Java transitive search

Signed-off-by: Theodor Mihalache <[email protected]>

Author: tmihalac

.tekton/on-pull-request.yaml

@@ -178,6 +178,23 @@ spec:
                 print_banner "INSTALLING DEPENDENCIES"
                 uv sync
                 
+                # Install Java
+                JAVA_ARCH="x64"
+                JDK_URL="https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.2%2B9/OpenJDK22U-jdk_${JAVA_ARCH}_linux_hotspot_22.0.2_9.tar.gz"
+                JDK_DIR="jdk-22.0.2+9"
+          
+                echo ">> Downloading $JDK_URL"
+                mkdir -p /tekton/home/jdk
+                curl -fsSL -o /tekton/home/jdk/jdk.tgz "$JDK_URL"
+                tar -C /tekton/home/jdk -xzf /tekton/home/jdk/jdk.tgz
+                rm -f /tekton/home/jdk/jdk.tgz
+          
+                export JAVA_HOME="/tekton/home/jdk/${JDK_DIR}"
+                export PATH="$JAVA_HOME/bin:$PATH"
+                
+                echo "Java version:"
+                java -version || true
+                
                 # Install Go
                 print_banner "Installing Go"
 
@@ -190,6 +207,24 @@ spec:
                 echo "Go version:"
                 go version
 
+                # Install Maven
+                print_banner "Installing Maven"
+                
+                MAVEN_VERSION="3.9.11"
+                ARCHIVE="apache-maven-${MAVEN_VERSION}-bin.tar.gz"
+                URL="https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/${ARCHIVE}"
+                
+                curl -s -L -o "${ARCHIVE}" "${URL}"
+                mkdir -p "$HOME/maven-sdk"
+                tar -C "$HOME/maven-sdk" -xzf "${ARCHIVE}"
+                
+                export MAVEN_HOME="$HOME/maven-sdk/apache-maven-${MAVEN_VERSION}"
+                export M2_HOME="$MAVEN_HOME"
+                export PATH="$MAVEN_HOME/bin:$PATH"
+                
+                echo "Maven version:"
+                mvn -v
+                
                 print_banner "RUNNING LINTER"
                 # Add the current directory to git's safe directories to avoid ownership errors.
                 git config --global --add safe.directory /workspace/source

Dockerfile

@@ -44,6 +44,27 @@ RUN curl -L -X GET https://go.dev/dl/go1.24.1.linux-amd64.tar.gz -o /tmp/go1.24.
     && tar -C /usr/local -xzf /tmp/go1.24.1.linux-amd64.tar.gz \
     && rm /tmp/go1.24.1.linux-amd64.tar.gz
 
+# --- Temurin JDK 22 (amd64/x86_64) ---
+ARG JDK_URL="https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.2%2B9/OpenJDK22U-jdk_x64_linux_hotspot_22.0.2_9.tar.gz"
+ARG JDK_DIR="jdk-22.0.2+9"
+RUN mkdir -p /opt/jdk \
+ && curl -fsSL -o /tmp/jdk.tgz "${JDK_URL}" \
+ && tar -C /opt/jdk -xzf /tmp/jdk.tgz \
+ && rm -f /tmp/jdk.tgz
+ENV JAVA_HOME=/opt/jdk/${JDK_DIR}
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
+# --- Maven 3.9.11 (optional) ---
+ARG MVN_VER=3.9.11
+RUN curl -fsSL -o /tmp/maven.tgz \
+      "https://archive.apache.org/dist/maven/maven-3/${MVN_VER}/binaries/apache-maven-${MVN_VER}-bin.tar.gz" \
+ && tar -C /opt -xzf /tmp/maven.tgz \
+ && rm -f /tmp/maven.tgz
+ENV PATH="/opt/apache-maven-${MVN_VER}/bin:${PATH}"
+
+# Verify
+RUN java -version && mvn -v
+
 # Set SSL environment variables
 ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

