| find_callersA | Find all methods that directly call the given method. Args:
method_fqn: Fully-qualified method name, e.g. ``com.example.Foo.bar``.
exclude_generated: When True, filter out Lombok/compiler-generated callers.
Returns:
List of dicts with keys ``fqn``, ``file_path``, ``line_start``.
Empty list if the method is not found or has no callers.
|
| find_calleesA | Find all methods directly called by the given method. Args:
method_fqn: Fully-qualified method name, e.g. ``com.example.Foo.bar``.
exclude_generated: When True, filter out Lombok/compiler-generated callees.
Returns:
List of dicts with keys ``fqn``, ``file_path``, ``line_start``.
Empty list if the method is not found or makes no calls.
|
| find_endpoint_callers | Find the handler method for an endpoint and all upstream callers. Args:
http_method: HTTP verb — GET, POST, PUT, DELETE, or PATCH (case-insensitive).
path_pattern: Exact path of the endpoint, e.g. ``/api/users/{id}``.
Returns:
List of dicts with keys ``role`` (``"handler"`` or ``"caller"``),
``fqn``, ``file_path``, ``line_start``.
Empty list if the endpoint is not found.
|
| find_repo_dependenciesA | Find all repositories that the given repository directly depends on. Args:
repo_name: The logical name of the repository as indexed (e.g. ``point-bank-bff``).
Returns:
List of dicts with key ``name`` for each dependency repo.
Empty list if the repo is not found or has no declared dependencies.
|
| blast_radiusA | Find all methods transitively affected by changing the given method. Performs a breadth-first traversal of CALLS edges in reverse
(callers of callers) up to *max_depth* hops.
Args:
method_fqn: FQN of the method being changed, e.g. ``com.example.Foo.bar``.
max_depth: Maximum number of hops to traverse (default 3, max 10).
exclude_generated: When True, filter out Lombok/compiler-generated callers.
Returns:
List of dicts with keys ``fqn``, ``file_path``, and ``depth``.
Depth 1 = direct callers, depth 2 = their callers, etc.
The changed method itself is not included.
|
| search_symbolA | Search for classes or methods by name (case-insensitive substring match). Args:
query: Substring to search for, e.g. ``InterestCalc`` or ``calculate``.
Returns:
List of dicts with keys ``type`` (``"class"`` or ``"method"``),
``fqn``, and ``file_path``.
Results from both classes and methods are merged and returned together.
|
| get_file_locationA | Get the source file path and line number for a method or class by FQN. Tries Method first, then Class.
Args:
fqn: Fully-qualified name of the method or class.
Returns:
Dict with keys ``fqn``, ``file_path``, ``line_start``,
or ``None`` if not found.
|
| list_endpointsA | List all HTTP endpoints in the graph, optionally filtered by repository. Args:
repo_name: If provided, only return endpoints belonging to this repo.
Pass an empty string (the default) to list all repos.
Returns:
List of dicts with keys ``http_method``, ``path``,
``handler_fqn``, and ``repo_name``.
|
| list_unresolved_callsA | List outgoing REST calls that could not be matched to a known endpoint. These represent cross-repo or external HTTP calls that Orihime has not yet
resolved to an Endpoint node.
Args:
repo_name: If provided, only return unresolved calls from this repo.
Pass an empty string (the default) to list all repos.
Returns:
List of dicts with keys ``url_pattern``, ``http_method``,
``callee_name``, ``caller_fqn``, and ``repo_name``.
|
| list_reposA | List all indexed repositories with their stats. Returns:
List of dicts with keys: ``name``, ``root_path``, ``method_count``,
``endpoint_count``.
Empty list if no repositories have been indexed yet.
|
| list_branchesA | List all indexed branches, optionally filtered by repository. Args:
repo_name: If provided, only return branches belonging to this repo.
Pass an empty string (the default) to list all repos.
Returns:
List of dicts with keys ``repo_name``, ``branch_name``.
|
| find_implementationsA | Find all classes that directly implement the given interface (up to 10 hops via IMPLEMENTS). Args:
interface_fqn: FQN of the interface, e.g. ``com.example.WalletService``.
