Skip to main content

Scanning Recipes

This doc contains all scanning recipes.

rewrite-all

  • org.openrewrite.FindDuplicateSourceFiles
    • Find duplicate source files
    • Record the presence of LSTs with duplicate paths, indicating that the same file was parsed more than once.
  • org.openrewrite.LanguageComposition
    • Language composition report
    • Counts the number of lines of the various kinds of source code and data formats parsed by OpenRewrite. Comments are not included in line counts. This recipe emits its results as two data tables, making no changes to any source file. One data table is per-file, the other is per-repository.

rewrite-analysis

rewrite-azul

rewrite-codemods

rewrite-codemods-ng

rewrite-concourse

rewrite-core

  • org.openrewrite.AddToGitignore
    • Add entries to .gitignore
    • Adds entries to the project's .gitignore file. If no .gitignore file exists, one will be created. Existing entries that match will not be duplicated.
  • org.openrewrite.ExcludeFileFromGitignore
    • Remove ignoral of files or directories from .gitignore
    • This recipe will remove a file or directory from the .gitignore file. If the file or directory is already in the .gitignore file, it will be removed or negated. If the file or directory is not in the .gitignore file, no action will be taken.
  • org.openrewrite.FindCollidingSourceFiles
    • Find colliding source files
    • Finds source files which share a path with another source file. There should always be exactly one source file per path within a repository. This is a diagnostic for finding problems in OpenRewrite parsers/build plugins.
  • org.openrewrite.FindGitProvenance
    • Show Git source control metadata
    • List out the contents of each unique GitProvenance marker in the set of source files. When everything is working correctly, exactly one such marker should be printed as all source files are expected to come from the same repository / branch / commit hash.
  • org.openrewrite.FindLstProvenance
    • Find LST provenance
    • Produces a data table showing what versions of OpenRewrite/Moderne tooling was used to produce a given LST.
  • org.openrewrite.ListRuntimeClasspath
    • List runtime classpath
    • A diagnostic utility which emits the runtime classpath to a data table.
  • org.openrewrite.search.FindCommitters
    • Find committers on repositories
    • List the committers on a repository.
  • org.openrewrite.search.RepositoryContainsFile
    • Repository contains file
    • Intended to be used primarily as a precondition for other recipes, this recipe checks if a repository contains a specific file or files matching a pattern. If present all files in the repository are marked with a SearchResult marker. If you want to get only the matching file as a search result, use FindSourceFiles instead.
  • org.openrewrite.text.AppendToTextFile
    • Append to text file
    • Appends or replaces content of an existing plain text file, or creates a new one if it doesn't already exist. Please note that this recipes requires existing plain text files' format to be successfully parsable by OpenRewrite. If a file is left unchanged, it might be parsed as a Quark rather than plain text. In such case, use the plainTextMask option. See the Gradle or Maven plugin configuration page.
  • org.openrewrite.text.CreateTextFile
    • Create text file
    • Creates a new plain text file.