src/vuln_analysis/tools/tests/test_transitive_code_search.py

@@ -13,6 +13,7 @@
 from vuln_analysis.tools.tests.mock_documents import (python_script_example, python_init_function_example,
                                                       python_full_document_example, python_parse_function_example,
                                                       python_mock_function_in_use, python_mock_file)
+from vuln_analysis.utils.dep_tree import Ecosystem
 
 from vuln_analysis.utils.source_rpm_downloader import RPMDependencyManager
 
@@ -99,8 +100,8 @@ async def test_transitive_search_golang_6():
     result = await transitive_code_search_runner_coroutine("net/http,ListenAndServe")
     (path_found, list_path) = result
     print(result)
-    assert path_found is False
-    assert len(list_path) is 0
+    assert path_found is True
+    assert len(list_path) is 2
 
 
 def set_input_for_next_run(git_repository: str, git_ref: str, included_extensions: list[str],
@@ -152,9 +153,7 @@ def mock_file_open(*args, **kwargs):
     mock_file = MagicMock()
     mock_file.__enter__ = MagicMock(return_value=mock_file)
     mock_file.__exit__ = MagicMock(return_value=None)
-    if 'ecosystem_data.txt' in str(file_path):
-        mock_file.read.return_value = "PYTHON"
-    elif 'requirements.txt' in str(file_path):
+    if 'requirements.txt' in str(file_path):
         mock_file.__iter__ = MagicMock(return_value=iter([
             "flask==2.0.1\n",
             "werkzeug==2.0.1\n",
@@ -190,8 +189,9 @@ def mock_file_open(*args, **kwargs):
     }
 ])
 @patch('vuln_analysis.utils.dep_tree.run_command', return_value=python_dependency_tree_mock_output)
+@patch('vuln_analysis.utils.transitive_code_searcher_tool.TransitiveCodeSearcher.get_ecosystem', return_value=Ecosystem.PYTHON)
 @patch('builtins.open', side_effect=mock_file_open)
-async def test_transitive_search_python_parameterized(mock_open, mock_run_command,test_case):
+async def test_transitive_search_python_parameterized(mock_open, mock_run_command, mock_get_ecosystem, test_case):
     """Parameterized test that runs all existing test cases with their respective configurations."""
     transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
     logging.basicConfig(level=logging.DEBUG)
@@ -299,4 +299,53 @@ async def test_c_transitive_search_2():
     print(f"DEBUG: list_path = {list_path}")
     print(f"DEBUG: len(list_path) = {len(list_path)}")
     assert len(list_path) == 1
-    assert path_found == False
+    assert path_found == False
+
+@pytest.mark.asyncio
+async def test_transitive_search_java_1():
+    transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
+    set_input_for_next_run(git_repository="https://github.com/cryostatio/cryostat",
+                           git_ref="8f753753379e9381429b476aacbf6890ef101438",
+                           included_extensions=["**/*.java"],
+                           excluded_extensions=["target/**/*",
+                                                "build/**/*",
+                                                "*.class",
+                                                ".gradle/**/*",
+                                                ".mvn/**/*",
+                                                ".gitignore",
+                                                "test/**/*",
+                                                "tests/**/*",
+                                                "src/test/**/*",
+                                                "pom.xml",
+                                                "build.gradle"])
+    result = await transitive_code_search_runner_coroutine("commons-beanutils:commons-beanutils:1.9.4,org.apache.commons.beanutils.PropertyUtilsBean.getProperty")
+    (path_found, list_path) = result
+    print(result)
+    assert path_found is False
+    assert len(list_path) is 1
+
+@pytest.mark.asyncio
+async def test_transitive_search_java_2():
+    transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
+    set_input_for_next_run(git_repository="https://github.com/cryostatio/cryostat",
+                           git_ref="8f753753379e9381429b476aacbf6890ef101438",
+                           included_extensions=["**/*.java"],
+                           excluded_extensions=["target/**/*",
+                                                "build/**/*",
+                                                "*.class",
+                                                ".gradle/**/*",
+                                                ".mvn/**/*",
+                                                ".gitignore",
+                                                "test/**/*",
+                                                "tests/**/*",
+                                                "src/test/**/*",
+                                                "pom.xml",
+                                                "build.gradle"])
+    result = await transitive_code_search_runner_coroutine("org.apache.commons:commons-lang3:3.14.0,org.apache.commons.lang3.StringUtils.isBlank")
+    (path_found, list_path) = result
+    print(result)
+    assert path_found is True
+    assert len(list_path) is 2
+    document = list_path[1]
+    assert 'src/main/java/io/cryostat' in document.metadata['source']
+    assert 'StringUtils.isBlank(' in document.page_content

