This update adds the following

Fixes a bug where vulnerabilities were not properly resolved if there was no linked http request.
Updates Spring AI Version
Removes unused Prompts
Adds Hints to returned vulnerabilities to guide the Agent on the correct fix.
Adds Library CVE data to the stacktrace. Which gives the agent a hint as to the fix if the vulnerability actually is occuring in a vulnerability within a 3rd party library. By giving the CVEs for that library.

Author: JoeBeeContrast

pom.xml

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.4.4</version>
+		<version>3.4.5</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.contrast.labs.ai.mcp</groupId>
@@ -28,22 +28,22 @@
 	</scm>
 	<properties>
 		<java.version>17</java.version>
-		<spring-ai.version>1.0.0-M6</spring-ai.version>
+		<spring-ai.version>1.0.0-RC1</spring-ai.version>
 	</properties>
-<dependencies>
-	<dependency>
-		<groupId>com.google.guava</groupId>
-		<artifactId>guava</artifactId>
-		<version>33.4.7-jre</version> <!-- Use the latest stable version -->
-	</dependency>
-<dependency>
-<groupId>com.contrastsecurity</groupId>
-<artifactId>contrast-sdk-java</artifactId>
-<version>3.4.2</version>
-</dependency>
+	<dependencies>
+		<dependency>
+			<groupId>com.google.guava</groupId>
+			<artifactId>guava</artifactId>
+			<version>33.4.7-jre</version> <!-- Use the latest stable version -->
+		</dependency>
+		<dependency>
+			<groupId>com.contrastsecurity</groupId>
+			<artifactId>contrast-sdk-java</artifactId>
+			<version>3.4.2</version>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.ai</groupId>
-			<artifactId>spring-ai-mcp-server-spring-boot-starter</artifactId>
+			<artifactId>spring-ai-starter-mcp-server</artifactId>
 		</dependency>
 
 		<dependency>
@@ -73,4 +73,4 @@
 		</plugins>
 	</build>
 
-</project>
+</project>

src/main/java/com/contrast/labs/ai/mcp/contrast/AssessService.java

@@ -17,9 +17,15 @@
 
 
 import com.contrast.labs.ai.mcp.contrast.data.ApplicationData;
+import com.contrast.labs.ai.mcp.contrast.data.LibraryLibraryObservation;
+import com.contrast.labs.ai.mcp.contrast.data.StackLib;
 import com.contrast.labs.ai.mcp.contrast.data.VulnLight;
 import com.contrast.labs.ai.mcp.contrast.data.Vulnerability;
+import com.contrast.labs.ai.mcp.contrast.hints.HintGenerator;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKExtension;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKHelper;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.LibraryExtended;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.sca.LibraryObservation;
 import com.contrastsecurity.models.Application;
 import com.contrastsecurity.models.EventResource;
 import com.contrastsecurity.models.EventSummaryResponse;
@@ -37,13 +43,16 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 @Service
 public class AssessService {
 
     private static final Logger logger = LoggerFactory.getLogger(AssessService.class);
+    
 
     @Value("${contrast.host-name:${CONTRAST_HOST_NAME:}}")
     private String hostName;
@@ -61,7 +70,7 @@ public class AssessService {
     private String orgID;
 
