Java transitive search (#130)

* Java transitive search

Signed-off-by: Theodor Mihalache <tmihalac@tmihalac-thinkpadp1gen7.rmtusfl.csb>

Author: tmihalac

.tekton/on-pull-request.yaml

@@ -178,6 +178,23 @@ spec:
                 print_banner "INSTALLING DEPENDENCIES"
                 uv sync
                 
+                # Install Java
+                JAVA_ARCH="x64"
+                JDK_URL="https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.2%2B9/OpenJDK22U-jdk_${JAVA_ARCH}_linux_hotspot_22.0.2_9.tar.gz"
+                JDK_DIR="jdk-22.0.2+9"
+          
+                echo ">> Downloading $JDK_URL"
+                mkdir -p /tekton/home/jdk
+                curl -fsSL -o /tekton/home/jdk/jdk.tgz "$JDK_URL"
+                tar -C /tekton/home/jdk -xzf /tekton/home/jdk/jdk.tgz
+                rm -f /tekton/home/jdk/jdk.tgz
+          
+                export JAVA_HOME="/tekton/home/jdk/${JDK_DIR}"
+                export PATH="$JAVA_HOME/bin:$PATH"
+                
+                echo "Java version:"
+                java -version || true
+                
                 # Install Go
                 print_banner "Installing Go"
 
@@ -190,6 +207,24 @@ spec:
                 echo "Go version:"
                 go version
 
+                # Install Maven
+                print_banner "Installing Maven"
+                
+                MAVEN_VERSION="3.9.11"
+                ARCHIVE="apache-maven-${MAVEN_VERSION}-bin.tar.gz"
+                URL="https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/${ARCHIVE}"
+                
+                curl -s -L -o "${ARCHIVE}" "${URL}"
+                mkdir -p "$HOME/maven-sdk"
+                tar -C "$HOME/maven-sdk" -xzf "${ARCHIVE}"
+                
+                export MAVEN_HOME="$HOME/maven-sdk/apache-maven-${MAVEN_VERSION}"
+                export M2_HOME="$MAVEN_HOME"
+                export PATH="$MAVEN_HOME/bin:$PATH"
+                
+                echo "Maven version:"
+                mvn -v
+                
                 print_banner "RUNNING LINTER"
                 # Add the current directory to git's safe directories to avoid ownership errors.
                 git config --global --add safe.directory /workspace/source

Dockerfile

@@ -44,6 +44,27 @@ RUN curl -L -X GET https://go.dev/dl/go1.24.1.linux-amd64.tar.gz -o /tmp/go1.24.
     && tar -C /usr/local -xzf /tmp/go1.24.1.linux-amd64.tar.gz \
     && rm /tmp/go1.24.1.linux-amd64.tar.gz
 
+# --- Temurin JDK 22 (amd64/x86_64) ---
+ARG JDK_URL="https://github.com/adoptium/temurin22-binaries/releases/download/jdk-22.0.2%2B9/OpenJDK22U-jdk_x64_linux_hotspot_22.0.2_9.tar.gz"
+ARG JDK_DIR="jdk-22.0.2+9"
+RUN mkdir -p /opt/jdk \
+ && curl -fsSL -o /tmp/jdk.tgz "${JDK_URL}" \
+ && tar -C /opt/jdk -xzf /tmp/jdk.tgz \
+ && rm -f /tmp/jdk.tgz
+ENV JAVA_HOME=/opt/jdk/${JDK_DIR}
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
+# --- Maven 3.9.11 (optional) ---
+ARG MVN_VER=3.9.11
+RUN curl -fsSL -o /tmp/maven.tgz \
+      "https://archive.apache.org/dist/maven/maven-3/${MVN_VER}/binaries/apache-maven-${MVN_VER}-bin.tar.gz" \
+ && tar -C /opt -xzf /tmp/maven.tgz \
+ && rm -f /tmp/maven.tgz
+ENV PATH="/opt/apache-maven-${MVN_VER}/bin:${PATH}"
+
+# Verify
+RUN java -version && mvn -v
+
 # Set SSL environment variables
 ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