src/vuln_analysis/tools/transitive_code_search.py

@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import os
 
 from vuln_analysis.runtime_context import ctx_state
 from vuln_analysis.utils.transitive_code_searcher_tool import TransitiveCodeSearcher
@@ -26,13 +25,16 @@
 from langchain.docstore.document import Document
 
 from vuln_analysis.data_models.state import AgentMorpheusEngineState
-from ..utils.chain_of_calls_retriever import ChainOfCallsRetriever
-from vuln_analysis.utils.dep_tree import Ecosystem
 from vuln_analysis.utils.document_embedding import DocumentEmbedding
+from ..data_models.input import SourceDocumentsInfo
+from ..utils.chain_of_calls_retriever_base import ChainOfCallsRetrieverBase
+from ..utils.chain_of_calls_retriever_factory import get_chain_of_calls_retriever
 from ..utils.function_name_extractor import FunctionNameExtractor
 from ..utils.function_name_locator import FunctionNameLocator
 
 from vuln_analysis.logging.loggers_factory import LoggingFactory
+from ..utils.java_chain_of_calls_retriever import JavaChainOfCallsRetriever
+
 logger = LoggingFactory.get_agent_logger(__name__)
 
 
@@ -53,29 +55,34 @@ class PackageAndFunctionLocatorToolConfig(FunctionBaseConfig, name="package_and_
     Package and function locator tool used to validate package names and find function names using fuzzy matching.
     """
 
-
-def get_call_of_chains_retriever(documents_embedder, si):
+def get_call_of_chains_retriever(documents_embedder, si, query: str):
     documents: list[Document]
     git_repo = None
+    code_source_info: SourceDocumentsInfo
     for source_info in si:
         if source_info.type == "code":
+            code_source_info = source_info
             git_repo = documents_embedder.get_repo_path(source_info)
             documents = documents_embedder.collect_documents(source_info)
     if git_repo is None:
         raise ValueError("No code source info found")
-    with open(os.path.join(git_repo, 'ecosystem_data.txt'), 'r', encoding='utf-8') as file:
-        ecosystem = file.read()
-    ecosystem = Ecosystem[ecosystem]
-    coc_retriever = ChainOfCallsRetriever(documents=documents, ecosystem=ecosystem, manifest_path=git_repo)
+    ecosystem = TransitiveCodeSearcher.get_ecosystem(git_repo)
+    coc_retriever = get_chain_of_calls_retriever(ecosystem,
+                                                 documents,
+                                                 git_repo,
+                                                 query,
+                                                 code_source_info)
     return coc_retriever
 
