Skip to main content

Scanning Recipes

This doc contains all scanning recipes.

io.moderne.recipe

rewrite-cryptography

  • io.moderne.cryptography.FindCryptoVulnerabilitiesPipeline
    • Find cryptographic vulnerability chains
    • Detects cryptographic vulnerabilities that span multiple operations, tracking flow from hardcoded algorithms through key material to encryption operations.
  • io.moderne.cryptography.FindDirectSSLConfigurationEditing
    • Find direct SSL configuration editing
    • Detects direct configuration of protocols or cipher suites on SSL objects like SSLSocket, SSLServerSocket, or SSLEngine. This pattern makes SSL/TLS configuration scattered throughout the codebase and prevents centralized security policy management, hindering crypto-agility.
  • io.moderne.cryptography.FindHardcodedAlgorithmChoice
    • Find hardcoded algorithm choices
    • Detects hardcoded algorithm choices in cryptographic operations. Hardcoded algorithms prevent easy migration to stronger or quantum-resistant algorithms when needed. This is a critical crypto-agility issue that makes systems vulnerable to future attacks.
  • io.moderne.cryptography.FindHardcodedAlgorithmParameters
    • Find hardcoded algorithm-specific parameters
    • Detects hardcoded algorithm-specific parameters like RSA public exponents or EC curve parameters. These hardcoded values prevent algorithm agility and may use weak or non-standard parameters that compromise security.
  • io.moderne.cryptography.FindHardcodedCertificate
    • Find hardcoded certificates
    • Detects hardcoded certificates in the code, including certificates that are hardcoded as strings and used to generate X509Certificate instances via CertificateFactory. Hardcoded certificates can lead to security issues when they expire or need to be revoked.
  • io.moderne.cryptography.FindHardcodedCiphersuiteChoice
    • Find hardcoded cipher suite choices
    • Detects hardcoded cipher suite choices used in SSL/TLS configurations. Hardcoded cipher suites prevent easy updates when cipher suites become weak or need to be changed for compliance reasons.
  • io.moderne.cryptography.FindHardcodedKeyLength
    • Find hardcoded cryptographic key lengths
    • Detects hardcoded key lengths used in cryptographic operations like KeyGenerator.init(), KeyPairGenerator.initialize(), RSAKeyGenParameterSpec, and PBEKeySpec. Hardcoded key lengths reduce flexibility and may not meet changing security requirements.
  • io.moderne.cryptography.FindHardcodedPrivateKey
    • Find hardcoded private keys
    • Detects hardcoded private keys in the code, including PEM-encoded keys that flow into KeyFactory.generatePrivate() calls. Hardcoded private keys are a severe security vulnerability as they compromise the entire cryptographic system.
  • io.moderne.cryptography.FindHardcodedProtocolChoice
    • Find hardcoded SSL/TLS protocol choices
    • Detects hardcoded SSL/TLS protocol choices like 'TLSv1.2', 'SSLv3' used in SSLContext.getInstance() and setProtocols() calls. Hardcoded protocols prevent easy updates when protocols become obsolete or insecure.
  • io.moderne.cryptography.FindHardcodedProviderName
    • Find hardcoded cryptographic provider names
    • Detects hardcoded cryptographic provider names (like 'BC', 'SunJCE') used in getInstance() calls. Hardcoding provider names reduces portability and can cause issues when the provider is not available on different systems.
  • io.moderne.cryptography.FindProgrammaticProviderEditing
    • Find programmatic security provider editing
    • Detects programmatic modifications to the Java Security Provider list through Security.addProvider(), insertProviderAt(), or removeProvider() calls. Modifying providers at runtime makes the security configuration unpredictable and prevents crypto-agility by hardcoding provider dependencies.
  • io.moderne.cryptography.FindSSLContextSetDefault
    • Find SSLContext.setDefault() usage
    • Detects calls to SSLContext.setDefault() which sets the system-wide default SSL context. This is problematic because it affects all SSL/TLS connections in the JVM, potentially overriding security configurations set by other parts of the application or libraries. It also prevents crypto-agility as the configuration becomes global.

rewrite-devcenter

rewrite-hibernate

rewrite-java-application-server

rewrite-prethink

  • io.moderne.prethink.ComprehendCode
    • Comprehend code with AI
    • Use an LLM to generate descriptions for classes and methods in the codebase. Descriptions are cached based on source code checksums to avoid regenerating descriptions for unchanged code.
  • io.moderne.prethink.ComprehendCodeTokenCounter
    • Estimate comprehension token usage
    • Estimate the input token counts that would be sent to an LLM for method comprehension, without actually calling a model. Uses OpenAI's tokenizer locally. Outputs to the MethodDescriptions table with blank descriptions.
  • io.moderne.prethink.calm.FindCalmRelationships
    • Find CALM relationships
    • Discover method call relationships within the repository for building interaction diagrams. Captures all method-to-method calls between in-repo classes. Entity IDs are resolved by GenerateCalmArchitecture when building CALM relationships.
  • io.moderne.prethink.calm.GenerateCalmMermaidDiagram
    • Generate architecture mermaid diagram
    • Generate a markdown file with a mermaid architecture diagram from discovered service endpoints, database connections, external service calls, and messaging connections.
  • io.moderne.prethink.quality.FindClassMetrics
    • Find class quality metrics
    • Compute per-class code quality metrics including WMC, LCOM4, TCC, CBO, and maintainability index.
  • io.moderne.prethink.quality.FindCodeSmells
    • Find code smells
    • Detect code smells including God Class, Feature Envy, and Data Class using composite metric thresholds with severity ratings.
  • io.moderne.prethink.quality.FindPackageMetrics
    • Find package quality metrics
    • Compute per-package architectural quality metrics including afferent/efferent coupling, instability, abstractness, distance from the main sequence, and dependency cycle detection using Tarjan's strongly connected components algorithm.
  • io.moderne.prethink.testing.coverage.FindTestCoverage
    • Find test coverage mapping
    • Map test methods to their corresponding implementation methods. Uses JavaType.Method matching to determine coverage relationships. Optionally generates AI summaries of what each test is verifying when LLM provider is configured.
  • io.moderne.prethink.testing.coverage.FindTestGaps
    • Find test coverage gaps
    • Identify public non-trivial methods that lack test coverage. Reports gaps with cyclomatic complexity and risk scores to help prioritize where to add tests.

