feat: utilize the OpenAI API for tunneling detection

Author: efebeydogan01

.github/workflows/gradle.yml

@@ -18,6 +18,9 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    env:
+      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+
     steps:
     - uses: actions/checkout@v3
     - name: Set up JDK

build.gradle

@@ -36,6 +36,7 @@ dependencies {
     implementation("org.atteo:evo-inflector:1.3")
     implementation("org.apache.opennlp:opennlp-tools:2.3.0")
     implementation("nz.ac.waikato.cms.weka:weka-stable:3.8.6")
+    implementation("com.openai:openai-java:1.6.1")
 }
 
 shadowJar {

src/main/java/cli/RestRulerCli.java

@@ -28,6 +28,10 @@ public class RestRulerCli implements Runnable {
             description = "Specify the naming convention to use (camelcase or kebabcase). Default is kebabcase.")
     private String namingConvention;
 
+    @Option(names = {"-llm", "--enableExternalLLM"},
+        description = "Enable the usage of LLMs for the evaluation of some rules.")
+    private boolean enableLLM;
+
     public static void main(String[] args) {
         PicocliRunner.run(RestRulerCli.class, args);
     }
@@ -46,7 +50,7 @@ public void run() {
             } else {
                 output.setNamingConventionRules(false);
             }
-
+            output.setEnableLLM(this.enableLLM);
             if (filename != null)
                 output.startAnalysis(this.openApiPath, this.filename);
             else

src/main/java/cli/ai/gpt.java

@@ -0,0 +1,100 @@
+package cli.ai;
+
+import cli.analyzer.RestAnalyzer;
+import cli.rule.IRestRule;
+import cli.rule.Violation;
+import cli.rule.constants.*;
+import com.openai.client.OpenAIClient;
+import com.openai.client.okhttp.OpenAIOkHttpClient;
+import com.openai.models.ChatModel;
+import com.openai.models.responses.Response;
+import com.openai.models.responses.ResponseCreateParams;
+
+import java.util.List;
+
+// gpt is a class that brings together the LLM-related functionality in the CLI
+// different rules may use the methods in this class to establish a connection to an external LLM agent for rule evaluation
+public class gpt {
+    private OpenAIClient client;
+
+    private final String modelNoResponse = "no";
+    
+    private final String systemMessageTunneling = """
+        You are a REST API design validator. Your task is to determine whether HTTP method tunneling is present in a given endpoint.
+
+        An endpoint is considered to be tunneling if it uses a certain HTTP method to perform actions that are more appropriately represented by another HTTP method.
+
+        HTTP Method Definitions (use these exact criteria):
+        - POST must be used to create a new resource in a collection or to execute controllers and not for other purposes
+        - GET must be used to retrieve a representation of a resource and not for other purposes
+        - DELETE should be used to delete a resource and not for other purposes
+        - PUT must be used to both insert and update a stored resource and not for other purposes
+
+        If the actual HTTP method does not align with the conventional RESTful method implied by the endpoint's summary or description, classify it as tunneling.
+
+        Only respond with a one-word valid method name (one of POST, GET, DELETE or PUT) or "No" if no violation is detected.
+        Do not explain your reasoning.
+
+        Examples:
+
+        Method: POST  
+        Description: Update a list.  
+        Summary: Update a list based on input.
+        Response: PUT
+
+        Method: PUT  
+        Description: Submit a new application for review.  
+        Summary: Create a new application  
+        Response: POST
+
+        Method: DELETE  
+        Description: Deactivate a user account.  
+        Summary: Soft delete a user  
+        Response: No
+        """;
+    
+    public gpt() {
+        this.client = OpenAIOkHttpClient.fromEnv();
+    }
+
+    public void tunnelingViolationAI(IRestRule rule, String keyPath, String description, String summary,
+    String requestType, String requestTypeMessage, String improvement, List<Violation> violations) {
+        String input = this.constructTunnelingInput(description, summary, requestType);
+        ResponseCreateParams params = ResponseCreateParams.builder()
+        .temperature(0)
+        .instructions(this.systemMessageTunneling)
+        .input(input)
+        .model(ChatModel.GPT_4_1_MINI)
+        .build();
+        Response response = this.client.responses().create(params);
+
+        response.output().stream()
+                .flatMap(item -> item.message().stream())
+                .flatMap(message -> message.content().stream())
+                .flatMap(content -> content.outputText().stream())
+                .forEach(outputText -> {
+                    String output = outputText.text();
+
+                    if (!output.toLowerCase().equals(this.modelNoResponse) && !output.toUpperCase().equals(requestType.toUpperCase())) {
+                        violations.add(new Violation(rule, RestAnalyzer.locMapper.getLOCOfPath(keyPath),
+                                requestTypeMessage + improvement + output,
+                                keyPath,
+                                ErrorMessage.REQUESTTYPE));
+                    }
+                });
+    }
+
+    private String constructTunnelingInput(String description, String summary, String requestType) {
+        String res = String.format("Method: %s", requestType);
+
+        if (description != null && !description.isEmpty()) {
+            res += String.format("\nDescription: %s", description);
+        }
+
+        if (summary != null && !summary.isEmpty()) {
+            res += String.format("\nSummary: %s", summary);
+        }
+
+        return res;
+    }
+}

