Skip to main content

Moderne Recipes

This doc includes every recipe that is exclusive to users of Moderne. For a full list of all recipes, check out our recipe catalog. For more information about how to use Moderne for automating code refactoring and analysis at scale, contact us.

io.moderne.recipe

recipes-code-quality

recipes-migrate-dotnet

recipes-tunit

rewrite-ai

  • io.moderne.ai.FindAgentsInUse
    • Find AI agents configuration files
    • Scans codebases to identify usage of AI agents by looking at the agent configuration files present in the repository.
  • io.moderne.ai.FindLibrariesInUse
    • Find AI libraries in use
    • Scans codebases to identify usage of AI services. Detects AI libraries across Java dependencies. Useful for auditing and understanding AI integration patterns.
  • io.moderne.ai.FindModelsInUse
    • Find AI models in use
    • Scans codebases to identify usage of Large Language Models (LLMs). Detects model references and configuration patterns across Java classes, properties files, YAML configs... Useful for identifying model usage.

rewrite-angular

  • org.openrewrite.angular.UpgradeToAngular10
    • Upgrade to Angular 10
    • Migrates Angular 9.x applications to Angular 10. This includes removing the deprecated es5BrowserSupport option from angular.json, renaming deprecated validator/asyncValidator to their plural forms, renaming browserslist to .browserslistrc, migrating to solution-style tsconfig.json, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular11
    • Upgrade to Angular 11
    • Migrates Angular 10.x applications to Angular 11. This includes replacing ViewEncapsulation.Native with ViewEncapsulation.ShadowDom, removing the deprecated extractCss build option from angular.json, flagging deprecated string-based loadChildren and preserveQueryParams usage, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular12
    • Upgrade to Angular 12
    • Migrates Angular 11.x applications to Angular 12. This includes adding defaultConfiguration: "production" to build targets in angular.json, replacing node-sass with sass (Dart Sass), flagging deprecated async test helper and View Engine APIs, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular13
    • Upgrade to Angular 13
    • Migrates Angular 12.x applications to Angular 13. This includes updating tsconfig.json target to es2017, removing IE11 polyfills, removing defaultProject from angular.json, adding TestBed module teardown, simplifying ComponentFactoryResolver usage, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular14
    • Upgrade to Angular 14
    • Migrates Angular 13.x applications to Angular 14. This includes replacing form classes with their Untyped* equivalents for backward compatibility with typed forms, updating deprecated initialNavigation router option values, removing aotSummaries from TestBed calls, and flagging pathMatch properties that may need type narrowing.
  • org.openrewrite.angular.UpgradeToAngular15
    • Upgrade to Angular 15
    • Migrates Angular 14.x applications to Angular 15. This includes removing the relativeLinkResolution option from RouterModule.forRoot(), removing the enableIvy compiler option from tsconfig.json, flagging the deprecated DATE_PIPE_DEFAULT_TIMEZONE token and providedIn: NgModule/'any' usage, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular16
    • Upgrade to Angular 16
    • Migrates Angular 15.x applications to Angular 16. This includes removing entryComponents and moduleId from decorators, replacing RouterLinkWithHref with RouterLink, moving the XhrFactory import to @angular/common, and flagging removed APIs like ReflectiveInjector, renderModuleFactory, and BrowserTransferStateModule.
  • org.openrewrite.angular.UpgradeToAngular17
    • Upgrade to Angular 17
    • Migrates Angular 16.x applications to Angular 17. This includes updating Angular package versions, replacing legacy deep zone.js imports, flagging the removed withNoDomReuse and setupTestingRouter APIs, and upgrading TypeScript and zone.js dependencies.
  • org.openrewrite.angular.UpgradeToAngular18
    • Upgrade to Angular 18
    • Migrates Angular 17.x applications to Angular 18. This includes replacing the deprecated async test helper with waitForAsync, migrating HttpClientModule to provideHttpClient(), moving Transfer State APIs to @angular/core, and flagging removed platform APIs.
  • org.openrewrite.angular.UpgradeToAngular19
    • Upgrade to Angular 19
    • Migrates Angular 18.x applications to Angular 19. This includes updating Angular package versions, adjusting the standalone default, renaming ExperimentalPendingTasks to PendingTasks, moving the ApplicationConfig import to @angular/core, and updating zone.js.
  • org.openrewrite.angular.UpgradeToAngular20
    • Upgrade to Angular 20
    • Migrates Angular 19.x applications to Angular 20. This includes running the Angular 19 migration first, then updating Angular package versions, renaming experimental APIs promoted to stable, and upgrading TypeScript to 5.8.x.
  • org.openrewrite.angular.UpgradeToAngular21
    • Upgrade to Angular 21
    • Migrates Angular 20.x applications to Angular 21. This includes running the Angular 20 migration first, flagging Karma test runner usage for Vitest migration, deprecated NgClass, zone.js-dependent test helpers, and upgrading TypeScript to 5.9.x.
  • org.openrewrite.angular.UpgradeToAngular8
    • Upgrade to Angular 8
    • Migrates Angular 7.x applications to Angular 8. This includes adding the now-required static: false to @ViewChild and @ContentChild decorators, moving the DOCUMENT import from @angular/platform-browser to @angular/common, removing rxjs-compat and flagging any remaining RxJS 5-style imports, flagging removed @angular/http imports, converting deprecated string-based loadChildren to dynamic imports, and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.UpgradeToAngular9
    • Upgrade to Angular 9
    • Migrates Angular 8.x applications to Angular 9. This includes removing the now-default static: false from view query decorators, replacing TestBed.get() with TestBed.inject(), adding generic type parameters to ModuleWithProviders, enabling AOT compilation in angular.json, updating tsconfig.json module settings for Ivy, flagging removed View Engine APIs (Renderer, RenderComponentType, RootRenderer), and upgrading Angular, TypeScript, and related dependency versions.
  • org.openrewrite.angular.migration.add-default-configuration
    • Add defaultConfiguration to build targets
    • Adds "defaultConfiguration": "production" to build architect targets in angular.json. Angular 12 changed ng build to produce production bundles by default.
  • org.openrewrite.angular.migration.add-localize-polyfill
    • Add @angular/localize/init polyfill import
    • Adds import '@angular/localize/init' to polyfills.ts. Angular 9 introduced the $localize runtime API for i18n. Projects using internationalization must import this polyfill or the application will fail at runtime with $localize is not defined. The @angular/localize package must also be added as a dependency.
  • org.openrewrite.angular.migration.add-module-with-providers-generic
    • Add generic type to ModuleWithProviders
    • Adds the required generic type parameter to bare ModuleWithProviders return types. Angular 10 requires ModuleWithProviders<T> where T is the NgModule type. The module type is inferred from the ngModule property in the return statement.
  • org.openrewrite.angular.migration.add-static-false-to-view-queries
    • Add static: false to view queries
    • Adds static: false to @ViewChild and @ContentChild decorators that don't have the static property. Angular 8 requires an explicit static flag for view query decorators. Using static: false preserves the Angular 7 default behavior (queries resolved after change detection).
  • org.openrewrite.angular.migration.add-testbed-teardown
    • Add TestBed module teardown
    • Adds \{ teardown: \{ destroyAfterEach: true \} \} as the third argument to TestBed.initTestEnvironment() calls. Angular 13 changed the default teardown behavior, and this ensures explicit opt-in for module teardown after each test.
  • org.openrewrite.angular.migration.enable-aot-build
    • Enable AOT compilation in angular.json
    • Adds "aot": true to build options in angular.json. Angular 9 made AOT compilation the default, and projects upgrading from Angular 8 should enable it explicitly.
  • org.openrewrite.angular.migration.explicit-standalone-flag
    • Make standalone flag explicit
    • Adds standalone: false to non-standalone Angular components, directives, and pipes, and removes redundant standalone: true since it became the default in Angular 19.
  • org.openrewrite.angular.migration.migrate-constructor-to-inject
    • Migrate constructor injection to inject()
    • Converts constructor parameter properties in Angular classes to field declarations using the inject() function. For example, constructor(private svc: MyService) \{\} becomes private svc = inject(MyService);.
  • org.openrewrite.angular.migration.migrate-input-to-signal
    • Migrate @Input() to signal-based input()
    • Converts @Input() decorated properties in Angular classes to signal-based input() declarations. For example, @Input() name: string becomes name = input<string>(), and @Input(\{ required: true \}) name!: string becomes name = input.required<string>().
  • org.openrewrite.angular.migration.migrate-output-to-signal
    • Migrate @Output() to signal-based output()
    • Converts @Output() decorated properties using EventEmitter in Angular classes to signal-based output() declarations. For example, @Output() clicked = new EventEmitter<void>() becomes clicked = output<void>().
  • org.openrewrite.angular.migration.migrate-query-to-signal
    • Migrate query decorators to signal-based functions
    • Converts @ViewChild(), @ViewChildren(), @ContentChild(), and @ContentChildren() decorated properties to signal-based query functions. For example, @ViewChild('ref') el: ElementRef becomes el = viewChild<ElementRef>('ref').
  • org.openrewrite.angular.migration.migrate-to-solution-style-tsconfig
    • Migrate to solution-style tsconfig
    • Migrates a project to use a solution-style tsconfig.json. The original tsconfig.json content is moved to tsconfig.base.json (with project-specific fields removed), and tsconfig.json is replaced with a solution-style config that references the project's TypeScript configurations. Other tsconfig files that extend ./tsconfig.json are updated to extend ./tsconfig.base.json.
  • org.openrewrite.angular.migration.move-document-import
    • Move DOCUMENT import to @angular/core
    • Moves the DOCUMENT import from older Angular modules to @angular/core.
  • org.openrewrite.angular.migration.remove-aot-summaries
    • Remove aotSummaries from TestBed
    • Removes the aotSummaries property from TestBed.configureTestingModule() and TestBed.initTestEnvironment() calls. The aotSummaries parameter was removed in Angular 14 as it was only needed for the View Engine compiler.
  • org.openrewrite.angular.migration.remove-browser-module-with-server-transition
    • Remove BrowserModule.withServerTransition
    • Replaces BrowserModule.withServerTransition(\{ appId: '...' \}) with BrowserModule and adds \{ provide: APP_ID, useValue: '...' \} to the NgModule providers. The withServerTransition method was removed in Angular 19.
  • org.openrewrite.angular.migration.remove-component-factory-resolver
    • Remove ComponentFactoryResolver
    • Replaces resolver.resolveComponentFactory(Component) with just Component and removes the ComponentFactoryResolver import. Since Ivy, ViewContainerRef.createComponent accepts the component class directly. ComponentFactoryResolver was deprecated in Angular 13 and removed in Angular 16.
  • org.openrewrite.angular.migration.remove-default-project
    • Remove defaultProject from angular.json
    • Removes the deprecated defaultProject property from angular.json. The defaultProject option was deprecated in Angular 13 and the CLI infers the default project from the workspace.
  • org.openrewrite.angular.migration.remove-empty-ng-on-init
    • Remove empty ngOnInit lifecycle hooks
    • Removes empty ngOnInit lifecycle hook methods and OnInit interface from Angular components.
  • org.openrewrite.angular.migration.remove-enable-ivy
    • Remove enableIvy compiler option
    • Removes the enableIvy option from angularCompilerOptions in tsconfig.json. Ivy is the only rendering engine since Angular 12, and the option was removed in Angular 15.
  • org.openrewrite.angular.migration.remove-entry-components
    • Remove entryComponents
    • Removes the entryComponents property from @NgModule and @Component decorators, and removes the ANALYZE_FOR_ENTRY_COMPONENTS import. These were removed in Angular 16 as they served no purpose since Ivy.
  • org.openrewrite.angular.migration.remove-es5-browser-support
    • Remove es5BrowserSupport from angular.json
    • Removes the deprecated es5BrowserSupport option from angular.json. es5BrowserSupport was deprecated in Angular 7.3 and removed in Angular 10. Differential loading is now handled automatically by the Angular CLI based on the project's browserslist configuration.
  • org.openrewrite.angular.migration.remove-extract-css
    • Remove extractCss from angular.json
    • Removes the deprecated extractCss build option from angular.json. In Angular 11, CSS extraction became the default behavior for production builds and the option was deprecated.
  • org.openrewrite.angular.migration.remove-ie-polyfills
    • Remove IE11 polyfills
    • Removes IE11-specific polyfill imports (core-js, classlist.js, web-animations-js) from polyfills.ts and angular.json. Angular 13 dropped IE11 support, making these polyfills unnecessary.
  • org.openrewrite.angular.migration.remove-module-id
    • Remove moduleId
    • Removes the moduleId property from @Component and @Directive decorators. moduleId was deprecated in Angular 16 and removed in Angular 17 as it served no purpose since Ivy.
  • org.openrewrite.angular.migration.remove-relative-link-resolution
    • Remove relativeLinkResolution
    • Removes the relativeLinkResolution option from RouterModule.forRoot() calls. This option was deprecated in Angular 14 and removed in Angular 15.
  • org.openrewrite.angular.migration.remove-standalone-true
    • Remove redundant standalone: true
    • Removes the standalone: true property from Angular component, directive, and pipe decorators since standalone is the default in Angular 19+.
  • org.openrewrite.angular.migration.remove-static-false
    • Remove static: false from view queries
    • Removes static: false from @ViewChild, @ContentChild, @ViewChildren, and @ContentChildren decorators. In Angular 9 with Ivy, static: false became the default behavior, making the explicit option unnecessary.
  • org.openrewrite.angular.migration.remove-zone-js-polyfill
    • Remove zone.js polyfill from angular.json
    • Removes zone.js entries from the polyfills array in angular.json. Angular 20 supports zoneless change detection via provideZonelessChangeDetection(), making the zone.js polyfill unnecessary.
  • org.openrewrite.angular.migration.rename-after-render
    • Rename afterRender to afterEveryRender
    • Renames afterRender to afterEveryRender in imports and usages. The afterRender function was renamed to afterEveryRender in Angular 20, and Angular provides no migration schematic for this change.
  • org.openrewrite.angular.migration.rename-check-no-changes
    • Rename provideExperimentalCheckNoChangesForDebug to provideCheckNoChangesForDebug
    • Renames provideExperimentalCheckNoChangesForDebug to provideCheckNoChangesForDebug in imports and usages. The experimental API was promoted to developer preview in Angular 20.
  • org.openrewrite.angular.migration.rename-file
    • Rename file
    • Renames files matching a glob pattern to a new file name, preserving the directory.
  • org.openrewrite.angular.migration.rename-pending-tasks
    • Rename ExperimentalPendingTasks to PendingTasks
    • Renames ExperimentalPendingTasks to PendingTasks in imports and usages. ExperimentalPendingTasks was renamed in Angular 19.
  • org.openrewrite.angular.migration.rename-zoneless-provider
    • Rename provideExperimentalZonelessChangeDetection to provideZonelessChangeDetection
    • Renames provideExperimentalZonelessChangeDetection to provideZonelessChangeDetection in imports and usages. The experimental API was promoted to developer preview in Angular 20.
  • org.openrewrite.angular.migration.replace-async-with-wait-for-async
    • Replace async with waitForAsync
    • Replaces the removed async test helper from @angular/core/testing with waitForAsync. The async function was deprecated in Angular 11 and removed in Angular 18.
  • org.openrewrite.angular.migration.replace-deep-zone-js-imports
    • Replace deep zone.js imports
    • Replaces legacy deep imports from zone.js such as zone.js/dist/zone or zone.js/bundles/zone-testing.js with the standard zone.js or zone.js/testing imports, in both TypeScript files and angular.json polyfills. Deep imports are no longer allowed in Angular 17.
  • org.openrewrite.angular.migration.replace-http-client-module
    • Replace HttpClientModule with provideHttpClient()
    • Replaces deprecated HttpClientModule, HttpClientJsonpModule, HttpClientXsrfModule, and HttpClientTestingModule with their functional equivalents: provideHttpClient() with feature functions and provideHttpClientTesting().
  • org.openrewrite.angular.migration.replace-initial-navigation
    • Replace initialNavigation option values
    • Replaces deprecated initialNavigation router option values: 'legacy_enabled' and true become 'enabledBlocking', 'legacy_disabled' and false become 'disabled', and 'enabled' becomes 'enabledNonBlocking'. The legacy values were removed in Angular 11; 'enabled' was renamed in Angular 14.
  • org.openrewrite.angular.migration.replace-inject-flags
    • Replace InjectFlags with options object
    • Replaces deprecated InjectFlags enum usage in inject() calls with the corresponding options object. For example, inject(MyService, InjectFlags.Optional) becomes inject(MyService, \{ optional: true \}).
  • org.openrewrite.angular.migration.replace-load-children-string
    • Replace string-based loadChildren with dynamic import()
    • Converts the deprecated string-based loadChildren: 'path#Module' syntax to dynamic imports: loadChildren: () => import('path').then(m => m.Module).
  • org.openrewrite.angular.migration.replace-node-sass-with-sass
    • Replace node-sass with sass
    • Replaces the deprecated node-sass package with sass (Dart Sass). Angular 12 requires Dart Sass; node-sass is no longer supported.
  • org.openrewrite.angular.migration.replace-router-link-with-href
    • Replace RouterLinkWithHref with RouterLink
    • Replaces RouterLinkWithHref with RouterLink in imports and usages. RouterLinkWithHref was merged into RouterLink in Angular 16.
  • org.openrewrite.angular.migration.replace-testbed-get-with-inject
    • Replace TestBed.get() with TestBed.inject()
    • Replaces deprecated TestBed.get() calls with TestBed.inject(). TestBed.get() was deprecated in Angular 9 and removed in Angular 13.
  • org.openrewrite.angular.migration.replace-untyped-forms
    • Replace form classes with untyped variants
    • Renames FormControl, FormGroup, FormArray, and FormBuilder to their Untyped* equivalents in imports and usages. Angular 14 introduced strictly typed forms, requiring existing untyped usages to migrate to the Untyped* aliases.
  • org.openrewrite.angular.migration.replace-validator-with-validators
    • Replace validator/asyncValidator with plural forms
    • Renames the deprecated singular validator and asyncValidator property names to validators and asyncValidators (plural). Angular 10 deprecated the singular forms in favor of AbstractControlOptions.
  • org.openrewrite.angular.migration.replace-view-encapsulation-native
    • Replace ViewEncapsulation.Native with ViewEncapsulation.ShadowDom
    • Replaces ViewEncapsulation.Native with ViewEncapsulation.ShadowDom. ViewEncapsulation.Native was deprecated in Angular 6 and removed in Angular 11.
  • org.openrewrite.angular.migration.update-component-template-url
    • Update component templateUrl
    • Updates the templateUrl property value in Angular @Component decorators. Useful for refactoring template file paths or standardizing path conventions.
  • org.openrewrite.angular.migration.update-tsconfig-module
    • Update tsconfig.json module settings for Ivy
    • Updates compilerOptions.module to esnext and compilerOptions.moduleResolution to node in tsconfig.json. Angular 9's Ivy compiler requires ES module format. Already-current values like es2020, node16, nodenext, or bundler are left unchanged.
  • org.openrewrite.angular.migration.update-tsconfig-target
    • Update tsconfig.json target to es2017
    • Updates the compilerOptions.target in tsconfig.json from es5, es2015, or es2016 to es2017. Angular 13 dropped IE11 support and requires at least ES2017.
  • org.openrewrite.angular.search.FindAngularComponent
    • Find Angular component
    • Locates usages of Angular components across the codebase including template elements and other references. If componentName is null, finds all Angular components.
  • org.openrewrite.angular.search.find-analyze-for-entry-components-usage
    • Find deprecated ANALYZE_FOR_ENTRY_COMPONENTS usage
    • Finds usages of the deprecated ANALYZE_FOR_ENTRY_COMPONENTS injection token from @angular/core. ANALYZE_FOR_ENTRY_COMPONENTS was deprecated in Angular 9 and removed in Angular 13.
  • org.openrewrite.angular.search.find-angular-decorator
    • Find Angular decorators
    • Finds all Angular decorators like @Component, @Directive, @Injectable, etc.
  • org.openrewrite.angular.search.find-angular-http-usage
    • Find removed @angular/http usage
    • Finds imports from the @angular/http module, which was deprecated in Angular 5 and removed in Angular 8. Use @angular/common/http (HttpClient, HttpClientModule) instead.
  • org.openrewrite.angular.search.find-animation-driver-matches-element
    • Find AnimationDriver.matchesElement usage
    • Finds imports of AnimationDriver from @angular/animations/browser, which had its matchesElement method removed in Angular 18.
  • org.openrewrite.angular.search.find-async-test-helper-usage
    • Find deprecated async test helper usage
    • Finds usages of the deprecated async test helper from @angular/core/testing. The async function was deprecated in Angular 11 and should be replaced with waitForAsync.
  • org.openrewrite.angular.search.find-bare-module-with-providers
    • Find ModuleWithProviders without generic type
    • Finds imports of ModuleWithProviders from @angular/core. Starting in Angular 10, ModuleWithProviders requires a generic type parameter (e.g. ModuleWithProviders<MyModule>). Ensure all usages specify the module type.
  • org.openrewrite.angular.search.find-browser-transfer-state-module-usage
    • Find BrowserTransferStateModule usage
    • Finds usages of BrowserTransferStateModule from @angular/platform-browser which was removed in Angular 16. TransferState can be used directly without this module.
  • org.openrewrite.angular.search.find-common-module-usage
    • Find CommonModule usage
    • Finds imports of CommonModule from @angular/common. Since Angular 19, standalone components are the default and CommonModule is no longer needed in component imports arrays. Built-in directives and pipes are available automatically.
  • org.openrewrite.angular.search.find-compiler-factory-usage
    • Find View Engine API usage
    • Finds usages of View Engine APIs from @angular/core (CompilerFactory, Compiler, CompilerOptions, ModuleWithComponentFactories, NgModuleFactory, NgModuleFactoryLoader) which were deprecated in Angular 13.
  • org.openrewrite.angular.search.find-date-pipe-default-timezone-usage
    • Find DATE_PIPE_DEFAULT_TIMEZONE usage
    • Finds usages of DATE_PIPE_DEFAULT_TIMEZONE which was deprecated in Angular 15. Use DATE_PIPE_DEFAULT_OPTIONS with a \{timezone: '...'\} object value instead.
  • org.openrewrite.angular.search.find-effect-timing-usage
    • Find effect() usage affected by Angular 19 timing changes
    • Finds effect() calls from @angular/core. In Angular 19, effects triggered outside change detection now run as part of the change detection process instead of as a microtask, and effects triggered during change detection run earlier, before the component's template.
  • org.openrewrite.angular.search.find-empty-projectable-nodes
    • Find createComponent calls with empty projectableNodes
    • Finds createComponent() calls that pass empty arrays in projectableNodes. In Angular 19, passing an empty array now renders the default ng-content fallback content. To suppress fallback content, pass [document.createTextNode('')] instead.
  • org.openrewrite.angular.search.find-fake-async-usage
    • Find zone.js-dependent test helper usage
    • Finds fakeAsync(), tick(), and waitForAsync() calls from @angular/core/testing. These zone.js-dependent test helpers are incompatible with Vitest, the default test runner in Angular 21. Migrate to native async/await patterns instead.
  • org.openrewrite.angular.search.find-hammer-js-usage
    • Find HammerJS usage
    • Finds HammerModule imports and HammerJS references. Angular has deprecated HammerJS support and it will be removed in Angular 21.
  • org.openrewrite.angular.search.find-i18n-usage
    • Find i18n usage
    • Finds i18n usage indicators: legacy i18n configuration in angular.json (i18nLocale, i18nFile, i18nFormat, i18nMissingTranslation), $localize tagged template literals, and @angular/localize imports. Projects with these markers need @angular/localize installed and import '@angular/localize/init' in polyfills.ts for Angular 9+.
  • org.openrewrite.angular.search.find-karma-usage
    • Find Karma test runner usage
    • Finds Karma test runner configuration in package.json dependencies and angular.json test builder. Angular 21 replaces Karma with Vitest as the default test runner.
  • org.openrewrite.angular.search.find-load-children-string-usage
    • Find deprecated string-based loadChildren usage
    • Finds usages of the deprecated string-based loadChildren syntax (e.g. loadChildren: './path/to/module#ModuleName'). String-based lazy loading was deprecated in Angular 8 and removed in Angular 11. Use dynamic imports instead: loadChildren: () => import('./path/to/module').then(m => m.ModuleName).
  • org.openrewrite.angular.search.find-missing-injectable
    • Find classes with DI dependencies but missing @Injectable()
    • Finds classes that have constructor parameters (suggesting dependency injection) but lack an @Injectable() or other Angular class-level decorator. Angular 9 with Ivy requires an explicit @Injectable() decorator for all services that use dependency injection.
  • org.openrewrite.angular.search.find-ng-class-usage
    • Find NgClass usage
    • Finds imports of NgClass from @angular/common. The ngClass directive is soft deprecated in Angular 21 in favor of native [class.*] bindings.
  • org.openrewrite.angular.search.find-ng-style-usage
    • Find NgStyle usage
    • Finds imports of NgStyle from @angular/common. The ngStyle directive is soft deprecated in Angular 21 in favor of native [style.*] bindings.
  • org.openrewrite.angular.search.find-path-match-type-usage
    • Find pathMatch route properties that may need type narrowing
    • Finds pathMatch property assignments in route configurations. In Angular 14, the pathMatch type was narrowed from string to 'full' | 'prefix'. Routes defined as plain objects without explicit Route or Routes typing may fail type checking.
  • org.openrewrite.angular.search.find-platform-dynamic-server-usage
    • Find platformDynamicServer usage
    • Finds usages of the removed platformDynamicServer API from @angular/platform-server. In Angular 18, replace with platformServer and add import '@angular/compiler'.
  • org.openrewrite.angular.search.find-platform-webworker-usage
    • Find removed @angular/platform-webworker usage
    • Finds imports from @angular/platform-webworker and @angular/platform-webworker-dynamic, which were removed in Angular 8 with no direct replacement.
  • org.openrewrite.angular.search.find-platform-worker-usage
    • Find isPlatformWorkerUi and isPlatformWorkerApp usage
    • Finds usages of the removed isPlatformWorkerUi and isPlatformWorkerApp APIs from @angular/common. These were removed in Angular 18 with no replacement, as they served no purpose since the removal of the WebWorker platform.
  • org.openrewrite.angular.search.find-preserve-fragment-usage
    • Find deprecated preserveFragment usage
    • Finds usages of the deprecated preserveFragment navigation option. preserveFragment was deprecated in Angular 4 and removed in Angular 11. Fragments are now preserved by default.
  • org.openrewrite.angular.search.find-preserve-query-params-usage
    • Find deprecated preserveQueryParams usage
    • Finds usages of the deprecated preserveQueryParams navigation option. preserveQueryParams was deprecated in Angular 4 and removed in Angular 11. Use queryParamsHandling: 'preserve' instead.
  • org.openrewrite.angular.search.find-provided-in-deprecated-usage
    • Find deprecated providedIn values
    • Finds usages of providedIn: 'any' and providedIn: NgModule in @Injectable and InjectionToken declarations. These were deprecated in Angular 15. Use providedIn: 'root' or add the service to NgModule.providers instead.
  • org.openrewrite.angular.search.find-reflective-injector-usage
    • Find ReflectiveInjector usage
    • Finds usages of ReflectiveInjector which was removed in Angular 16. Use Injector.create as a replacement.
  • org.openrewrite.angular.search.find-render-application-usage
    • Find renderApplication usage
    • Finds usages of renderApplication from @angular/platform-server. In Angular 16 the signature changed: it no longer accepts a root component as the first argument. Use a bootstrapping function that returns Promise<ApplicationRef> instead.
  • org.openrewrite.angular.search.find-render-component-type-usage
    • Find deprecated RenderComponentType usage
    • Finds imports of the deprecated RenderComponentType from @angular/core. RenderComponentType was part of the View Engine API, deprecated in Angular 4, and removed in Angular 9.
  • org.openrewrite.angular.search.find-render-module-factory-usage
    • Find renderModuleFactory usage
    • Finds usages of renderModuleFactory from @angular/platform-server which was removed in Angular 16. Use renderModule instead.
  • org.openrewrite.angular.search.find-renderer-usage
    • Find deprecated Renderer usage
    • Finds imports of the deprecated Renderer from @angular/core. Renderer was deprecated in Angular 4 and removed in Angular 9. Users should use Renderer2 instead.
  • org.openrewrite.angular.search.find-resource-cache-provider-usage
    • Find RESOURCE_CACHE_PROVIDER usage
    • Finds usages of the removed RESOURCE_CACHE_PROVIDER from @angular/platform-browser-dynamic. This unused API was removed in Angular 18.
  • org.openrewrite.angular.search.find-root-renderer-usage
    • Find deprecated RootRenderer usage
    • Finds imports of the deprecated RootRenderer from @angular/core. RootRenderer was part of the View Engine API, deprecated in Angular 4, and removed in Angular 9. Use RendererFactory2 instead.
  • org.openrewrite.angular.search.find-rxjs-compat-usage
    • Find RxJS 5-style imports requiring rxjs-compat
    • Finds imports using RxJS 5-style deep import paths (e.g. rxjs/Observable, rxjs/add/operator/map) that require the rxjs-compat package. These should be migrated to RxJS 6+ import paths before removing rxjs-compat.
  • org.openrewrite.angular.search.find-server-transfer-state-module-usage
    • Find ServerTransferStateModule usage
    • Finds usages of the removed ServerTransferStateModule from @angular/platform-server. In Angular 18, TransferState works without providing this module.
  • org.openrewrite.angular.search.find-setup-testing-router-usage
    • Find setupTestingRouter usage
    • Finds usages of the removed setupTestingRouter function from @angular/router/testing. This function was removed in Angular 17. Use RouterModule.forRoot or provideRouter to set up the Router for tests instead.
  • org.openrewrite.angular.search.find-testability-pending-request-usage
    • Find removed Testability pending request methods
    • Finds imports of Testability from @angular/core, which had increasePendingRequestCount, decreasePendingRequestCount, and getPendingRequestCount removed in Angular 18. These are now tracked with zones.
  • org.openrewrite.angular.search.find-undecorated-angular-class
    • Find undecorated classes with Angular features
    • Finds classes that use Angular member decorators (@Input, @Output, @ViewChild, etc.) or implement lifecycle hooks (ngOnInit, ngOnDestroy, etc.) but lack a class-level Angular decorator. Angular 9 with Ivy requires all classes using Angular features to have an explicit decorator.
  • org.openrewrite.angular.search.find-with-no-dom-reuse-usage
    • Find withNoDomReuse usage
    • Finds usages of the removed withNoDomReuse function from @angular/platform-browser. This function was removed in Angular 17. To disable hydration, remove the provideClientHydration() call from your providers or use the ngSkipHydration attribute on specific components.
  • org.openrewrite.angular.search.find-wrapped-value-usage
    • Find deprecated WrappedValue usage
    • Finds usages of the deprecated WrappedValue from @angular/core. WrappedValue was deprecated in Angular 11 and removed in Angular 13.
  • org.openrewrite.angular.search.find-zone-js-usage
    • Find zone.js usage
    • Finds zone.js imports and NgZone references. Angular 20 supports zoneless change detection via provideZonelessChangeDetection(), making zone.js optional.