rewrite-program-analysis

  • org.openrewrite.analysis.java.datalineage.TrackDataLineage
    • Track data lineage
    • Tracks the flow of data from database sources to API sinks to understand data dependencies and support compliance requirements. ## Prerequisites for detecting a data flow All of the following conditions must be met for the recipe to report a flow: 1. The source code must contain at least one method call matching a recognized source (see below). 2. The source code must contain at least one method call matching a recognized sink (see below). 3. The tainted data must propagate from the source to the sink through variable assignments within the same method or via fields across methods in the same compilation unit. 4. No flow breaker (see below) may appear on the path between source and sink. 5. The relevant library types (e.g., java.sql.ResultSet, javax.ws.rs.core.Response) must be on the classpath so that OpenRewrite can resolve types. If types are unresolved, method matchers will not trigger and no flows will be detected. ## Recognized sources (database reads) | Category | Classes | | --- | --- | | JDBC | java.sql.ResultSet | | JPA (javax) | javax.persistence.EntityManager, Query, TypedQuery | | JPA (jakarta) | jakarta.persistence.EntityManager, Query, TypedQuery | | Hibernate | org.hibernate.Session, org.hibernate.query.Query | | Spring Data | org.springframework.data.repository.CrudRepository | | Spring JDBC | org.springframework.jdbc.core.JdbcTemplate | | MyBatis | org.apache.ibatis.session.SqlSession, org.mybatis.spring.SqlSessionTemplate | | MongoDB | com.mongodb.client.MongoCollection, org.springframework.data.mongodb.core.MongoTemplate | | Redis | redis.clients.jedis.Jedis, org.springframework.data.redis.core.RedisTemplate, ValueOperations, HashOperations | | Cassandra | com.datastax.driver.core.Session, org.springframework.data.cassandra.core.CassandraTemplate | | Elasticsearch | org.elasticsearch.client.RestHighLevelClient, org.springframework.data.elasticsearch.core.ElasticsearchTemplate | | Heuristic | Any class with Repository, Dao, or Mapper in its name calling methods starting with find, get, query, search, load, fetch, or select | ## Recognized sinks (API responses) | Category | Classes | | --- | --- | | JAX-RS (javax) | javax.ws.rs.core.Response, Response.ResponseBuilder | | JAX-RS (jakarta) | jakarta.ws.rs.core.Response, Response.ResponseBuilder | | Spring MVC | org.springframework.http.ResponseEntity, ResponseEntity.BodyBuilder | | Servlet (javax) | javax.servlet.http.HttpServletResponse, javax.servlet.ServletOutputStream | | Servlet (jakarta) | jakarta.servlet.http.HttpServletResponse, jakarta.servlet.ServletOutputStream | | Java I/O | java.io.PrintWriter, java.io.Writer, java.io.OutputStream | | Jackson | com.fasterxml.jackson.databind.ObjectMapper, com.fasterxml.jackson.core.JsonGenerator | | Gson | com.google.gson.Gson, com.google.gson.JsonWriter | | GraphQL | graphql.schema.DataFetcher, graphql.schema.PropertyDataFetcher | | Spring WebFlux | ServerResponse, reactor.core.publisher.Mono, reactor.core.publisher.Flux | | gRPC | io.grpc.stub.StreamObserver | | WebSocket | javax.websocket.Session, RemoteEndpoint.Basic, jakarta.websocket.*, org.springframework.web.socket.WebSocketSession | ## Flow breakers Flows are broken by methods matching common sanitization patterns (anonymize, redact, mask, encrypt, hash, sanitize, etc.) or authorization checks (isAuthorized, hasPermission, hasRole, etc.).
  • org.openrewrite.analysis.java.privacy.FindPiiExposure
    • Find PII exposure in logs and external APIs
    • Detects when Personally Identifiable Information (PII) is exposed through logging statements or sent to external APIs without proper sanitization. This helps prevent data leaks and ensures compliance with privacy regulations like GDPR and CCPA.
  • org.openrewrite.analysis.java.security.FindArrayIndexInjection
    • Find improper validation of array index
    • Detects when user-controlled input flows into array or collection index expressions without proper bounds validation, which could allow out-of-bounds access or denial of service (CWE-129).
  • org.openrewrite.analysis.java.security.FindCommandInjection
    • Find command injection vulnerabilities
    • Detects when user-controlled input flows into system command execution methods like Runtime.exec() or ProcessBuilder, which could allow attackers to execute arbitrary commands.
  • org.openrewrite.analysis.java.security.FindJndiInjection
    • Find JNDI injection vulnerabilities
    • Detects when user-controlled input flows into JNDI lookup operations without proper validation, which could allow an attacker to connect to malicious naming/directory services (CWE-99).
  • org.openrewrite.analysis.java.security.FindLdapInjection
    • Find LDAP injection vulnerabilities
    • Finds LDAP injection vulnerabilities by tracking tainted data flow from user input to LDAP queries.
  • org.openrewrite.analysis.java.security.FindLogInjection
    • Find log injection vulnerabilities
    • Detects when user-controlled input flows into logging methods without sanitization, which could allow attackers to forge log entries by injecting newline characters.
  • org.openrewrite.analysis.java.security.FindPathTraversal
    • Find path traversal vulnerabilities
    • Detects potential path traversal vulnerabilities where user input flows to file system operations without proper validation.
  • org.openrewrite.analysis.java.security.FindProcessControlInjection
    • Find process control vulnerabilities
    • Detects when user-controlled input flows into native library loading methods without proper validation, which could allow an attacker to load arbitrary native code (CWE-114).
  • org.openrewrite.analysis.java.security.FindSqlInjection
    • Find SQL injection vulnerabilities
    • Detects potential SQL injection vulnerabilities where user input flows to SQL execution methods without proper sanitization.
  • org.openrewrite.analysis.java.security.FindUnencryptedPiiStorage
    • Find unencrypted PII storage
    • Identifies when personally identifiable information (PII) is stored in databases, files, or other persistent storage without encryption.
  • org.openrewrite.analysis.java.security.FindUnsafeReflectionInjection
    • Find unsafe reflection vulnerabilities
    • Detects when user-controlled input flows into reflection-based class loading or instantiation without proper validation, which could allow an attacker to instantiate arbitrary classes (CWE-470).
  • org.openrewrite.analysis.java.security.FindXssVulnerability
    • Find XSS vulnerabilities
    • Detects potential cross-site scripting vulnerabilities where user input flows to output methods without proper sanitization.
  • org.openrewrite.analysis.java.security.FindXxeVulnerability
    • Find XXE vulnerabilities
    • Locates XML parsers that are not configured to prevent XML External Entity (XXE) attacks.
  • org.openrewrite.analysis.java.security.SanitizeLogInjection
    • Sanitize log injection vulnerabilities
    • Sanitizes user-controlled input before it flows into logging methods by stripping newline, carriage return, and tab characters that could enable log forging.

