
fix(rules/java): repair invalid query in security-interface-impl#11

Merged
boorad merged 1 commit into main from fix/java-security-interface-impl-query
Apr 28, 2026

Conversation


@boorad boorad commented Apr 28, 2026

Summary

The third pattern in rules/java/security-interface-impl.toml used name: (type_identifier) inside scoped_type_identifier, but per tree-sitter-java 0.23.5 node-types.json that node has no fields — only unnamed children of types annotation, generic_type, marker_annotation, scoped_type_identifier, and type_identifier.

Result: the entire rule failed to compile, was skipped at scan time, and emitted a WARN on every Java scan ("Query error at 18:9. Impossible pattern"). Any class implementing a fully-qualified Spring Security interface (e.g. implements org.springframework.security.core.userdetails.UserDetailsService) was silently missed.

Changes

  • rules/java/security-interface-impl.toml
    • Drop the name: field designator from the scoped_type_identifier pattern.
    • Anchor the capture to the last type_identifier with . so we capture the actual scoped name (e.g. UserDetailsService) rather than the package prefix.
    • Add a test fixture covering implements org.springframework.security.core.userdetails.UserDetailsService.
  • src/scanner/matcher.rs — add four cargo test unit tests for this rule (it had none, which is why the bug went unnoticed):
    • java_security_interface_impl_matches (plain)
    • java_security_interface_impl_scoped_matches (fully-qualified)
    • java_security_interface_impl_generic_matches (AuthorizationManager<...>)
    • java_security_interface_impl_no_false_positive (implements Serializable)

Verification

$ cargo run --quiet -- rules validate
All 32 rules validated successfully.

$ cargo test
test result: ok. 89 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

Before this change, scans on the issue's sample tarballs printed the WARN. After, they don't.

Refs #6 (the broken-rule half of the issue; the larger custom-authz-service detection is tracked separately).

Notes

While running cargo run -- rules test, I noticed java-access-decision-voter[1] is failing pre-existing — it expects extends AbstractAccessDecisionManager to match but the query doesn't. Out of scope here; flagging for a follow-up.

Test plan

Summary by CodeRabbit

  • Tests

    • Added unit tests verifying Java security rule detection across multiple interface implementation scenarios, including fully-qualified names and generic types.
  • Bug Fixes

    • Improved pattern matching for Java security interface implementations to capture additional naming contexts.

The third pattern in `java-security-interface-impl` used `name:
(type_identifier)` inside `scoped_type_identifier`, but per
tree-sitter-java 0.23.5 that node has no fields — only unnamed children.
This caused the rule to fail to compile and be skipped at scan time
("Query error at 18:9. Impossible pattern"), so any class implementing
a fully-qualified Spring Security interface was missed.

Drop the field designator and anchor the capture to the last
type_identifier (the actual scoped name) with `.`. Also adds:

- A test fixture for the fully-qualified form, plus four matcher.rs
  unit tests so `cargo test` exercises this rule (it had none).

`cargo run -- rules validate` now reports "All 32 rules validated
successfully." Scans of vbench-server and endorsed_resume no longer
emit the WARN.

Refs #6.
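The broken pattern and its repaired forms side by side, written out here as an added illustration in tree-sitter query syntax. This is not the project's rules/java/security-interface-impl.toml (its TOML wrapper is not reproduced), and the interface-name regex is an assumed placeholder standing in for whatever list the real rule carries:

```scheme
;; Added example, not the project's rule file. Node and field names are those of
;; tree-sitter-java (class_declaration / interfaces: / super_interfaces / type_list);
;; the #match? regex is an assumed placeholder for the rule's real interface list.

;; BROKEN (pre-fix). scoped_type_identifier has no named fields in tree-sitter-java,
;; so `name:` can never be satisfied and query compilation fails with
;; "Impossible pattern". A query object is all-or-nothing: when one pattern is
;; impossible the whole file is rejected, so every pattern in the rule is lost.
;;
;; (class_declaration
;;   interfaces: (super_interfaces
;;     (type_list
;;       (scoped_type_identifier name: (type_identifier) @iface))))

;; 1. Plain name: `class X implements UserDetailsService`
((class_declaration
   interfaces: (super_interfaces
     (type_list (type_identifier) @iface)))
 (#match? @iface "^(UserDetailsService|AuthorizationManager|AccessDecisionVoter)$"))

;; 2. Fully-qualified name:
;;    `implements org.springframework.security.core.userdetails.UserDetailsService`
;; The parse nests left to right:
;;   (scoped_type_identifier (scoped_type_identifier ...) (type_identifier))
;; Child patterns match only direct children, and the trailing `.` anchors the
;; capture to the LAST named child of the outermost node, i.e. UserDetailsService.
;; For a two-segment name such as `userdetails.UserDetailsService` both children
;; are type_identifier; without the anchor the package segment would also be
;; offered to the predicate as a candidate match.
((class_declaration
   interfaces: (super_interfaces
     (type_list
       (scoped_type_identifier (type_identifier) @iface .))))
 (#match? @iface "^(UserDetailsService|AuthorizationManager|AccessDecisionVoter)$"))

;; 3. Generic: `implements AuthorizationManager<RequestAuthorizationContext>`
;; generic_type wraps either a bare or a scoped name plus type_arguments; the
;; alternation captures just the name in either shape and ignores the arguments.
((class_declaration
   interfaces: (super_interfaces
     (type_list
       (generic_type
         [(type_identifier) @iface
          (scoped_type_identifier (type_identifier) @iface .)]))))
 (#match? @iface "^(UserDetailsService|AuthorizationManager|AccessDecisionVoter)$"))

;; `implements Serializable` also yields a type_identifier under type_list, but the
;; #match? predicate rejects it: the negative case the new unit test checks.
```

The `rules validate` step quoted in the description is the check that catches this class of defect: a query that fails to compile silently reduces the rule's detection to zero while the scan itself still exits cleanly, so running validation in CI, and treating the "Impossible pattern" WARN as a failure rather than a log line, is the practical safeguard against it recurring.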

coderabbitai Bot commented Apr 28, 2026

📝 Walkthrough

Updates a Java security interface implementation rule to capture fully-qualified interface names and extends test coverage with four new unit tests verifying detection of Spring Security interface implementations and negative cases.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Security Rule Definition: rules/java/security-interface-impl.toml | Updated query pattern for scoped_type_identifier to capture interface references in different formats; added test case for fully-qualified package name matching. |
| Test Suite: src/scanner/matcher.rs | Added four unit tests validating the security rule: positive cases for simple and fully-qualified UserDetailsService, generic type AuthorizationManager, and a negative case for Serializable. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rule now sees both near and far,
When interfaces hide behind a star,
With tests standing guard in rows so bright,
Spring Security implementations caught in sight,
The scanner hops with pattern delight! 🐰✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed (check skipped; CodeRabbit’s high-level summary is enabled).
  • Title check: ✅ Passed. The title accurately describes the main change: fixing an invalid query pattern in the security-interface-impl rule, which is the core focus of the changeset.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.
  • Linked Issues check: ✅ Passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: ✅ Passed (check skipped because no linked issues were found for this pull request).


@amazon-q-developer amazon-q-developer Bot left a comment

Review Summary

This PR effectively resolves a critical query compilation error in the security-interface-impl rule. The changes are well-structured and properly tested.

Changes Verified

✅ Fixed invalid name: field designator in tree-sitter query that was causing compilation failure
✅ Added proper anchor syntax (.) to capture the correct type identifier
✅ Added comprehensive test coverage (4 new unit tests) covering plain, scoped, generic, and negative cases
✅ New test fixture for fully-qualified interface names
✅ Tests follow established patterns in the codebase

Validation

The PR description shows thorough validation:

  • All 32 rules validate successfully
  • All 89 tests pass
  • Previously failing scans now work without warnings

No blocking issues found. This is a clean bug fix with appropriate test coverage.


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
src/scanner/matcher.rs (1)

480-543: Optional: consolidate these into a table-driven test.

All four tests share the same harness and assertions shape; parameterizing cases would reduce duplication and make future variants easier to add.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/scanner/matcher.rs` around lines 480 - 543, These four unit tests
(java_security_interface_impl_matches,
java_security_interface_impl_scoped_matches,
java_security_interface_impl_generic_matches,
java_security_interface_impl_no_false_positive) are duplicate harnesses —
refactor into a single table-driven test that iterates test cases calling
parse_and_match_java with the snippet and
include_str!("../../rules/java/security-interface-impl.toml"), asserting either
findings.is_empty() or !findings.is_empty() per case; use a Vec of (case_name,
source_snippet, expect_match: bool) and iterate asserting with the case_name to
preserve per-case failure messages.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 369d98dd-6d3a-4ab9-b8ac-4ffaaf9cb179

📥 Commits

Reviewing files that changed from the base of the PR and between 0d03082 and 1791d73.

📒 Files selected for processing (2)
  • rules/java/security-interface-impl.toml
  • src/scanner/matcher.rs

@boorad boorad merged commit 9b0134c into main Apr 28, 2026
3 checks passed
@boorad boorad deleted the fix/java-security-interface-impl-query branch April 28, 2026 17:01
@boorad boorad self-assigned this Apr 28, 2026