rewrite-cryptography

  • io.moderne.cryptography.FindCryptoVulnerabilitiesPipeline
    • Find cryptographic vulnerability chains
    • Detects cryptographic vulnerabilities that span multiple operations, tracking flow from hardcoded algorithms through key material to encryption operations.
  • io.moderne.cryptography.FindDirectSSLConfigurationEditing
    • Find direct SSL configuration editing
    • Detects direct configuration of protocols or cipher suites on SSL objects like SSLSocket, SSLServerSocket, or SSLEngine. This pattern makes SSL/TLS configuration scattered throughout the codebase and prevents centralized security policy management, hindering crypto-agility.
  • io.moderne.cryptography.FindHardcodedAlgorithmChoice
    • Find hardcoded algorithm choices
    • Detects hardcoded algorithm choices in cryptographic operations. Hardcoded algorithms prevent easy migration to stronger or quantum-resistant algorithms when needed. This is a critical crypto-agility issue that makes systems vulnerable to future attacks.
  • io.moderne.cryptography.FindHardcodedAlgorithmParameters
    • Find hardcoded algorithm-specific parameters
    • Detects hardcoded algorithm-specific parameters like RSA public exponents or EC curve parameters. These hardcoded values prevent algorithm agility and may use weak or non-standard parameters that compromise security.
  • io.moderne.cryptography.FindHardcodedCertificate
    • Find hardcoded certificates
    • Detects hardcoded certificates in the code, including certificates that are hardcoded as strings and used to generate X509Certificate instances via CertificateFactory. Hardcoded certificates can lead to security issues when they expire or need to be revoked.
  • io.moderne.cryptography.FindHardcodedCiphersuiteChoice
    • Find hardcoded cipher suite choices
    • Detects hardcoded cipher suite choices used in SSL/TLS configurations. Hardcoded cipher suites prevent easy updates when cipher suites become weak or need to be changed for compliance reasons.
  • io.moderne.cryptography.FindHardcodedKeyLength
    • Find hardcoded cryptographic key lengths
    • Detects hardcoded key lengths used in cryptographic operations like KeyGenerator.init(), KeyPairGenerator.initialize(), RSAKeyGenParameterSpec, and PBEKeySpec. Hardcoded key lengths reduce flexibility and may not meet changing security requirements.
  • io.moderne.cryptography.FindHardcodedPrivateKey
    • Find hardcoded private keys
    • Detects hardcoded private keys in the code, including PEM-encoded keys that flow into KeyFactory.generatePrivate() calls. Hardcoded private keys are a severe security vulnerability as they compromise the entire cryptographic system.
  • io.moderne.cryptography.FindHardcodedProtocolChoice
    • Find hardcoded SSL/TLS protocol choices
    • Detects hardcoded SSL/TLS protocol choices like 'TLSv1.2', 'SSLv3' used in SSLContext.getInstance() and setProtocols() calls. Hardcoded protocols prevent easy updates when protocols become obsolete or insecure.
  • io.moderne.cryptography.FindHardcodedProviderName
    • Find hardcoded cryptographic provider names
    • Detects hardcoded cryptographic provider names (like 'BC', 'SunJCE') used in getInstance() calls. Hardcoding provider names reduces portability and can cause issues when the provider is not available on different systems.
  • io.moderne.cryptography.FindProgrammaticProviderEditing
    • Find programmatic security provider editing
    • Detects programmatic modifications to the Java Security Provider list through Security.addProvider(), insertProviderAt(), or removeProvider() calls. Modifying providers at runtime makes the security configuration unpredictable and prevents crypto-agility by hardcoding provider dependencies.
  • io.moderne.cryptography.FindRSAKeyGenParameters
    • Find RSA key generation parameters
    • Finds RSAKeyGenParameterSpec instantiations and extracts their parameter values into a data table.
  • io.moderne.cryptography.FindSSLContextSetDefault
    • Find SSLContext.setDefault() usage
    • Detects calls to SSLContext.setDefault() which sets the system-wide default SSL context. This is problematic because it affects all SSL/TLS connections in the JVM, potentially overriding security configurations set by other parts of the application or libraries. It also prevents crypto-agility as the configuration becomes global.
  • io.moderne.cryptography.FindSSLSocketParameters
    • Find SSL socket configuration parameters
    • Finds SSLSocket setter method invocations and extracts their parameter values into a data table.
  • io.moderne.cryptography.FindSecurityModifications
    • Find Security class modifications
    • Finds invocations of java.security.Security methods that modify security configuration such as removeProvider, addProvider, insertProviderAt, setProperty, and removeProperty.
  • io.moderne.cryptography.FindSecuritySetProperties
    • Find Security.setProperty(..) calls for certain properties
    • There is a defined set of properties that should not be set using Security.setProperty(..) as they can lead to security vulnerabilities.
  • io.moderne.cryptography.PostQuantumCryptography
    • Post quantum cryptography
    • This recipe searches for instances in code that may be impacted by post quantum cryptography. Applications may need to support larger key sizes, different algorithms, or use crypto agility to handle the migration. The recipe includes detection of hardcoded values that affect behavior in a post-quantum world, programmatic configuration that may prevent algorithm changes, and general cryptographic usage patterns that should be reviewed.

rewrite-devcenter

rewrite-dropwizard

rewrite-elastic

  • io.moderne.elastic.elastic9.ChangeApiNumericFieldType
    • Change numeric field type with conversion
    • Adds conversion methods with null checks for numeric type changes in Elasticsearch 9 API.
  • io.moderne.elastic.elastic9.ChangeApiNumericFieldTypes
    • Change numeric field types for Elasticsearch 9
    • Handles changes between different numeric types (Long to Integer, int to Long...) in Elasticsearch 9 API responses by adding appropriate conversion methods with null checks.
  • io.moderne.elastic.elastic9.MigrateDenseVectorElementType
    • Migrate DenseVectorProperty.elementType from String to DenseVectorElementType enum
    • In Elasticsearch 9, DenseVectorProperty.elementType() returns DenseVectorElementType enum instead of String, and the builder method elementType(String) now accepts the enum type. This recipe handles both builder calls and getter calls.
  • io.moderne.elastic.elastic9.MigrateDenseVectorSimilarity
    • Migrate DenseVectorProperty.similarity from String to DenseVectorSimilarity enum
    • In Elasticsearch 9, DenseVectorProperty.similarity() returns DenseVectorSimilarity enum instead of String, and the builder method similarity(String) now accepts the enum type. This recipe handles both builder calls and getter calls.
  • io.moderne.elastic.elastic9.MigrateMatchedQueries
    • Migrate matchedQueries from List to Map
    • In Elasticsearch Java Client 9.0, Hit.matchedQueries() changed from returning List<String> to Map<String, Double>. This recipe migrates the usage by adding .keySet() for iterations and using new ArrayList<>(result.keySet()) for assignments.
  • io.moderne.elastic.elastic9.MigrateScriptSource
    • Migrate script source from String to Script/ScriptSource
    • Migrates Script.source(String) calls to use ScriptSource.scriptString(String) wrapper in Elasticsearch Java client 9.x.
  • io.moderne.elastic.elastic9.MigrateSpanTermQueryValue
    • Migrate SpanTermQuery.value() from String to FieldValue
    • In Elasticsearch 9, SpanTermQuery.value() returns a FieldValue instead of String. This recipe updates calls to handle the new return type by checking if it's a string and extracting the string value.
  • io.moderne.elastic.elastic9.MigrateToElasticsearch9
    • Migrate from Elasticsearch 8 to 9
    • This recipe performs a comprehensive migration from Elasticsearch 8 to Elasticsearch 9, addressing breaking changes, API removals, deprecations, and required code modifications.
  • io.moderne.elastic.elastic9.RenameApiField
    • Rename Elasticsearch valueBody() methods
    • In Elasticsearch Java Client 9.0, the generic valueBody() method and valueBody(...) builder methods have been replaced with specific getter and setter methods that better reflect the type of data being returned. Similarly, for GetRepositoryResponse, the result field also got altered to repositories.
  • io.moderne.elastic.elastic9.RenameApiFields
    • Rename API fields for Elasticsearch 9
    • Renames various API response fields from valueBody to align with Elasticsearch 9 specifications.
  • io.moderne.elastic.elastic9.UseNamedValueParameters
    • Use NamedValue parameters instead of Map
    • Migrates indicesBoost and dynamicTemplates parameters from Map to NamedValue in Elasticsearch Java client 9.x.

rewrite-hibernate

rewrite-jasperreports

rewrite-java-application-server

rewrite-kafka

  • io.moderne.kafka.MigrateAdminListConsumerGroups
    • Migrate Admin.listConsumerGroups() to listGroups()
    • Migrates the deprecated Admin.listConsumerGroups() method to listGroups() and updates related types for Kafka 4.1 compatibility.
  • io.moderne.kafka.MigrateAlterConfigsToIncrementalAlterConfigs
    • Migrate AdminClient.alterConfigs() to incrementalAlterConfigs()
    • Migrates the removed AdminClient.alterConfigs() method to incrementalAlterConfigs() for Kafka 4.0 compatibility.
  • io.moderne.kafka.MigrateConsumerCommittedToSet
    • Migrate KafkaConsumer.committed(TopicPartition) to committed(Set<TopicPartition>)
    • Migrates from the removed KafkaConsumer.committed(TopicPartition) to committed(Set<TopicPartition>) for Kafka 4.0 compatibility. Converts single TopicPartition arguments to Collections.singleton() calls.
  • io.moderne.kafka.MigrateConsumerGroupStateToGroupState
    • Migrate ConsumerGroupState to GroupState
    • Migrates from the deprecated ConsumerGroupState to GroupState for Kafka 4.0 compatibility. ConsumerGroupState was deprecated in favor of GroupState which supports both consumer groups and share groups.
  • io.moderne.kafka.MigrateConsumerPollToDuration
    • Migrate KafkaConsumer.poll(long) to poll(Duration)
    • Migrates from the deprecated KafkaConsumer.poll(long) to poll(Duration) for Kafka 4.0 compatibility. Converts millisecond timeout values to Duration.ofMillis() calls.
  • io.moderne.kafka.MigrateSendOffsetsToTransaction
    • Migrate deprecated sendOffsetsToTransaction to use ConsumerGroupMetadata
    • Migrates from the deprecated KafkaProducer.sendOffsetsToTransaction(Map, String) to sendOffsetsToTransaction(Map, ConsumerGroupMetadata) for Kafka 4.0 compatibility. This recipe uses a conservative approach with new ConsumerGroupMetadata(groupId).
  • io.moderne.kafka.MigrateToKafka23
    • Migrate to Kafka 2.3
    • Migrate applications to the latest Kafka 2.3 release.
  • io.moderne.kafka.MigrateToKafka24
    • Migrate to Kafka 2.4
    • Migrate applications to the latest Kafka 2.4 release.
  • io.moderne.kafka.MigrateToKafka25
    • Migrate to Kafka 2.5
    • Migrate applications to the latest Kafka 2.5 release.
  • io.moderne.kafka.MigrateToKafka26
    • Migrate to Kafka 2.6
    • Migrate applications to the latest Kafka 2.6 release.
  • io.moderne.kafka.MigrateToKafka27
    • Migrate to Kafka 2.7
    • Migrate applications to the latest Kafka 2.7 release.
  • io.moderne.kafka.MigrateToKafka28
    • Migrate to Kafka 2.8
    • Migrate applications to the latest Kafka 2.8 release.
  • io.moderne.kafka.MigrateToKafka30
    • Migrate to Kafka 3.0
    • Migrate applications to the latest Kafka 3.0 release.
  • io.moderne.kafka.MigrateToKafka31
    • Migrate to Kafka 3.1
    • Migrate applications to the latest Kafka 3.1 release.
  • io.moderne.kafka.MigrateToKafka32
    • Migrate to Kafka 3.2
    • Migrate applications to the latest Kafka 3.2 release.
  • io.moderne.kafka.MigrateToKafka33
    • Migrate to Kafka 3.3
    • Migrate applications to the latest Kafka 3.3 release.
  • io.moderne.kafka.MigrateToKafka40
    • Migrate to Kafka 4.0
    • Migrate applications to the latest Kafka 4.0 release. This includes updating dependencies to 4.0.x, ensuring Java 11+ for clients and Java 17+ for brokers/tools, and handling changes.
  • io.moderne.kafka.MigrateToKafka41
    • Migrate to Kafka 4.1
    • Migrate applications to the latest Kafka 4.1 release. This includes updating dependencies to 4.1.x, migrating deprecated Admin API methods, updating Streams configuration properties, and removing deprecated broker properties.
  • io.moderne.kafka.RemoveDeprecatedKafkaProperties
    • Remove deprecated Kafka property
    • Removes a specific Kafka property that is no longer supported in Kafka 4.0.
  • io.moderne.kafka.UpgradeJavaForKafkaBroker
    • Upgrade Java to 17+ for Kafka broker/tools
    • Ensures Java 17 or higher is used when Kafka broker or tools dependencies are present.
  • io.moderne.kafka.UpgradeJavaForKafkaClients
    • Upgrade Java to 11+ for Kafka clients
    • Ensures Java 11 or higher is used when Kafka client libraries are present.
  • io.moderne.kafka.streams.MigrateJoinedNameMethod
    • Migrate Joined.named() to Joined.as()
    • In Kafka Streams 2.3, Joined.named() was deprecated in favor of Joined.as(). Additionally, the name() method was deprecated for removal and should not be used.
  • io.moderne.kafka.streams.MigrateKStreamToTable
    • Migrate KStream to KTable conversion to use toTable() method
    • In Kafka Streams 2.5, a new toTable() method was added to simplify converting a KStream to a KTable. This recipe replaces the manual aggregation pattern .groupByKey().reduce((oldVal, newVal) -> newVal) with the more concise .toTable() method.
  • io.moderne.kafka.streams.MigrateKafkaStreamsStoreMethod
    • Migrate deprecated KafkaStreams#store method
    • In Kafka Streams 2.5, the method KafkaStreams#store(String storeName, QueryableStoreType<T> storeType) was deprecated. It only allowed querying active stores and did not support any additional query options. Use the new StoreQueryParameters API instead.
  • io.moderne.kafka.streams.MigrateRetryConfiguration
    • Migrate deprecated retry configuration to task timeout
    • In Kafka 2.7, RETRIES_CONFIG and RETRY_BACKOFF_MS_CONFIG were deprecated in favor of TASK_TIMEOUT_MS_CONFIG. This recipe migrates the old retry configuration to the new task timeout configuration, attempting to preserve the retry budget by multiplying retries × backoff time. If only one config is present, it falls back to 60000ms (1 minute).
  • io.moderne.kafka.streams.MigrateStreamsUncaughtExceptionHandler
    • Migrate to StreamsUncaughtExceptionHandler API
    • Migrates from the JVM-level Thread.UncaughtExceptionHandler to Kafka Streams' StreamsUncaughtExceptionHandler API introduced in version 2.8. This new API provides explicit control over how the Streams client should respond to uncaught exceptions (REPLACE_THREAD, SHUTDOWN_CLIENT, or SHUTDOWN_APPLICATION).
  • io.moderne.kafka.streams.MigrateTaskAndThreadMetadata
    • Migrate TaskMetadata and ThreadMetadata
    • Migrates TaskMetadata and ThreadMetadata from org.apache.kafka.streams.processor package to org.apache.kafka.streams package, and updates TaskMetadata.taskId() calls to include .toString() for String compatibility.
  • io.moderne.kafka.streams.MigrateTaskMetadataTaskId
    • Migrate TaskMetadata.taskId() to return TaskId
    • In Kafka Streams 3.0, TaskMetadata.taskId() changed its return type from String to TaskId. This recipe adds .toString() calls where necessary to maintain String compatibility.
  • io.moderne.kafka.streams.MigrateWindowStorePutMethod
    • Migrate WindowStore.put() to include timestamp
    • In Kafka Streams 2.4, WindowStore.put() requires a timestamp parameter. This recipe adds context.timestamp() as the third parameter.
  • io.moderne.kafka.streams.ProcessingGuaranteeExactlyOnceToBeta
    • Migrate exactly_once to exactly_once_beta
    • Kafka Streams 2.6 introduces the exactly-once semantics v2, which is a more efficient implementation with improved internal handling. Though it is beta, it’s fully backward-compatible from the API standpoint, but internally it uses a different transaction/commit protocol. Starting from 3.0, it becomes the default "exactly_once_v2".
  • io.moderne.kafka.streams.ProcessingGuaranteeExactlyOnceToV2
    • Migrate exactly_once and exactly_once_beta to exactly_once_v2
    • Kafka Streams 2.6 introduces the exactly-once semantics v2, which is a more efficient implementation with improved internal handling. Starting from 3.0, it becomes the default "exactly_once_v2".
  • io.moderne.kafka.streams.RemovePartitionGrouperConfiguration
    • Remove PartitionGrouper configuration
    • Starting with Kafka Streams 2.4, the PartitionGrouper API was deprecated and partition grouping is now fully handled internally by the library. This recipe removes the deprecated PARTITION_GROUPER_CLASS_CONFIG configuration.