Returns:
List of dicts with keys ``class_fqn``, ``class_name``, ``file_path``, ``repo_name``.
|
| find_superclassesA | Walk the EXTENDS chain upward from the given class (BFS, max depth 10). Returns:
List of dicts with keys ``class_fqn``, ``depth``, ``repo_name``.
Depth 1 = direct parent. Starting class not included.
|
| list_entity_relationsA | List all JPA entity relationships in a repo. Returns list of dicts: source_class_fqn, field_name, relation_type,
fetch_type, target_class_fqn.
|
| find_eager_fetchesA | Find all EAGER fetch relationships — potential N+1 query sources. Returns list of dicts with source_class_fqn, field_name, relation_type,
target_class_fqn for all relations where fetch_type = 'EAGER'.
|
| find_cross_service_taintA | Find taint paths from HTTP endpoint handler parameters to outgoing REST calls. This is an Orihime-native equivalent of SonarQube Enterprise "Advanced SAST"
cross-service taint analysis.
A taint path is a call chain that starts at an HTTP endpoint handler method
(whose parameters are user-controlled: @RequestParam, @PathVariable, @RequestBody)
and ends at a method that issues an outgoing HTTP call (UNRESOLVED_CALL or
CALLS_REST edge). Intermediate hops are method CALLS edges.
Args:
repo_name: Repository to analyse.
max_depth: Maximum call-chain depth to traverse (default 6).
Returns:
List of dicts, each describing one taint path::
{
"source_handler_fqn": str, # endpoint handler method
"source_endpoint": str, # HTTP path e.g. GET /api/users/{id}
"sink_method_fqn": str, # method that makes the outgoing call
"sink_url_pattern": str, # URL pattern of the outgoing call
"sink_http_method": str, # GET/POST/...
"path_length": int, # number of hops
"call_chain": list, # [method_fqn, ...] from source to sink
}
|
| find_external_callsA | Return all calls to methods NOT in the indexed repo (callee has no Method node). These are calls to external libraries, frameworks, or unindexed services.
Returns [{caller_fqn, callee_name, call_count}] sorted by call_count descending.
Useful for: "what external dependencies does this service actually call at runtime?"
Args:
repo_name: The logical name of the indexed repository.
Returns:
List of dicts with keys ``caller_fqn``, ``callee_name``, ``call_count``.
Empty list if the repo is not found or has no external calls.
|
| find_taint_sinksA | Find all calls to known dangerous sink methods in the given repository. Uses the built-in sink registry (SQL, HTTP clients, exec) merged with any
custom sinks defined in ``~/.orihime/security.yml``. This is the custom
sources/sinks equivalent of SonarQube Enterprise's configurable taint rules.
Args:
repo_name: Repository to analyse.
Returns:
List of dicts with keys:
``caller_fqn``, ``sink_method``, ``file_path``, ``line_start``.
|
| find_taint_flowsA | Return confirmed taint flows where a tainted argument (position 0) flows to a known sink's first parameter. Stricter than find_taint_sinks — only returns findings where:
1. The caller method has a @RequestParam/@RequestBody/@PathVariable parameter (taint source)
2. The CALLS edge has caller_arg_pos=0 (first argument is passed)
3. The callee method name matches a known sink
Returns:
List of dicts with keys:
``source_method_fqn``, ``sink_method_name``, ``caller_arg_pos``,
``callee_param_pos``, ``file_path``, ``line_start``, ``owasp_category``.
|
| find_taint_pathsA | Multi-hop taint path analysis from annotation-based sources to dangerous sinks. Performs BFS forward through CALLS edges from all taint-source methods
(those annotated with @RequestParam, @PathVariable, @RequestBody, etc.)
up to max_depth hops. Sanitizer calls prune the branch. All distinct
call chains reaching a sink are returned.
Unlike find_taint_flows (single-hop, arg_pos=0 only), this tool finds
handler → service → sink chains of arbitrary depth up to max_depth.
Args:
repo_name: Repository to analyse.
max_depth: Maximum hop depth (default 5, capped at 10).
Returns:
List of dicts with keys:
source_method_fqn, source_annotations, sink_method_fqn, sink_type,
path_length, call_chain, sanitizer_pruned, file_path, line_start.