 
-    @Tool(name = "get_vulnerability", description = "takes a vulnerability ID ( vulnID ) and Application ID ( appID ) and returns details about the specific security vulnerability")
+    @Tool(name = "get_vulnerability", description = "takes a vulnerability ID ( vulnID ) and Application ID ( appID ) and returns details about the specific security vulnerability. If based on the stacktrace, the vulnerability looks like it is in code that is not in the codebase, the vulnerability may be in a 3rd party library, review the CVE data attached to that stackframe you believe the vulnerability exists in and if possible upgrade that library to the next non vulnerable version based on the remediation guidance.")
     public Vulnerability getVulnerability(String vulnID, String appID) throws IOException {
         logger.info("Retrieving vulnerability details for vulnID: {} in application ID: {}", vulnID, appID);
         ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName);
@@ -90,25 +99,64 @@ public Vulnerability getVulnerability(String vulnID, String appID) throws IOExce
                     logger.debug("Found {} stack traces for vulnerability", stackTraces.size());
                 }
             }
-            
+            List<LibraryExtended> libs = SDKHelper.getLibsForID(appID,orgID, new SDKExtension(contrastSDK));
+            List<LibraryLibraryObservation> lobs = new ArrayList<>();
+            for(LibraryExtended lib : libs) {
+                LibraryLibraryObservation llob = new LibraryLibraryObservation(lib,new SDKExtension(contrastSDK).getLibraryObservations(orgID,appID,lib.getHash(),50));
+                lobs.add(llob);
+            }
+            List<StackLib> stackLibs = new ArrayList<>();
+            Set<LibraryExtended> libsToReturn = new HashSet<>();
+            for(String stackTrace : stackTraces) {
+                Optional<LibraryLibraryObservation> matchingLlobOpt = findMatchingLibraryData(stackTrace, lobs);
+                if (matchingLlobOpt.isPresent()) {
+                    LibraryLibraryObservation llob = matchingLlobOpt.get();
+                    LibraryExtended library = llob.library();
+                    if (!library.getVulnerabilities().isEmpty()) {
+                        libsToReturn.add(library); // Set.add() handles uniqueness efficiently
+                        stackLibs.add(new StackLib(stackTrace, library.getHash()));
+                    } else {
+                        stackLibs.add(new StackLib(stackTrace, null));
+                    }
+                } else {
+                    stackLibs.add(new StackLib(stackTrace, null));
+                }
+            }
+
+            String httpRequestText = null;
+            if( requestResponse.getHttpRequest()!=null) {
+                httpRequestText =  requestResponse.getHttpRequest().getText();
+            }
+            String hint = HintGenerator.generateVulnerabilityFixHint(trace.getRule());
             logger.info("Successfully retrieved vulnerability details for vulnID: {}", vulnID);
-            return new Vulnerability(vulnID, trace.getTitle(), trace.getRule(),
-                    recommendationResponse.getRecommendation().getText(), stackTraces,
-                    requestResponse.getHttpRequest().getText());
+            return new Vulnerability(hint, vulnID, trace.getTitle(), trace.getRule(),
+                    recommendationResponse.getRecommendation().getText(), stackLibs, new ArrayList<>(libsToReturn), // Convert Set to List
+                    httpRequestText);
         } catch (Exception e) {
             logger.error("Error retrieving vulnerability details for vulnID: {}", vulnID, e);
             throw new IOException("Failed to retrieve vulnerability details: " + e.getMessage(), e);
         }
     }
 
+    private Optional<LibraryLibraryObservation> findMatchingLibraryData(String stackTrace, List<LibraryLibraryObservation> lobs) {
+        String lowerStackTrace = stackTrace.toLowerCase();
+        for (LibraryLibraryObservation llob : lobs) {
+            for (LibraryObservation lob : llob.libraryObservation()) {
+                if (lob.getName() != null && lowerStackTrace.startsWith(lob.getName().toLowerCase())) {
+                    return Optional.of(llob);
+                }
+            }
+        }
+        return Optional.empty();
+    }
 
