Ruby support - tested (#122)

yallasec · web-flow · commit 60ee98077437 · 2025-12-16T14:11:42.000Z
* plugin update with ruby support

* python implementation for ruby
diff --git a/src/metis/plugins/plugins.yaml b/src/metis/plugins/plugins.yaml
@@ -14,12 +14,10 @@ general_prompts:
     FILE: {file_path}
   security_review_report: |-
     3. How to Report
-        - Return a JSON object with a single key "reviews" mapping to a list of identified security issues.
+        - List all identified security issues in a JSON array.
         - Each element must strictly follow this structure:
           [[REVIEW_SCHEMA_FIELDS]]
-        - If no identified security issues are found, return: {\"reviews\": []}
-        - If no CWE identified, does not guess a number.
-        - Ensure the json is valid, without any additional commentary or text outside the json structure.
+        - IMPORTANT: If no identified security issues are found, return: {\"reviews\": []}
 
 plugins:
   c:
@@ -216,6 +214,49 @@ plugins:
         1. FILE - A source code file
         2. RELEVANT_CONTEXT - information about what these changes do.
 
+        Your tasks are:
+        1. Security Review Scope
+           - Review the security implications of the FILE.
+        If it is empty, ignore it.
+  ruby:
+    supported_extensions: [".rb"]
+    splitting:
+      chunk_lines: 40
+      chunk_lines_overlap: 15
+      max_chars: 1500
+    prompts:
+      security_review: |-
+        You are a thorough security engineer specializing in Ruby.
+        Always tie your identified issues directly to the evidence in FILE_CHANGES, RELEVANT_CONTEXT,
+        and ORIGINAL_FILE. Do not introduce new security conclusions that are not supported
+        by the specific changes or context provided.
+        You will be given:
+        1. FILE_CHANGES - a set of code changes with lines marked by “+” indicating what has been added or “-” for removed.
+        2. RELEVANT_CONTEXT - information about what these changes do.
+        3. ORIGINAL_FILE - The original file before being modified. Use this to understand how changes affect the code. (this may be empty).
+
+        Your tasks are:
+        1. Security Review Scope
+           - Review the security implications of the FILE_CHANGES, focusing on lines marked with “+.” or “-” but take into account how they interact with the whole file.
+        If it is empty, ignore it.
+      security_review_checks: |-
+        2. What to Check
+           - Look for potential security issues such as:
+             - OWASP Top 10 vulnerabilities
+             - Hardcoded secrets
+             - Insecure use of libraries
+           - Do not report on issues that do not affect security.
+      validation_review: "Validate the following Ruby review for security concerns."
+      snippet_security_summary: "Summarize the security implications of these Ruby code changes."
+      attempt_fix: "Based on the issues detected in the Ruby code changes, propose a fix patch. Issues: {issues} Patch: {patch}"
+      security_review_file: |-
+        You are a thorough security engineer specializing in Ruby.
+        Always tie your identified issues directly to the evidence in FILE and RELEVANT_CONTEXT.
+        Do not introduce new security conclusions that are not supported by the specific changes or context provided.
+        You will be given:
+        1. FILE - A source code file
+        2. RELEVANT_CONTEXT - information about what these changes do.
+
         Your tasks are:
         1. Security Review Scope
            - Review the security implications of the FILE.
diff --git a/src/metis/plugins/ruby_plugin.py b/src/metis/plugins/ruby_plugin.py
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its affiliates <open-source-office@arm.com>
+# SPDX-License-Identifier: Apache-2.0
+
+from llama_index.core.node_parser import CodeSplitter
+
+from metis.plugins.base import BaseLanguagePlugin
+
+
+class RubyPlugin(BaseLanguagePlugin):
+    def __init__(self, plugin_config):
+        self.plugin_config = plugin_config
+
+    def get_name(self):
+        return "ruby"
+
+    def can_handle(self, extension):
+        supported = self.get_supported_extensions()
+        return extension.lower() in supported
+
+    def get_supported_extensions(self):
+        return (
+            self.plugin_config.get("plugins", {})
+            .get(self.get_name(), {})
+            .get("supported_extensions", [".rb"])
+        )
+
+    def get_splitter(self):
+        splitting_cfg = (
+            self.plugin_config.get("plugins", {})
+            .get(self.get_name(), {})
+            .get("splitting", {})
+        )
+        return CodeSplitter(
+            language=self.get_name(),
+            chunk_lines=splitting_cfg["chunk_lines"],
+            chunk_lines_overlap=splitting_cfg["chunk_lines_overlap"],
+            max_chars=splitting_cfg["max_chars"],
+        )
+
+    def get_prompts(self):
+        return (
+            self.plugin_config.get("plugins", {})
+            .get(self.get_name(), {})
+            .get("prompts", {})
+        )