src/vuln_analysis/tools/tests/test_transitive_code_search.py

@@ -300,3 +300,77 @@ async def test_c_transitive_search_2():
     print(f"DEBUG: len(list_path) = {len(list_path)}")
     assert len(list_path) == 1
     assert path_found == False
+
+@pytest.mark.asyncio
+async def test_transitive_search_java_1():
+    transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
+    set_input_for_next_run(git_repository="https://github.com/cryostatio/cryostat",
+                           git_ref="8f753753379e9381429b476aacbf6890ef101438",
+                           included_extensions=["**/*.java"],
+                           excluded_extensions=["target/**/*",
+                                                "build/**/*",
+                                                "*.class",
+                                                ".gradle/**/*",
+                                                ".mvn/**/*",
+                                                ".gitignore",
+                                                "test/**/*",
+                                                "tests/**/*",
+                                                "src/test/**/*",
+                                                "pom.xml",
+                                                "build.gradle"])
+    result = await transitive_code_search_runner_coroutine("commons-beanutils:commons-beanutils:1.9.4,org.apache.commons.beanutils.PropertyUtilsBean.getProperty")
+    (path_found, list_path) = result
+    print(result)
+    assert path_found is False
+    assert len(list_path) is 1
+
+@pytest.mark.asyncio
+async def test_transitive_search_java_2():
+    transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
+    set_input_for_next_run(git_repository="https://github.com/cryostatio/cryostat",
+                           git_ref="8f753753379e9381429b476aacbf6890ef101438",
+                           included_extensions=["**/*.java"],
+                           excluded_extensions=["target/**/*",
+                                                "build/**/*",
+                                                "*.class",
+                                                ".gradle/**/*",
+                                                ".mvn/**/*",
+                                                ".gitignore",
+                                                "test/**/*",
+                                                "tests/**/*",
+                                                "src/test/**/*",
+                                                "pom.xml",
+                                                "build.gradle"])
+    result = await transitive_code_search_runner_coroutine("org.apache.commons:commons-lang3:3.14.0,org.apache.commons.lang3.StringUtils.isBlank")
+    (path_found, list_path) = result
+    print(result)
+    assert path_found is True
+    assert len(list_path) is 2
+    document = list_path[1]
+    assert 'src/main/java/io/cryostat' in document.metadata['source']
+    assert 'StringUtils.isBlank(' in document.page_content
+
+# @pytest.mark.asyncio
+# async def test_transitive_search_java_3():
+#     transitive_code_search_runner_coroutine = await get_transitive_code_runner_function()
+#     set_input_for_next_run(git_repository="https://github.com/cryostatio/cryostat",
+#                            git_ref="8f753753379e9381429b476aacbf6890ef101438",
+#                            included_extensions=["**/*.java"],
+#                            excluded_extensions=["target/**/*",
+#                                                 "build/**/*",
+#                                                 "*.class",
+#                                                 ".gradle/**/*",
+#                                                 ".mvn/**/*",
+#                                                 ".gitignore",
+#                                                 "test/**/*",
+#                                                 "tests/**/*",
+#                                                 "src/test/**/*",
+#                                                 "pom.xml",
+#                                                 "build.gradle"])
+#     result = await transitive_code_search_runner_coroutine(",java.net.URLEncoder.encode")
+#     (path_found, list_path) = result
+#     print(result)
+#     assert path_found is True
+#     assert len(list_path) > 1
+#     document = list_path[-1]
+#     assert 'src/main/java/io/cryostat' in document.metadata['source']

src/vuln_analysis/tools/transitive_code_search.py

@@ -12,7 +12,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 import os
 
 from vuln_analysis.runtime_context import ctx_state
@@ -26,14 +25,18 @@
 from langchain.docstore.document import Document
 
 from vuln_analysis.data_models.state import AgentMorpheusEngineState
-from ..utils.chain_of_calls_retriever import ChainOfCallsRetriever
-from vuln_analysis.utils.dep_tree import Ecosystem
 from vuln_analysis.utils.document_embedding import DocumentEmbedding
+from ..data_models.input import SourceDocumentsInfo
+from ..utils.chain_of_calls_retriever_base import ChainOfCallsRetrieverBase
+from ..utils.chain_of_calls_retriever_factory import get_chain_of_calls_retriever
+from ..utils.dep_tree import Ecosystem
 from ..utils.error_handling_decorator import catch_pipeline_errors_async, catch_tool_errors
 from ..utils.function_name_extractor import FunctionNameExtractor
 from ..utils.function_name_locator import FunctionNameLocator
 
 from vuln_analysis.logging.loggers_factory import LoggingFactory
+from ..utils.java_chain_of_calls_retriever import JavaChainOfCallsRetriever
+
 
 PACKAGE_AND_FUNCTION_LOCATOR_TOOL_NAME = "package_and_function_locator"
 
@@ -60,29 +63,33 @@ class PackageAndFunctionLocatorToolConfig(FunctionBaseConfig, name=("%s" % PACKA
     Package and function locator tool used to validate package names and find function names using fuzzy matching.
     """
 
-
-def get_call_of_chains_retriever(documents_embedder, si):
+def get_call_of_chains_retriever(documents_embedder, si, query: str):
     documents: list[Document]
     git_repo = None
+    code_source_info: SourceDocumentsInfo
     for source_info in si:
         if source_info.type == "code":
+            code_source_info = source_info
             git_repo = documents_embedder.get_repo_path(source_info)
             documents = documents_embedder.collect_documents(source_info)
     if git_repo is None:
         raise ValueError("No code source info found")
     with open(os.path.join(git_repo, 'ecosystem_data.txt'), 'r', encoding='utf-8') as file:
         ecosystem = file.read()
     ecosystem = Ecosystem[ecosystem]
-    coc_retriever = ChainOfCallsRetriever(documents=documents, ecosystem=ecosystem, manifest_path=git_repo)
+    coc_retriever = get_chain_of_calls_retriever(ecosystem=ecosystem,
+                                                 documents=documents,
+                                                 manifest_path=git_repo,
+                                                 query=query,
+                                                 code_source_info=code_source_info)
     return coc_retriever
 