rewrite-csharp

rewrite-dotnet

rewrite-gradle

  • org.openrewrite.gradle.AddDependency
    • Add Gradle dependency
    • Add a gradle dependency to a build.gradle file in the correct configuration based on where it is used.
  • org.openrewrite.gradle.AddPlatformDependency
    • Add Gradle platform dependency
    • Add a gradle platform dependency to a build.gradle file in the correct configuration based on where it is used.
  • org.openrewrite.gradle.AddProperty
    • Add Gradle property
    • Add a property to the gradle.properties file.
  • org.openrewrite.gradle.MigrateDependenciesToVersionCatalog
    • Migrate Gradle project dependencies to version catalog
    • Migrates Gradle project dependencies to use the version catalog feature. Supports migrating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' * Property references: "group:artifact:$version" or "group:artifact:${version}" The recipe will: * Create a gradle/libs.versions.toml file with version declarations * Replace dependency declarations with catalog references (e.g., libs.springCore) * Migrate version properties from gradle.properties to the version catalog * Preserve project dependencies unchanged Note: If a version catalog already exists, the recipe will not modify it.
  • org.openrewrite.gradle.UpdateGradleWrapper
    • Update Gradle wrapper
    • Update the version of Gradle used in an existing Gradle wrapper. Queries services.gradle.org to determine the available releases, but prefers the artifact repository URL which already exists within the wrapper properties file. If your artifact repository does not contain the same Gradle distributions as services.gradle.org, then the recipe may suggest a version which is not available in your artifact repository.
  • org.openrewrite.gradle.UpgradeDependencyVersion
    • Upgrade Gradle dependency versions
    • Upgrade the version of a dependency in a build.gradle file. Supports updating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' Can update version numbers which are defined earlier in the same file in variable declarations.
  • org.openrewrite.gradle.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Gradle dependencies
    • Upgrades the version of a transitive dependency in a Gradle build file. There are many ways to do this in Gradle, so the mechanism for upgrading a transitive dependency must be considered carefully depending on your style of dependency management.
  • org.openrewrite.gradle.plugins.UpgradePluginVersion
    • Update a Gradle plugin by id
    • Update a Gradle plugin by id to a later version defined by the plugins DSL. To upgrade a plugin dependency defined by buildscript.dependencies, use the UpgradeDependencyVersion recipe instead.
  • org.openrewrite.gradle.search.ModuleHasDependency
    • Module has dependency
    • Searches for Gradle Projects (modules) that have a dependency matching the specified id or implementing class. Places a SearchResult marker on all sources within a project with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file that use the dependency, use the FindDependency recipe instead.
  • org.openrewrite.gradle.search.ModuleHasPlugin
    • Module has plugin
    • Searches for Gradle Projects (modules) that have a plugin matching the specified id or implementing class. Places a SearchResult marker on all sources within a project with a matching plugin. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that apply the spring dependency management plugin, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindPlugins recipe instead.

rewrite-hcl

rewrite-hibernate

rewrite-java

rewrite-java-dependencies

  • org.openrewrite.java.dependencies.AddDependency
    • Add Gradle or Maven dependency
    • For a Gradle project, add a gradle dependency to a build.gradle file in the correct configuration based on where it is used. Or For a maven project, Add a Maven dependency to a pom.xml file in the correct scope based on where it is used.
  • org.openrewrite.java.dependencies.DependencyResolutionDiagnostic
    • Dependency resolution diagnostic
    • Recipes which manipulate dependencies must be able to successfully access the artifact repositories and resolve dependencies from them. This recipe produces two data tables used to understand the state of dependency resolution. The Repository accessibility report lists all the artifact repositories known to the project and whether respond to network access. The network access is attempted while the recipe is run and so is representative of current conditions. The Gradle dependency configuration errors lists all the dependency configurations that failed to resolve one or more dependencies when the project was parsed. This is representative of conditions at the time the LST was parsed.
  • org.openrewrite.java.dependencies.RelocatedDependencyCheck
    • Find relocated dependencies
    • Find Maven and Gradle dependencies and Maven plugins that have relocated to a new groupId or artifactId. Relocation information comes from the oga-maven-plugin maintained by Jonathan Lermitage, Filipe Roque and others. This recipe makes no changes to any source file by default. Add changeDependencies=true to change dependencies, but note that you might need to run additional recipes to update imports and adopt other breaking changes.
  • org.openrewrite.java.dependencies.RemoveDependency
    • Remove a Gradle or Maven dependency
    • For Gradle project, removes a single dependency from the dependencies section of the build.gradle. For Maven project, removes a single dependency from the <dependencies> section of the pom.xml.
  • org.openrewrite.java.dependencies.RemoveRedundantDependencies
    • Remove redundant explicit dependencies
    • Remove explicit dependencies that are already provided transitively by a specified dependency. This recipe downloads and resolves the parent dependency's POM to determine its true transitive dependencies, allowing it to detect redundancies even when both dependencies are explicitly declared.
  • org.openrewrite.java.dependencies.UpgradeDependencyVersion
    • Upgrade Gradle or Maven dependency versions
    • For Gradle projects, upgrade the version of a dependency in a build.gradle file. Supports updating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' It is possible to update version numbers which are defined earlier in the same file in variable declarations. For Maven projects, upgrade the version of a dependency by specifying a group ID and (optionally) an artifact ID using Node Semver advanced range selectors, allowing more precise control over version updates to patch or minor releases.
  • org.openrewrite.java.dependencies.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Gradle or Maven dependencies
    • Upgrades the version of a transitive dependency in a Maven pom.xml or Gradle build.gradle. Leaves direct dependencies unmodified. Can be paired with the regular Upgrade Dependency Version recipe to upgrade a dependency everywhere, regardless of whether it is direct or transitive.
  • org.openrewrite.java.dependencies.search.FindMinimumDependencyVersion
    • Find the oldest matching dependency version in use
    • The oldest dependency version in use is the lowest dependency version in use in any source set of any subproject of a repository. It is possible that, for example, the main source set of a project uses Jackson 2.11, but a test source set uses Jackson 2.16. In this case, the oldest Jackson version in use is Java 2.11.
  • org.openrewrite.java.dependencies.search.FindMinimumJUnitVersion
    • Find minimum JUnit version
    • A recipe to find the minimum version of JUnit dependencies. This recipe is designed to return the minimum version of JUnit in a project. It will search for JUnit 4 and JUnit 5 dependencies in the project. If both versions are found, it will return the minimum version of JUnit 4. If a minimumVersion is provided, the recipe will search to see if the minimum version of JUnit used by the project is no lower than the minimumVersion. For example: if the minimumVersion is 4, and the project has JUnit 4.12 and JUnit 5.7, the recipe will return JUnit 4.12. If the project has only JUnit 5.7, the recipe will return JUnit 5.7. Another example: if the minimumVersion is 5, and the project has JUnit 4.12 and JUnit 5.7, the recipe will not return any results.
  • org.openrewrite.java.dependencies.search.ModuleHasDependency
    • Module has dependency
    • Searches for both Gradle and Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) or pom.xml file applying the plugin, use the FindDependency recipe instead.
  • org.openrewrite.java.dependencies.search.RepositoryHasDependency
    • Repository has dependency
    • Searches for both Gradle and Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a repository with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use a springframework dependency, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) or pom.xml file applying the plugin, use the FindDependency recipe instead.

rewrite-java-security

  • org.openrewrite.csharp.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable Nuget dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
  • org.openrewrite.java.dependencies.DependencyLicenseCheck
    • Find licenses in use in third-party dependencies
    • Locates and reports on all licenses in use.
  • org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Upgrades dependencies versioned according to Semantic Versioning. ## Customizing Vulnerability Data This recipe can be customized by extending DependencyVulnerabilityCheckBase and overriding the vulnerability data sources: - baselineVulnerabilities(ExecutionContext ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file using ResourceUtils.parseResourceAsCsv(). Override this method to replace the entire vulnerability dataset with your own curated list. - supplementalVulnerabilities(ExecutionContext ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database. Both methods return List<Vulnerability> objects. Vulnerability data can be loaded from CSV files using ResourceUtils.parseResourceAsCsv(path, Vulnerability.class, consumer) or constructed programmatically. To customize, extend DependencyVulnerabilityCheckBase and override one or both methods depending on your needs. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source. Last updated: 2026-01-05T1103.
  • org.openrewrite.java.dependencies.RemoveUnusedDependencies
    • Remove unused dependencies
    • Scans through source code collecting references to types and methods, removing any dependencies that are not used from Maven or Gradle build files. This recipe takes reflective access into account: When reflective access to a class is made unambiguously via a string literal, such as: Class.forName("java.util.List") that is counted correctly. When reflective access to a class is made ambiguously via anything other than a string literal no dependencies will be removed. This recipe takes transitive dependencies into account: When a direct dependency is not used but a transitive dependency it brings in is in use the direct dependency is not removed.
  • org.openrewrite.java.dependencies.SoftwareBillOfMaterials
    • Software bill of materials
    • Produces a software bill of materials (SBOM) for a project. An SBOM is a complete list of all dependencies used in a project, including transitive dependencies. The produced SBOM is in the CycloneDX XML format. Supports Gradle and Maven. Places a file named sbom.xml adjacent to the Gradle or Maven build file.
  • org.openrewrite.java.security.XmlParserXXEVulnerability
    • XML parser XXE vulnerability
    • Avoid exposing dangerous features of the XML parser by updating certain factory settings.
  • org.openrewrite.java.security.spring.CsrfProtection
    • Enable CSRF attack prevention
    • Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full OWASP cheatsheet.
  • org.openrewrite.java.security.spring.PreventClickjacking
    • Prevent clickjacking
    • The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites.

rewrite-jenkins

rewrite-joda

rewrite-json

rewrite-liberty

rewrite-maven

  • org.openrewrite.maven.AddDependency
    • Add Maven dependency
    • Add a Maven dependency to a pom.xml file in the correct scope based on where it is used.
  • org.openrewrite.maven.AddDevelocityMavenExtension
    • Add the Develocity Maven extension
    • To integrate the Develocity Maven extension into Maven projects, ensure that the develocity-maven-extension is added to the .mvn/extensions.xml file if not already present. Additionally, configure the extension by adding the .mvn/develocity.xml configuration file.
  • org.openrewrite.maven.AddManagedDependency
    • Add managed Maven dependency
    • Add a managed Maven dependency to a pom.xml file.
  • org.openrewrite.maven.AddRuntimeConfig
    • Add a configuration option for the Maven runtime
    • Add a new configuration option for the Maven runtime if not already present.
  • org.openrewrite.maven.IncrementProjectVersion
    • Increment Maven project version
    • Increase Maven project version by incrementing either the major, minor, or patch version as defined by semver. Other versioning schemes are not supported.
  • org.openrewrite.maven.ManageDependencies
    • Manage dependencies
    • Make existing dependencies managed by moving their version to be specified in the dependencyManagement section of the POM.
  • org.openrewrite.maven.RemoveUnusedProperties
    • Remove unused properties
    • Detect and remove Maven property declarations which do not have any usage within the project.
  • org.openrewrite.maven.UpdateMavenWrapper
    • Update Maven wrapper
    • Update the version of Maven used in an existing Maven wrapper.
  • org.openrewrite.maven.UpgradeDependencyVersion
    • Upgrade Maven dependency version
    • Upgrade the version of a dependency by specifying a group and (optionally) an artifact using Node Semver advanced range selectors, allowing more precise control over version updates to patch or minor releases.
  • org.openrewrite.maven.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Maven dependencies
    • Upgrades the version of a transitive dependency in a Maven pom file. Leaves direct dependencies unmodified. Can be paired with the regular Upgrade Dependency Version recipe to upgrade a dependency everywhere, regardless of whether it is direct or transitive.
  • org.openrewrite.maven.search.ModuleHasDependency
    • Module has dependency
    • Searches for Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindDependency recipe instead.
  • org.openrewrite.maven.search.ModuleHasPlugin
    • Module has plugin
    • Searches for Maven modules that have a plugin matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching plugin. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that apply the spring boot plugin, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindPlugins recipe instead.