rewrite-spring

rewrite-vulncheck

  • io.moderne.vulncheck.FixVulnCheckVulnerabilities
    • Use VulnCheck Exploit Intelligence to fix vulnerabilities
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from VulnCheck Vulnerability Intelligence. The recipe has an option to limit fixes to only those vulnerabilities that have evidence of exploitation at various levels of severity.

org.openrewrite

rewrite-core

  • org.openrewrite.AddToGitignore
    • Add entries to .gitignore
    • Adds entries to the project's .gitignore file. If no .gitignore file exists, one will be created. Existing entries that match will not be duplicated.
  • org.openrewrite.ExcludeFileFromGitignore
    • Remove ignoral of files or directories from .gitignore
    • This recipe will remove a file or directory from the .gitignore file. If the file or directory is already in the .gitignore file, it will be removed or negated. If the file or directory is not in the .gitignore file, no action will be taken.
  • org.openrewrite.FindCollidingSourceFiles
    • Find colliding source files
    • Finds source files which share a path with another source file. There should always be exactly one source file per path within a repository. This is a diagnostic for finding problems in OpenRewrite parsers/build plugins.
  • org.openrewrite.FindGitProvenance
    • Show Git source control metadata
    • List out the contents of each unique GitProvenance marker in the set of source files. When everything is working correctly, exactly one such marker should be printed as all source files are expected to come from the same repository / branch / commit hash.
  • org.openrewrite.FindLstProvenance
    • Find LST provenance
    • Produces a data table showing what versions of OpenRewrite/Moderne tooling was used to produce a given LST.
  • org.openrewrite.ListRuntimeClasspath
    • List runtime classpath
    • A diagnostic utility which emits the runtime classpath to a data table.
  • org.openrewrite.search.FindCommitters
    • Find committers on repositories
    • List the committers on a repository.
  • org.openrewrite.search.RepositoryContainsFile
    • Repository contains file
    • Intended to be used primarily as a precondition for other recipes, this recipe checks if a repository contains a specific file or files matching a pattern. If present all files in the repository are marked with a SearchResult marker. If you want to get only the matching file as a search result, use FindSourceFiles instead.
  • org.openrewrite.text.AppendToTextFile
    • Append to text file
    • Appends or replaces content of an existing plain text file, or creates a new one if it doesn't already exist. Please note that this recipes requires existing plain text files' format to be successfully parsable by OpenRewrite. If a file is left unchanged, it might be parsed as a Quark rather than plain text. In such case, use the plainTextMask option. See the Gradle or Maven plugin configuration page.
  • org.openrewrite.text.CreateTextFile
    • Create text file
    • Creates a new plain text file.

rewrite-gradle

  • org.openrewrite.gradle.AddDependency
    • Add Gradle dependency
    • Add a gradle dependency to a build.gradle file in the correct configuration based on where it is used.
  • org.openrewrite.gradle.AddPlatformDependency
    • Add Gradle platform dependency
    • Add a gradle platform dependency to a build.gradle file in the correct configuration based on where it is used.
  • org.openrewrite.gradle.AddProperty
    • Add Gradle property
    • Add a property to the gradle.properties file.
  • org.openrewrite.gradle.ChangeDependency
    • Change Gradle dependency
    • Change a Gradle dependency coordinates. The newGroupId or newArtifactId MUST be different from before.
  • org.openrewrite.gradle.MigrateDependenciesToVersionCatalog
    • Migrate Gradle project dependencies to version catalog
    • Migrates Gradle project dependencies to use the version catalog feature. Supports migrating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' * Property references: "group:artifact:$version" or "group:artifact:$\{version\}" The recipe will: * Create a gradle/libs.versions.toml file with version declarations * Replace dependency declarations with catalog references (e.g., libs.springCore) * Migrate version properties from gradle.properties to the version catalog * Preserve project dependencies unchanged Note: If a version catalog already exists, the recipe will not modify it.
  • org.openrewrite.gradle.UpdateGradleWrapper
    • Update Gradle wrapper
    • Update the version of Gradle used in an existing Gradle wrapper. Queries downloads.gradle.org to determine the available releases, but prefers the artifact repository URL which already exists within the wrapper properties file. If your artifact repository does not contain the same Gradle distributions as downloads.gradle.org, then the recipe may suggest a version which is not available in your artifact repository.
  • org.openrewrite.gradle.UpgradeDependencyVersion
    • Upgrade Gradle dependency versions
    • Upgrade the version of a dependency in a build.gradle file. Supports updating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' Can update version numbers which are defined earlier in the same file in variable declarations.
  • org.openrewrite.gradle.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Gradle dependencies
    • Upgrades the version of a transitive dependency in a Gradle build file. There are many ways to do this in Gradle, so the mechanism for upgrading a transitive dependency must be considered carefully depending on your style of dependency management.
  • org.openrewrite.gradle.plugins.UpgradePluginVersion
    • Update a Gradle plugin by id
    • Update a Gradle plugin by id to a later version defined by the plugins DSL. To upgrade a plugin dependency defined by buildscript.dependencies, use the UpgradeDependencyVersion recipe instead.
  • org.openrewrite.gradle.search.ModuleHasDependency
    • Module has dependency
    • Searches for Gradle Projects (modules) that have a dependency matching the specified id or implementing class. Places a SearchResult marker on all sources within a project with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file that use the dependency, use the FindDependency recipe instead.
  • org.openrewrite.gradle.search.ModuleHasPlugin
    • Module has plugin
    • Searches for Gradle Projects (modules) that have a plugin matching the specified id or implementing class. Places a SearchResult marker on all sources within a project with a matching plugin. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that apply the spring dependency management plugin, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindPlugins recipe instead.

