Skip to main content

Moderne Recipes

This doc includes every recipe that is exclusive to users of Moderne. For a full list of all recipes, check out our recipe catalog. For more information about how to use Moderne for automating code refactoring and analysis at scale, contact us.

rewrite-android

rewrite-azul

rewrite-circleci

rewrite-codemods-ng

rewrite-compiled-analysis

rewrite-comprehension

rewrite-concourse

rewrite-cryptography

  • Find Security.setProperty(..) calls for certain properties - There is a defined set of properties that should not be set using Security.setProperty(..) as they can lead to security vulnerabilities.
  • Post quantum cryptography - This recipe searches for instances in code that may be impacted by post quantum cryptography. Applications may need to support larger key sizes, different algorithms, or use crypto agility to handle the migration. The recipe includes detection of hardcoded values that affect behavior in a post-quantum world, programmatic configuration that may prevent algorithm changes, and general cryptographic usage patterns that should be reviewed.

rewrite-dotnet

rewrite-hibernate

  • Find JPQL definitions - Find Java Persistence Query Language definitions in the codebase.
  • Fix conflicting class type annotation Hibernate 6.6 - Since Hibernate 6.6 a mapped class can have either @MappedSuperclass or @Embeddable, or @Entity. This recipe removes @Entity from classes annotated with @MappedSuperclass or @Embeddable. For the moment die combination of @MappedSuperclass or @Embeddable is advised to migrate to Single Table Inheritance but still accepted and therefore stays.
  • Migrate Session interface method calls - Migrates code using deprecated Session interface methods to their Hibernate 7.0 replacements.
  • Migrate Session save/update/delete method calls - Migrates code using deprecated Session save/update/delete methods to their Hibernate 7.0 replacements. Session#save -> Session#persist, Session#update -> Session#merge, Session#saveOrUpdate -> Session#persist or Session#merge, Session#delete -> Session#remove.
  • Migrate implicit cascade=PERSIST for @Id and @MapsId associations - Hibernate used to automatically enable cascade=PERSIST for association fields annotated @Id or @MapsId. This was undocumented and unexpected behavior, and no longer supported in Hibernate 7. Existing code which relies on this behavior will be modified by addition of explicit cascade=PERSIST to the association fields.
  • Migrate to @TargetEmbeddable - Migrates code using removed @Target to to Hibernate 7.0's @TargetEmbeddable equivalent. Removes misused @Target annotations.
  • Migrate to Hibernate 6.6.x - This recipe will apply changes commonly needed when migrating to Hibernate 6.6.x.
  • Migrate to Hibernate 7.0.x - This recipe will apply changes commonly needed when migrating to Hibernate 7.0.x.
  • Remove table from single table inherited entity - For Single Table Inherited Entities Hibernate ignores the @Table annotation on child entities. From Version 6.6 it is considered an error.