rewrite-micronaut

rewrite-migrate-java

  • org.openrewrite.java.migrate.AddStaticVariableOnProducerSessionBean
    • Adds static modifier to @Produces fields that are in session beans
    • Ensures that the fields annotated with @Produces which is inside the session bean (@Stateless, @Stateful, or @Singleton) are declared static.
  • org.openrewrite.java.migrate.jakarta.HasNoJakartaAnnotations
    • Project has no Jakarta annotations
    • Mark all source as found per JavaProject where no Jakarta annotations are found. This is useful mostly as a precondition for recipes that require Jakarta annotations to be present.
  • org.openrewrite.java.migrate.javax.AddJaxbRuntime
    • Use latest JAXB API and runtime for Jakarta EE 8
    • Update build files to use the latest JAXB runtime from Jakarta EE 8 to maintain compatibility with Java version 11 or greater. The recipe will add a JAXB run-time, in Gradle compileOnly+testImplementation and Maven provided scope, to any project that has a transitive dependency on the JAXB API. The resulting dependencies still use the javax namespace, despite the move to the Jakarta artifact.
  • org.openrewrite.java.migrate.javax.AddScopeToInjectedClass
    • Add scope annotation to injected classes
    • Finds member variables annotated with @Inject' and applies @Dependent` scope annotation to the variable's type.
  • org.openrewrite.java.migrate.javax.AddTransientAnnotationToEntity
    • Unannotated entity attributes require a Transient annotation
    • In OpenJPA, attributes that are themselves entity classes are not persisted by default. EclipseLink has a different default behavior and tries to persist these attributes to the database. To keep the OpenJPA behavior of ignoring unannotated entity attributes, add the javax.persistence.Transient annotation to these attributes in EclipseLink.
  • org.openrewrite.java.migrate.javax.RemoveEmbeddableId
    • @Embeddable classes cannot have an @Id annotation when referenced by an @EmbeddedId annotation
    • According to the Java Persistence API (JPA) specification, if an entity defines an attribute with an @EmbeddedId annotation, the embeddable class cannot contain an attribute with an @Id annotation. If both the @EmbeddedId annotation and the @Id annotation are defined, OpenJPA ignores the @Id annotation, whereas EclipseLink throws an exception.
  • org.openrewrite.java.migrate.lombok.AdoptLombokGetterMethodNames
    • Rename getter methods to fit Lombok
    • Rename methods that are effectively getter to the name Lombok would give them. Limitations: - If two methods in a class are effectively the same getter then one's name will be corrected and the others name will be left as it is. - If the correct name for a method is already taken by another method then the name will not be corrected. - Method name swaps or circular renaming within a class cannot be performed because the names block each other. E.g. int getFoo() { return ba; } int getBa() { return foo; } stays as it is.
  • org.openrewrite.java.migrate.lombok.AdoptLombokSetterMethodNames
    • Rename setter methods to fit Lombok
    • Rename methods that are effectively setter to the name Lombok would give them. Limitations: - If two methods in a class are effectively the same setter then one's name will be corrected and the others name will be left as it is. - If the correct name for a method is already taken by another method then the name will not be corrected. - Method name swaps or circular renaming within a class cannot be performed because the names block each other. E.g. int getFoo() { return ba; } int getBa() { return foo; } stays as it is.
  • org.openrewrite.java.migrate.lombok.LombokValueToRecord
    • Convert @lombok.Value class to Record
    • Convert Lombok @Value annotated classes to standard Java Records.
  • org.openrewrite.java.migrate.search.PlanJavaMigration
    • Plan a Java version migration
    • Study the set of Java versions and associated tools in use across many repositories.

rewrite-nodejs

rewrite-program-analysis

rewrite-properties

rewrite-rewrite

  • org.openrewrite.java.recipes.ExamplesExtractor
    • Extract documentation examples from tests
    • Extract the before/after sources from tests annotated with @DocumentExample, and generate a YAML file with those examples to be shown in the documentation to show usage.

rewrite-spring

rewrite-static-analysis

  • org.openrewrite.staticanalysis.LowercasePackage
    • Rename packages to lowercase
    • By convention all Java package names should contain only lowercase letters, numbers, and dashes. This recipe converts any uppercase letters in package names to be lowercase.
  • org.openrewrite.staticanalysis.MethodNameCasing
    • Standardize method name casing
    • Fixes method names that do not follow standard naming conventions. For example, String getFoo_bar() would be adjusted to String getFooBar() and int DoSomething() would be adjusted to int doSomething().

rewrite-testing-frameworks

rewrite-toml

rewrite-vulncheck

  • io.moderne.vulncheck.FixVulnCheckVulnerabilities
    • Use VulnCheck Exploit Intelligence to fix vulnerabilities
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity.

rewrite-xml

rewrite-yaml

  • org.openrewrite.yaml.CopyValue
    • Copy YAML value
    • Copies a YAML value from one key to another. The existing key/value pair remains unaffected by this change. Attempts to merge the copied value into the new key if it already exists. Attempts to create the new key if it does not exist.
  • org.openrewrite.yaml.CreateYamlFile
    • Create YAML file
    • Create a new YAML file.