-
-def get_transitive_code_searcher():
+def get_transitive_code_searcher(query: str):
     state: AgentMorpheusEngineState = ctx_state.get()
-    if state.transitive_code_searcher is None:
+    if state.transitive_code_searcher is None or isinstance(state.transitive_code_searcher.chain_of_calls_retriever, JavaChainOfCallsRetriever):
         si = state.original_input.input.image.source_info
         documents_embedder = DocumentEmbedding(embedding=None)
-        coc_retriever = get_call_of_chains_retriever(documents_embedder, si)
+        if state.transitive_code_searcher is not None and isinstance(state.transitive_code_searcher.chain_of_calls_retriever, JavaChainOfCallsRetriever):
+            coc_retriever = get_call_of_chains_retriever(documents_embedder, si, query)
+        else:
+            coc_retriever = get_call_of_chains_retriever(documents_embedder, si, query)
         transitive_code_searcher = TransitiveCodeSearcher(chain_of_calls_retriever=coc_retriever)
         state.transitive_code_searcher = transitive_code_searcher
     return state.transitive_code_searcher
@@ -87,7 +94,7 @@ async def transitive_search(config: TransitiveCodeSearchToolConfig,
 
     async def _arun(query: str) -> tuple:
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         result = transitive_code_searcher.search(query)
         return result
 
@@ -127,9 +134,9 @@ async def functions_usage_search(config: CallingFunctionNameExtractorToolConfig,
                                  builder: Builder):  # pylint: disable=unused-argument
 
     async def _arun(query: str) -> list:
-        coc_retriever: ChainOfCallsRetriever
+        coc_retriever: ChainOfCallsRetrieverBase
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         coc_retriever = transitive_code_searcher.chain_of_calls_retriever
         function_name_extractor = FunctionNameExtractor(coc_retriever)
         result = function_name_extractor.fetch_list(query)
@@ -175,20 +182,20 @@ async def package_and_function_locator(config: PackageAndFunctionLocatorToolConf
                                       builder: Builder):  # pylint: disable=unused-argument
 
     async def _arun(query: str) -> dict:
-        coc_retriever: ChainOfCallsRetriever
+        coc_retriever: ChainOfCallsRetrieverBase
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         coc_retriever = transitive_code_searcher.chain_of_calls_retriever
         locator = FunctionNameLocator(coc_retriever)
         result = await locator.locate_functions(query)
         pkg_msg = "Package is valid."
-        if not locator.is_package_valid and not locator.is_std_package:        
-            pkg_msg = "Package is not valid."            
-        
-        
+        if not locator.is_package_valid and not locator.is_std_package:
+            pkg_msg = "Package is not valid."
+
+
         return {
             "ecosystem": coc_retriever.ecosystem.name,
-            "package_msg": pkg_msg,            
+            "package_msg": pkg_msg,
             "result": result
         }
 
@@ -199,11 +206,12 @@ async def _arun(query: str) -> dict:
         FIRST STEP in code analysis. Validates packages, locates functions via fuzzy matching, provides ecosystem type.
     </tool_identity>
     <requires>
-        Input format: 'package_name,function_name' or 'package_name,class_name.method_name'
+        Input format: 'package_name,function_name' or 'package_name,class_name.method_name' or maven_gav(groupId:artifactId:version),fully_qualified_class_name.method_name
         <examples>
             <example>libxml2,xmlParseDocument</example>
             <example>requests,Session.get</example>
             <example>numpy,array.reshape</example>
+            <example>commons-beanutils:commons-beanutils:1.0.0,org.apache.commons.beanutils.PropertyUtilsBean.setSimpleProperty</example>
         </examples>
     </requires>
     <guide_lines>
@@ -218,6 +226,9 @@ async def _arun(query: str) -> dict:
             <input>requests,Session.get</input>
             <output>["Session.get", "Session.post", "Session.put", "Session.delete"]</output>
             <conclusion>Found class method "Session.get"</conclusion>
+            <input>commons-beanutils:commons-beanutils:1.0.0,org.apache.commons.beanutils.PropertyUtilsBean.setSimpleProperty</input>
+            <output>["PropertyUtilsBean.setSimpleProperty"]</output>
+            <conclusion>Found class method "PropertyUtilsBean.setSimpleProperty"</conclusion>
         </examples>
     </guide_lines>
     <output>