rewrite-java-security

  • Dependency insight for C# - Finds dependencies in *.csproj and packages.config.
  • Enable CSRF attack prevention - Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full OWASP cheatsheet.
  • Find AWS secrets - Locates AWS secrets stored in plain text in code.
  • Find Artifactory secrets - Locates Artifactory secrets stored in plain text in code.
  • Find Azure secrets - Locates Azure secrets stored in plain text in code.
  • Find Discord secrets - Locates Discord secrets stored in plain text in code.
  • Find Facebook secrets - Locates Facebook secrets stored in plain text in code.
  • Find GitHub secrets - Locates GitHub secrets stored in plain text in code.
  • Find Google secrets - Locates Google secrets stored in plain text in code.
  • Find Heroku secrets - Locates Heroku secrets stored in plain text in code.
  • Find JWT secrets - Locates JWTs stored in plain text in code.
  • Find Jackson default type mapping enablement - ObjectMapper#enableTypeMapping(..) can lead to vulnerable deserialization.
  • Find MailChimp secrets - Locates MailChimp secrets stored in plain text in code.
  • Find Mailgun secrets - Locates Mailgun secrets stored in plain text in code.
  • Find NPM secrets - Locates NPM secrets stored in plain text in code.
  • Find PGP secrets - Locates PGP secrets stored in plain text in code.
  • Find PayPal secrets - Locates PayPal secrets stored in plain text in code.
  • Find Picatic secrets - Locates Picatic secrets stored in plain text in code.
  • Find RSA private keys - Locates RSA private keys stored in plain text in code.
  • Find SSH secrets - Locates SSH secrets stored in plain text in code.
  • Find SendGrid secrets - Locates SendGrid secrets stored in plain text in code.
  • Find Slack secrets - Locates Slack secrets stored in plain text in code.
  • Find Square secrets - Locates Square secrets stored in plain text in code.
  • Find Stripe secrets - Locates Stripe secrets stored in plain text in code.
  • Find Telegram secrets - Locates Telegram secrets stored in plain text in code.
  • Find Twilio secrets - Locates Twilio secrets stored in plain text in code.
  • Find Twitter secrets - Locates Twitter secrets stored in plain text in code.
  • Find and fix vulnerable Nuget dependencies - This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
  • Find and fix vulnerable dependencies - This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Upgrades dependencies versioned according to Semantic Versioning. Last updated: 2025-08-11T1102.
  • Find generic secrets - Locates generic secrets stored in plain text in code.
  • Find hard-coded loopback IPv4 addresses - Locates mentions of hard-coded IPv4 addresses from the loopback IP range. The loopback IP range includes 127.0.0.0 to 127.255.255.255. This detects the entire localhost/loopback subnet range, not just the commonly used 127.0.0.1.
  • Find hard-coded private IPv4 addresses - Locates mentions of hard-coded IPv4 addresses from private IP ranges. Private IP ranges include: * 192.168.0.0 to 192.168.255.255 * 10.0.0.0 to 10.255.255.255 * 172.16.0.0 to 172.31.255.255 It is not detecting the localhost subnet 127.0.0.0 to 127.255.255.255.
  • Find licenses in use in third-party dependencies - Locates and reports on all licenses in use.
  • Find passwords used in URLs - Locates URLs that contain passwords in plain text.
  • Find secrets - Locates secrets stored in plain text in code.
  • Find secrets with regular expressions - A secret is a literal that matches any one of the provided patterns.
  • Find sensitive API endpoints - Find data models exposed by REST APIs that contain sensitive information like PII and secrets.
  • Find text-direction changes - Finds unicode control characters which can change the direction text is displayed in. These control characters can alter how source code is presented to a human reader without affecting its interpretation by tools like compilers. So a malicious patch could pass code review while introducing vulnerabilities. Note that text direction-changing unicode control characters aren't inherently malicious. These characters can appear for legitimate reasons in code written in or dealing with right-to-left languages. See: https://trojansource.codes/ for more information.
  • Find vulnerable uses of Jackson @JsonTypeInfo - Identify where attackers can deserialize gadgets into a target field.
  • Fix CWE-338 with SecureRandom - Use a cryptographically strong pseudo-random number generator (PRNG).
  • Improper privilege management - Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it.
  • Insecure JMS deserialization - JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage#getObject is called. Deserialization of untrusted data can lead to security flaws.
  • Insecure cookies - Check for use of insecure cookies. Cookies should be marked as secure. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