rewrite-hcl

rewrite-java

  • org.openrewrite.java.CreateEmptyJavaClass
    • Create Java class
    • Create a new, empty Java class.
  • org.openrewrite.java.search.ClasspathTypeCounts
    • Study the size of the classpath by source set
    • Emit one data table row per source set in a project, with the number of types in the source set.
  • org.openrewrite.java.search.FindDistinctMethods
    • Find distinct methods in use
    • A sample of every distinct method in use in a repository. The code sample in the method calls data table will be a representative use of the method, though there may be many other such uses of the method.
  • org.openrewrite.java.search.FindTypeMappings
    • Find type mappings
    • Study the frequency of J types and their JavaType type attribution.
  • org.openrewrite.java.search.HasMinimumJavaVersion
    • Find the oldest Java version in use
    • The oldest Java version in use is the lowest Java version in use in any source set of any subproject of a repository. It is possible that, for example, the main source set of a project uses Java 8, but a test source set uses Java 17. In this case, the oldest Java version in use is Java 8.
  • org.openrewrite.java.search.ModuleContainsFile
    • Module contains file
    • Intended to be used primarily as a precondition for other recipes, this recipe checks if a module contains a specific file or files matching a pattern. Only files belonging to modules containing the specified file are marked with a SearchResult marker. This is more specific than RepositoryContainsFile which marks all files in the repository if any file matches.
  • org.openrewrite.java.search.ModuleUsesType
    • Module uses type
    • Intended to be used primarily as a precondition for other recipes, this recipe checks if a module uses a specified type. Only files belonging to modules that use the specified type are marked with a SearchResult marker. This is more specific than UsesType which only marks the files that directly use the type.

rewrite-json

rewrite-maven

  • org.openrewrite.maven.AddAnnotationProcessor
    • Add an annotation processor to maven-compiler-plugin
    • Add an annotation processor path to the maven-compiler-plugin configuration. For modules with an in-reactor parent, adds to the parent's build/pluginManagement/plugins section. For modules without a parent or with a parent outside the reactor, adds directly to build/plugins. Updates the annotation processor version if a newer version is specified.
  • org.openrewrite.maven.AddDependency
    • Add Maven dependency
    • Add a Maven dependency to a pom.xml file in the correct scope based on where it is used.
  • org.openrewrite.maven.AddDevelocityMavenExtension
    • Add the Develocity Maven extension
    • To integrate the Develocity Maven extension into Maven projects, ensure that the develocity-maven-extension is added to the .mvn/extensions.xml file if not already present. Additionally, configure the extension by adding the .mvn/develocity.xml configuration file.
  • org.openrewrite.maven.AddManagedDependency
    • Add managed Maven dependency
    • Add a managed Maven dependency to a pom.xml file.
  • org.openrewrite.maven.AddRuntimeConfig
    • Add a configuration option for the Maven runtime
    • Add a new configuration option for the Maven runtime if not already present.
  • org.openrewrite.maven.ChangeDependencyGroupIdAndArtifactId
    • Change Maven dependency
    • Change a Maven dependency coordinates. The newGroupId or newArtifactId MUST be different from before. Matching <dependencyManagement> coordinates are also updated if a newVersion or versionPattern is provided. Exclusions that reference the old dependency coordinates are preserved, and a sibling exclusion for the new coordinates is added alongside them.
  • org.openrewrite.maven.ChangeParentPom
    • Change Maven parent
    • Change the parent pom of a Maven pom.xml by matching the existing parent via groupId and artifactId, and updating it to a new groupId, artifactId, version, and optional relativePath. Also updates the project to retain dependency management and properties previously inherited from the old parent that are no longer provided by the new parent. Removes redundant dependency versions already managed by the new parent.
  • org.openrewrite.maven.IncrementProjectVersion
    • Increment Maven project version
    • Increase Maven project version by incrementing either the major, minor, or patch version as defined by semver. Other versioning schemes are not supported.
  • org.openrewrite.maven.ManageDependencies
    • Manage dependencies
    • Make existing dependencies managed by moving their version to be specified in the dependencyManagement section of the POM.
  • org.openrewrite.maven.RemoveUnusedProperties
    • Remove unused properties
    • Detect and remove Maven property declarations which do not have any usage within the project.
  • org.openrewrite.maven.UpdateMavenWrapper
    • Update Maven wrapper
    • Update the version of Maven used in an existing Maven wrapper.
  • org.openrewrite.maven.UpgradeDependencyVersion
    • Upgrade Maven dependency version
    • Upgrade the version of a dependency by specifying a group and (optionally) an artifact using Node Semver advanced range selectors, allowing more precise control over version updates to patch or minor releases.
  • org.openrewrite.maven.UpgradeParentVersion
    • Upgrade Maven parent project version
    • Set the parent pom version number according to a version selector or to a specific version number.
  • org.openrewrite.maven.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Maven dependencies
    • Upgrades the version of a transitive dependency in a Maven pom file. Leaves direct dependencies unmodified. Can be paired with the regular Upgrade Dependency Version recipe to upgrade a dependency everywhere, regardless of whether it is direct or transitive.
  • org.openrewrite.maven.UseMavenCompilerPluginReleaseConfiguration
    • Use Maven compiler plugin release configuration
    • Replaces any explicit source or target configuration (if present) on the maven-compiler-plugin with release, and updates the release value if needed. When testSource or testTarget differ from the main version, introduces testRelease. Will not downgrade the Java version if the current version is higher. Also removes stale maven.compiler.source, maven.compiler.target, maven.compiler.testSource, and maven.compiler.testTarget properties that are no longer referenced.
  • org.openrewrite.maven.search.ModuleHasDependency
    • Module has dependency
    • Searches for Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindDependency recipe instead.
  • org.openrewrite.maven.search.ModuleHasPlugin
    • Module has plugin
    • Searches for Maven modules that have a plugin matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching plugin. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that apply the spring boot plugin, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) file applying the plugin, use the FindPlugins recipe instead.