Empty list if no repo found, no sources, or no paths exist.
|
| list_security_configA | Return the active security configuration (sources, sinks, sanitizers). Shows the merged built-in + user-defined rules currently in effect.
Useful for verifying that custom ``~/.orihime/security.yml`` rules were loaded.
Returns:
Dict with keys ``source_annotations``, ``source_methods``,
``sink_methods``, ``sanitizer_methods``.
|
| find_second_order_injectionA | Detect second-order injection patterns: taint written to DB then read back unsanitized. A second-order (stored) injection occurs when:
1. User-controlled data reaches a persistence write (JPA save/persist/merge).
2. That same data is later read back from the DB and passed to a dangerous sink.
Orihime approximates this by finding:
- Methods that write to a JPA entity (call to save/persist/merge on a Repository
class or on an EntityManager).
- Methods that read from the same entity type (findById/findAll/executeQuery) AND
whose return value flows into a sink (detected via call chain analysis).
This is a structural approximation — it is not full data-flow. False positives are
expected; use it to prioritise manual review, not as a definitive scanner.
Args:
repo_name: Repository to analyse.
Returns:
List of dicts with keys:
``entity_fqn``, ``write_method_fqn``, ``read_method_fqn``,
``read_file_path``, ``risk_level``.
|
| generate_security_reportA | Generate a security findings report mapped to a compliance framework. This is the Orihime equivalent of SonarQube Enterprise's OWASP / CWE /
PCI DSS / STIG security reports. It aggregates findings from the taint
analysis and maps each to the requested framework's taxonomy.
Args:
repo_name: Repository to analyse.
framework: One of ``owasp``, ``cwe``, ``pci``, ``stig`` (default: ``owasp``).
Returns:
List of dicts, each a finding with framework-specific keys.
OWASP: ``category``, ``caller_fqn``, ``sink_method``, ``file_path``, ``line_start``.
CWE: ``cwe_id``, ``caller_fqn``, ``sink_method``, ``file_path``, ``line_start``.
PCI: ``requirement``, ``caller_fqn``, ``sink_method``, ``file_path``.
STIG: ``vuln_id``, ``caller_fqn``, ``sink_method``, ``file_path``.
|
| find_entry_pointsB | Return all methods/endpoints marked as entry points (is_entry_point=true). Entry points include HTTP handler methods, @KafkaListener, @Scheduled,
@JmsListener, and @RabbitListener methods.
Args:
repo_name: Repository to query.
Returns:
List of dicts with keys ``fqn``, ``file_path``, ``line_start``,
``annotations``.
|
| find_reachable_sinksA | Return taint sinks reachable from entry points via CALLS edges. When show_all=False (default), only returns sinks reachable from an entry
point. When show_all=True, returns all sinks (same as find_taint_sinks).
Uses BFS from all entry points through CALLS edges to build a reachable
method ID set, then filters find_taint_sinks results to only those whose
caller method is reachable from an entry point.
Args:
repo_name: Repository to analyse.
show_all: When True, skip reachability filtering and return all sinks.
Returns:
List of dicts with keys ``caller_fqn``, ``sink_method``, ``file_path``,
``line_start``, ``sink_category``.
|
| find_complexity_hintsA | Return methods with complexity hints, sorted by CALLS in-degree descending. Detects static complexity patterns stored on Method nodes during indexing:
O(n2)-candidate, O(n2)-list-scan, recursive, n+1-risk, unbounded-query.
Args:
repo_name: Repository to query.
min_severity: Severity filter:
``"low"`` — include all hints
``"medium"`` — exclude hints that are ONLY ``recursive``
``"high"`` — only include hints containing ``O(n2)`` or ``n+1-risk``
Returns:
List of dicts: ``method_fqn``, ``file_path``, ``line_start``,
``complexity_hint``, ``call_degree``.
Sorted by ``call_degree`` descending (most-called methods first).
|
| find_io_fanoutA | Return entry-point methods ranked by I/O call count, with serial/parallel breakdown. For each HTTP/Kafka/Scheduled entry point, reports the total number of I/O
operations (DB + HTTP + cache) detectable in its method body, split into
serial (latency adds) and parallel (latency = max of group).