rewrite-prethink

rewrite-program-analysis

  • io.moderne.recipe.rewrite-program-analysis.InlineDeprecatedMethods
    • Inline deprecated delegating methods
    • Automatically generated recipes to inline deprecated method calls that delegate to other methods in the same class.
  • org.openrewrite.analysis.java.FindNullPointerIssues
    • Find null pointer issues
    • Detects potential null pointer dereferences using path-sensitive analysis to distinguish between definite NPEs, possible NPEs, and safe dereferences.
  • org.openrewrite.analysis.java.controlflow.FindUnusedDefinitions
    • Find unused variable definitions
    • Identifies variable assignments whose values are never used before being overwritten.
  • org.openrewrite.analysis.java.controlflow.search.FindCyclomaticComplexity
    • Find cyclomatic complexity
    • Calculates the cyclomatic complexity of methods and produces a data table containing the class name, method name, argument types, complexity value, and complexity threshold.
  • org.openrewrite.analysis.java.controlflow.search.FindUnreachableCode
    • Find unreachable code
    • Uses control flow analysis to identify statements that can never be executed.
  • org.openrewrite.analysis.java.dataflow.FindDeadStores
    • Find dead stores
    • Identifies variable assignments whose values are never used before being overwritten or going out of scope.
  • org.openrewrite.analysis.java.dataflow.FindUnclosedResources
    • Find unclosed resources (S2095)
    • Identifies resources implementing AutoCloseable/Closeable that are opened but not properly closed on all execution paths. Unclosed resources can lead to resource leaks that degrade application performance and stability.
  • org.openrewrite.analysis.java.datalineage.TrackDataLineage
    • Track data lineage
    • Tracks the flow of data from database sources to API sinks to understand data dependencies and support compliance requirements. ## Prerequisites for detecting a data flow All of the following conditions must be met for the recipe to report a flow: 1. The source code must contain at least one method call matching a recognized source (see below). 2. The source code must contain at least one method call matching a recognized sink (see below). 3. The tainted data must propagate from the source to the sink through variable assignments within the same method or via fields across methods in the same compilation unit. 4. No flow breaker (see below) may appear on the path between source and sink. 5. The relevant library types (e.g., java.sql.ResultSet, javax.ws.rs.core.Response) must be on the classpath so that OpenRewrite can resolve types. If types are unresolved, method matchers will not trigger and no flows will be detected. ## Recognized sources (database reads) | Category | Classes | | --- | --- | | JDBC | java.sql.ResultSet | | JPA (javax) | javax.persistence.EntityManager, Query, TypedQuery | | JPA (jakarta) | jakarta.persistence.EntityManager, Query, TypedQuery | | Hibernate | org.hibernate.Session, org.hibernate.query.Query | | Spring Data | org.springframework.data.repository.CrudRepository | | Spring JDBC | org.springframework.jdbc.core.JdbcTemplate | | MyBatis | org.apache.ibatis.session.SqlSession, org.mybatis.spring.SqlSessionTemplate | | MongoDB | com.mongodb.client.MongoCollection, org.springframework.data.mongodb.core.MongoTemplate | | Redis | redis.clients.jedis.Jedis, org.springframework.data.redis.core.RedisTemplate, ValueOperations, HashOperations | | Cassandra | com.datastax.driver.core.Session, org.springframework.data.cassandra.core.CassandraTemplate | | Elasticsearch | org.elasticsearch.client.RestHighLevelClient, org.springframework.data.elasticsearch.core.ElasticsearchTemplate | | Heuristic | Any class with Repository, Dao, or Mapper in its name calling methods starting with find, get, query, search, load, fetch, or select | ## Recognized sinks (API responses) | Category | Classes | | --- | --- | | JAX-RS (javax) | javax.ws.rs.core.Response, Response.ResponseBuilder | | JAX-RS (jakarta) | jakarta.ws.rs.core.Response, Response.ResponseBuilder | | Spring MVC | org.springframework.http.ResponseEntity, ResponseEntity.BodyBuilder | | Servlet (javax) | javax.servlet.http.HttpServletResponse, javax.servlet.ServletOutputStream | | Servlet (jakarta) | jakarta.servlet.http.HttpServletResponse, jakarta.servlet.ServletOutputStream | | Java I/O | java.io.PrintWriter, java.io.Writer, java.io.OutputStream | | Jackson | com.fasterxml.jackson.databind.ObjectMapper, com.fasterxml.jackson.core.JsonGenerator | | Gson | com.google.gson.Gson, com.google.gson.JsonWriter | | GraphQL | graphql.schema.DataFetcher, graphql.schema.PropertyDataFetcher | | Spring WebFlux | ServerResponse, reactor.core.publisher.Mono, reactor.core.publisher.Flux | | gRPC | io.grpc.stub.StreamObserver | | WebSocket | javax.websocket.Session, RemoteEndpoint.Basic, jakarta.websocket.*, org.springframework.web.socket.WebSocketSession | ## Flow breakers Flows are broken by methods matching common sanitization patterns (anonymize, redact, mask, encrypt, hash, sanitize, etc.) or authorization checks (isAuthorized, hasPermission, hasRole, etc.).
  • org.openrewrite.analysis.java.privacy.FindPiiExposure
    • Find PII exposure in logs and external APIs
    • Detects when Personally Identifiable Information (PII) is exposed through logging statements or sent to external APIs without proper sanitization. This helps prevent data leaks and ensures compliance with privacy regulations like GDPR and CCPA.
  • org.openrewrite.analysis.java.security.FindArrayIndexInjection
    • Find improper validation of array index
    • Detects when user-controlled input flows into array or collection index expressions without proper bounds validation, which could allow out-of-bounds access or denial of service (CWE-129).
  • org.openrewrite.analysis.java.security.FindCommandInjection
    • Find command injection vulnerabilities
    • Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder, which could allow attackers to execute arbitrary commands.
  • org.openrewrite.analysis.java.security.FindJndiInjection
    • Find JNDI injection vulnerabilities
    • Detects when user-controlled input flows into JNDI lookup operations without proper validation, which could allow an attacker to connect to malicious naming/directory services (CWE-99).
  • org.openrewrite.analysis.java.security.FindLdapInjection
    • Find LDAP injection vulnerabilities
    • Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries.
  • org.openrewrite.analysis.java.security.FindLogInjection
    • Find log injection vulnerabilities
    • Detects when user-controlled input flows into logging methods without sanitization, which could allow attackers to forge log entries by injecting newline characters.
  • org.openrewrite.analysis.java.security.FindPathTraversal
    • Find path traversal vulnerabilities
    • Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation.
  • org.openrewrite.analysis.java.security.FindProcessControlInjection
    • Find process control vulnerabilities
    • Detects when user-controlled input flows into native library loading methods without proper validation, which could allow an attacker to load arbitrary native code (CWE-114).
  • org.openrewrite.analysis.java.security.FindSecurityVulnerabilities
    • Find security vulnerabilities using taint analysis
    • Identifies potential security vulnerabilities where untrusted data from sources flows to sensitive sinks without proper sanitization.
  • org.openrewrite.analysis.java.security.FindSqlInjection
    • Find SQL injection vulnerabilities
    • Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization.
  • org.openrewrite.analysis.java.security.FindUnencryptedPiiStorage
    • Find unencrypted PII storage
    • Identifies when personally identifiable information (PII) is stored in databases, files, or other persistent storage without encryption.
  • org.openrewrite.analysis.java.security.FindUnsafeReflectionInjection
    • Find unsafe reflection vulnerabilities
    • Detects when user-controlled input flows into reflection-based class loading or instantiation without proper validation, which could allow an attacker to instantiate arbitrary classes (CWE-470).
  • org.openrewrite.analysis.java.security.FindXssVulnerability
    • Find XSS vulnerabilities
    • Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization.
  • org.openrewrite.analysis.java.security.FindXxeVulnerability
    • Find XXE vulnerabilities
    • Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks.
  • org.openrewrite.analysis.java.security.SanitizeLogInjection
    • Sanitize log injection vulnerabilities
    • Sanitizes user-controlled input before it flows into logging methods by stripping newline, carriage return, and tab characters that could enable log forging.