  • Java security best practices - Applies security best practices to Java code.
  • Partial path traversal vulnerability - Replaces dir.getCanonicalPath().startsWith(parent.getCanonicalPath(), which is vulnerable to partial path traversal attacks, with the more secure dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath()). To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.
  • Prevent clickjacking - The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites.
  • Regular Expression Denial of Service (ReDOS) - ReDoS is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). See the OWASP description of this attack here for more details.
  • Remediate OWASP A01:2021 Broken access control - OWASP A01:2021 describes failures related to broken access control.
  • Remediate OWASP A02:2021 Cryptographic failures - OWASP A02:2021 describes failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. This recipe seeks to remediate these vulnerabilities.
  • Remediate OWASP A03:2021 Injection - OWASP A03:2021 describes failures related to user-supplied data being used to influence program state to operate outside of its intended bounds. This recipe seeks to remediate these vulnerabilities.
  • Remediate OWASP A05:2021 Security misconfiguration - OWASP A05:2021 describes failures related to security misconfiguration.
  • Remediate OWASP A06:2021 Vulnerable and outdated components - OWASP A06:2021 describes failures related to vulnerable and outdated components.
  • Remediate OWASP A08:2021 Software and data integrity failures - OWASP A08:2021 software and data integrity failures.
  • Remediate vulnerabilities from the OWASP Top Ten - OWASP publishes a list of the most impactful common security vulnerabilities. These recipes identify and remediate vulnerabilities from the OWASP Top Ten.
  • Remove unused dependencies - Scans through source code collecting references to types and methods, removing any dependencies that are not used from Maven or Gradle build files. This recipe takes reflective access into account: When reflective access to a class is made unambiguously via a string literal, such as: Class.forName("java.util.List") that is counted correctly. When reflective access to a class is made ambiguously via anything other than a string literal no dependencies will be removed. This recipe takes transitive dependencies into account: When a direct dependency is not used but a transitive dependency it brings in is in use the direct dependency is not removed.
  • Secure Spring service exporters - The default Java deserialization mechanism is available via ObjectInputStream class. This mechanism is known to be vulnerable. If an attacker can make an application deserialize malicious data, it may result in arbitrary code execution. Spring’s RemoteInvocationSerializingExporter uses the default Java deserialization mechanism to parse data. As a result, all classes that extend it are vulnerable to deserialization attacks. The Spring Framework contains at least HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter that extend RemoteInvocationSerializingExporter. These exporters parse data from the HTTP body using the unsafe Java deserialization mechanism. See the full blog post by Artem Smotrakov on CVE-2016-1000027 from which the above description is excerpted.
  • Secure random - Use cryptographically secure Pseudo Random Number Generation in the "main" source set. Replaces instantiation of java.util.Random with java.security.SecureRandom.
  • Secure the use of Jackson default typing - See the blog post on this subject.
  • Secure the use of SnakeYAML's constructor - See the paper on this subject.
  • SecureRandom seeds are not constant or predictable - Remove SecureRandom#setSeed(*) method invocations having constant or predictable arguments.
  • Software bill of materials - Produces a software bill of materials (SBOM) for a project. An SBOM is a complete list of all dependencies used in a project, including transitive dependencies. The produced SBOM is in the CycloneDX XML format. Supports Gradle and Maven. Places a file named sbom.xml adjacent to the Gradle or Maven build file.
  • Upgrade C# dependency versions - Upgrades dependencies in *.csproj and packages.config.
  • Use Files#createTempDirectory - Use Files#createTempDirectory when the sequence File#createTempFile(..)->File#delete()->File#mkdir() is used for creating a temp directory.
  • Use secure temporary file creation - java.io.File.createTempFile() has exploitable default file permissions. This recipe migrates to the more secure java.nio.file.Files.createTempFile().
  • XML parser XXE vulnerability - Avoid exposing dangerous features of the XML parser by updating certain factory settings.
  • Zip slip - Zip slip is an arbitrary file overwrite critical vulnerability, which typically results in remote command execution. A fuller description of this vulnerability is available in the Snyk documentation on it.