src/main/java/cli/rule/IRestRule.java

@@ -23,6 +23,14 @@ public interface IRestRule {
     boolean getIsActive();
 
     void setIsActive(boolean isActive);
+    
+    /**
+     * Method used to determine whether the rule will use an LLM-based approach during evaluation.
+     * This method is only used by rules that actually have an LLM component, so not every rule needs to implement a body for this.
+     *
+     * @param enableLLM determines whether LLM usage is enabled or not
+     */
+    default void setEnableLLM(boolean enableLLM) {}
 
     /**
      * Method used to check for any violations of the implemented rule

src/main/java/cli/rule/rules/RequestTypeDescriptionRule.java

@@ -8,6 +8,7 @@
 import io.swagger.v3.oas.models.Paths;
 import org.apache.commons.lang3.tuple.ImmutablePair;
 import cli.weka.RequestMethodsWekaClassifier;
+import cli.ai.gpt;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -18,13 +19,17 @@ public class RequestTypeDescriptionRule implements IRestRule {
     private static final RuleIdentifier RULE_IDENTIFIER = RuleIdentifier.REQUEST_TYPE_DESCRIPTION;
     static final RuleCategory RULE_CATEGORY = RuleCategory.META;
     static final RuleSeverity RULE_SEVERITY = RuleSeverity.WARNING;
-    static final List<RuleSoftwareQualityAttribute> SOFTWARE_QUALITY_ATTRIBUTES = List.of(RuleSoftwareQualityAttribute.MAINTAINABILITY);
+    static final List<RuleSoftwareQualityAttribute> SOFTWARE_QUALITY_ATTRIBUTES = List
+            .of(RuleSoftwareQualityAttribute.MAINTAINABILITY);
     private static final String IMPROVEMNT_SUB_STRING = " The request should be of type: ";
     private boolean isActive;
     final String MODEL = "/models/request_model.dat";
+    private gpt gptClient;
+    private boolean enableLLM = false;
 
     public RequestTypeDescriptionRule(boolean isActive) {
         this.isActive = isActive;
+        this.gptClient = new gpt();
     }
 
     @Override
@@ -62,6 +67,11 @@ public void setIsActive(boolean isActive) {
         this.isActive = isActive;
     }
 
+    @Override
+    public void setEnableLLM(boolean enableLLM) {
+        this.enableLLM = enableLLM;
+    }
+
     @Override
     public List<Violation> checkViolation(OpenAPI openAPI) {
         RequestMethodsWekaClassifier wt = new RequestMethodsWekaClassifier();
@@ -72,57 +82,103 @@ public List<Violation> checkViolation(OpenAPI openAPI) {
         Set<String> paths = openAPI.getPaths().keySet();
         Paths pathsTest = openAPI.getPaths();
 
-        if (paths.isEmpty()) return violations;
+        if (paths.isEmpty())
+            return violations;
         pathsTest.values().forEach(pathItem -> {
-            String keyPath = pathsTest.keySet().stream().filter(key -> pathsTest.get(key).equals(pathItem)).findFirst().get();
-            if(pathItem.getGet() != null){
+            String keyPath = pathsTest.keySet().stream().filter(key -> pathsTest.get(key).equals(pathItem)).findFirst()
+                    .get();
+            if (pathItem.getGet() != null) {
                 String description = pathItem.getGet().getDescription();
                 String summary = pathItem.getGet().getSummary();
-                if(summary != null && !summary.isEmpty()){
-                   getViolationGetRequest(wt, keyPath, summary, ErrorMessage.REQUESTTYPETUNNELINGGET, "get", ImprovementSuggestion.REQUESTTYPEGET, true, violations);
-                }else if (description != null && !description.isEmpty()){
-                    getViolationGetRequest(wt, keyPath, description, ErrorMessage.REQUESTTYPETUNNELINGGET, "get", ImprovementSuggestion.REQUESTTYPEGET, true, violations);
+
+                if (this.enableLLM) {
+                    this.gptClient.tunnelingViolationAI(this, keyPath, description, summary, "get", ImprovementSuggestion.REQUESTTYPEGET, IMPROVEMNT_SUB_STRING, violations);
+                } else {
+                    if (summary != null && !summary.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, summary,
+                        ErrorMessage.REQUESTTYPETUNNELINGGET, "get",
+                        ImprovementSuggestion.REQUESTTYPEGET, true, violations);
+                    } else if (description != null && !description.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, description,
+                        ErrorMessage.REQUESTTYPETUNNELINGGET, "get",
+                        ImprovementSuggestion.REQUESTTYPEGET, true, violations);
+                    }
                 }
 