rewrite-properties

rewrite-python

  • org.openrewrite.python.AddDependency
    • Add Python dependency
    • Add a dependency to a Python project. Supports pyproject.toml (with scope/group targeting), requirements.txt, and Pipfile. When uv is available, the uv.lock file is regenerated.
  • org.openrewrite.python.ChangeDependency
    • Change Python dependency
    • Change a dependency to a different package. Supports pyproject.toml, requirements.txt, and Pipfile. Searches all dependency scopes. When uv is available, the uv.lock file is regenerated.
  • org.openrewrite.python.RemoveDependency
    • Remove Python dependency
    • Remove a dependency from a Python project. Supports pyproject.toml (with scope/group targeting), requirements.txt, and Pipfile. When uv is available, the uv.lock file is regenerated.
  • org.openrewrite.python.UpgradeDependencyVersion
    • Upgrade Python dependency version
    • Upgrade the version constraint for a dependency. Supports pyproject.toml (with scope/group targeting), requirements.txt, and Pipfile. When uv is available, the uv.lock file is regenerated.
  • org.openrewrite.python.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Python dependency version
    • Pin a transitive dependency version using the strategy appropriate for the file type and package manager. For pyproject.toml: uv uses [tool.uv].constraint-dependencies, PDM uses [tool.pdm.overrides], and other managers add a direct dependency. For requirements.txt and Pipfile: appends the dependency.

rewrite-toml

rewrite-xml

rewrite-yaml

  • org.openrewrite.yaml.CopyValue
    • Copy YAML value
    • Copies a YAML value from one key to another. The existing key/value pair remains unaffected by this change. Attempts to merge the copied value into the new key if it already exists. By default, attempts to create the new key if it does not exist.
  • org.openrewrite.yaml.CreateYamlFile
    • Create YAML file
    • Create a new YAML file.

org.openrewrite.meta

rewrite-analysis

org.openrewrite.recipe

rewrite-all

  • org.openrewrite.FindDuplicateSourceFiles
    • Find duplicate source files
    • Record the presence of LSTs with duplicate paths, indicating that the same file was parsed more than once.
  • org.openrewrite.LanguageComposition
    • Language composition report
    • Counts the number of lines of the various kinds of source code and data formats parsed by OpenRewrite. Comments are not included in line counts. This recipe emits its results as two data tables, making no changes to any source file. One data table is per-file, the other is per-repository.

rewrite-codemods

rewrite-codemods-ng

rewrite-concourse

rewrite-dotnet

rewrite-jackson

  • org.openrewrite.java.jackson.LombokJacksonizedConfig
    • Update lombok.config for Jackson 3 compatibility
    • When @Jacksonized is used, Lombok generates Jackson annotations. By default it generates Jackson 2.x annotations. This recipe adds lombok.jacksonized.jacksonVersion += 3 to lombok.config so Lombok generates Jackson 3 compatible annotations.