rewrite-kubernetes

  • Add Kubernetes configuration - Add default required configuration when it is missing.
  • Add RBAC rules - Add RBAC rules to ClusterRoles or namespaced Roles.
  • Cap exceeds resource value - Cap resource values that exceed a specific maximum.
  • Change Kubernetes API version - Change the Kubernetes API version in a resource.
  • Ensure CPU limits are set - A system without managed quotas could eventually collapse due to inadequate resources for the tasks it bares.
  • Ensure CPU request is set - If a container is created in a namespace that has a default CPU limit, and the container does not specify its own CPU limit, then the container is assigned the default CPU limit.
  • Ensure image pull policy is Always - Ensures the latest version of a tag is deployed each time.
  • Ensure lifecycle rule on StorageBucket - When defining a rule, you can specify any set of conditions for any action. The following configuration defines a rule to delete all objects older than 7 days in a bucket.
  • Ensure liveness probe is configured - The kubelet uses liveness probes to know when to schedule restarts for containers. Restarting a container in a deadlock state can help to make the application more available, despite bugs.
  • Ensure memory limits are set - With no limit set, kubectl allocates more and more memory to the container until it runs out.
  • Ensure memory request is set - A container is guaranteed to have as much memory as it requests, but is not allowed to use more memory than the limit set. This configuration may save resources and prevent an attack on an exploited container.
  • Ensure readiness probe is configured - Using the Readiness Probe ensures teams define what actions need to be taken to prevent failure and ensure recovery in case of unexpected errors.
  • Find annotation - Find annotations that optionally match a given regex.
  • Find annotation - Find annotations that optionally match a given value.
  • Find disallowed image tags - The set of image tags to find which are considered disallowed.
  • Find exceeds resource limit - Find resource manifests that have limits set beyond a specific maximum.
  • Find exceeds resource ratio - Find resource manifests that have requests to limits ratios beyond a specific maximum.
  • Find hardcoded IP addresses - Find hardcoded IP address anywhere in text-based files.
  • Find image by name - The image name to search for in containers and initContainers.
  • Find label - Find labels that optionally match a given regex.
  • Find missing configuration - Find Kubernetes resources with missing configuration.
  • Find missing image digest - Find instances of a container name that fails to specify a digest.
  • Find non-TLS Ingresses - Find Ingress resources that don't disallow HTTP or don't have TLS configured.
  • Find uses of externalIP - Find any Service whose externalIP list contains, or does not contain, one of a list of IPs.
  • Kubernetes best practices - Applies best practices to Kubernetes manifests.
  • Limit root capabilities in a container - Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range.
  • Migrate to Kubernetes API v1.16 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.16.
  • Migrate to Kubernetes API v1.22 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.22.
  • Migrate to Kubernetes API v1.25 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.25.
  • Migrate to Kubernetes API v1.26 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.26.
  • Migrate to Kubernetes API v1.27 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.27.
  • Migrate to Kubernetes API v1.29 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.29.
  • Migrate to Kubernetes API v1.32 - This recipe will apply changes commonly needed when migrating to Kubernetes API v1.32.
  • No host IPC sharing - Preventing sharing of host PID/IPC namespace, networking, and ports ensures proper isolation between Docker containers and the underlying host.
  • No host network sharing - When using the host network mode for a container, that container’s network stack is not isolated from the Docker host, so the container shares the host’s networking namespace and does not get its own IP-address allocation.
  • No host process ID sharing - Sharing the host process ID namespace breaks the isolation between container images and can make processes visible to other containers in the pod. This includes all information in the /proc directory, which can sometimes include passwords or keys, passed as environment variables.
  • No privilege escalation - Does not allow a process to gain more privileges than its parent process.
  • No privileged containers - Privileged containers are containers that have all of the root capabilities of a host machine, allowing access to resources that are not accessible in ordinary containers.
  • No root containers - Containers that run as root frequently have more permissions than their workload requires which, in case of compromise, could help an attacker further their exploits.
  • Read-only root filesystem - Using an immutable root filesystem and a verified boot mechanism prevents against attackers from "owning" the machine through permanent local changes.
  • Service type - Type of Kubernetes Service to find.
  • Update Service externalIP - Swap out an IP address with another one in Service externalIP settings.
  • Update image name - Search for image names that match patterns and replace the components of the name with new values.

rewrite-nodejs

rewrite-program-analysis

  • Find LDAP injection vulnerabilities - Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries.
  • Find PII exposure in logs and external APIs - Detects when Personally Identifiable Information (PII) is exposed through logging statements or sent to external APIs without proper sanitization. This helps prevent data leaks and ensures compliance with privacy regulations like GDPR and CCPA.
  • Find SQL injection vulnerabilities - Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization.
  • Find XSS vulnerabilities - Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization.
  • Find XXE vulnerabilities - Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks.
  • Find command injection vulnerabilities - Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder, which could allow attackers to execute arbitrary commands.
  • Find cyclomatic complexity - Calculates the cyclomatic complexity of methods and produces a data table containing the class name, method name, argument types, complexity value, and complexity threshold.
  • Find dead stores - Identifies variable assignments whose values are never used before being overwritten or going out of scope.
  • Find null pointer issues - Detects potential null pointer dereferences using path-sensitive analysis to distinguish between definite NPEs, possible NPEs, and safe dereferences.
  • Find path traversal vulnerabilities - Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation.
  • Find security vulnerabilities using taint analysis - Identifies potential security vulnerabilities where untrusted data from sources flows to sensitive sinks without proper sanitization.
  • Find unencrypted PII storage - Identifies when personally identifiable information (PII) is stored in databases, files, or other persistent storage without encryption.
  • Find unreachable code - Uses control flow analysis to identify statements that can never be executed.
  • Find unused variable definitions - Identifies variable assignments whose values are never used before being overwritten.
  • Track data lineage - Tracks the flow of data from database sources (JDBC queries, JPA entities) to API sinks (REST endpoints, GraphQL mutations) to understand data dependencies and support compliance requirements.

rewrite-reactive-streams

rewrite-spring

rewrite-sql

rewrite-terraform

rewrite-vulncheck

  • Use VulnCheck Exploit Intelligence to fix vulnerabilities - This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity.