Added the following.

Ability to retrieve applications based on Metadata
Ability to retreive applications based on Tags
Ability to retrieve route coverage and vulnerabilities based on Session Metadata.
Either requesting a specifc metadata value or the latest session.
Fixed an issue which application retrieval and caching. Now if the application cannot be found in the cache, a check is made to the API.
Allow users to specify if Teamserver is run on http/https. It defaults to https. But for local teamserver installations http is now an option.
Added Technologies as information returned in the Application.

Author: JoeBeeContrast

README.md

@@ -42,6 +42,20 @@ Contrast's MCP server allows you as a developer or security professional to quic
 
 * Which libraries in Application X are not being used?
 
+#### Retrieving application based on Tags
+* please give me the applications tagged with "backend"
+
+#### Retrieving application based on Metadata
+* please give me the applications with metadata  "dev-team" "backend-team"
+
+#### Retrieving vulnerabilities based on Session Metadata
+* give me the sesssion metadata for application x
+* give me the vulnerabilities in the latest session for application X
+* give me the vulnerabilities for session metadata "Branch Name" "feature/some-new-fix" for application X
+* give me the route coverage for the latest session for application X
+* give me the route coverage for session metadata "Branch Name" "feature/some-new-fix" for application X
+
+
 ### For the Security Professional
 * Please give me a breakdown of applications and servers vulnerable to CVE-xxxx-xxxx
 * Please list the libraries for application named xxx and tell me what version of commons-collections is being used

src/main/java/com/contrast/labs/ai/mcp/contrast/ADRService.java

@@ -18,6 +18,7 @@
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKExtension;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKHelper;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.ProtectData;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.application.Application;
 import com.contrastsecurity.sdk.ContrastSDK;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -26,6 +27,7 @@
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
+import java.util.Optional;
 
 @Service
 public class ADRService {
@@ -66,14 +68,14 @@ public ProtectData getProtectData(String applicationName) throws IOException {
 
             // Get application ID from name
             logger.debug("Looking up application ID for name: {}", applicationName);
-            String appID = SDKHelper.getAppIDFromName(applicationName, orgID, contrastSDK);
-            if (appID == null || appID.isEmpty()) {
+            Optional<Application> app = SDKHelper.getApplicationByName(applicationName, orgID, contrastSDK);
+            if (app.isEmpty()) {
                 logger.warn("No application ID found for application: {}", applicationName);
                 return null;
             }
-            logger.debug("Found application ID: {} for application: {}", appID, applicationName);
+            logger.debug("Found application ID: {} for application: {}", app.get().getAppId(), applicationName);
 
-            ProtectData result = getProtectDataByAppID(appID);
+            ProtectData result = getProtectDataByAppID(app.get().getAppId());
             long duration = System.currentTimeMillis() - startTime;
             logger.info("Completed retrieval of protection rules for application: {} (took {} ms)", applicationName, duration);
             return result;

src/main/java/com/contrast/labs/ai/mcp/contrast/AssessService.java

@@ -2,10 +2,14 @@
 
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKExtension;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.SDKHelper;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.application.Application;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.routecoverage.Route;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.routecoverage.RouteCoverageBySessionIDAndMetadataRequestExtended;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.routecoverage.RouteCoverageResponse;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.routecoverage.RouteDetailsResponse;
-import com.contrastsecurity.models.Application;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.sessionmetadata.SessionMetadataResponse;
+import com.contrastsecurity.models.RouteCoverageBySessionIDAndMetadataRequest;
+import com.contrastsecurity.models.RouteCoverageMetadataLabelValues;
 import com.contrastsecurity.sdk.ContrastSDK;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,30 +56,23 @@ public RouteCoverageResponse getRouteCoverage(String app_name) throws IOExceptio
         logger.info("Retrieving route coverage for application by name: {}", app_name);
         ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName,httpProxyHost, httpProxyPort);
         SDKExtension sdkExtension = new SDKExtension(contrastSDK);
-        Optional<String> appID = Optional.empty();
         logger.debug("Searching for application ID matching name: {}", app_name);
 
-        for(Application app : SDKHelper.getApplicationsWithCache(orgID, contrastSDK)) {
-            if(app.getName().toLowerCase().contains(app_name.toLowerCase())) {
-                appID = Optional.of(app.getId());
-                logger.debug("Found matching application with ID: {}", appID.get());
-                break;
-            }
-        }
+        Optional<Application> application = SDKHelper.getApplicationByName(app_name, orgID, contrastSDK);
 
-        if (!appID.isPresent()) {
+        if (!application.isPresent()) {
             logger.error("Application not found: {}", app_name);
             throw new IOException("Application not found: " + app_name);
         }
 