rewrite-java-dependencies

  • org.openrewrite.java.dependencies.AddDependency
    • Add Gradle or Maven dependency
    • For a Gradle project, add a gradle dependency to a build.gradle file in the correct configuration based on where it is used. Or For a maven project, Add a Maven dependency to a pom.xml file in the correct scope based on where it is used.
  • org.openrewrite.java.dependencies.ChangeDependency
    • Change Gradle or Maven dependency
    • Change the group ID, artifact ID, and/or the version of a specified Gradle or Maven dependency.
  • org.openrewrite.java.dependencies.DependencyResolutionDiagnostic
    • Dependency resolution diagnostic
    • Recipes which manipulate dependencies must be able to successfully access the artifact repositories and resolve dependencies from them. This recipe produces two data tables used to understand the state of dependency resolution. The Repository accessibility report lists all the artifact repositories known to the project and whether respond to network access. The network access is attempted while the recipe is run and so is representative of current conditions. The Gradle dependency configuration errors lists all the dependency configurations that failed to resolve one or more dependencies when the project was parsed. This is representative of conditions at the time the LST was parsed.
  • org.openrewrite.java.dependencies.RelocatedDependencyCheck
    • Find relocated dependencies
    • Find Maven and Gradle dependencies and Maven plugins that have relocated to a new groupId or artifactId. Relocation information comes from the oga-maven-plugin maintained by Jonathan Lermitage, Filipe Roque and others. This recipe makes no changes to any source file by default. Add changeDependencies=true to change dependencies, but note that you might need to run additional recipes to update imports and adopt other breaking changes.
  • org.openrewrite.java.dependencies.RemoveDependency
    • Remove a Gradle or Maven dependency
    • For Gradle project, removes a single dependency from the dependencies section of the build.gradle. For Maven project, removes a single dependency from the <dependencies> section of the pom.xml.
  • org.openrewrite.java.dependencies.RemoveRedundantDependencies
    • Remove redundant explicit dependencies
    • Remove explicit dependencies that are already provided transitively by a specified dependency. This recipe downloads and resolves the parent dependency's POM to determine its true transitive dependencies, allowing it to detect redundancies even when both dependencies are explicitly declared.
  • org.openrewrite.java.dependencies.UpgradeDependencyVersion
    • Upgrade Gradle or Maven dependency versions
    • For Gradle projects, upgrade the version of a dependency in a build.gradle file. Supports updating dependency declarations of various forms: * String notation: "group:artifact:version" * Map notation: group: 'group', name: 'artifact', version: 'version' It is possible to update version numbers which are defined earlier in the same file in variable declarations. For Maven projects, upgrade the version of a dependency by specifying a group ID and (optionally) an artifact ID using Node Semver advanced range selectors, allowing more precise control over version updates to patch or minor releases.
  • org.openrewrite.java.dependencies.UpgradeTransitiveDependencyVersion
    • Upgrade transitive Gradle or Maven dependencies
    • Upgrades the version of a transitive dependency in a Maven pom.xml or Gradle build.gradle. Leaves direct dependencies unmodified. Can be paired with the regular Upgrade Dependency Version recipe to upgrade a dependency everywhere, regardless of whether it is direct or transitive.
  • org.openrewrite.java.dependencies.search.FindDuplicateClasses
    • Find duplicate classes on the classpath
    • Detects classes that appear in multiple dependencies on the classpath. This is similar to what the Maven duplicate-finder-maven-plugin does. Duplicate classes can cause runtime issues when different versions of the same class are loaded.
  • org.openrewrite.java.dependencies.search.FindMinimumDependencyVersion
    • Find the oldest matching dependency version in use
    • The oldest dependency version in use is the lowest dependency version in use in any source set of any subproject of a repository. It is possible that, for example, the main source set of a project uses Jackson 2.11, but a test source set uses Jackson 2.16. In this case, the oldest Jackson version in use is Java 2.11.
  • org.openrewrite.java.dependencies.search.FindMinimumJUnitVersion
    • Find minimum JUnit version
    • A recipe to find the minimum version of JUnit dependencies. This recipe is designed to return the minimum version of JUnit in a project. It will search for JUnit 4 and JUnit 5 dependencies in the project. If both versions are found, it will return the minimum version of JUnit 4. If a minimumVersion is provided, the recipe will search to see if the minimum version of JUnit used by the project is no lower than the minimumVersion. For example: if the minimumVersion is 4, and the project has JUnit 4.12 and JUnit 5.7, the recipe will return JUnit 4.12. If the project has only JUnit 5.7, the recipe will return JUnit 5.7. Another example: if the minimumVersion is 5, and the project has JUnit 4.12 and JUnit 5.7, the recipe will not return any results.
  • org.openrewrite.java.dependencies.search.ModuleHasDependency
    • Module has dependency
    • Searches for both Gradle and Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a module with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use spring-boot-starter, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) or pom.xml file applying the plugin, use the FindDependency recipe instead.
  • org.openrewrite.java.dependencies.search.RepositoryHasDependency
    • Repository has dependency
    • Searches for both Gradle and Maven modules that have a dependency matching the specified groupId and artifactId. Places a SearchResult marker on all sources within a repository with a matching dependency. This recipe is intended to be used as a precondition for other recipes. For example this could be used to limit the application of a spring boot migration to only projects that use a springframework dependency, limiting unnecessary upgrading. If the search result you want is instead just the build.gradle(.kts) or pom.xml file applying the plugin, use the FindDependency recipe instead.