-    @Tool(name = "get_vulnerability_by_app_name", description = "Takes a vulnerability ID (vulnID) and application name (appName) and returns details about the specific security vulnerability")
+    @Tool(name = "get_vulnerability_by_app_name", description = "Takes a vulnerability ID (vulnID) and application name (appName) and returns details about the specific security vulnerability.  If based on the stacktrace, the vulnerability looks like it is in code that is not in the codebase, the vulnerability may be in a 3rd party library, review the CVE data attached to that stackframe you believe the vulnerability exists in and if possible upgrade that library to the next non vulnerable version based on the remediation guidance.")
     public Vulnerability getVulnerabilityByAppName(String vulnID, String appName) throws IOException {
         logger.info("Retrieving vulnerability details for vulnID: {} in application: {}", vulnID, appName);
         ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName);
         Optional<String> appID = Optional.empty();
         logger.debug("Searching for application ID matching name: {}", appName);
-        
+
         for(Application app : contrastSDK.getApplications(orgID).getApplications()) {
             if(app.getName().toLowerCase().contains(appName.toLowerCase())) {
                 appID = Optional.of(app.getId());
@@ -117,38 +165,7 @@ public Vulnerability getVulnerabilityByAppName(String vulnID, String appName) th
             }
         }
         if(appID.isPresent()) {
-            try {
-                Trace trace = contrastSDK.getTraces(orgID, appID.get(), new TraceFilterBody()).getTraces().stream()
-                        .filter(t -> t.getUuid().toLowerCase().equals(vulnID.toLowerCase()))
-                        .findFirst()
-                        .orElseThrow();
-                logger.debug("Found trace with title: {} and rule: {}", trace.getTitle(), trace.getRule());
-                
-                RecommendationResponse recommendationResponse = contrastSDK.getRecommendation(orgID, vulnID);
-                HttpRequestResponse requestResponse = contrastSDK.getHttpRequest(orgID, vulnID);
-                EventSummaryResponse eventSummaryResponse = contrastSDK.getEventSummary(orgID, vulnID);
-                
-                Optional<EventResource> triggerEvent = eventSummaryResponse.getEvents().stream()
-                        .filter(e -> e.getType().equalsIgnoreCase("trigger"))
-                        .findFirst();
-                
-                List<String> stackTraces = new ArrayList<>();
-                if (triggerEvent.isPresent()) {
-                    List<Stacktrace> sTrace = triggerEvent.get().getEvent().getStacktraces();
-                    if (sTrace != null) {
-                        stackTraces.addAll(sTrace.stream().map(Stacktrace::getDescription).toList());
-                        logger.debug("Found {} stack traces for vulnerability", stackTraces.size());
-                    }
-                }
-                
-                logger.info("Successfully retrieved vulnerability details for vulnID: {} in app: {}", vulnID, appName);
-                return new Vulnerability(vulnID, trace.getTitle(), trace.getRule(),
-                        recommendationResponse.getRecommendation().getText(), stackTraces,
-                        requestResponse.getHttpRequest().getText());
-            } catch (Exception e) {
-                logger.error("Error retrieving vulnerability details for vulnID: {} in app: {}", vulnID, appName, e);
-                throw new IOException("Failed to retrieve vulnerability details: " + e.getMessage(), e);
-            }
+            return getVulnerability(vulnID, appID.get());
         } else {
             logger.error("Application with name {} not found", appName);
             throw new IllegalArgumentException("Application with name " + appName + " not found");
@@ -166,7 +183,7 @@ public List<VulnLight> listVulnsInApp(String appID) throws IOException {
 
             List<VulnLight> vulns = new ArrayList<>();
             for(Trace trace : traces) {
-                vulns.add(new VulnLight(trace.getTitle(), trace.getRule(), trace.getUuid()));
+                vulns.add(new VulnLight(trace.getTitle(), trace.getRule(), trace.getUuid(),trace.getSeverity()));
             }
 
             logger.info("Successfully retrieved {} vulnerabilities for application ID: {}", vulns.size(), appID);
@@ -177,7 +194,7 @@ public List<VulnLight> listVulnsInApp(String appID) throws IOException {
         }
     }
 