rewrite-react

rewrite-release-metromap

rewrite-spring

  • io.moderne.java.jsf.MigrateToJsf_2_3
    • Migrate to JSF 2.3
    • Complete migration to JSF 2.3, including associated technologies like RichFaces. Updates dependencies, transforms XHTML views, and migrates Java APIs.
  • io.moderne.java.jsf.richfaces.ConvertExtendedDataTableHeightToStyle
    • Convert height/width attributes to extendedDataTable style
    • Converts height and width attributes to inline style attribute for RichFaces extendedDataTable components.
  • io.moderne.java.jsf.richfaces.MigrateRichFaces_4_5
    • Migrate RichFaces 3.x to 4.5
    • Complete RichFaces 3.x to 4.5 migration including tag renames, attribute migrations, and Java API updates.
  • io.moderne.java.jsf.richfaces.update45.UpdateXHTMLTags
    • Migrate RichFaces tags in xhtml files
    • Migrate RichFaces tags in xhtml files to RichFaces 4.
  • io.moderne.java.spring.boot.AddSpringBootApplication
    • Add @SpringBootApplication class
    • Adds a @SpringBootApplication class containing a main method to bootify your Spring Framework application.
  • io.moderne.java.spring.boot.FieldToConstructorInjection
    • Convert field injection to constructor injection
    • Converts @Autowired field injection to constructor injection pattern. For non-final classes, adds both a no-args constructor and the autowired constructor to maintain compatibility with extending classes. Moves @Qualifier annotations to constructor parameters.
  • io.moderne.java.spring.boot.IsLikelyNotSpringBoot
    • Is likely not a Spring Boot project
    • Marks the project if it's likely not a Spring Boot project.
  • io.moderne.java.spring.boot.IsLikelySpringBoot
    • Is likely a Spring Boot project
    • Marks the project if it's likely a Spring Boot project.
  • io.moderne.java.spring.boot.MarkEmbeddedServerProvidedForWar
    • Mark embedded server as provided for WAR projects
    • For WAR-packaged projects migrating to Spring Boot, add the embedded Tomcat starter with provided scope to prevent conflicts with the external servlet container.
  • io.moderne.java.spring.boot.MigrateSpringFrameworkDependenciesToSpringBoot
    • Migrate Spring Framework dependencies to Spring Boot
    • Migrate Spring Framework dependencies to Spring Boot.
  • io.moderne.java.spring.boot.ReplaceSpringFrameworkDepsWithBootStarters
    • Replace Spring Framework dependencies with Spring Boot starters
    • Replace common Spring Framework dependencies with their Spring Boot starter equivalents. This recipe handles the direct dependency replacement; any remaining Spring Framework dependencies that become transitively available through starters are cleaned up separately by RemoveRedundantDependencies.
  • io.moderne.java.spring.boot.SpringToSpringBoot
    • Migrate Spring Framework to Spring Boot
    • Migrate non Spring Boot applications to the latest compatible Spring Boot release. This recipe will modify an application's build files introducing Maven dependency management for Spring Boot, or adding the Gradle Spring Boot build plugin.
  • io.moderne.java.spring.boot2.UpgradeSpringBoot_2_0
    • Migrate to Spring Boot 2.0 (Moderne Edition)
    • Migrate applications to the latest Spring Boot 2.0 release. This recipe will modify an application's build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changes between versions. This recipe will also chain additional framework migrations (Spring Framework, Spring Data, etc) that are required as part of the migration to Spring Boot 2.0.
  • io.moderne.java.spring.boot3.AddValidToConfigurationPropertiesFields
    • Add @Valid annotation to fields
    • In Spring Boot 3.4, validation of @ConfigurationProperties classes annotated with @Validated now follows the Bean Validation specification, only cascading to nested properties if the corresponding field is annotated with @Valid. The recipe will add a @Valid annotation to each field which has a type that has a field which is annotated with a jakarta.validation.constraints.* annotation.
  • io.moderne.java.spring.boot3.CommentDeprecations
    • Comment deprecated methods in Spring 3.4
    • Spring Boot 3.4 deprecates methods that are not commonly used or need manual interaction.
  • io.moderne.java.spring.boot3.CommentOnMockAndSpyBeansInConfigSpring34
    • Comment on @MockitoSpyBean and @MockitoBean in @Configuration
    • As stated in Spring Docs @MockitoSpyBean and @MockitoBean will only work in tests, explicitly not in @Configuration annotated classes.
  • io.moderne.java.spring.boot3.ConditionalOnAvailableEndpointMigrationSpring34
    • Migrate ConditionalOnAvailableEndpoint for Spring Boot 3.4
    • Migrate @ConditionalOnAvailableEndpoint(EndpointExposure.CLOUD_FOUNDRY) to @ConditionalOnAvailableEndpoint(EndpointExposure.WEB) for Spring Boot 3.4.
  • io.moderne.java.spring.boot3.MigrateAbstractDiscoveredEndpointConstructor
    • Migrate AbstractDiscoveredEndpoint deprecated constructor
    • The boolean-parameter constructor of AbstractDiscoveredEndpoint has been deprecated in Spring Boot 3.4. This recipe transforms it to use the new constructor with an Access parameter.
  • io.moderne.java.spring.boot3.MigrateAbstractExposableEndpointConstructor
    • Migrate AbstractExposableEndpoint deprecated constructor
    • The boolean-parameter constructor of AbstractExposableEndpoint has been deprecated in Spring Boot 3.4. This recipe transforms it to use the new constructor with an Access parameter instead of boolean enableByDefault.
  • io.moderne.java.spring.boot3.MigrateEndpointAnnotationAccessValueSpring34
    • Migrate @Endpoints defaultAccess value
    • Since Spring Boot 3.4 the @Endpoint access configuration values are no longer true|false but none|read-only|unrestricted.
  • io.moderne.java.spring.boot3.MigrateEndpointDiscovererConstructor
    • Migrate EndpointDiscoverer deprecated constructor
    • The 4-parameter constructor of EndpointDiscoverer has been deprecated in Spring Boot 3.4. This recipe transforms it to use the new 5-parameter constructor with an additional Collection parameter.
  • io.moderne.java.spring.boot3.MigrateEntityManagerFactoryBuilderConstructor
    • Migrate EntityManagerFactoryBuilder deprecated constructor
    • The constructors of EntityManagerFactoryBuilder have been deprecated in Spring Boot 3.4. This recipe transforms them to use the new constructor with a Function parameter for property mapping.
  • io.moderne.java.spring.boot3.MigrateJmxEndpointDiscovererConstructor
    • Migrate JmxEndpointDiscoverer deprecated constructor
    • The 4-parameter constructor of JmxEndpointDiscoverer has been deprecated in Spring Boot 3.4. This recipe transforms it to use the new 5-parameter constructor with an additional Collection parameter.
  • io.moderne.java.spring.boot3.MigrateRestTemplateToRestClient
    • Migrate RestTemplate to RestClient
    • Migrates Spring's RestTemplate to the modern RestClient API introduced in Spring Framework 6.1. RestClient provides a fluent, synchronous API that is the recommended approach for new development. This recipe converts constructor calls, type declarations, and common method invocations (getForObject, getForEntity, postForObject, postForEntity, patchForObject, put, delete, headForHeaders, postForLocation, optionsForAllow, exchange) to their RestClient equivalents.
  • io.moderne.java.spring.boot3.MigrateWebEndpointDiscovererConstructor
    • Migrate WebEndpointDiscoverer 6-parameter constructor to 8-parameter
    • The 6-parameter constructor of WebEndpointDiscoverer has been deprecated in Spring Boot 3.3. This recipe adds two new parameters (AdditionalPathsMapper and OperationFilter<WebOperation>) to the constructor and updates the Bean method signature to inject them as ObjectProvider types.
  • io.moderne.java.spring.boot3.RemoveDeprecatedConditions
    • Remove Spring Boot 3.5 deprecated conditions
    • Replace Spring Boot 3.5 deprecated condition classes with their corresponding conditional annotations.
  • io.moderne.java.spring.boot3.RemoveReplaceNoneFromAutoConfigureTestDatabase
    • Remove Replace.NONE from @AutoConfigureTestDatabase
    • Replace.NONE is the default value for @AutoConfigureTestDatabase since Spring Boot 3.4.
  • io.moderne.java.spring.boot3.RemoveTestRestTemplateEnableRedirectsOptionRecipe
    • Remove TestRestTemplate.HttpClientOption.ENABLE_REDIRECTS option
    • The TestRestTemplate now uses the same follow redirects settings as the regular RestTemplate. The HttpOption.ENABLE_REDIRECTS option has also been deprecated. This recipe removes the option from the TestRestTemplate constructor arguments.
  • io.moderne.java.spring.boot3.ReplaceConditionalOutcomeInverse
    • Replace ConditionOutcome.inverse() with constructor
    • Replace deprecated ConditionOutcome.inverse(ConditionOutcome outcome) calls with new ConditionOutcome(!outcome.isMatch(), outcome.getConditionMessage()).
  • io.moderne.java.spring.boot3.ReplaceDeprecatedKafkaConnectionDetailsBootstrapServerGetters
    • Replace deprecated KafkaConnectionDetails bootstrap server methods
    • Replace deprecated KafkaConnectionDetails bootstrap server methods with chained calls. For example, getProducerBootstrapServers() becomes getProducer().getBootstrapServers().
  • io.moderne.java.spring.boot3.ReplaceDeprecatedThreadPoolTaskSchedulerConstructor
    • Replace deprecated ThreadPoolTaskSchedulerBuilder 5-argument constructor
    • The 5-parameter constructor of ThreadPoolTaskSchedulerBuilder has been deprecated in Spring Boot 3.5. This recipe transforms it to use the builder pattern instead, omitting null values and defaults.
  • io.moderne.java.spring.boot3.ReplaceKafkaTransactionManagerSetter
    • Use kafkaAwareTransactionManager setter
    • Replace deprecated ContainerProperties#setTransactionManager(org.springframework.transaction.PlatformTransactionManager) method with ContainerProperties#setKafkaAwareTransactionManager(org.springframework.kafka.transaction.KafkaAwareTransactionManager). The method will be replaced only if its argument has the type KafkaAwareTransactionManager.
  • io.moderne.java.spring.boot3.ReplaceTaskExecutorNameByApplicationTaskExecutorName
    • Use bean name applicationTaskExecutor instead of taskExecutor
    • Spring Boot 3.5 removed the bean name taskExecutor. Where this bean name is used, the recipe replaces the bean name to applicationTaskExecutor. This also includes instances where the developer provided their own bean named taskExecutor. This also includes scenarios where JSR-250's @Resource annotation is used.
  • io.moderne.java.spring.boot3.ResolveDeprecationsSpringBoot_3_3
    • Resolve Deprecations in Spring Boot 3.3
    • Migrates Deprecations in the Spring Boot 3.3 Release. Contains the removal of DefaultJmsListenerContainerFactoryConfigurer.setObservationRegistry and adds new parameter of WebEndpointDiscoverer constructor.
  • io.moderne.java.spring.boot3.ResolveTaskExecutorFromContext
    • Replace taskExecutor with applicationTaskExecutor
    • Use bean name applicationTaskExecutor instead of taskExecutor when resolving TaskExecutor Bean from application context.
  • io.moderne.java.spring.boot3.SpringBoot34Deprecations
    • Migrate Spring Boot 3.4 deprecated classes and methods
    • Migrate deprecated classes and methods that have been marked for removal in Spring Boot 4.0. This includes constructor changes for EntityManagerFactoryBuilder, HikariCheckpointRestoreLifecycle, and various actuator endpoint discovery classes.
  • io.moderne.java.spring.boot3.SpringBoot35Deprecations
    • Migrate Spring Boot 3.5 deprecated classes and methods
    • Migrate deprecated classes and methods that have been marked for removal in Spring Boot 3.5.
  • io.moderne.java.spring.boot3.SpringBoot3BestPractices
    • Spring Boot 3.5 best practices
    • Applies best practices to Spring Boot 3.5+ applications.
  • io.moderne.java.spring.boot3.SpringBootProperties_3_4
    • Migrate @Endpoint Security properties to 3.4 (Moderne Edition)
    • Migrate the settings for Spring Boot Management Endpoint Security from true|false to read-only|none.
  • io.moderne.java.spring.boot3.UpdateOpenTelemetryResourceAttributes
    • Update OpenTelemetry resource attributes
    • The service.group resource attribute has been deprecated for OpenTelemetry in Spring Boot 3.5. Consider using alternative attributes or remove the deprecated attribute.
  • io.moderne.java.spring.boot3.UpgradeGradle7Spring34
    • Upgrade Gradle to 7.6.4+ for Spring Boot 3.4
    • Spring Boot 3.4 requires Gradle 7.6.4.
  • io.moderne.java.spring.boot3.UpgradeGradle8Spring34
    • Upgrade Gradle 8 to 8.4+ for Spring Boot 3.4
    • Spring Boot 3.4 requires Gradle 8.4+.
  • io.moderne.java.spring.boot3.UpgradeMyBatisToSpringBoot_3_4
    • Upgrade MyBatis to Spring Boot 3.4
    • Upgrade MyBatis Spring modules to a version corresponding to Spring Boot 3.4.
  • io.moderne.java.spring.boot3.UpgradeMyBatisToSpringBoot_3_5
    • Upgrade MyBatis to Spring Boot 3.5
    • Upgrade MyBatis Spring modules to a version corresponding to Spring Boot 3.5.
  • io.moderne.java.spring.boot3.UpgradeSpringBoot_3_4
    • Migrate to Spring Boot 3.4 (Moderne Edition)
    • Migrate applications to the latest Spring Boot 3.4 release. This recipe will modify an application's build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changes between versions. This recipe will also chain additional framework migrations (Spring Framework, Spring Data, etc) that are required as part of the migration to Spring Boot 3.4.
  • io.moderne.java.spring.boot3.UpgradeSpringBoot_3_5
    • Migrate to Spring Boot 3.5 (Moderne Edition)
    • Migrate applications to the latest Spring Boot 3.5 release. This recipe will modify an application's build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changes between versions. This recipe will also chain additional framework migrations (Spring Framework, Spring Data, etc) that are required as part of the migration to Spring Boot 3.5.
  • io.moderne.java.spring.boot3.UpgradeSpringCloudAWSToSpringBoot_3_4
    • Upgrade Spring Cloud AWS to Spring Boot 3.4 compatible version
    • Upgrade the Spring Cloud AWS dependency to a version compatible with Spring Boot 3.4.
  • io.moderne.java.spring.boot3.UpgradeSpringKafka_3_3
    • Migrate to Spring Kafka 3.3
    • Migrate applications to the latest Spring Kafka 3.3 release.
  • io.moderne.java.spring.boot4.AddAutoConfigureMockMvc
    • Add @AutoConfigureMockMvc to @SpringBootTest classes using MockMvc
    • Adds @AutoConfigureMockMvc annotation to classes annotated with @SpringBootTest that use MockMvc.
  • io.moderne.java.spring.boot4.AddFlywayStarters
    • Add Flyway starters
    • Adds spring-boot-starter-flyway and spring-boot-starter-flyway-test dependencies when Flyway usage is detected in the module.
  • io.moderne.java.spring.boot4.AddJackson2ForJerseyJson
    • Add Jackson2 for Jersey using JSON
    • Check whether a module uses Jersey on combination with JSON and adds the needed spring-boot-jackson dependency and conditionally spring-boot-jackson2 dependency.
  • io.moderne.java.spring.boot4.AddLenientMockitoSettings
    • Add @MockitoSettings(strictness = Strictness.LENIENT) for @MockitoBean tests
    • When migrating from @MockBean to @MockitoBean, the implicit LENIENT Mockito strictness from Spring Boot's MockitoPostProcessor is lost. If @ExtendWith(MockitoExtension.class) is present, Mockito enforces STRICT_STUBS by default, causing UnnecessaryStubbingException for tests with unused stubs. This recipe adds @MockitoSettings(strictness = Strictness.LENIENT) to preserve the original behavior.
  • io.moderne.java.spring.boot4.AddLiquibaseStarters
    • Add Liquibase starters
    • Adds spring-boot-starter-liquibase and spring-boot-starter-liquibase-test dependencies when Liquibase usage is detected in the module.
  • io.moderne.java.spring.boot4.AddModularStarters
    • Add Spring Boot 4.0 modular starters
    • Add Spring Boot 4.0 starter dependencies based on package usage. Note: Higher-level starters (like data-jpa) include lower-level ones (like jdbc) transitively, so only the highest-level detected starter is added for each technology.
  • io.moderne.java.spring.boot4.AddMongoDbRepresentationProperties
    • Add MongoDB representation properties for UUID and BigDecimal
    • Adds the 'spring.mongodb.representation.uuid' property with value 'standard' and the 'spring.data.mongodb.representation.big-decimal' property with the value 'decimal128' to Spring configuration files when a MongoDB dependency is detected.
  • io.moderne.java.spring.boot4.AddMssqlKerberosJaasConfig
    • Add useDefaultJaasConfig=true to MSSQL Kerberos JDBC URLs
    • For MSSQL JDBC connections using Kerberos authentication (authenticationScheme=JavaKerberos or integratedSecurity=true), adds useDefaultJaasConfig=true to the connection string. This is required for compatibility with Keycloak 26.4+ which changes JAAS configuration handling.
  • io.moderne.java.spring.boot4.AddValidationStarterDependency
    • Add spring-boot-starter-validation dependency
    • In Spring Boot 4, validation is no longer auto-included from the web starter. This recipe adds the spring-boot-starter-validation dependency when Jakarta Validation annotations are used in the project.
  • io.moderne.java.spring.boot4.AdoptJackson3
    • Adopt Jackson 3
    • Adopt Jackson 3 which is supported by Spring Boot 4 and Jackson 2 support is deprecated.