-        logger.debug("Fetching route coverage data for application ID: {}", appID.get());
-        RouteCoverageResponse response = sdkExtension.getRouteCoverage(orgID, appID.get(), null);
+        logger.debug("Fetching route coverage data for application ID: {}", application.get().getAppId());
+        RouteCoverageResponse response = sdkExtension.getRouteCoverage(orgID, application.get().getAppId(), null);
         logger.debug("Found {} routes for application", response.getRoutes().size());
 
         logger.debug("Retrieving route details for each route");
         for(Route route : response.getRoutes()) {
             logger.trace("Fetching details for route: {}", route.getSignature());
-            RouteDetailsResponse routeDetailsResponse = sdkExtension.getRouteDetails(orgID, appID.get(), route.getRouteHash());
+            RouteDetailsResponse routeDetailsResponse = sdkExtension.getRouteDetails(orgID, application.get().getAppId(), route.getRouteHash());
             route.setRouteDetailsResponse(routeDetailsResponse);
         }
 
@@ -105,6 +102,86 @@ public RouteCoverageResponse getRouteCoverageByAppID(String app_id) throws IOExc
         return response;
     }
 
+    @Tool(name = "get_application_route_coverage_by_app_name_and_session_metadata", description = "takes a application name and return the route coverage data for that application for the specified session metadata name and value. " +
+            "If a route/endpoint is DISCOVERED, it means it has been found by Assess but that route has had no inbound http requests. If it is EXERCISED, it means it has had at least one inbound http request to that route/endpoint.")
+    public RouteCoverageResponse getRouteCoverageByAppNameAndSessionMetadata(String app_name, String session_Metadata_Name, String session_Metadata_Value) throws IOException {
+        logger.info("Retrieving route coverage for application by Name: {}", app_name);
+        ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName,httpProxyHost, httpProxyPort);
+        logger.debug("Searching for application ID matching name: {}", app_name);
+
+        Optional<Application> application = SDKHelper.getApplicationByName(app_name, orgID, contrastSDK);
+        if (!application.isPresent()) {
+            logger.error("Application not found: {}", app_name);
+            throw new IOException("Application not found: " + app_name);
+        }
+        return getRouteCoverageByAppIDAndSessionMetadata(application.get().getAppId(), session_Metadata_Name, session_Metadata_Value);
+    }
+
+    @Tool(name = "get_application_route_coverage_by_app_id_and_session_metadata", description = "takes a application id and return the route coverage data for that application for the specified session metadata name and value. " +
+            "If a route/endpoint is DISCOVERED, it means it has been found by Assess but that route has had no inbound http requests. If it is EXERCISED, it means it has had at least one inbound http request to that route/endpoint.")
+    public RouteCoverageResponse getRouteCoverageByAppIDAndSessionMetadata(String app_id, String session_Metadata_Name, String session_Metadata_Value) throws IOException {
+        logger.info("Retrieving route coverage for application by ID: {}", app_id);
+        ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName,httpProxyHost, httpProxyPort);
+        SDKExtension sdkExtension = new SDKExtension(contrastSDK);
+        RouteCoverageBySessionIDAndMetadataRequestExtended requestExtended = new RouteCoverageBySessionIDAndMetadataRequestExtended();
+        RouteCoverageMetadataLabelValues metadataLabelValue = new RouteCoverageMetadataLabelValues();
+        metadataLabelValue.setLabel(session_Metadata_Name);
+        metadataLabelValue.getValues().add(String.valueOf(session_Metadata_Value));
+        requestExtended.getValues().add(metadataLabelValue);
+        logger.debug("Fetching route coverage data for application ID: {}", app_id);
+        RouteCoverageResponse response = sdkExtension.getRouteCoverage(orgID, app_id, requestExtended);
+        logger.debug("Found {} routes for application", response.getRoutes().size());
+
+        logger.debug("Retrieving route details for each route");
+        for(Route route : response.getRoutes()) {
+            logger.trace("Fetching details for route: {}", route.getSignature());
+            RouteDetailsResponse routeDetailsResponse = sdkExtension.getRouteDetails(orgID, app_id, route.getRouteHash());
+            route.setRouteDetailsResponse(routeDetailsResponse);
+        }
+
+        logger.info("Successfully retrieved route coverage for application ID: {}", app_id);
+        return response;
+    }
+
+    @Tool(name = "get_application_route_coverage_by_app_name_latest_session", description = "takes a application name and return the route coverage data for that application from the latest session. " +
+            "If a route/endpoint is DISCOVERED, it means it has been found by Assess but that route has had no inbound http requests. If it is EXERCISED, it means it has had atleast one inbound http request to that route/endpoint.")
+    public RouteCoverageResponse getRouteCoverageByAppNameLatestSession(String app_name) throws IOException {
+        logger.info("Retrieving route coverage for application by Name: {}", app_name);
+        ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName, httpProxyHost, httpProxyPort);
+        Optional<Application> application = SDKHelper.getApplicationByName(app_name, orgID, contrastSDK);
+        if (application.isEmpty()) {
+            logger.error("Application not found: {}", app_name);
+            throw new IOException("Application not found: " + app_name);
+        }
+        return getRouteCoverageByAppIDLatestSession(application.get().getAppId());
+    }
+
+
+    @Tool(name = "get_application_route_coverage_by_app_id_latest_session", description = "takes a application id and return the route coverage data for that application from the latest session. " +
+            "If a route/endpoint is DISCOVERED, it means it has been found by Assess but that route has had no inbound http requests. If it is EXERCISED, it means it has had atleast one inbound http request to that route/endpoint.")
+    public RouteCoverageResponse getRouteCoverageByAppIDLatestSession(String app_id) throws IOException {
+        logger.info("Retrieving route coverage for application by ID: {}", app_id);
+        ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName,httpProxyHost, httpProxyPort);
+        SDKExtension sdkExtension = new SDKExtension(contrastSDK);
+        SDKExtension extension = new SDKExtension(contrastSDK);
+        SessionMetadataResponse latest = extension.getLatestSessionMetadata(orgID,app_id);
+        RouteCoverageBySessionIDAndMetadataRequestExtended requestExtended = new RouteCoverageBySessionIDAndMetadataRequestExtended();
+        requestExtended.setSessionId(latest.getAgentSession().getAgentSessionId());
+        logger.debug("Fetching route coverage data for application ID: {}", app_id);
+        RouteCoverageResponse response = sdkExtension.getRouteCoverage(orgID, app_id, requestExtended);
+        logger.debug("Found {} routes for application", response.getRoutes().size());
+
+        logger.debug("Retrieving route details for each route");
+        for(Route route : response.getRoutes()) {
+            logger.trace("Fetching details for route: {}", route.getSignature());
+            RouteDetailsResponse routeDetailsResponse = sdkExtension.getRouteDetails(orgID, app_id, route.getRouteHash());
+            route.setRouteDetailsResponse(routeDetailsResponse);
+        }
+
+        logger.info("Successfully retrieved route coverage for application ID: {}", app_id);
+        return response;
+    }
+
 