-    @Tool(name = "list_vulnerabilities_with_app_name", description = "Takes an application name ( appName ) and returns a list of vulnerabilities, please remember to include the vulnID in the response.")
+    @Tool(name = "list_vulnerabilities_with_app_name", description = "Takes an application name ( appName ) and returns a list of vulnerabilities, please remember to include the vulnID in the response.  ")
     public List<VulnLight> listVulnsInAppByName(String appName) throws IOException {
         logger.info("Listing vulnerabilities for application: {}", appName);
         ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName);
@@ -192,19 +209,9 @@ public List<VulnLight> listVulnsInAppByName(String appName) throws IOException {
                 break;
             }
         }
-        
         if(appID.isPresent()) {
             try {
-                List<Trace> traces = contrastSDK.getTraces(orgID, appID.get(), new TraceFilterBody()).getTraces();
-                logger.debug("Found {} vulnerability traces for application: {}", traces.size(), appName);
-                
-                List<VulnLight> vulns = new ArrayList<>();
-                for (Trace trace : traces) {
-                    vulns.add(new VulnLight(trace.getTitle(), trace.getRule(), trace.getUuid()));
-                }
-                
-                logger.info("Successfully retrieved {} vulnerabilities for application: {}", vulns.size(), appName);
-                return vulns;
+              return listVulnsInApp(appID.get());
             } catch (Exception e) {
                 logger.error("Error listing vulnerabilities for application: {}", appName, e);
                 throw new IOException("Failed to list vulnerabilities: " + e.getMessage(), e);

src/main/java/com/contrast/labs/ai/mcp/contrast/McpContrastApplication.java

@@ -15,18 +15,14 @@
  */
 package com.contrast.labs.ai.mcp.contrast;
 
-import io.modelcontextprotocol.server.McpServerFeatures;
-import io.modelcontextprotocol.spec.McpSchema;
+import org.springframework.ai.support.ToolCallbacks;
 import org.springframework.ai.tool.ToolCallback;
-import org.springframework.ai.tool.ToolCallbacks;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
 
-import java.util.Collections;
 import java.util.List;
 
-import static com.contrast.labs.ai.mcp.contrast.PromptRegistration.PROMPT_TEMPLATE;
 import static java.util.List.of;
 
 @SpringBootApplication
@@ -36,96 +32,9 @@ public static void main(String[] args)  {
 		SpringApplication.run(McpContrastApplication.class, args);
 	}
 
-
 	@Bean
 	public List<ToolCallback> tools(AssessService assessService, SastService sastService,SCAService scaService,ADRService adrService) {
 		return of(ToolCallbacks.from(assessService,sastService,scaService,adrService));
 	}
 