-
-def get_transitive_code_searcher():
+def get_transitive_code_searcher(query: str):
     state: AgentMorpheusEngineState = ctx_state.get()
-    if state.transitive_code_searcher is None:
+    if state.transitive_code_searcher is None or isinstance(state.transitive_code_searcher.chain_of_calls_retriever, JavaChainOfCallsRetriever):
         si = state.original_input.input.image.source_info
         documents_embedder = DocumentEmbedding(embedding=None)
-        coc_retriever = get_call_of_chains_retriever(documents_embedder, si)
+        coc_retriever = get_call_of_chains_retriever(documents_embedder, si, query)
         transitive_code_searcher = TransitiveCodeSearcher(chain_of_calls_retriever=coc_retriever)
         state.transitive_code_searcher = transitive_code_searcher
     return state.transitive_code_searcher
@@ -108,16 +115,22 @@ async def transitive_search(config: TransitiveCodeSearchToolConfig,
     @catch_tool_errors(TRANSITIVE_CODE_SEARCH_TOOL_NAME)
     async def _arun(query: str) -> tuple:
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         result = transitive_code_searcher.search(query)
         return result
 
     yield FunctionInfo.from_fn(
         _arun,
         description=("""
-    Checks if a function from a package is reachable from application code through the call chain. 
-    Input format: 'package_name,function_name'.
-    Example: 'urllib,parse'.
+    Checks if a function from a package is reachable from application code through the call chain.
+    Make sure the input format is matching exactly one of the following formats:
+    
+    Input format 1: 'package_name,function_name'.
+    Example 1: 'urllib,parse'.
+    
+    Input format 2(java): 'maven_gav,class_name.function_name'.
+    Example 2(java): 'commons-beanutils:commons-beanutils:1.0.0,PropertyUtilsBean.setSimpleProperty'.
+    
     Returns: (is_reachable: bool, call_hierarchy_path: list).
 """))
 
@@ -131,9 +144,9 @@ async def functions_usage_search(config: CallingFunctionNameExtractorToolConfig,
     """
     @catch_tool_errors(FUNCTION_NAME_EXTRACTOR_TOOL_NAME)
     async def _arun(query: str) -> list:
-        coc_retriever: ChainOfCallsRetriever
+        coc_retriever: ChainOfCallsRetrieverBase
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         coc_retriever = transitive_code_searcher.chain_of_calls_retriever
         function_name_extractor = FunctionNameExtractor(coc_retriever)
         result = function_name_extractor.fetch_list(query)
@@ -154,33 +167,38 @@ async def package_and_function_locator(config: PackageAndFunctionLocatorToolConf
                                       builder: Builder):  # pylint: disable=unused-argument
     """
     Function Locator tool used to validate package names and find function names using fuzzy matching.
-    Mandatory first step for code path analysis. 
+    Mandatory first step for code path analysis.
     """
 
     @catch_tool_errors(PACKAGE_AND_FUNCTION_LOCATOR_TOOL_NAME)
     async def _arun(query: str) -> dict:
-        coc_retriever: ChainOfCallsRetriever
+        coc_retriever: ChainOfCallsRetrieverBase
         transitive_code_searcher: TransitiveCodeSearcher
-        transitive_code_searcher = get_transitive_code_searcher()
+        transitive_code_searcher = get_transitive_code_searcher(query)
         coc_retriever = transitive_code_searcher.chain_of_calls_retriever
         locator = FunctionNameLocator(coc_retriever)
         result = await locator.locate_functions(query)
         pkg_msg = "Package is valid."
-        if not locator.is_package_valid and not locator.is_std_package:        
-            pkg_msg = "Package is not valid."            
-        
-        
+        if not locator.is_package_valid and not locator.is_std_package:
+            pkg_msg = "Package is not valid."
+
         return {
             "ecosystem": coc_retriever.ecosystem.name,
-            "package_msg": pkg_msg,            
+            "package_msg": pkg_msg,
             "result": result
         }
 
     yield FunctionInfo.from_fn(
         _arun,
         description=("""
     Mandatory first step for code path analysis. Validates package names, locates functions using fuzzy matching, and provides ecosystem type (GO/Python/Java/JavaScript/C/C++).
-    Input format: 'package_name,function_name' or 'package_name,class_name.method_name'
-    Example: 'libxml2,xmlParseDocument'
+    Make sure the input format is matching exactly one of the following formats:
+    
+    Input format 1: 'package_name,function_name' or 'package_name,class_name.method_name'.
+    Example 1: 'libxml2,xmlParseDocument'.
+    
+    Input format 2(java): 'maven_gav,class_name.method_name'.
+    Example 2(java): 'commons-beanutils:commons-beanutils:1.0.0,PropertyUtilsBean.setSimpleProperty'.
+    
     Returns: {'ecosystem': str, 'package_msg': str, 'result': [function_names]}.
 """))