Skip to content

Add java-reviewer agent for Java and Spring Boot code review #528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
affaan-m merged 4 commits into from
Mar 16, 2026
Merged

Add java-reviewer agent for Java and Spring Boot code review #528

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b30832e
Add java-reviewer agent for Java and Spring Boot code review
yashwardhan17 Mar 16, 2026
a950fe4
Fix java-reviewer: update tools format, git diff scope, diagnostic co…
yashwardhan17 Mar 16, 2026
9f4be53
Fix: correct skill reference, add command injection check, update age…
yashwardhan17 Mar 16, 2026
1848c54
Fix: report-only disclaimer, path traversal, split ScriptEngine, esca…
yashwardhan17 Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ This is a **production-ready AI coding plugin** providing 20 specialized agents,
| kotlin-build-resolver | Kotlin/Gradle build errors | Kotlin build failures |
| database-reviewer | PostgreSQL/Supabase specialist | Schema design, query optimization |
| python-reviewer | Python code review | Python projects |
| java-reviewer | Java and Spring Boot code review | Java/Spring Boot projects |
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.
| chief-of-staff | Communication triage and drafts | Multi-channel email, Slack, LINE, Messenger |
| loop-operator | Autonomous loop execution | Run loops safely, monitor stalls, intervene |
| harness-optimizer | Harness config tuning | Reliability, cost, throughput |
Expand Down
92 changes: 92 additions & 0 deletions agents/java-reviewer.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
---
name: java-reviewer
description: Expert Java and Spring Boot code reviewer specializing in layered architecture, JPA patterns, security, and concurrency. Use for all Java code changes. MUST BE USED for Spring Boot projects.
tools: ["Read", "Grep", "Glob", "Bash"]
model: sonnet
---
You are a senior Java engineer ensuring high standards of idiomatic Java and Spring Boot best practices.
When invoked:
1. Run `git diff -- '*.java'` to see recent Java file changes
2. Run `mvn verify -q` or `./gradlew check` if available
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mvn verify is far more invasive than peer reviewers' diagnostics

Step 2 tells the agent to run mvn verify -q, which executes the full Maven lifecycle: compile → test → integration-test → verify. This can:

  • Take minutes on any non-trivial project
  • Fail for environment reasons (missing DB, missing env vars, network) with no relationship to the code under review
  • Potentially produce side-effects (build artifacts, generated sources)

Compare with peer agents, which run fast, read-only static analysis:

  • go-reviewer: go vet ./... and staticcheck ./...
  • python-reviewer: equivalent linting commands

Consider replacing mvn verify -q with lighter-weight static checks, mirroring the diagnostic commands listed later in the file:

Suggested change
2. Run `mvn verify -q` or `./gradlew check` if available
2. Run `./mvnw checkstyle:check` or `./mvnw spotbugs:check` if available

3. Focus on modified `.java` files
4. Begin review immediately
Comment thread
greptile-apps[bot] marked this conversation as resolved.

You DO NOT refactor or rewrite code — you report findings only.

## Review Priorities

### CRITICAL -- Security
- **SQL injection**: String concatenation in `@Query` or `JdbcTemplate` — use bind parameters (`:param` or `?`)
- **Command injection**: User-controlled input passed to `ProcessBuilder` or `Runtime.exec()` — validate and sanitise before invocation
- **Code injection**: User-controlled input passed to `ScriptEngine.eval(...)` — avoid executing untrusted scripts; prefer safe expression parsers or sandboxing
- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai bot Mar 16, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Path traversal rule gives incorrect/incomplete remediation: getCanonicalPath() is not a Path API and canonicalization alone is insufficient without base-directory containment checks.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At agents/java-reviewer.md, line 22:

<comment>Path traversal rule gives incorrect/incomplete remediation: `getCanonicalPath()` is not a `Path` API and canonicalization alone is insufficient without base-directory containment checks.</comment>