rewrite-java-security

  • org.openrewrite.csharp.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable Nuget dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this recipe will not make any changes. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable.
  • org.openrewrite.java.dependencies.AddExplicitTransitiveDependencies
    • Add explicit transitive dependencies
    • Detects when Java source code or configuration files reference types from transitive Maven dependencies and promotes those transitive dependencies to explicit direct dependencies in the pom.xml. This ensures the build is resilient against changes in transitive dependency trees of upstream libraries.
  • org.openrewrite.java.dependencies.DependencyLicenseCheck
    • Find licenses in use in third-party dependencies
    • Locates and reports on all licenses in use.
  • org.openrewrite.java.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Upgrades dependencies versioned according to Semantic Versioning. ## Customizing Vulnerability Data This recipe can be customized by extending DependencyVulnerabilityCheckBase and overriding the vulnerability data sources: - baselineVulnerabilities(ExecutionContext ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file using ResourceUtils.parseResourceAsCsv(). Override this method to replace the entire vulnerability dataset with your own curated list. - supplementalVulnerabilities(ExecutionContext ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database. Both methods return List<Vulnerability> objects. Vulnerability data can be loaded from CSV files using ResourceUtils.parseResourceAsCsv(path, Vulnerability.class, consumer) or constructed programmatically. To customize, extend DependencyVulnerabilityCheckBase and override one or both methods depending on your needs. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source. Last updated: 2026-04-27T1132.
  • org.openrewrite.java.dependencies.RemoveUnusedDependencies
    • Remove unused dependencies
    • Scans through source code collecting references to types and methods, removing any dependencies that are not used from Maven or Gradle build files. This is best effort and not guaranteed to work well in all cases; false positives are still possible. This recipe takes reflective access into account: - When reflective access to a class is made unambiguously via a string literal, such as: Class.forName("java.util.List") that is counted correctly. - When reflective access to a class is made ambiguously via anything other than a string literal no dependencies will be removed. This recipe takes transitive dependencies into account: - When a direct dependency is not used but a transitive dependency it brings in is in use the direct dependency is not removed.
  • org.openrewrite.java.dependencies.SoftwareBillOfMaterials
    • Software bill of materials
    • Produces a software bill of materials (SBOM) for a project. An SBOM is a complete list of all dependencies used in a project, including transitive dependencies. The produced SBOM is in the CycloneDX XML format. Supports Gradle and Maven. Places a file named sbom.xml adjacent to the Gradle or Maven build file.
  • org.openrewrite.java.security.XmlParserXXEVulnerability
    • XML parser XXE vulnerability
    • Avoid exposing dangerous features of the XML parser by updating certain factory settings.
  • org.openrewrite.java.security.search.FindHardcodedAuthenticationCredentials
    • Find hardcoded authentication credentials
    • Finds hardcoded passwords flowing into Spring Security user builders: InMemoryUserDetailsManagerConfigurer (inMemoryAuthentication().withUser(...).password(...)) and the User.UserBuilder.password(...) API. Uses taint analysis so credentials assigned to a variable, field, or constant before being passed to .password(...) are also detected.
  • org.openrewrite.java.security.spring.CsrfProtection
    • Enable CSRF attack prevention
    • Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. See the full OWASP cheatsheet.
  • org.openrewrite.java.security.spring.PreventClickjacking
    • Prevent clickjacking
    • The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites.
  • org.openrewrite.python.dependencies.DependencyVulnerabilityCheck
    • Find and fix vulnerable PyPI dependencies
    • This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government. Dependencies following Semantic Versioning will see their patch version updated where applicable. ## Customizing Vulnerability Data This recipe can be customized by extending DependencyVulnerabilityCheckBase and overriding the vulnerability data sources: - baselineVulnerabilities(ExecutionContext ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file using ResourceUtils.parseResourceAsCsv(). Override this method to replace the entire vulnerability dataset with your own curated list. - supplementalVulnerabilities(ExecutionContext ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database. Both methods return List<Vulnerability> objects. Vulnerability data can be loaded from CSV files using ResourceUtils.parseResourceAsCsv(path, Vulnerability.class, consumer) or constructed programmatically. To customize, extend DependencyVulnerabilityCheckBase and override one or both methods depending on your needs. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source.

rewrite-jenkins

rewrite-liberty

rewrite-micronaut

rewrite-migrate-java

  • org.openrewrite.java.migrate.AddStaticVariableOnProducerSessionBean
    • Adds static modifier to @Produces fields that are in session beans
    • Ensures that the fields annotated with @Produces which is inside the session bean (@Stateless, @Stateful, or @Singleton) are declared static.
  • org.openrewrite.java.migrate.jakarta.HasNoJakartaAnnotations
    • Project has no Jakarta annotations
    • Mark all source as found per JavaProject where no Jakarta annotations are found. This is useful mostly as a precondition for recipes that require Jakarta annotations to be present.
  • org.openrewrite.java.migrate.javax.AddJaxbRuntime
    • Use latest JAXB API and runtime for Jakarta EE 8
    • Update build files to use the latest JAXB runtime from Jakarta EE 8 to maintain compatibility with Java version 11 or greater. The recipe will add a JAXB run-time, in Gradle compileOnly+testImplementation and Maven provided scope, to any project that has a transitive dependency on the JAXB API. The resulting dependencies still use the javax namespace, despite the move to the Jakarta artifact.
  • org.openrewrite.java.migrate.javax.AddScopeToInjectedClass
    • Add scope annotation to injected classes
    • Finds member variables annotated with @Inject' and applies @Dependent` scope annotation to the variable's type.
  • org.openrewrite.java.migrate.javax.AddTransientAnnotationToEntity
    • Unannotated entity attributes require a Transient annotation
    • In OpenJPA, attributes that are themselves entity classes are not persisted by default. EclipseLink has a different default behavior and tries to persist these attributes to the database. To keep the OpenJPA behavior of ignoring unannotated entity attributes, add the javax.persistence.Transient annotation to these attributes in EclipseLink.
  • org.openrewrite.java.migrate.javax.RemoveEmbeddableId
    • @Embeddable classes cannot have an @Id annotation when referenced by an @EmbeddedId annotation
    • According to the Java Persistence API (JPA) specification, if an entity defines an attribute with an @EmbeddedId annotation, the embeddable class cannot contain an attribute with an @Id annotation. If both the @EmbeddedId annotation and the @Id annotation are defined, OpenJPA ignores the @Id annotation, whereas EclipseLink throws an exception.
  • org.openrewrite.java.migrate.lombok.AdoptLombokGetterMethodNames
    • Rename getter methods to fit Lombok
    • Rename methods that are effectively getter to the name Lombok would give them. Limitations: - If two methods in a class are effectively the same getter then one's name will be corrected and the others name will be left as it is. - If the correct name for a method is already taken by another method then the name will not be corrected. - Method name swaps or circular renaming within a class cannot be performed because the names block each other. E.g. int getFoo() \{ return ba; \} int getBa() \{ return foo; \} stays as it is.
  • org.openrewrite.java.migrate.lombok.AdoptLombokSetterMethodNames
    • Rename setter methods to fit Lombok
    • Rename methods that are effectively setter to the name Lombok would give them. Limitations: - If two methods in a class are effectively the same setter then one's name will be corrected and the others name will be left as it is. - If the correct name for a method is already taken by another method then the name will not be corrected. - Method name swaps or circular renaming within a class cannot be performed because the names block each other. E.g. int getFoo() \{ return ba; \} int getBa() \{ return foo; \} stays as it is.
  • org.openrewrite.java.migrate.lombok.LombokValueToRecord
    • Convert @lombok.Value class to Record
    • Convert Lombok @Value annotated classes to standard Java Records.
  • org.openrewrite.java.migrate.search.ModuleHasKotlinSource
    • Module has Kotlin source files
    • Marks all files in modules that contain at least one Kotlin source file (.kt). Intended as a precondition to scope recipes to projects that actually compile Kotlin, as opposed to projects that merely pick up kotlin-stdlib transitively.
  • org.openrewrite.java.migrate.search.PlanJavaMigration
    • Plan a Java version migration
    • Study the set of Java versions and associated tools in use across many repositories.

