46 changes: 46 additions & 0 deletions src/metis/plugins/java_plugin.py
@@ -0,0 +1,46 @@
# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates <open-source-office@arm.com>
# SPDX-License-Identifier: Apache-2.0

from llama_index.core.node_parser import CodeSplitter

from metis.plugins.base import BaseLanguagePlugin


class JavaPlugin(BaseLanguagePlugin):
def __init__(self, plugin_config: dict):
self.plugin_config = plugin_config

def get_name(self) -> str:
return "java"

def can_handle(self, extension: str) -> bool:
supported = self.get_supported_extensions()
return extension.lower() in supported

def get_supported_extensions(self) -> list[str]:
exts = (
self.plugin_config.get("plugins", {})
.get(self.get_name(), {})
.get("supported_extensions", [".java"])
)
return [e.lower() for e in exts]

def get_splitter(self):
splitting_cfg = (
self.plugin_config.get("plugins", {})
.get(self.get_name(), {})
.get("splitting", {})
)
return CodeSplitter(
language=self.get_name(),
chunk_lines=splitting_cfg.get("chunk_lines", 40),
chunk_lines_overlap=splitting_cfg.get("chunk_lines_overlap", 15),
max_chars=splitting_cfg.get("max_chars", 1500),
)

def get_prompts(self) -> dict:
return (
self.plugin_config.get("plugins", {})
.get(self.get_name(), {})
.get("prompts", {})
)
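Review bot: the `plugins -> java` config lookup (`self.plugin_config.get("plugins", {}).get(self.get_name(), {})`) is repeated verbatim in `get_supported_extensions`, `get_splitter` and `get_prompts`; factor it into one private helper so a change to the config layout lands in a single place. Also, `get_splitter` is the only public method without a return annotation and none of the methods carry a docstring; the fallbacks passed to `CodeSplitter` (40 / 15 / 1500) duplicate the values in `plugins.yaml`, so a short comment stating that they apply only when the `splitting` section is absent would keep the two from drifting apart unnoticed.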
49 changes: 49 additions & 0 deletions src/metis/plugins/plugins.yaml
@@ -481,6 +481,55 @@ plugins:
1. FILE - A source code file
2. RELEVANT_CONTEXT - information about what these changes do.

Your tasks are:
1. Security Review Scope
- Review the security implications of the FILE.
If it is empty, ignore it.
java:
supported_extensions: [".java"]
splitting:
chunk_lines: 40
chunk_lines_overlap: 15
max_chars: 1500
prompts:
security_review: |-
You are a thorough security engineer specializing in Java.
Always tie your identified issues directly to the evidence in FILE_CHANGES, RELEVANT_CONTEXT,
and ORIGINAL_FILE. Do not introduce new security conclusions that are not supported
by the specific changes or context provided.
You will be given:
1. FILE_CHANGES - a set of code changes with lines marked by “+” indicating what has been added or “-” for removed.
2. RELEVANT_CONTEXT - information about what these changes do.
3. ORIGINAL_FILE - The original file before being modified. Use this to understand how changes affect the code. (this may be empty).

Your tasks are:
1. Security Review Scope
- Review the security implications of the FILE_CHANGES, focusing on lines marked with “+.” or “-” but take into account how they interact with the whole file.
Contributor
"+." should just be "+"

If it is empty, ignore it.
security_review_checks: |-
2. What to Check
Contributor
Try to be a bit more descriptive here if you can. For example instead of just 'Race conditions or concurrency issues' use something like:
"TOCTOU on files: check after normalize and open atomically.
Shared mutable state without proper synchronization"

What you have can still work, but results are usually better if you provide more details.

- Look for potential security issues such as:
- OWASP Top 10 vulnerabilities (e.g., Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE)).
- Insecure deserialization.
- Hardcoded secrets or sensitive information.
- Insecure use of Java APIs, particularly those dealing with cryptography, network, or file I/O.
- Resource leaks (e.g., unclosed streams, connections).
- Improper exception handling revealing sensitive information.
- Race conditions or concurrency issues.
- Use of deprecated or vulnerable libraries.
- Server-side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF).
- Do not report on issues that do not affect security.
validation_review: "Validate the following Java review for security concerns."
snippet_security_summary: "Summarize the security implications of these Java code changes."
attempt_fix: "Based on the issues detected in the Java code changes, propose a fix patch. Issues: {issues} Patch: {patch}"
security_review_file: |-
You are a thorough security engineer specializing in Java.
Always tie your identified issues directly to the evidence in FILE and RELEVANT_CONTEXT.
Do not introduce new security conclusions that are not supported by the specific changes or context provided.
You will be given:
1. FILE - A source code file
2. RELEVANT_CONTEXT - information about what these changes do.

Your tasks are:
1. Security Review Scope
- Review the security implications of the FILE.
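Review bot: in `security_review_file` the input description and the grounding instruction still talk about "changes" (`2. RELEVANT_CONTEXT - information about what these changes do.` and `...not supported by the specific changes or context provided.`) although this prompt receives a whole FILE rather than a diff; reword to "information about what this file does" and "the file or context provided" so the model is not instructed to reason about changes it is never given. The same wording is visible in the tail of the preceding language block (the lines above `java:`), so whatever phrasing is chosen should be applied to both. Otherwise the `splitting` values here (40 / 15 / 1500) match the fallbacks hard-coded in `java_plugin.py`, and the `"+."` typo already flagged by the contributor is the one thing I would hold the merge on.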