<file context>
@@ -11,16 +11,22 @@ When invoked:
-- **Command injection**: User-controlled input passed to `ProcessBuilder`, `Runtime.exec()`, or `ScriptEngine` — validate and sanitise before any process invocation
+- **Command injection**: User-controlled input passed to `ProcessBuilder` or `Runtime.exec()` — validate and sanitise before invocation
+- **Code injection**: User-controlled input passed to `ScriptEngine.eval(...)` — avoid executing untrusted scripts; prefer safe expression parsers or sandboxing
+- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
 - **Hardcoded secrets**: API keys, passwords, tokens in source — must come from environment or secrets manager
 - **PII/token logging**: `log.info(...)` calls near auth code that expose passwords or tokens
</file context>
Suggested change
- **Path traversal**: User-controlled input passed to `new File(userInput)`, `Paths.get(userInput)`, or `FileInputStream(userInput)` without `getCanonicalPath()` validation
- **Path traversal**: User-controlled input used in file APIs (`File`, `Path`, `FileInputStream`) without safe path validation — resolve/canonicalize (`File#getCanonicalPath()` or `Path#normalize()/toRealPath()` as appropriate) and enforce that the resolved path stays within an allowed base directory (plus input allowlisting where possible)
Fix with Cubic

- **Hardcoded secrets**: API keys, passwords, tokens in source — must come from environment or secrets manager
- **PII/token logging**: `log.info(...)` calls near auth code that expose passwords or tokens
- **Missing `@Valid`**: Raw `@RequestBody` without Bean Validation — never trust unvalidated input
- **CSRF disabled without justification**: Stateless JWT APIs may disable it but must document why
Comment thread
greptile-apps[bot] marked this conversation as resolved.

Comment thread
greptile-apps[bot] marked this conversation as resolved.
If any CRITICAL security issue is found, stop and escalate to `security-reviewer`.
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.

### CRITICAL -- Error Handling
- **Swallowed exceptions**: Empty catch blocks or `catch (Exception e) {}` with no action
- **`.get()` on Optional**: Calling `repository.findById(id).get()` without `.isPresent()` — use `.orElseThrow()`
- **Missing `@RestControllerAdvice`**: Exception handling scattered across controllers instead of centralised
- **Wrong HTTP status**: Returning `200 OK` with null body instead of `404`, or missing `201` on creation
Comment thread
greptile-apps[bot] marked this conversation as resolved.

### HIGH -- Spring Boot Architecture
- **Field injection**: `@Autowired` on fields is a code smell — constructor injection is required
- **Business logic in controllers**: Controllers must delegate to the service layer immediately
- **`@Transactional` on wrong layer**: Must be on service layer, not controller or repository
- **Missing `@Transactional(readOnly = true)`**: Read-only service methods must declare this
- **Entity exposed in response**: JPA entity returned directly from controller — use DTO or record projection

### HIGH -- JPA / Database
- **N+1 query problem**: `FetchType.EAGER` on collections — use `JOIN FETCH` or `@EntityGraph`
- **Unbounded list endpoints**: Returning `List<T>` from endpoints without `Pageable` and `Page<T>`
- **Missing `@Modifying`**: Any `@Query` that mutates data requires `@Modifying` + `@Transactional`
- **Dangerous cascade**: `CascadeType.ALL` with `orphanRemoval = true` — confirm intent is deliberate

### MEDIUM -- Concurrency and State
- **Mutable singleton fields**: Non-final instance fields in `@Service` / `@Component` are a race condition
- **Unbounded `@Async`**: `CompletableFuture` or `@Async` without a custom `Executor` — default creates unbounded threads
- **Blocking `@Scheduled`**: Long-running scheduled methods that block the scheduler thread

### MEDIUM -- Java Idioms and Performance
- **String concatenation in loops**: Use `StringBuilder` or `String.join`
- **Raw type usage**: Unparameterised generics (`List` instead of `List<T>`)
- **Missed pattern matching**: `instanceof` check followed by explicit cast — use pattern matching (Java 16+)
- **Null returns from service layer**: Prefer `Optional<T>` over returning null