rewrite-migrate-python

rewrite-nodejs

rewrite-openapi

rewrite-prethink

  • org.openrewrite.prethink.ExportContext
    • Export context files
    • Export DataTables to CSV files in .moderne/context/ along with a markdown description file. The markdown file describes the context and includes schema information for each data table.
  • org.openrewrite.prethink.UpdateAgentConfig
    • Update agent configuration files
    • Update coding agent configuration files (CLAUDE.md, .cursorrules, etc.) to include references to Moderne Prethink context files in .moderne/context/.
  • org.openrewrite.prethink.UpdateGitignore
    • Update .gitignore for Prethink context
    • Updates .gitignore to allow committing the .moderne/context/ directory while ignoring other files in .moderne/. Only modifies .gitignore when context files exist in .moderne/context/. Transforms .moderne/ into .moderne/* with an exception for !.moderne/context/.
  • org.openrewrite.prethink.calm.GenerateCalmArchitecture
    • Generate CALM architecture
    • Generate a FINOS CALM (Common Architecture Language Model) JSON file from discovered service endpoints, database connections, external service calls, and messaging connections.

rewrite-rewrite

  • org.openrewrite.java.recipes.ExamplesExtractor
    • Extract documentation examples from tests
    • Extract the before/after sources from tests annotated with @DocumentExample, and generate a YAML file with those examples to be shown in the documentation to show usage.
  • org.openrewrite.java.recipes.GenerateDeprecatedMethodRecipes
    • Generate InlineMethodCalls recipes for deprecated delegating methods
    • Finds @Deprecated method declarations whose body is a single delegation call to another method in the same class, and generates a declarative YAML recipe file containing InlineMethodCalls entries for each.

rewrite-spring

rewrite-static-analysis

  • org.openrewrite.staticanalysis.LowercasePackage
    • Rename packages to lowercase
    • By convention all Java package names should contain only lowercase letters, numbers, and dashes. This recipe converts any uppercase letters in package names to be lowercase. Consistent package naming prevents confusion and potential issues on case-insensitive file systems.
  • org.openrewrite.staticanalysis.MethodNameCasing
    • Standardize method name casing
    • Fixes method names that do not follow standard naming conventions. For example, String getFoo_bar() would be adjusted to String getFooBar() and int DoSomething() would be adjusted to int doSomething(). Following a consistent casing convention for method names improves code readability and helps developers quickly distinguish methods from classes or constants.

rewrite-struts

  • org.openrewrite.java.struts.migrate6.MigrateStaticOgnlMethodAccess
    • Migrate static OGNL method access to action wrapper methods
    • Migrates OGNL expressions using static method access (e.g., @com.app.Util@makeCode()) to use action wrapper methods instead. Static method access is disabled by default in Struts 6 for security reasons.

rewrite-terraform

  • org.openrewrite.terraform.MoveProviderVersionToRequiredProviders
    • Move provider version to required_providers
    • In Terraform 0.13+, version constraints should be specified in the terraform \{ required_providers \{ ... \} \} block instead of the provider block. This recipe removes the version attribute from provider blocks and adds it to required_providers.

rewrite-testing-frameworks

  • org.openrewrite.java.testing.cleanup.TestsShouldNotBePublic
    • Remove public visibility of JUnit 5 tests
    • Remove public and optionally protected modifiers from methods with @Test, @ParameterizedTest, @RepeatedTest, @TestFactory, @BeforeEach, @AfterEach, @BeforeAll, or @AfterAll. They no longer have to be public visibility to be usable by JUnit 5.
  • org.openrewrite.java.testing.junit5.AddHamcrestJUnitDependency
    • Add Hamcrest JUnit dependency
    • Add Hamcrest JUnit dependency only if JUnit 4's assertThat or assumeThat is used.
  • org.openrewrite.java.testing.junit5.AddJupiterDependencies
    • Add JUnit Jupiter dependencies
    • Adds JUnit Jupiter dependencies to a Maven or Gradle project. JUnit Jupiter can be added either with the artifact junit-jupiter, or both of junit-jupiter-api and junit-jupiter-engine. This adds junit-jupiter dependency unless junit-jupiter-api or junit-jupiter-engine are already present.
  • org.openrewrite.java.testing.mockito.AddMockitoJupiterDependency
    • Add mockito-junit-jupiter dependency
    • Adds org.mockito:mockito-junit-jupiter dependency if @ExtendWith(MockitoExtension.class) will be added to any test class, i.e. when Mockito annotations are used in JUnit 5 tests without the extension already present.
  • org.openrewrite.java.testing.mockito.AnyToNullable
    • Replace Mockito 1.x anyString()/any() with nullable(Class)
    • Since Mockito 2.10 anyString() and any() no longer matches null values. Use nullable(Class) instead.
  • org.openrewrite.java.testing.mockito.ReplacePowerMockDependencies
    • Replace PowerMock dependencies with Mockito equivalents
    • Replaces PowerMock API dependencies with mockito-inline when mockStatic(), whenNew(), or @PrepareForTest usage is detected, or mockito-core otherwise. PowerMock features like static mocking, constructor mocking, and final class mocking require the inline mock maker which is bundled in mockito-inline for Mockito 3.x/4.x.
  • org.openrewrite.java.testing.mockito.VerifyZeroToNoMoreInteractions
    • Replace verifyZeroInteractions() with verifyNoMoreInteractions()
    • Replaces verifyZeroInteractions() with verifyNoMoreInteractions() in Mockito tests when migration when using a Mockito version < 3.x.