+
             }
-            if(pathItem.getPost() != null){
+            if (pathItem.getPost() != null) {
                 String description = pathItem.getPost().getDescription();
                 String summary = pathItem.getPost().getSummary();
-                if(summary != null && !summary.isEmpty()){
-                   getViolationGetRequest(wt, keyPath, summary, ErrorMessage.REQUESTTYPETUNNELINGPOST, "post", ImprovementSuggestion.REQUESTTYPEPOST, true, violations);
-                }else if (description != null && !description.isEmpty()){
-                    getViolationGetRequest(wt, keyPath, description, ErrorMessage.REQUESTTYPETUNNELINGPOST, "post", ImprovementSuggestion.REQUESTTYPEPOST, true, violations);
+
+                if (this.enableLLM) {
+                    this.gptClient.tunnelingViolationAI(this, keyPath, description, summary, "post", ImprovementSuggestion.REQUESTTYPEPOST, IMPROVEMNT_SUB_STRING, violations);
+                } else {
+                    if (summary != null && !summary.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, summary,
+                        ErrorMessage.REQUESTTYPETUNNELINGPOST, "post",
+                        ImprovementSuggestion.REQUESTTYPEPOST, true, violations);
+                    } else if (description != null && !description.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, description,
+                        ErrorMessage.REQUESTTYPETUNNELINGPOST, "post",
+                        ImprovementSuggestion.REQUESTTYPEPOST, true, violations);
+                    }
                 }
             }
-            if(pathItem.getPut() != null){
+            if (pathItem.getPut() != null) {
                 String description = pathItem.getPut().getDescription();
                 String summary = pathItem.getPut().getSummary();
-                if(summary != null && !summary.isEmpty()){
-                    getViolationGetRequest(wt, keyPath, summary, "", "put", ImprovementSuggestion.REQUESTTYPEPUT, false, violations);
-                }else if (description != null && !description.isEmpty()){
-                    getViolationGetRequest(wt, keyPath, description, "", "put", ImprovementSuggestion.REQUESTTYPEPUT, false, violations);
+
+                if (this.enableLLM) {
+                    this.gptClient.tunnelingViolationAI(this, keyPath, description, summary, "put", ImprovementSuggestion.REQUESTTYPEPUT, IMPROVEMNT_SUB_STRING, violations);
+                } else {
+                    if (summary != null && !summary.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, summary, "", "put",
+                        ImprovementSuggestion.REQUESTTYPEPUT, false,
+                        violations);
+                    } else if (description != null && !description.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, description, "", "put",
+                        ImprovementSuggestion.REQUESTTYPEPUT,
+                        false, violations);
+                    }
                 }
             }
-            if(pathItem.getDelete() != null){
+            if (pathItem.getDelete() != null) {
                 String description = pathItem.getDelete().getDescription();
                 String summary = pathItem.getDelete().getSummary();
-                if(summary != null && !summary.isEmpty()){
-                    getViolationGetRequest(wt, keyPath, summary, "", "delete", ImprovementSuggestion.REQUESTTYPEDELETE, false, violations);
-                }else if (description != null && !description.isEmpty()){
-                   getViolationGetRequest(wt, keyPath, description, "", "delete", ImprovementSuggestion.REQUESTTYPEDELETE, false, violations);
+
+                if (this.enableLLM) {
+                    this.gptClient.tunnelingViolationAI(this, keyPath, description, summary, "delete",
+                    ImprovementSuggestion.REQUESTTYPEDELETE, IMPROVEMNT_SUB_STRING, violations);
+                } else {
+                    if (summary != null && !summary.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, summary, "", "delete",
+                        ImprovementSuggestion.REQUESTTYPEDELETE,
+                        false, violations);
+                    } else if (description != null && !description.isEmpty()) {
+                        getViolationGetRequest(wt, keyPath, description, "", "delete",
+                        ImprovementSuggestion.REQUESTTYPEDELETE, false, violations);
+                    }
                 }
             }
         });
 