  • io.moderne.java.spring.boot4.FlagDeprecatedReactorNettyHttpClientMapper
    • Flag deprecated ReactorNettyHttpClientMapper for migration
    • Adds a TODO comment to classes implementing the deprecated ReactorNettyHttpClientMapper interface. Migration to ClientHttpConnectorBuilderCustomizer<ReactorClientHttpConnectorBuilder> requires wrapping the HttpClient configuration in builder.withHttpClientCustomizer(...).
  • io.moderne.java.spring.boot4.InsertPropertyMapperAlwaysMethodInvocation
    • Preserve PropertyMapper null-passing behavior
    • Spring Boot 4.0 changes the PropertyMapper behavior so that from() no longer calls to() when the source value is null. This recipe inserts .always() before terminal mapping methods to preserve the previous behavior. Chains that already contain .whenNonNull() or .alwaysApplyingWhenNonNull() are skipped, as they explicitly opted into null-skipping behavior which is now the default.
  • io.moderne.java.spring.boot4.MigrateHazelcastSpringSession
    • Migrate Spring Session Hazelcast to Hazelcast Spring Session
    • Spring Boot 4.0 removed direct support for Spring Session Hazelcast. The Hazelcast team now maintains their own Spring Session integration. This recipe changes the dependency from org.springframework.session:spring-session-hazelcast to com.hazelcast.spring:hazelcast-spring-session and updates the package from org.springframework.session.hazelcast to com.hazelcast.spring.session.
  • io.moderne.java.spring.boot4.MigrateMockMvcToAssertJ
    • Migrate MockMvc to AssertJ assertions
    • Migrates Spring MockMvc tests from Hamcrest-style andExpect() assertions to AssertJ-style fluent assertions. Changes MockMvc to MockMvcTester and converts assertion chains.
  • io.moderne.java.spring.boot4.MigratePropertyMapper
    • Migrate PropertyMapper API for Spring Boot 4.0
    • Migrates PropertyMapper usage to accommodate Spring Boot 4.0 behavioral changes. In Boot 4.0, PropertyMapper.from() no longer calls to() when the source value is null. This recipe first inserts .always() on bare chains to preserve null-passing behavior, then removes the now-redundant .whenNonNull() and .alwaysApplyingWhenNonNull() calls. Guarded by a Spring Boot < 4.0 precondition so that on subsequent recipe cycles (after the version is bumped by the parent migration recipe), this recipe becomes a no-op — preventing it from incorrectly adding .always() to chains that just had .whenNonNull() stripped.
  • io.moderne.java.spring.boot4.MigrateRestAssured
    • Add explicit version for REST Assured
    • REST Assured is no longer managed by Spring Boot 4.0. This recipe adds an explicit version to REST Assured dependencies.
  • io.moderne.java.spring.boot4.MigrateSpringRetry
    • Migrate Spring Retry to Spring Resilience
    • Handle spring-retry no longer managed by Spring Boot and the possible migration to Spring Core Resilience.
  • io.moderne.java.spring.boot4.MigrateSpringRetryToSpringFramework7
    • Migrate spring-retry to Spring Framework resilience
    • Migrate spring-retrys @Retryable and @Backoff annotation to Spring Framework 7 Resilience annotations.
  • io.moderne.java.spring.boot4.MigrateToModularStarters
    • Migrate to Spring Boot 4.0 modular starters (Moderne Edition)
    • Remove monolithic starters and adds the necessary Spring Boot 4.0 starter dependencies based on package usage, where any spring-boot-starter was used previously.
  • io.moderne.java.spring.boot4.MockMvcAssertionsToAssertJ
    • Migrate MockMvc andExpect() chains to AssertJ assertions
    • Converts MockMvc Hamcrest-style andExpect() assertion chains to AssertJ-style fluent assertions using assertThat(). Handles status, content, JSON path, header, redirect, and forward assertions.
  • io.moderne.java.spring.boot4.MockMvcRequestBuildersToMockMvcTester
    • Migrate MockMvcRequestBuilders to MockMvcTester request methods
    • Converts mockMvcTester.perform(get(&quot;/api&quot;).param(&quot;k&quot;,&quot;v&quot;)) to mockMvcTester.get().uri(&quot;/api&quot;).param(&quot;k&quot;,&quot;v&quot;), removing the perform() wrapper and MockMvcRequestBuilders static method calls.
  • io.moderne.java.spring.boot4.MockMvcToMockMvcTester
    • Migrate MockMvc to MockMvcTester
    • Converts MockMvc fields and initialization to MockMvcTester. Changes field types, renames fields from mockMvc to mockMvcTester, and converts MockMvcBuilders.standaloneSetup().build() to MockMvcTester.of() and MockMvcBuilders.webAppContextSetup().build() to MockMvcTester.from().
  • io.moderne.java.spring.boot4.ModuleHasMonolithicStarter
    • Module has monolithic Spring Boot starter
    • Precondition that matches modules with the monolithic Spring Boot starters that need to be migrated to modular starters. Matches the production monolithic spring-boot-starter and spring-boot-starter-classic, but not specific modular starters like spring-boot-starter-test or spring-boot-starter-ldap.
  • io.moderne.java.spring.boot4.ModuleStarterRelocations
    • Spring Boot 4.0 Module Starter Relocations
    • Relocate types and packages for Spring Boot 4.0 modular starters.
  • io.moderne.java.spring.boot4.ModuleUsesFlyway
    • Module uses Flyway
    • Precondition that marks all files in a module if Flyway usage is detected. Detection is based on having a Flyway dependency, using Flyway types, or having migration files.
  • io.moderne.java.spring.boot4.ModuleUsesLiquibase
    • Module uses Liquibase
    • Precondition that marks all files in a module if Liquibase usage is detected. Detection is based on having a Liquibase dependency, using Liquibase types, or having changelog files.
  • io.moderne.java.spring.boot4.RemoveContentNegotiationFavorPathExtension
    • Remove ContentNegotiationConfigurer.favorPathExtension() calls
    • Spring Framework 7 removed favorPathExtension() from ContentNegotiationConfigurer. Path extension content negotiation is no longer supported. This recipe removes calls to favorPathExtension().
  • io.moderne.java.spring.boot4.RemoveGradleUberJarLoaderImplementationConfig
    • Remove loaderImplementation from Gradle
    • Removes the Spring Boot Uber-Jar loaderImplementation configuration from Gradle build files.
  • io.moderne.java.spring.boot4.RemoveHttpMessageConvertersAutoConfigurationReferences
    • Remove HttpMessageConvertersAutoConfiguration references
    • Removes references to the deprecated HttpMessageConvertersAutoConfiguration class which was removed in Spring Boot 4.0. For @AutoConfigureAfter and @AutoConfigureBefore annotations, the reference is removed. For @Import annotations, a TODO comment is added since manual migration may be required.
  • io.moderne.java.spring.boot4.RemoveKafkaPropertiesSslBundlesParameter
    • Remove SslBundles parameter from KafkaProperties build methods
    • In Spring Boot 4.0, the SslBundles parameter was removed from KafkaProperties.buildProducerProperties, buildConsumerProperties, buildAdminProperties, and buildStreamsProperties. This recipe removes the argument from method calls.
  • io.moderne.java.spring.boot4.RemoveSpringPulsarReactive
    • Remove Spring Pulsar Reactive support
    • Spring Boot 4.0 removed support for Spring Pulsar Reactive as it is no longer maintained. This recipe removes the Spring Pulsar Reactive dependencies.
  • io.moderne.java.spring.boot4.RemoveZipkinAutoConfigurationExclude
    • Remove ZipkinAutoConfiguration
    • Zipkin is no longer auto-configured by default in Spring Boot 4.0; remove references to it from exclusions on annotations.
  • io.moderne.java.spring.boot4.ReplaceDeprecatedAutoconfigureMongoApi
    • Replace deprecated org.springframework.boot.autoconfigure.mongo API
    • Replace deprecated org.springframework.boot.autoconfigure.mongo API.
  • io.moderne.java.spring.boot4.ReplaceDeprecatedDockerApi
    • Replace deprecated DockerApi
    • Replaces deprecated DockerApi constructors and configuration methods with their modern equivalents.
  • io.moderne.java.spring.boot4.ReplaceDeprecatedRequestMatcherProvider
    • Replace deprecated RequestMatcherProvider with new API
    • Replaces the deprecated org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider with org.springframework.boot.security.autoconfigure.actuate.web.servlet.RequestMatcherProvider. The new interface adds an HttpMethod parameter to the getRequestMatcher method.
  • io.moderne.java.spring.boot4.ReplaceDeprecatedThreadPoolTaskSchedulerBuilderApi
    • Replace deprecated ThreadPoolTaskSchedulerBuilder constructor
    • Replaces the deprecated 5-argument constructor of ThreadPoolTaskSchedulerBuilder with the builder pattern.
  • io.moderne.java.spring.boot4.SpringBoot4BestPractices
    • Spring Boot 4.0 best practices
    • Applies best practices to Spring Boot 4.+ applications.
  • io.moderne.java.spring.boot4.UpgradeMyBatisToSpringBoot_4_0
    • Upgrade MyBatis to Spring Boot 4.0
    • Upgrade MyBatis Spring modules to a version corresponding to Spring Boot 4.0.
  • io.moderne.java.spring.boot4.UpgradeSpringBoot_4_0
    • Migrate to Spring Boot 4.0 (Moderne Edition)
    • Migrate applications to the latest Spring Boot 4.0 release. This recipe will modify an application's build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changes between versions. This recipe will also chain additional framework migrations (Spring Framework, Spring Data, etc) that are required as part of the migration to Spring Boot 4.0.
  • io.moderne.java.spring.boot4.UpgradeSpringKafka_4_0
    • Migrate to Spring Kafka 4.0
    • Migrate applications to Spring Kafka 4.0. This includes removing deprecated configuration options that are no longer supported.
  • io.moderne.java.spring.cloud2020.SpringCloudProperties_2020
    • Migrate Spring Cloud properties to 2020
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud2021.SpringCloudProperties_2021
    • Migrate Spring Cloud properties to 2021
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud2022.SpringCloudProperties_2022
    • Migrate Spring Cloud properties to 2022
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud2023.SpringCloudProperties_2023
    • Migrate Spring Cloud properties to 2023
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud2024.SpringCloudProperties_2024
    • Migrate Spring Cloud properties to 2024
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud2025.SpringCloudProperties_2025
    • Migrate Spring Cloud properties to 2025
    • Migrate properties found in application.properties and application.yml.
  • io.moderne.java.spring.cloud20251.SpringCloudProperties_2025_1
    • Migrate Spring Cloud properties to 2025.1
    • Migrate properties found in application.properties and application.yml for Spring Cloud 2025.1 (Oakwood). This includes the stubrunner property prefix migration from stubrunner. to spring.cloud.contract.stubrunner..
  • io.moderne.java.spring.cloud20251.UpgradeSpringCloud_2025_1
    • Upgrade to Spring Cloud 2025.1
    • Upgrade to Spring Cloud 2025.1 (Oakwood). This release is based on Spring Framework 7 and Spring Boot 4. Each Spring Cloud project has been updated to version 5.0.0.
  • io.moderne.java.spring.framework.AddSetUseSuffixPatternMatch
    • Add setUseSuffixPatternMatch(true) in Spring MVC configuration
    • In Spring Framework 5.2.4 and earlier, suffix pattern matching was enabled by default. This meant a controller method mapped to /users would also match /users.json, /users.xml, etc. Spring Framework 5.3 deprecated this behavior and changed the default to false. This recipe adds setUseSuffixPatternMatch(true) to WebMvcConfigurer implementations to preserve the legacy behavior during migration. Note: This only applies to Spring MVC; Spring WebFlux does not support suffix pattern matching.
  • io.moderne.java.spring.framework.AddSetUseSuffixPatternMatchIfPreSpring53
    • Add setUseSuffixPatternMatch(true) for pre-Spring Framework 5.3 projects
    • Only adds setUseSuffixPatternMatch(true) when the project is on Spring Framework < 5.3, where suffix pattern matching was enabled by default. Projects already on 5.3+ have been running with the new default (false) and should not get this configuration added.
  • io.moderne.java.spring.framework.FindDeprecatedPathMatcherUsage
    • Find deprecated PathMatcher usage
    • In Spring Framework 7.0, PathMatcher and AntPathMatcher are deprecated in favor of PathPatternParser. This recipe finds usages of the deprecated AntPathMatcher class that may require manual migration to PathPatternParser.
  • io.moderne.java.spring.framework.FlagSuffixPatternMatchUsage
    • Flag deprecated suffix pattern matching usage for manual review
    • Handles deprecated setUseSuffixPatternMatch() and setUseRegisteredSuffixPatternMatch() calls. When suffix pattern matching is explicitly enabled, adds TODO comments and search markers since there is no automatic migration path. When explicitly disabled, the call is safely removed since false is already the default since Spring Framework 5.3.
  • io.moderne.java.spring.framework.IsLikelySpringFramework
    • Is likely a Spring Framework project
    • Marks the project if it's likely a Spring Framework project.
  • io.moderne.java.spring.framework.JaxRsToSpringWeb
    • Convert JAX-RS annotations to Spring Web
    • Converts JAX-RS annotations such as @Path, @GET, @POST, etc., to their Spring Web equivalents like @RestController, @RequestMapping, @GetMapping, etc.
  • io.moderne.java.spring.framework.MigrateConverterSetObjectMapper
    • Replace setObjectMapper with constructor injection
    • Folds setObjectMapper calls on MappingJackson2HttpMessageConverter into the constructor. If the converter is instantiated in the same block with no other invocations, the setter call is replaced with constructor injection. Otherwise, a TODO comment is added.
  • io.moderne.java.spring.framework.MigrateDefaultResponseErrorHandler
    • Migrate DefaultResponseErrorHandler.handleError method signature
    • Migrates overridden handleError(ClientHttpResponse response) methods to the new signature handleError(URI url, HttpMethod method, ClientHttpResponse response) in classes extending DefaultResponseErrorHandler. The old single-argument method was removed in Spring Framework 7.0.
  • io.moderne.java.spring.framework.MigrateDeprecatedBeanXmlProperties
    • Migrate Bean XML properties deprecated in Spring Framework 3.0
    • Migrate Bean XML properties that were deprecated in Spring Framework 3.0.
  • io.moderne.java.spring.framework.MigrateFilterToOncePerRequestFilter
    • Migrate Filter to OncePerRequestFilter
    • Migrates classes that implement javax.servlet.Filter (or jakarta.servlet.Filter) to extend org.springframework.web.filter.OncePerRequestFilter. This transformation renames doFilter to doFilterInternal, changes parameter types to HTTP variants, removes manual casting, and removes empty init() and destroy() methods.
  • io.moderne.java.spring.framework.MigrateHandleErrorMethodInvocations
    • Migrate handleError method invocations to new signature
    • Updates invocations of handleError(ClientHttpResponse) to the new handleError(URI, HttpMethod, ClientHttpResponse) signature introduced in Spring Framework 7.0. In test sources, example values are used. In main sources, null is passed with a TODO comment.
  • io.moderne.java.spring.framework.MigrateHttpHeadersMultiValueMapMethods
    • Migrate HttpHeaders methods removed when MultiValueMap contract was dropped
    • Spring Framework 7.0 changed HttpHeaders to no longer implement MultiValueMap. This recipe replaces removed inherited method calls: containsKey() with containsHeader(), keySet() with headerNames(), and entrySet() with headerSet().
  • io.moderne.java.spring.framework.MigrateTrailingSlashMatch
    • Migrate trailing slash matching to explicit routes
    • Migrates deprecated setUseTrailingSlashMatch() configuration removed in Spring Framework 7.0. Only adds explicit trailing slash routes when the project previously enabled trailing slash matching via setUseTrailingSlashMatch(true). The deprecated configuration calls are always removed.
  • io.moderne.java.spring.framework.ModularSpringFrameworkDependencies
    • Add Spring Framework modular dependencies
    • Adds Spring Framework modular dependencies based on package usage, replacing legacy monolithic org.springframework:spring.
  • io.moderne.java.spring.framework.NullableSpringWebParameters
    • Add @Nullable to optional Spring web parameters
    • In Spring Boot 4, JSpecify's @Nullable annotation should be used to indicate that a parameter can be null. This recipe adds @Nullable to parameters annotated with @PathVariable(required = false) or @RequestParam(required = false) and removes the now-redundant required = false attribute.
  • io.moderne.java.spring.framework.RemoveDeprecatedPathMappingOptions
    • Migrate deprecated path mapping options
    • Migrates deprecated path mapping configuration options that have been removed in Spring Framework 7.0. For trailing slash matching, this recipe adds explicit dual routes to controller methods before removing the deprecated configuration. For suffix pattern matching, this recipe flags usages for manual review since there is no automatic migration path. Path extension content negotiation options are removed as they should be replaced with query parameter-based negotiation.
  • io.moderne.java.spring.framework.RemoveEmptyPathMatchConfiguration
    • Remove empty path match configuration methods
