 192.168.1.42 -d /var/tomcat/webapps
   ```
 
 
 
 ## Usage
 
 ```
-Usage: java -jar sbom-1.1.jar [-D] [-d=<dir>] [-f=<file>] [-h=<host>] [-o=<outputDir>]
+Usage: java -jar sbom-1.2.jar [-D] [-d=<dir>] [-f=<file>] [-h=<host>] [-o=<outputDir>]
                     [-p=<pid>] [-P=<pass>] [-r=<remoteDir>] [-t=<tag>]
                     [-U=<user>] [-x=<exclude>]
   -d, --dir=<dir>              Directory to be scanned
@@ -107,7 +104,7 @@ We welcome pull requests and issues. Thanks!
    ```shell
    git clone 
    mvn clean install
-   java -jar target/jbom-x.x.x.jar
+   java -jar target/jbom-1.2.jar
    ``` 
 
 

pom.xml

@@ -5,7 +5,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.contrastsecurity</groupId>
 	<artifactId>jbom</artifactId>
-	<version>1.1</version>
+	<version>1.2</version>
 
 	<name>jbom</name>
 

src/main/java/com/contrastsecurity/Agent.java

@@ -2,6 +2,7 @@
 
 import java.lang.instrument.Instrumentation;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.security.CodeSource;
 import java.security.ProtectionDomain;
 
@@ -46,7 +47,8 @@ public static void transform(String args, Instrumentation inst) {
 							URL url = cs.getLocation();
 							if ( url != null ) {
 								String codesource = url.toString();
-								libs.addAllLibraries( clazz, codesource );
+								String decoded = URLDecoder.decode( codesource, "UTF-8" );
+								libs.addAllLibraries( clazz, decoded );
 							}
 						}
 					}

src/main/java/com/contrastsecurity/Libraries.java

@@ -62,8 +62,7 @@ public void addAllLibraries( Class clazz, String codesource ) {
         }
 
         try {
-            String decoded = URLDecoder.decode( codesource, "UTF-8" );
-            String filepath = decoded.substring( decoded.lastIndexOf(":") + 1);
+            String filepath = codesource.substring( codesource.lastIndexOf(":") + 1);
             String parts[] = filepath.split( "!/" );
             String path = parts[0];
             if(File.separator.equals("\\")) {