From bb2f86577cfb776ac0ac24096d1c7a221589e370 Mon Sep 17 00:00:00 2001
From: Ye Lin Aung
Date: Mon, 24 Nov 2025 21:34:35 +0800
Subject: [PATCH] feat(java-support): add new java_plugin & prompt for it
---
src/metis/plugins/java_plugin.py | 46 ++++++++++++++++++++++++++++++
src/metis/plugins/plugins.yaml | 49 ++++++++++++++++++++++++++++++++
2 files changed, 95 insertions(+)
create mode 100644 src/metis/plugins/java_plugin.py
diff --git a/src/metis/plugins/java_plugin.py b/src/metis/plugins/java_plugin.py
new file mode 100644
index 00000000..ff392fd9
--- /dev/null
+++ b/src/metis/plugins/java_plugin.py
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates
+# SPDX-License-Identifier: Apache-2.0
+
+from llama_index.core.node_parser import CodeSplitter
+
+from metis.plugins.base import BaseLanguagePlugin
+
+
+class JavaPlugin(BaseLanguagePlugin):
+ def __init__(self, plugin_config: dict):
+ self.plugin_config = plugin_config
+
+ def get_name(self) -> str:
+ return "java"
+
+ def can_handle(self, extension: str) -> bool:
+ supported = self.get_supported_extensions()
+ return extension.lower() in supported
+
+ def get_supported_extensions(self) -> list[str]:
+ exts = (
+ self.plugin_config.get("plugins", {})
+ .get(self.get_name(), {})
+ .get("supported_extensions", [".java"])
+ )
+ return [e.lower() for e in exts]
+
+ def get_splitter(self):
+ splitting_cfg = (
+ self.plugin_config.get("plugins", {})
+ .get(self.get_name(), {})
+ .get("splitting", {})
+ )
+ return CodeSplitter(
+ language=self.get_name(),
+ chunk_lines=splitting_cfg.get("chunk_lines", 40),
+ chunk_lines_overlap=splitting_cfg.get("chunk_lines_overlap", 15),
+ max_chars=splitting_cfg.get("max_chars", 1500),
+ )
+
+ def get_prompts(self) -> dict:
+ return (
+ self.plugin_config.get("plugins", {})
+ .get(self.get_name(), {})
+ .get("prompts", {})
+ )
diff --git a/src/metis/plugins/plugins.yaml b/src/metis/plugins/plugins.yaml
index 4a841b0a..2ece98c0 100644
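Review bot: The lookup `self.plugin_config.get("plugins", {}).get(self.get_name(), {})` is repeated verbatim in get_supported_extensions, get_splitter and get_prompts; a private accessor would keep the three readers of the `plugins.java` section in sync and gives a single place to adjust if the config shape changes. The class and its methods carry no docstrings, and get_splitter is the only method without a return annotation (`def get_splitter(self) -> CodeSplitter:`). `__init__` does not call `super().__init__()`; if BaseLanguagePlugin initialises any state, this skips it — worth confirming against the base class, which is not part of this patch. CodeSplitter(language="java") presumably needs a tree-sitter Java grammar available at runtime rather than at import time; a short comment on that line naming the dependency would help whoever deploys the plugin.
```python
class JavaPlugin(BaseLanguagePlugin):
    """Java language plugin: extensions, CodeSplitter settings and prompts read from plugin_config."""

    def _plugin_cfg(self) -> dict:
        # One place that resolves the `plugins.<name>` section so the getters stay consistent.
        return self.plugin_config.get("plugins", {}).get(self.get_name(), {})

    # … unchanged: __init__, get_name, can_handle …

    def get_supported_extensions(self) -> list[str]:
        """Return the configured extensions (default [".java"]), lower-cased."""
        exts = self._plugin_cfg().get("supported_extensions", [".java"])
        return [e.lower() for e in exts]

    def get_splitter(self) -> CodeSplitter:
        """Build a CodeSplitter for Java from the `splitting` section, with defaults."""
        splitting_cfg = self._plugin_cfg().get("splitting", {})
        # … unchanged: CodeSplitter(...) construction …

    def get_prompts(self) -> dict:
        """Return the `prompts` mapping for this plugin, or {} when absent."""
        return self._plugin_cfg().get("prompts", {})
```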
--- a/src/metis/plugins/plugins.yaml
+++ b/src/metis/plugins/plugins.yaml
@@ -432,6 +432,55 @@ plugins: 1. FILE - A source code file 2. RELEVANT_CONTEXT - information about what these changes do. + Your tasks are: + 1. Security Review Scope + - Review the security implications of the FILE. + If it is empty, ignore it. + java: + supported_extensions: [".java"] + splitting: + chunk_lines: 40 + chunk_lines_overlap: 15 + max_chars: 1500 + prompts: + security_review: |- + You are a thorough security engineer specializing in Java. + Always tie your identified issues directly to the evidence in FILE_CHANGES, RELEVANT_CONTEXT, + and ORIGINAL_FILE. Do not introduce new security conclusions that are not supported + by the specific changes or context provided. + You will be given: + 1. FILE_CHANGES - a set of code changes with lines marked by “+” indicating what has been added or “-” for removed. + 2. RELEVANT_CONTEXT - information about what these changes do. + 3. ORIGINAL_FILE - The original file before being modified. Use this to understand how changes affect the code. (this may be empty). + + Your tasks are: + 1. Security Review Scope + - Review the security implications of the FILE_CHANGES, focusing on lines marked with “+.” or “-” but take into account how they interact with the whole file. + If it is empty, ignore it. + security_review_checks: |- + 2. What to Check + - Look for potential security issues such as: + - OWASP Top 10 vulnerabilities (e.g., Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE)). + - Insecure deserialization. + - Hardcoded secrets or sensitive information. + - Insecure use of Java APIs, particularly those dealing with cryptography, network, or file I/O. + - Resource leaks (e.g., unclosed streams, connections). + - Improper exception handling revealing sensitive information. + - Race conditions or concurrency issues. + - Use of deprecated or vulnerable libraries. + - Server-side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF). 
+ - Do not report on issues that do not affect security. + validation_review: "Validate the following Java review for security concerns." + snippet_security_summary: "Summarize the security implications of these Java code changes." + attempt_fix: "Based on the issues detected in the Java code changes, propose a fix patch. Issues: {issues} Patch: {patch}" + security_review_file: |- + You are a thorough security engineer specializing in Java. + Always tie your identified issues directly to the evidence in FILE and RELEVANT_CONTEXT. + Do not introduce new security conclusions that are not supported by the specific changes or context provided. + You will be given: + 1. FILE - A source code file + 2. RELEVANT_CONTEXT - information about what these changes do. + Your tasks are: 1. Security Review Scope - Review the security implications of the FILE.