    • Removes empty configurePathMatch (WebMvc) and configurePathMatching (WebFlux) method overrides. These methods may become empty after deprecated path matching options are removed.
  • io.moderne.java.spring.framework.RemovePathExtensionContentNegotiation
    • Remove path extension content negotiation methods
    • Remove calls to favorPathExtension() and ignoreUnknownPathExtensions() on ContentNegotiationConfigurer. These methods and the underlying PathExtensionContentNegotiationStrategy were removed in Spring Framework 7.0. Path extension content negotiation was deprecated due to URI handling issues. Use query parameter-based negotiation with favorParameter(true) as an alternative.
  • io.moderne.java.spring.framework.RemoveSetPathMatcherCall
    • Remove deprecated setPathMatcher() calls
    • In Spring Framework 7.0, PathMatcher and AntPathMatcher are deprecated in favor of PathPatternParser, which has been the default in Spring MVC since 6.0. This recipe removes calls to setPathMatcher(new AntPathMatcher()) since they are now redundant. The default PathPatternParser provides better performance through pre-parsed patterns.
  • io.moderne.java.spring.framework.ReplaceControllerWithRestController
    • Replace @Controller with @RestController
    • When a class is annotated with @Controller and either the class itself or all of its handler methods are annotated with @ResponseBody, the class can use @RestController instead. This removes the need for individual @ResponseBody annotations.
  • io.moderne.java.spring.framework.UpgradeSpringFramework_3_0
    • Migrate to Spring Framework 3.x
    • Migrate applications to the latest Spring Framework 3 release, pulling in additional proprietary Moderne recipes.
  • io.moderne.java.spring.framework.UpgradeSpringFramework_5_3
    • Migrate to Spring Framework 5.3 (Moderne Edition)
    • Migrate applications to the latest Spring Framework 5.3 release, pulling in additional proprietary Moderne recipes.
  • io.moderne.java.spring.framework.beansxml.BeansXmlToConfiguration
    • Migrate beans.xml to Spring Framework configuration class
    • Converts Java/Jakarta EE beans.xml configuration files to Spring Framework @Configuration classes.
  • io.moderne.java.spring.framework.jsf23.MigrateFacesConfig
    • Migrate JSF variable-resolver to el-resolver
    • Migrates JSF faces-config.xml from namespaces, tags and values that was deprecated in JSF 1.2 and removed in later versions, to the JSF 2.3 compatible constructs.
  • io.moderne.java.spring.framework.webxml.FindWelcomeFileConfiguration
    • Add landing page controller for welcome file configuration
    • Generates a LandingPageController when welcome-file-list is found in web.xml or context-root in jboss-web.xml. When migrating to Spring Framework 5.3+, applications that rely on these server-side landing page configurations need a @Controller with a @RequestMapping for / to avoid 404 errors, as Spring MVC can take over the root mapping. Skips generation if a controller already maps to /.
  • io.moderne.java.spring.framework.webxml.WebXmlToWebApplicationInitializer
    • Migrate web.xml to WebApplicationInitializer
    • Migrate web.xml to WebApplicationInitializer for Spring applications. This allows for programmatic configuration of the web application context, replacing the need for XML-based configuration. This recipe only picks up web.xml files located in the src/main/webapp/WEB-INF directory to avoid inference with tests. It creates a WebXmlWebAppInitializer class in src/main/java with respect to submodules if they contain java files. If it finds an existing WebXmlWebAppInitializer, it skips the creation.
  • io.moderne.java.spring.framework7.AddDynamicDestinationResolverToJmsTemplate
    • Explicitly set DynamicDestinationResolver on JmsTemplate
    • Spring Framework 7.0 changed the default DestinationResolver for JmsTemplate from DynamicDestinationResolver to SimpleDestinationResolver, which caches Session-resolved Queue and Topic instances. This recipe adds an explicit call to setDestinationResolver(new DynamicDestinationResolver()) to preserve the previous behavior. The caching behavior of SimpleDestinationResolver should be fine for most JMS brokers, so this explicit configuration can be removed once compatibility with the new default is verified.
  • io.moderne.java.spring.framework7.AddSpringExtensionConfigForNestedTests
    • Add @SpringExtensionConfig for nested tests
    • Spring Framework 7.0 changed SpringExtension to use test-method scoped ExtensionContext instead of test-class scoped. This can break @Nested test class hierarchies. Adding @SpringExtensionConfig(useTestClassScopedExtensionContext = true) restores the previous behavior.
  • io.moderne.java.spring.framework7.FindOkHttp3IntegrationUsage
    • Find Spring OkHttp3 integration usage
    • Spring Framework 7.0 removes OkHttp3 integration classes. This recipe identifies usages of OkHttp3ClientHttpRequestFactory and OkHttp3ClientHttpConnector that need to be replaced. Consider migrating to Java's built-in HttpClient with JdkClientHttpRequestFactory or JdkClientHttpConnector, or to Apache HttpClient 5 with HttpComponentsClientHttpRequestFactory.
  • io.moderne.java.spring.framework7.FindRemovedAPIs
    • Find removed APIs in Spring Framework 7.0
    • Finds usages of APIs that were removed in Spring Framework 7.0 and require manual intervention. This includes Theme support, OkHttp3 integration, and servlet view document/feed classes which have no direct automated replacement.
  • io.moderne.java.spring.framework7.FindServletViewSupportUsage
    • Find removed Spring servlet view classes
    • Spring Framework 7.0 removes the org.springframework.web.servlet.view.document and org.springframework.web.servlet.view.feed packages. This recipe adds TODO comments to imports of AbstractPdfView, AbstractXlsView, AbstractXlsxView, AbstractXlsxStreamingView, AbstractPdfStampView, AbstractFeedView, AbstractAtomFeedView, and AbstractRssFeedView that need to be replaced with direct usage of the underlying libraries (Apache POI, OpenPDF/iText, ROME) in web handlers.
  • io.moderne.java.spring.framework7.FindThemeSupportUsage
    • Find Spring Theme support usage
    • Spring Framework 7.0 removes Theme support entirely. This recipe identifies usages of Theme-related classes like ThemeResolver, ThemeSource, and ThemeChangeInterceptor that need to be removed or replaced with CSS-based alternatives. The Spring team recommends using CSS directly for theming functionality.
  • io.moderne.java.spring.framework7.MigrateDeprecatedAPIs
    • Migrate deprecated APIs removed in Spring Framework 7.0
    • Migrates deprecated APIs that were removed in Spring Framework 7.0. This includes ListenableFuture to CompletableFuture migration, ContentCachingRequestWrapper constructor changes, and NestedServletException to ServletException type migration.
  • io.moderne.java.spring.framework7.MigrateHttpStatusToRfc9110
    • Migrate HttpStatus enum values to RFC 9110 names
    • Spring Framework 7.0 aligns HttpStatus enum values with RFC 9110. This recipe replaces deprecated status code constants with their RFC 9110 equivalents: PAYLOAD_TOO_LARGE becomes CONTENT_TOO_LARGE and UNPROCESSABLE_ENTITY becomes UNPROCESSABLE_CONTENT.
  • io.moderne.java.spring.framework7.MigrateJackson2ObjectMapperBuilder
    • Migrate Jackson2ObjectMapperBuilder to mapper builder pattern
    • Replaces Jackson2ObjectMapperBuilder.json().build() and similar factory methods with the corresponding Jackson mapper builder pattern (e.g. JsonMapper.builder()...build()). Setter calls on the resulting mapper are folded into the builder chain when safe, or annotated with a TODO comment when automatic migration is not possible.
  • io.moderne.java.spring.framework7.MigrateJmsDestinationResolver
    • Preserve DynamicDestinationResolver behavior for JmsTemplate
    • Spring Framework 7.0 changed the default DestinationResolver for JmsTemplate from DynamicDestinationResolver to SimpleDestinationResolver, which caches Session-resolved Queue and Topic instances. This recipe explicitly configures DynamicDestinationResolver to preserve the pre-7.0 behavior. The caching behavior of SimpleDestinationResolver should be fine for most JMS brokers, so this explicit configuration can be removed once verified.
  • io.moderne.java.spring.framework7.MigrateListenableFuture
    • Migrate ListenableFuture to CompletableFuture
    • Spring Framework 6.0 deprecated ListenableFuture in favor of CompletableFuture. Spring Framework 7.0 removes ListenableFuture entirely. This recipe migrates usages of ListenableFuture and its callbacks to use CompletableFuture and BiConsumer instead.
  • io.moderne.java.spring.framework7.MigrateResponseEntityGetStatusCodeValueMethod
    • Migrate ResponseEntity#getStatusCodeValue() to getStatusCode().value()
    • Replaces calls to ResponseEntity#getStatusCodeValue() which was deprecated in Spring Framework 6.0 and removed in Spring Framework 7.0 with getStatusCode().value().
  • io.moderne.java.spring.framework7.RemoveSpringJcl
    • Remove spring-jcl dependency
    • The spring-jcl module has been removed in Spring Framework 7.0 in favor of Apache Commons Logging 1.3.0. This recipe removes any explicit dependency on org.springframework:spring-jcl. The change should be transparent for most applications, as spring-jcl was typically a transitive dependency and the logging API calls (org.apache.commons.logging.*) remain unchanged.
  • io.moderne.java.spring.framework7.RenameMemberCategoryConstants
    • Rename MemberCategory field constants for Spring Framework 7.0
    • Renames deprecated MemberCategory constants to their new names in Spring Framework 7.0. MemberCategory.PUBLIC_FIELDS is renamed to MemberCategory.INVOKE_PUBLIC_FIELDS and MemberCategory.DECLARED_FIELDS is renamed to MemberCategory.INVOKE_DECLARED_FIELDS. These renames clarify the original intent of these categories and align with the rest of the API.
  • io.moderne.java.spring.framework7.RenameRequestContextJstlPresent
    • Rename RequestContext.jstPresent to JSTL_PRESENT
    • Renames the protected static field RequestContext.jstPresent to JSTL_PRESENT in Spring Framework 7.0. This field was renamed as part of a codebase-wide effort to use uppercase for classpath-related static final field names (see https://github.com/spring-projects/spring-framework/issues/35525).
  • io.moderne.java.spring.framework7.ReplaceJUnit4SpringTestBaseClasses
    • Replace JUnit 4 Spring test base classes with JUnit Jupiter annotations
    • Replace AbstractJUnit4SpringContextTests and AbstractTransactionalJUnit4SpringContextTests base classes with @ExtendWith(SpringExtension.class) and @Transactional annotations. These base classes are deprecated in Spring Framework 7.0 in favor of the SpringExtension for JUnit Jupiter.
  • io.moderne.java.spring.framework7.SimplifyReflectionHintRegistration
    • Simplify reflection hint registrations for Spring Framework 7.0
    • Removes deprecated MemberCategory arguments from registerType() calls on ReflectionHints. In Spring Framework 7.0, registering a reflection hint for a type now implies methods, constructors, and fields introspection. All MemberCategory values except INVOKE_* have been deprecated. This recipe removes those deprecated arguments, simplifying code like hints.reflection().registerType(MyType.class, MemberCategory.DECLARED_FIELDS) to hints.reflection().registerType(MyType.class).
  • io.moderne.java.spring.framework7.UpdateGraalVmNativeHints
    • Update GraalVM native reflection hints for Spring Framework 7.0
    • Migrates GraalVM native reflection hints to Spring Framework 7.0 conventions. Spring Framework 7.0 adopts the unified reachability metadata format for GraalVM. This recipe renames deprecated MemberCategory constants and simplifies reflection hint registrations where explicit member categories are no longer needed.
  • io.moderne.java.spring.framework7.UpgradeSpringFramework_7_0
    • Migrate to Spring Framework 7.0
    • Migrates applications to Spring Framework 7.0. This recipe applies all necessary changes including API migrations, removed feature detection, and configuration updates.
  • io.moderne.java.spring.framework7.WrapGenericMessageMapInMessageHeaders
    • Wrap GenericMessage map argument in MessageHeaders
    • Wraps the Map argument in GenericMessage constructors in Kotlin sources with MessageHeaders(map) to explicitly use the MessageHeaders overload. This resolves Kotlin overload resolution ambiguity between the Map and MessageHeaders constructor overloads.
  • io.moderne.java.spring.hibernate.MigrateDaoSupportGetSession
    • Migrate HibernateDaoSupport#getSession() usage
    • Migrate HibernateDaoSupport#getSession() usage to HibernateDaoSupport#getSessionFactory()#getCurrentSession() and annotate the methods with @Transactional.
  • io.moderne.java.spring.hibernate.MigrateSaveOrUpdateAll
    • Migrate HibernateDaoSupport#getHibernateTemplate#saveOrUpdateAll
    • Migrate removed HibernateDaoSupport#getHibernateTemplate#.saveOrUpdateAll to an iterative HibernateDaoSupport#getHibernateTemplate#.saveOrUpdate.
  • io.moderne.java.spring.kafka.consumer.FindKafkaListenerWithoutErrorHandling
    • Find @KafkaListener methods without error handling
    • Flags @KafkaListener methods that lack proper error handling. Methods should have @RetryableTopic, specify an errorHandler in the annotation, or implement try-catch blocks for error handling.
  • io.moderne.java.spring.kafka.consumer.FindMissingDltHandler
    • Find @RetryableTopic without @DltHandler
    • Flags classes that use @RetryableTopic without a corresponding @DltHandler method. A DLT handler should be defined to process messages that have exhausted all retries.
  • io.moderne.java.spring.kafka.consumer.IsKafkaConsumer
    • Is likely a Kafka consumer module
    • Marks the project if it's likely a Kafka consumer module.
  • io.moderne.java.spring.kafka.producer.FindCustomKeyUsage
    • Find KafkaTemplate.send() with custom key
    • Flags KafkaTemplate.send() calls that use a custom key (3+ arguments). Custom keys should be reviewed to ensure they provide appropriate partition distribution.
  • io.moderne.java.spring.kafka.producer.IsKafkaProducer
    • Is likely a Kafka producer module
    • Marks the project if it's likely a Kafka producer module.
  • io.moderne.java.spring.orm.SpringORM5
    • Migrate to Spring ORM to 5
    • Migrate applications using Spring ORM Hibernate Support to Hibernate 5 compatible version. This will enable a further migration by the Spring Framework migration past 5.
  • io.moderne.java.spring.security.MigrateAcegiToSpringSecurity_5_0
    • Migrate from Acegi Security 1.0.x to Spring Security 5.0
    • Migrates Acegi Security 1.0.x directly to Spring Security 5.0. This recipe handles dependency changes, type renames, XML configuration updates, web.xml filter migration, and adds TODO comments for password encoders that require manual migration.
  • io.moderne.java.spring.security6.MigrateAntPathRequestMatcher
    • Migrate antPathRequestMatcher to pathPatternRequestMatcher
    • In Spring Security 6.5, AntPathRequestMatcher is deprecated in favor of PathPatternRequestMatcher. This recipe migrates static method calls and constructor usage to the new pattern.
  • io.moderne.java.spring.security6.UpgradeSpringSecurity_6_5
    • Migrate to Spring Security 6.5 (Moderne Edition)
    • Migrate applications to the latest Spring Security 6.5 release. This recipe will modify an application's build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changes between versions.
  • io.moderne.java.spring.security7.MigrateMvcRequestMatcher
    • Migrate MvcRequestMatcher to PathPatternRequestMatcher
    • In Spring Security 7.0, MvcRequestMatcher which depends on the deprecated HandlerMappingIntrospector is removed in favor of PathPatternRequestMatcher. This recipe migrates constructor and builder usage to the new pattern.
  • io.moderne.java.spring.security7.MigrateOAuth2AccessTokenResponseClient
    • Migrate OAuth2AccessTokenResponseClient from RestOperations to RestClient based implementations
    • A new set of OAuth2AccessTokenResponseClient implementations were introduced based on RestClient. This recipe replaces the RestOperations-based implementations which have been deprecated. The RestClient implementations are drop-in replacements for the deprecated implementations.
  • io.moderne.java.spring.security7.MigrateOAuth2RestOperationsToRestClient
    • Migrate OAuth2 token response client from RestOperations to RestClient
    • Migrates setRestOperations(RestOperations) calls to setRestClient(RestClient) on the new RestClient-based OAuth2 AccessTokenResponseClient implementations. The RestClient-based implementations introduced in Spring Security 7 use RestClient instead of RestOperations.
  • io.moderne.java.spring.security7.MigrateRequiresChannelToRedirectToHttps
    • Migrate requiresChannel() to redirectToHttps()
    • In Spring Security 7.0, HttpSecurity.requiresChannel() is deprecated in favor of HttpSecurity.redirectToHttps(). This recipe renames the method call and simplifies anyRequest().requiresSecure() to Customizer.withDefaults().
  • io.moderne.java.spring.security7.ModularizeSpringSecurity7
    • Spring Security 7 modularization
    • Spring Security Core was modularized in version 7, deprecated classes that are still a crucial part of some applications are moved to spring-security-access.