         return violations;
     }
 
-    private void getViolationGetRequest(RequestMethodsWekaClassifier wt, String keyPath, String description, String requestTypeTunnelingType, String requestType, String requestTypeMessage, boolean switchRequestType, List<Violation> violations) {
+    private void getViolationGetRequest(RequestMethodsWekaClassifier wt, String keyPath, String description,
+            String requestTypeTunnelingType, String requestType, String requestTypeMessage, boolean switchRequestType,
+            List<Violation> violations) {
         ImmutablePair<String, Double> predictionValues = wt.predict(description);
-        if ((predictionValues != null && predictionValues.right != null && predictionValues.left != null) && predictionValues.left.equals("invalid") && (predictionValues.right >= 0.75) && switchRequestType) {
-            violations.add(new Violation(this, RestAnalyzer.locMapper.getLOCOfPath(keyPath), ImprovementSuggestion.REQUESTTYPETUNELING, keyPath, requestTypeTunnelingType));
-        } else if ((predictionValues != null && predictionValues.right != null && predictionValues.left != null) && !predictionValues.left.equals(requestType) && (predictionValues.right >= 0.75)) {
-            violations.add(new Violation(this, RestAnalyzer.locMapper.getLOCOfPath(keyPath), requestTypeMessage + IMPROVEMNT_SUB_STRING + predictionValues.left.toUpperCase(), keyPath, ErrorMessage.REQUESTTYPE));
+        if ((predictionValues != null && predictionValues.right != null && predictionValues.left != null)
+                && predictionValues.left.equals("invalid") && (predictionValues.right >= 0.75) && switchRequestType) {
+            violations.add(new Violation(this, RestAnalyzer.locMapper.getLOCOfPath(keyPath),
+                    ImprovementSuggestion.REQUESTTYPETUNELING, keyPath, requestTypeTunnelingType));
+        } else if ((predictionValues != null && predictionValues.right != null && predictionValues.left != null)
+                && !predictionValues.left.equals(requestType) && (predictionValues.right >= 0.75)) {
+            violations.add(new Violation(this, RestAnalyzer.locMapper.getLOCOfPath(keyPath),
+                    requestTypeMessage + IMPROVEMNT_SUB_STRING + predictionValues.left.toUpperCase(), keyPath,
+                    ErrorMessage.REQUESTTYPE));
         }
     }
 

src/main/java/cli/utility/Output.java

@@ -17,6 +17,7 @@ public class Output {
     private static final String UNDERLINE = "----------------------------------------------";
     private final Scanner scanner = new Scanner(System.in);
     private boolean useCamelCase = false;
+    private boolean enableLLM = false;
 
     /**
      * Sets which naming convention rules should be active
@@ -26,6 +27,14 @@ public void setNamingConventionRules(boolean useCamelCase) {
         this.useCamelCase = useCamelCase;
     }
 
+    /**
+     * Toggles flag to enable the usage of LLMs in some rules
+     * @param enableLLM if true, enables the usage of LLMs
+     */
+    public void setEnableLLM(boolean enableLLM) {
+        this.enableLLM = enableLLM;
+    }
+
     /**
      * Method for the expert mode. User will be asked to enable or disable each rule. The input will
      * be saved in the config file.
@@ -128,6 +137,11 @@ public void startAnalysis(String pathToFile, boolean generateReport) {
         List<IRestRule> ruleList = activeRules.getAllRuleObjects();
         for (IRestRule rule : ruleList) {
             RuleIdentifier ruleIdentifier = rule.getIdentifier();
+
+            if (ruleIdentifier == RuleIdentifier.REQUEST_TYPE_DESCRIPTION) {
+                rule.setEnableLLM(this.enableLLM);
+            }
+
             if (useCamelCase) {
                 if (ruleIdentifier == RuleIdentifier.CAMEL_CASE) {
                     rule.setIsActive(true);
@@ -173,6 +187,11 @@ public void startAnalysis(String pathToFile, String title) {
         List<IRestRule> ruleList = activeRules.getAllRuleObjects();
         for (IRestRule rule : ruleList) {
             RuleIdentifier ruleIdentifier = rule.getIdentifier();
+
+            if (ruleIdentifier == RuleIdentifier.REQUEST_TYPE_DESCRIPTION) {
+                rule.setEnableLLM(this.enableLLM);
+            }
+
             if (useCamelCase) {
                 if (ruleIdentifier == RuleIdentifier.CAMEL_CASE) {
                     rule.setIsActive(true);