If perf data has been ingested via ingest_perf_results, also estimates
latency_floor_ms = sum(serial p99s) + max(parallel p99s).
Args:
repo_name: Repository to query.
min_total: Only return methods with at least this many I/O calls (default 2).
Returns:
List of dicts: endpoint_path, http_method, handler_fqn, file_path,
line_start, total_io, serial_io, parallel_io, parallel_wrapper, latency_floor_ms.
Sorted by total_io descending.
|
| ingest_perf_resultsA | Ingest a Gatling/JMeter/JSON perf results file into the graph. Creates PerfSample nodes and OBSERVED_AT edges to matching Method nodes.
Args:
repo_name: The logical name of the indexed repository.
file_path: Absolute path to the perf results file
(.log = Gatling, .xml = JMeter, .json = simple JSON).
Returns:
Dict with keys ``ingested``, ``matched_methods``, ``unmatched``.
On failure, returns ``{"error": "<message>"}``.
|
| find_hotspotsA | Return methods ranked by composite risk: complexity_hint x p99. Methods with both a complexity hint AND high p99 latency are ranked highest.
Methods that have a complexity hint but no perf data are included with
p99_ms=null and risk_score = hint_weight * 100.
Args:
repo_name: The logical name of the indexed repository.
Returns:
List of dicts: ``method_fqn``, ``complexity_hint``, ``p99_ms``,
``p50_ms``, ``risk_score``, ``file_path``, ``line_start``.
Sorted by risk_score descending.
|
| estimate_capacityA | Estimate capacity per endpoint using Little's Law. concurrency = RPS x (p99_ms / 1000)
saturation_rps = thread_pool_size / (p99_ms / 1000)
Risk levels (based on current_rps / saturation_rps):
CRITICAL > 80%
HIGH > 60%
MEDIUM > 40%
LOW otherwise
Args:
repo_name: The logical name of the indexed repository.
Returns:
List of dicts: ``endpoint_fqn``, ``current_rps``, ``p99_ms``,
``saturation_rps``, ``ceiling_concurrency``, ``risk_level``.
|
| find_cascade_riskA | Find upstream endpoints at cascade risk from saturated downstream services. Walks CALLS_REST edges: if Method A (in repo_name) calls Endpoint B (in
another repo) and B's corresponding PerfSample has a lower saturation_rps
than A's current_rps, A is flagged as being at cascade risk.
saturation_rps for endpoint B = thread_pool_size / (p99_ms / 1000).
Args:
repo_name: The logical name of the upstream repository to analyse.
Returns:
List of dicts: ``upstream_method_fqn``, ``downstream_endpoint``,
``downstream_saturation_rps``, ``upstream_current_rps``,
``risk`` (``"SATURATED"`` or ``"NEAR_SATURATION"``).
|
| find_license_violationsA | Check dependencies in the repo for license compliance. Looks for pom.xml and build.gradle/build.gradle.kts in the repo root.
Queries Maven Central for each dependency's license.
Args:
repo_name: The logical name of the indexed repository.
allowed: List of SPDX license IDs to allow
(default: MIT, Apache-2.0, BSD-*, ISC, etc.).
license_overrides: Maps "group:artifact" to a license SPDX string to
bypass Maven Central lookups (useful for testing or
when a known license is not in Maven Central metadata).
Returns:
List of dicts [{group, artifact, version, license, status, reason}]
where status is "OK", "VIOLATION", "WARNING", or "UNKNOWN".
Only VIOLATION and WARNING items are returned (OK items filtered out).
|
| index_repo_toolA | Index a source repository into the Orihime knowledge graph. After indexing, all other query tools will reflect the new data.
Args:
repo_path: Absolute path to the repository root on disk.
repo_name: Logical name to identify the repo in queries
(e.g. ``point-bank-bff``).
branch: Branch name to tag this index run with (default: ``"master"``).
Index the same repo under different branch names to compare
branches side-by-side.
force: When True, re-parse every file even if blob hashes are unchanged.
Returns:
Summary dict with counts: ``repos``, ``files``, ``classes``,
``methods``, ``endpoints``, ``rest_calls``, ``call_edges``.
On failure, returns ``{"error": "<message>"}``.
|