rewrite-tapestry

  • org.openrewrite.tapestry.ChangeTapestryPackages
    • Change Tapestry 4 packages to Tapestry 5
    • Updates package imports from org.apache.tapestry to org.apache.tapestry5. Only renames packages that have direct equivalents in Tapestry 5.
  • org.openrewrite.tapestry.ChangeTapestryTypes
    • Change Tapestry 4 types to Tapestry 5 equivalents
    • Renames Tapestry 4 types that have direct equivalents in Tapestry 5. This handles types from different packages that were reorganized in T5.
  • org.openrewrite.tapestry.ConvertAnnotatedMethodToField
    • Convert annotated abstract method to field
    • Converts abstract getter methods annotated with sourceAnnotation to private fields annotated with targetAnnotation. Also removes corresponding abstract setter methods.
  • org.openrewrite.tapestry.ConvertBeanAnnotation
    • Convert Tapestry 4 @Bean to @Property
    • Converts Tapestry 4's @Bean annotation to @Property fields. Bean initialization with 'initializer' attribute requires manual migration.
  • org.openrewrite.tapestry.ConvertListenerInterfaces
    • Convert Tapestry 4 listener interfaces to Tapestry 5 annotations
    • Converts Tapestry 4 page lifecycle listener interfaces (PageBeginRenderListener, PageEndRenderListener, etc.) to Tapestry 5 lifecycle annotations (@SetupRender, @CleanupRender, etc.) and removes the interface implementations.
  • org.openrewrite.tapestry.MigrateTapestry4To5
    • Migrate Tapestry 4 to Tapestry 5
    • Migrates Apache Tapestry 4 applications to Tapestry 5. This includes package renames, removing base class inheritance, converting listener interfaces to annotations, and updating dependencies.
  • org.openrewrite.tapestry.RemoveIRequestCycleParameter
    • Remove IRequestCycle parameters
    • Removes IRequestCycle parameters from methods. In Tapestry 5, event handler methods don't receive the request cycle as a parameter.
  • org.openrewrite.tapestry.RemoveObsoleteFormTypes
    • Remove obsolete Tapestry form types
    • Removes field declarations and imports for Tapestry 4 form component types (IPropertySelectionModel, StringPropertySelectionModel, etc.) that don't exist in Tapestry 5. Code using these types will need manual refactoring to use Tapestry 5's SelectModel pattern.
  • org.openrewrite.tapestry.RemoveTapestryBaseClasses
    • Remove Tapestry 4 base classes
    • Removes Tapestry 4 base class inheritance (BasePage, BaseComponent, AbstractComponent) and converts the class to a POJO suitable for Tapestry 5. Abstract getter/setter methods are converted to fields with @Property annotation.
  • org.openrewrite.tapestry.ReplaceReverseComparator
    • Replace ReverseComparator with Collections.reverseOrder()
    • Replaces tapestry-contrib's ReverseComparator with the standard Java Collections.reverseOrder() method.
  • org.openrewrite.tapestry.UpdateTapestryDependencies
    • Update Tapestry dependencies
    • Updates dependencies from Tapestry 4 to Tapestry 5.

rewrite-vulncheck

  • io.moderne.vulncheck.FixVulnCheckVulnerabilities
    • Use VulnCheck Exploit Intelligence to fix vulnerabilities
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity.