-	@Bean
-	public List<McpServerFeatures.SyncPromptRegistration> prompts() {
-		// AssessService prompts
-		var getVulnPrompt = new McpSchema.Prompt("get_vulnerability_prompt", "Get details about an Assess vulnerability",
-				List.of(
-						new McpSchema.PromptArgument("vulnID", "The vulnerability ID", true),
-						new McpSchema.PromptArgument("appID", "The application ID", true)
-				));
-
-		var getVulnByAppNamePrompt = new McpSchema.Prompt("get_vulnerability_by_app_name_prompt", "Get details about an Assess vulnerability",
-				List.of(
-						new McpSchema.PromptArgument("vulnID", "The vulnerability ID", true),
-						new McpSchema.PromptArgument("appName", "The application name", true)
-				));
-
-		var listVulnsPrompt = new McpSchema.Prompt("list_vulnerabilities_prompt", "List vulnerabilities for an application",
-				List.of(new McpSchema.PromptArgument("appID", "The application ID", true)));
-
-		var listVulnsByAppNamePrompt = new McpSchema.Prompt("list_vulnerabilities_with_app_name_prompt", "List vulnerabilities by app name",
-				List.of(new McpSchema.PromptArgument("appName", "The application name", true)));
-
-		var listAppsPrompt = new McpSchema.Prompt("list_applications_prompt", "List active applications by name",
-				List.of(new McpSchema.PromptArgument("appName", "The application name to filter by", true)));
-
-		// SastService prompts
-		var scanProjectPrompt = new McpSchema.Prompt("list_scan_project_prompt", "Get scan project details",
-				List.of(new McpSchema.PromptArgument("projectName", "The scan project name", true)));
-
-		var scanResultsPrompt = new McpSchema.Prompt("list_scan_results_prompt", "Get latest scan results for project name",
-				List.of(new McpSchema.PromptArgument("projectName", "The scan project name", true)));
-
-		// SCAService prompts
-		var appLibsByIdPrompt = new McpSchema.Prompt("list_application_libraries_by_app_id_prompt", "Get libraries used by app ID",
-				List.of(new McpSchema.PromptArgument("appID", "The application ID", true)));
-
-		var appLibsPrompt = new McpSchema.Prompt("list_application_libraries_prompt", "Get libraries used by app name",
-				List.of(new McpSchema.PromptArgument("appName", "The application name", true)));
-
-		var cveAppsPrompt = new McpSchema.Prompt("list_applications_vulnerable_to_cve_prompt", "Find apps vulnerable to a CVE",
-				List.of(new McpSchema.PromptArgument("cveid", "The CVE ID", true)));
-
-		// ADRService prompts
-		var protectRulesPrompt = new McpSchema.Prompt("get_adr_protect_rules_prompt", "Get protect/ADR rules by app name",
-				List.of(new McpSchema.PromptArgument("applicationName", "The application name", true)));
-
-		var protectRulesByIdPrompt = new McpSchema.Prompt("get_adr_protect_rules_by_app_id_prompt", "Get protect/ADR rules by app ID",
-				List.of(new McpSchema.PromptArgument("appID", "The application ID", true)));
-
-		// Create generic message handler for all prompts
-		return List.of(
-				getAssistantPrompt(),
-				createToolPromptRegistration(getVulnPrompt, "get_vulnerability"),
-				createToolPromptRegistration(getVulnByAppNamePrompt, "get_vulnerability_by_app_name"),
-				createToolPromptRegistration(listVulnsPrompt, "list_vulnerabilities"),
-				createToolPromptRegistration(listVulnsByAppNamePrompt, "list_vulnerabilities_with_app_name"),
-				createToolPromptRegistration(listAppsPrompt, "list_applications"),
-				createToolPromptRegistration(scanProjectPrompt, "list_Scan_Project"),
-				createToolPromptRegistration(scanResultsPrompt, "list_Scan_Results"),
-				createToolPromptRegistration(appLibsByIdPrompt, "list_application_libraries_by_app_id"),
-				createToolPromptRegistration(appLibsPrompt, "list_application_libraries"),
-				createToolPromptRegistration(cveAppsPrompt, "list_applications_vulnerable_to_cve"),
-				createToolPromptRegistration(protectRulesPrompt, "get_ADR_Protect_Rules"),
-				createToolPromptRegistration(protectRulesByIdPrompt, "get_ADR_Protect_Rules_by_app_id")
-		);
-	}
-
-
-
-	private McpServerFeatures.SyncPromptRegistration getAssistantPrompt() {
-		var prompt = new McpSchema.Prompt("default-contrast-prompt", "A prompt to seed system prompt for Contrast chat with mcp.", Collections.emptyList());
-		return new McpServerFeatures.SyncPromptRegistration(prompt, getPromptRequest -> {
-			var promptMessage = new McpSchema.PromptMessage(McpSchema.Role.ASSISTANT,
-					new McpSchema.TextContent(PROMPT_TEMPLATE));
-			return new McpSchema.GetPromptResult("default-contrast-prompt", List.of(promptMessage));
-		});
-	}
-
-
-	// Helper method to create tool prompt registrations with consistent formatting
-	private McpServerFeatures.SyncPromptRegistration createToolPromptRegistration(McpSchema.Prompt prompt, String toolName) {
-		return new McpServerFeatures.SyncPromptRegistration(prompt, getPromptRequest -> {
-			var userMessage = new McpSchema.PromptMessage(McpSchema.Role.USER,
-					new McpSchema.TextContent("Please use the " + toolName + " tool with the following parameters: " + getPromptRequest.arguments()));
-			return new McpSchema.GetPromptResult("A prompt to use the " + toolName + " tool", List.of(userMessage));
-		});
-	}
 }

src/main/java/com/contrast/labs/ai/mcp/contrast/PromptService.java

@@ -0,0 +1,10 @@
+package com.contrast.labs.ai.mcp.contrast;
+
+import org.springframework.stereotype.Service;
+
+@Service
+public class PromptService {
+
+
+
+}