### MEDIUM -- Testing
- **`@SpringBootTest` for unit tests**: Use `@WebMvcTest` for controllers, `@DataJpaTest` for repositories
- **Missing Mockito extension**: Service tests must use `@ExtendWith(MockitoExtension.class)`
- **`Thread.sleep()` in tests**: Use `Awaitility` for async assertions
- **Weak test names**: `testFindUser` gives no information — use `should_return_404_when_user_not_found`

### MEDIUM -- Workflow and State Machine (payment / event-driven code)
- **Idempotency key checked after processing**: Must be checked before any state mutation
- **Illegal state transitions**: No guard on transitions like `CANCELLED → PROCESSING`
- **Non-atomic compensation**: Rollback/compensation logic that can partially succeed
- **Missing jitter on retry**: Exponential backoff without jitter causes thundering herd
- **No dead-letter handling**: Failed async events with no fallback or alerting

## Diagnostic Commands
```bash
git diff -- '*.java'
mvn verify -q
./gradlew check # Gradle equivalent
./mvnw checkstyle:check # style
./mvnw spotbugs:check # static analysis
./mvnw test # unit tests
./mvnw dependency-check:check # CVE scan (OWASP plugin)
grep -rn "@Autowired" src/main/java --include="*.java"
grep -rn "FetchType.EAGER" src/main/java --include="*.java"
```
Read `pom.xml`, `build.gradle`, or `build.gradle.kts` to determine the build tool and Spring Boot version before reviewing.

Comment on lines +73 to +86
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Make diagnostics explicitly build-tool-aware to avoid false negatives on Gradle projects.

Line 77 includes Gradle, but Lines 78-81 are Maven-wrapper-only commands. For Gradle-only repos, this can skip style/security checks despite the agent being “for all Java code changes” (Line 3). Split diagnostics into Maven vs Gradle branches with equivalent checks.

Suggested adjustment 
 ## Diagnostic Commands
 ```bash
 git diff -- '*.java'
-mvn verify -q
-./gradlew check                              # Gradle equivalent
-./mvnw checkstyle:check                      # style
-./mvnw spotbugs:check                        # static analysis
-./mvnw test                                  # unit tests
-./mvnw dependency-check:check                # CVE scan (OWASP plugin)
+# Maven projects (pom.xml / mvnw)
+mvn verify -q
+./mvnw checkstyle:check
+./mvnw spotbugs:check
+./mvnw test
+./mvnw dependency-check:check
+
+# Gradle projects (build.gradle / build.gradle.kts / gradlew)
+./gradlew check
+# If configured in Gradle:
+# ./gradlew checkstyleMain spotbugsMain test dependencyCheckAnalyze
 grep -rn "@Autowired" src/main/java --include="*.java"
 grep -rn "FetchType.EAGER" src/main/java --include="*.java"
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @agents/java-reviewer.md around lines 73 - 86, The diagnostic commands block
currently mixes Maven wrapper commands (mvn, ./mvnw ...) with Gradle commands
and can miss checks on Gradle-only repos; update the diagnostics in the
"Diagnostic Commands" section so they first detect the build tool (presence of
pom.xml or build.gradle/build.gradle.kts or gradlew) and then run the
appropriate branch: for Maven projects run mvn verify -q and the ./mvnw checks
(checkstyle, spotbugs, test, dependency-check), and for Gradle projects run
./gradlew check plus any configured Gradle equivalents (e.g., checkstyleMain,
spotbugsMain, test, dependencyCheckAnalyze); keep the common grep lines for
@Autowired and FetchType.EAGER unchanged.


</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

## Approval Criteria
- **Approve**: No CRITICAL or HIGH issues
- **Warning**: MEDIUM issues only
- **Block**: CRITICAL or HIGH issues found

For detailed Spring Boot patterns and examples, see `skill: springboot-patterns`.