org.openrewrite

rewrite-python

org.openrewrite.recipe

rewrite-android

rewrite-circleci

rewrite-codemods-ng

rewrite-compiled-analysis

rewrite-concourse

rewrite-dotnet

rewrite-java-security

  • org.openrewrite.csharp.dependencies.DependencyInsight
    • Dependency insight for C#
    • Finds dependencies in *.csproj and packages.config.
  • org.openrewrite.csharp.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable Nuget dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
  • org.openrewrite.csharp.dependencies.UpgradeDependencyVersion
    • Upgrade C# dependency versions
    • Upgrades dependencies in *.csproj, Directory.Packages.props, and packages.config.
  • org.openrewrite.java.dependencies.AddExplicitTransitiveDependencies
    • Add explicit transitive dependencies
    • Detects when Java source code or configuration files reference types from transitive Maven dependencies and promotes those transitive dependencies to explicit direct dependencies in the pom.xml. This ensures the build is resilient against changes in transitive dependency trees of upstream libraries.
  • org.openrewrite.java.dependencies.DependencyLicenseCheck
    • Find licenses in use in third-party dependencies
    • Locates and reports on all licenses in use.
  • org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Upgrades dependencies versioned according to Semantic Versioning. ## Customizing Vulnerability Data This recipe can be customized by extending DependencyVulnerabilityCheckBase and overriding the vulnerability data sources: - baselineVulnerabilities(ExecutionContext ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file using ResourceUtils.parseResourceAsCsv(). Override this method to replace the entire vulnerability dataset with your own curated list. - supplementalVulnerabilities(ExecutionContext ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database. Both methods return List&lt;Vulnerability&gt; objects. Vulnerability data can be loaded from CSV files using ResourceUtils.parseResourceAsCsv(path, Vulnerability.class, consumer) or constructed programmatically. To customize, extend DependencyVulnerabilityCheckBase and override one or both methods depending on your needs. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source. Last updated: 2026-04-20T1128.
  • org.openrewrite.java.dependencies.RemoveUnusedDependencies
    • Remove unused dependencies
    • Scans through source code collecting references to types and methods, removing any dependencies that are not used from Maven or Gradle build files. This is best effort and not guaranteed to work well in all cases; false positives are still possible. This recipe takes reflective access into account: - When reflective access to a class is made unambiguously via a string literal, such as: Class.forName(&quot;java.util.List&quot;) that is counted correctly. - When reflective access to a class is made ambiguously via anything other than a string literal no dependencies will be removed. This recipe takes transitive dependencies into account: - When a direct dependency is not used but a transitive dependency it brings in is in use the direct dependency is not removed.
  • org.openrewrite.java.dependencies.SoftwareBillOfMaterials
    • Software bill of materials
    • Produces a software bill of materials (SBOM) for a project. An SBOM is a complete list of all dependencies used in a project, including transitive dependencies. The produced SBOM is in the CycloneDX XML format. Supports Gradle and Maven. Places a file named sbom.xml adjacent to the Gradle or Maven build file.
  • org.openrewrite.java.security.FindTextDirectionChanges
    • Find text-direction changes
    • Finds unicode control characters which can change the direction text is displayed in. These control characters can alter how source code is presented to a human reader without affecting its interpretation by tools like compilers. So a malicious patch could pass code review while introducing vulnerabilities. Note that text direction-changing unicode control characters aren't inherently malicious. These characters can appear for legitimate reasons in code written in or dealing with right-to-left languages. See: https://trojansource.codes/ for more information.
  • org.openrewrite.java.security.FixCwe338
    • Fix CWE-338 with SecureRandom
    • Use a cryptographically strong pseudo-random number generator (PRNG).
  • org.openrewrite.java.security.FixCwe918
    • Remediate server-side request forgery (SSRF)
    • Inserts a guard that validates URLs constructed from user-controlled input do not target internal network addresses, blocking server-side request forgery (SSRF) attacks.
  • org.openrewrite.java.security.ImproperPrivilegeManagement
    • Improper privilege management
    • Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it.
  • org.openrewrite.java.security.JavaSecurityBestPractices
    • Java security best practices
    • Applies security best practices to Java code.
  • org.openrewrite.java.security.Owasp2025A01
    • Remediate OWASP A01:2025 Broken access control
    • OWASP A01:2025 describes failures related to broken access control.
  • org.openrewrite.java.security.Owasp2025A02
    • Remediate OWASP A02:2025 Security misconfiguration
    • OWASP A02:2025 describes failures related to security misconfiguration. Previously A05:2021, this category moved up to #2 in 2025.
  • org.openrewrite.java.security.Owasp2025A03
    • Remediate OWASP A03:2025 Software supply chain failures
    • OWASP A03:2025 describes failures related to the software supply chain, including vulnerable and outdated components. Expanded from A06:2021 Vulnerable and Outdated Components.
  • org.openrewrite.java.security.Owasp2025A04
    • Remediate OWASP A04:2025 Cryptographic failures
    • OWASP A04:2025 describes failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. Previously A02:2021.
  • org.openrewrite.java.security.Owasp2025A05
    • Remediate OWASP A05:2025 Injection
    • OWASP A05:2025 describes failures related to user-supplied data being used to influence program state to operate outside of its intended bounds. Previously A03:2021.
  • org.openrewrite.java.security.OwaspA01
    • Remediate OWASP A01:2021 Broken access control
    • OWASP A01:2021 describes failures related to broken access control.
  • org.openrewrite.java.security.OwaspA02
    • Remediate OWASP A02:2021 Cryptographic failures
    • OWASP A02:2021 describes failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. This recipe seeks to remediate these vulnerabilities.
  • org.openrewrite.java.security.OwaspA03
    • Remediate OWASP A03:2021 Injection
    • OWASP A03:2021 describes failures related to user-supplied data being used to influence program state to operate outside of its intended bounds. This recipe seeks to remediate these vulnerabilities.
  • org.openrewrite.java.security.OwaspA05
    • Remediate OWASP A05:2021 Security misconfiguration
    • OWASP A05:2021 describes failures related to security misconfiguration.
  • org.openrewrite.java.security.OwaspA06
    • Remediate OWASP A06:2021 Vulnerable and outdated components
    • OWASP A06:2021 describes failures related to vulnerable and outdated components.
  • org.openrewrite.java.security.OwaspA08
    • Remediate OWASP A08:2021 Software and data integrity failures
    • OWASP A08:2021 software and data integrity failures.
  • org.openrewrite.java.security.OwaspTopTen
    • Remediate vulnerabilities from the OWASP Top Ten
    • OWASP publishes a list of the most impactful common security vulnerabilities. These recipes identify and remediate vulnerabilities from the OWASP Top Ten.
  • org.openrewrite.java.security.PartialPathTraversalVulnerability
    • Partial path traversal vulnerability
    • Replaces dir.getCanonicalPath().startsWith(parent.getCanonicalPath(), which is vulnerable to partial path traversal attacks, with the more secure dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath()). To demonstrate this vulnerability, consider &quot;/usr/outnot&quot;.startsWith(&quot;/usr/out&quot;). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File(&quot;/var&quot;)) will print /var, but println(new File(&quot;/var&quot;, &quot;/&quot;) will print /var/; however, println(new File(&quot;/var&quot;, &quot;/&quot;).getCanonicalPath()) will print /var.
  • org.openrewrite.java.security.RegularExpressionDenialOfService
    • Regular Expression Denial of Service (ReDOS)
    • ReDoS is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). See the OWASP description of this attack here for more details.
  • org.openrewrite.java.security.SecureRandom
    • Secure random
    • Use cryptographically secure Pseudo Random Number Generation in the "main" source set. Replaces instantiation of java.util.Random with java.security.SecureRandom.
  • org.openrewrite.java.security.SecureRandomPrefersDefaultSeed
    • SecureRandom seeds are not constant or predictable
    • Remove SecureRandom#setSeed(*) method invocations having constant or predictable arguments.
  • org.openrewrite.java.security.SecureTempFileCreation
    • Use secure temporary file creation
    • java.io.File.createTempFile() has exploitable default file permissions. This recipe migrates to the more secure java.nio.file.Files.createTempFile().
  • org.openrewrite.java.security.UseFilesCreateTempDirectory
    • Use Files#createTempDirectory
    • Use Files#createTempDirectory when the sequence File#createTempFile(..)->File#delete()->File#mkdir() is used for creating a temp directory.
  • org.openrewrite.java.security.XmlParserXXEVulnerability
    • XML parser XXE vulnerability
    • Avoid exposing dangerous features of the XML parser by updating certain factory settings.
  • org.openrewrite.java.security.ZipSlip
    • Zip slip
    • Zip slip is an arbitrary file overwrite critical vulnerability, which typically results in remote command execution. A fuller description of this vulnerability is available in the Snyk documentation on it.
  • org.openrewrite.java.security.marshalling.InsecureJmsDeserialization
    • Insecure JMS deserialization
    • JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage#getObject is called. Deserialization of untrusted data can lead to security flaws.
  • org.openrewrite.java.security.marshalling.SecureJacksonDefaultTyping
    • Secure the use of Jackson default typing
    • See the blog post on this subject.
  • org.openrewrite.java.security.marshalling.SecureSnakeYamlConstructor
    • Secure the use of SnakeYAML's constructor
    • See the paper on this subject.
  • org.openrewrite.java.security.search.FindCommandInjection
    • Find OS command injection vectors
    • Finds calls to Runtime.exec(String) which passes the command through a shell interpreter, enabling command injection via metacharacters like ;, |, and &amp;&amp;. Use the String[] overload instead to avoid shell interpretation.
  • org.openrewrite.java.security.search.FindExpressionLanguageInjection
    • Find Expression Language injection vectors
    • Finds calls to Expression Language (EL) evaluation methods which, when the expression is built from user input, can allow arbitrary code execution. Use parameterized expressions or input validation instead.
  • org.openrewrite.java.security.search.FindHardcodedIv
    • Find hardcoded initialization vectors
    • Finds IvParameterSpec constructed with hardcoded byte arrays or string literals. A static IV makes CBC and other modes deterministic, enabling chosen-plaintext attacks. IVs should be generated randomly using SecureRandom for each encryption operation.
  • org.openrewrite.java.security.search.FindHttpResponseSplitting
    • Find HTTP response splitting vectors
    • Finds calls to HttpServletResponse.addHeader(), setHeader(), and addCookie() which, when header values are derived from user input without CRLF sanitization, can allow HTTP response splitting attacks. Full taint-based detection requires rewrite-program-analysis; this recipe identifies the sink call sites for manual review.
  • org.openrewrite.java.security.search.FindInadequateKeySize
    • Find inadequate cryptographic key sizes
    • Finds cryptographic key generation with inadequate key sizes. RSA keys should be at least 2048 bits, DSA keys at least 2048 bits, EC keys at least 256 bits, and symmetric keys (AES) at least 128 bits. NIST recommends RSA-2048+ and AES-128+ as minimum for all new applications.
  • org.openrewrite.java.security.search.FindJacksonDefaultTypeMapping
    • Find Jackson default type mapping enablement
    • ObjectMapper#enableTypeMapping(..) can lead to vulnerable deserialization.
  • org.openrewrite.java.security.search.FindPermissiveCorsConfiguration
    • Find permissive CORS configuration
    • Finds overly permissive CORS configurations that allow all origins, which can expose the application to cross-domain attacks.
  • org.openrewrite.java.security.search.FindPredictableSalt
    • Find predictable cryptographic salts
    • Finds PBEParameterSpec and PBEKeySpec constructed with hardcoded salt byte arrays. A predictable salt undermines the purpose of salting, making rainbow table and precomputation attacks feasible. Salts should be generated randomly using SecureRandom.
  • org.openrewrite.java.security.search.FindProcessControl
    • Find process control vectors
    • Finds calls to System.loadLibrary(), System.load(), and Runtime.load() which, when the library path or name is derived from user input, can allow an attacker to load arbitrary native code. Ensure library names are not externally controlled.
  • org.openrewrite.java.security.search.FindResourceInjection
    • Find resource injection vectors
    • Detects resource injection vulnerabilities where user-controlled input flows to resource access operations — file paths, JNDI lookups, class loading, and native library loading. Uses taint analysis from rewrite-program-analysis for source-to-sink tracking with sanitizer support, plus structural detection as fallback.
  • org.openrewrite.java.security.search.FindRsaWithoutOaep
    • Find RSA encryption without OAEP padding
    • Finds uses of RSA encryption with PKCS#1 v1.5 padding or no padding specification. RSA without OAEP padding is vulnerable to padding oracle attacks. Use RSA/ECB/OAEPWithSHA-256AndMGF1Padding or equivalent OAEP mode instead.
  • org.openrewrite.java.security.search.FindScriptEngineInjection
    • Find script engine code injection vectors
    • Finds calls to ScriptEngine.eval() which can execute arbitrary code if the script string is influenced by user input. Consider sandboxing or removing dynamic script evaluation.
  • org.openrewrite.java.security.search.FindSensitiveApiEndpoints
    • Find sensitive API endpoints
    • Find data models exposed by REST APIs that contain sensitive information like PII and secrets.
  • org.openrewrite.java.security.search.FindSqlInjection
    • Find potential SQL injection
    • Finds SQL query methods where the query string is constructed via string concatenation, which may indicate SQL injection vulnerabilities. Use parameterized queries or prepared statements instead.
  • org.openrewrite.java.security.search.FindUnsafeReflection
    • Find unsafe reflection vectors
    • Finds calls to Class.forName() which, when the class name is derived from user input, can allow an attacker to instantiate arbitrary classes. Review these call sites to ensure the class name is not externally controlled.
  • org.openrewrite.java.security.search.FindVulnerableJacksonJsonTypeInfo
    • Find vulnerable uses of Jackson @JsonTypeInfo
    • Identify where attackers can deserialize gadgets into a target field.
  • org.openrewrite.java.security.search.FindWeakCryptoAlgorithm
    • Find weak cryptographic algorithms
    • Finds uses of broken or risky cryptographic algorithms such as MD5, SHA-1, DES, DESede (3DES), RC2, RC4, and Blowfish in calls to Cipher.getInstance(), MessageDigest.getInstance(), Mac.getInstance(), KeyGenerator.getInstance(), and SecretKeyFactory.getInstance().
  • org.openrewrite.java.security.search.FindWeakPasswordHashing
    • Find weak password hashing
    • Finds uses of MessageDigest.getInstance() with algorithms unsuitable for password hashing (MD5, SHA-1, SHA-256, SHA-384, SHA-512). Passwords should be hashed with a purpose-built password hashing function such as bcrypt, scrypt, Argon2, or PBKDF2 that includes a salt and a tunable work factor.
  • org.openrewrite.java.security.search.FindXPathInjection
    • Find XPath injection vectors
    • Finds calls to XPath.evaluate() and XPath.compile() which, when the expression is built from user input, can allow XPath injection attacks. Use parameterized XPath expressions or input validation instead.
  • org.openrewrite.java.security.secrets.FindArtifactorySecrets
    • Find Artifactory secrets
    • Locates Artifactory secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindAwsSecrets
    • Find AWS secrets
    • Locates AWS secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindAzureSecrets
    • Find Azure secrets
    • Locates Azure secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindDiscordSecrets
    • Find Discord secrets
    • Locates Discord secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindFacebookSecrets
    • Find Facebook secrets
    • Locates Facebook secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindGenericSecrets
    • Find generic secrets
    • Locates generic secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindGitHubSecrets
    • Find GitHub secrets
    • Locates GitHub secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindGoogleSecrets
    • Find Google secrets
    • Locates Google secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindHerokuSecrets
    • Find Heroku secrets
    • Locates Heroku secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindJwtSecrets
    • Find JWT secrets
    • Locates JWTs stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindMailChimpSecrets
    • Find MailChimp secrets
    • Locates MailChimp secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindMailgunSecrets
    • Find Mailgun secrets
    • Locates Mailgun secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindNpmSecrets
    • Find NPM secrets
    • Locates NPM secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindPasswordInUrlSecrets
    • Find passwords used in URLs
    • Locates URLs that contain passwords in plain text.
  • org.openrewrite.java.security.secrets.FindPayPalSecrets
    • Find PayPal secrets
    • Locates PayPal secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindPgpSecrets
    • Find PGP secrets
    • Locates PGP secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindPicaticSecrets
    • Find Picatic secrets
    • Locates Picatic secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindRsaSecrets
    • Find RSA private keys
    • Locates RSA private keys stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindSecrets
    • Find secrets
    • Locates secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindSecretsByPattern
    • Find secrets with regular expressions
    • A secret is a literal that matches any one of the provided patterns.
  • org.openrewrite.java.security.secrets.FindSendGridSecrets
    • Find SendGrid secrets
    • Locates SendGrid secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindSlackSecrets
    • Find Slack secrets
    • Locates Slack secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindSquareSecrets
    • Find Square secrets
    • Locates Square secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindSshSecrets
    • Find SSH secrets
    • Locates SSH secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindStripeSecrets
    • Find Stripe secrets
    • Locates Stripe secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindTelegramSecrets
    • Find Telegram secrets
    • Locates Telegram secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindTwilioSecrets
    • Find Twilio secrets
    • Locates Twilio secrets stored in plain text in code.
  • org.openrewrite.java.security.secrets.FindTwitterSecrets
    • Find Twitter secrets
    • Locates Twitter secrets stored in plain text in code.
  • org.openrewrite.java.security.servlet.CookieSetHttpOnly
    • Cookies missing HttpOnly flag
    • Check for use of cookies without the HttpOnly flag. Cookies should be marked as HttpOnly to prevent client-side scripts from accessing them, reducing the risk of cross-site scripting (XSS) attacks.
  • org.openrewrite.java.security.servlet.CookieSetSecure
    • Insecure cookies
    • Check for use of insecure cookies. Cookies should be marked as secure. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
  • org.openrewrite.java.security.spring.CsrfProtection
    • Enable CSRF attack prevention
    • Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full OWASP cheatsheet.
  • org.openrewrite.java.security.spring.InsecureSpringServiceExporter
    • Secure Spring service exporters
    • The default Java deserialization mechanism is available via ObjectInputStream class. This mechanism is known to be vulnerable. If an attacker can make an application deserialize malicious data, it may result in arbitrary code execution. Spring’s RemoteInvocationSerializingExporter uses the default Java deserialization mechanism to parse data. As a result, all classes that extend it are vulnerable to deserialization attacks. The Spring Framework contains at least HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter that extend RemoteInvocationSerializingExporter. These exporters parse data from the HTTP body using the unsafe Java deserialization mechanism. See the full blog post by Artem Smotrakov on CVE-2016-1000027 from which the above description is excerpted.
  • org.openrewrite.java.security.spring.PreventClickjacking
    • Prevent clickjacking
    • The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a &lt;frame&gt; or &lt;iframe&gt;. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites.
  • org.openrewrite.java.security.spring.RemoveEnableWebSecurityDebug
    • Remove debug mode from Spring Security
    • Removes the debug attribute from @EnableWebSecurity annotations to prevent sensitive security information from being logged in production.
  • org.openrewrite.python.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable PyPI dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable. ## Customizing Vulnerability Data This recipe can be customized by extending DependencyVulnerabilityCheckBase and overriding the vulnerability data sources: - baselineVulnerabilities(ExecutionContext ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file using ResourceUtils.parseResourceAsCsv(). Override this method to replace the entire vulnerability dataset with your own curated list. - supplementalVulnerabilities(ExecutionContext ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database. Both methods return List&lt;Vulnerability&gt; objects. Vulnerability data can be loaded from CSV files using ResourceUtils.parseResourceAsCsv(path, Vulnerability.class, consumer) or constructed programmatically. To customize, extend DependencyVulnerabilityCheckBase and override one or both methods depending on your needs. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source.
  • org.openrewrite.recipe.rewrite-java-security.InlineDeprecatedMethods
    • Inline deprecated delegating methods
    • Automatically generated recipes to inline deprecated method calls that delegate to other methods in the same class.
  • org.openrewrite.text.FindHardcodedLoopbackAddresses
    • Find hard-coded loopback IPv4 addresses
    • Locates mentions of hard-coded IPv4 addresses from the loopback IP range. The loopback IP range includes 127.0.0.0 to 127.255.255.255. This detects the entire localhost/loopback subnet range, not just the commonly used 127.0.0.1.
  • org.openrewrite.text.FindHardcodedPrivateIPAddresses
    • Find hard-coded private IPv4 addresses
    • Locates mentions of hard-coded IPv4 addresses from private IP ranges. Private IP ranges include: * 192.168.0.0 to 192.168.255.255 * 10.0.0.0 to 10.255.255.255 * 172.16.0.0 to 172.31.255.255 It is not detecting the localhost subnet 127.0.0.0 to 127.255.255.255.
  • org.openrewrite.text.RemoveHardcodedIPAddressesFromComments
    • Remove hard-coded IP addresses from comments
    • Removes hard-coded IPv4 addresses from comments when they match private IP ranges or loopback addresses. This targets IP addresses that are commented out in various comment formats: Private IP ranges: * 192.168.0.0 to 192.168.255.255 * 10.0.0.0 to 10.255.255.255 * 172.16.0.0 to 172.31.255.255 Loopback IP range: * 127.0.0.0 to 127.255.255.255 Supported comment formats: * C-style line comments (//) * C-style block comments (/* */) * Shell/Python style comments (#) * XML comments (&lt;!-- --&gt;) * YAML comments (#) * Properties file comments (# or !) For line comments, the entire line is removed. For block comments, only the IP address is removed.

rewrite-kubernetes

rewrite-migrate-kotlin

rewrite-migrate-python

rewrite-nodejs

rewrite-reactive-streams

rewrite-sql

rewrite-static-analysis-python

rewrite-struts

rewrite-terraform