 
 

src/main/java/com/contrast/labs/ai/mcp/contrast/RouteCoverageService.java

@@ -21,8 +21,8 @@
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.CveData;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.Library;
 import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.LibraryExtended;
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.application.Application;
 import com.contrastsecurity.http.LibraryFilterForm;
-import com.contrastsecurity.models.Application;
 import com.contrastsecurity.sdk.ContrastSDK;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -62,7 +62,7 @@ public class SCAService {
     private String httpProxyPort;
 
 
-    @Tool(name = "list_application_libraries_by_app_id", description = "takes a application ID and returns the libraries used in the application, note if class usage count is 0 the library is unlikely to be used")
+    @Tool(name = "list_application_libraries_by_app_id", description = "Takes a application ID and returns the libraries used in the application, note if class usage count is 0 the library is unlikely to be used")
     public List<LibraryExtended> getApplicationLibrariesByID(String appID) throws IOException {
         logger.info("Retrieving libraries for application id: {}", appID);
         ContrastSDK contrastSDK = SDKHelper.getSDK(hostName, apiKey, serviceKey, userName,httpProxyHost, httpProxyPort);
@@ -81,18 +81,11 @@ public List<LibraryExtended> getApplicationLibraries(String app_name) throws IOE
         logger.debug("ContrastSDK initialized with host: {}", hostName);
 
         SDKExtension extendedSDK = new SDKExtension(contrastSDK);
-        Optional<String> appID = Optional.empty();
         logger.debug("Searching for application ID matching name: {}", app_name);
-        
-        for(Application app : SDKHelper.getApplicationsWithCache(orgID, contrastSDK)) {
-            if(app.getName().toLowerCase().contains(app_name.toLowerCase())) {
-                appID = Optional.of(app.getId());
-                logger.info("Found matching application - ID: {}, Name: {}", app.getId(), app.getName());
-                break;
-            }
-        }
-        if(appID.isPresent()) {
-            return SDKHelper.getLibsForID(appID.get(),orgID, extendedSDK);
+
+        Optional<Application> application = SDKHelper.getApplicationByName(app_name, orgID, contrastSDK);
+        if(application.isPresent()) {
+            return SDKHelper.getLibsForID(application.get().getAppId(),orgID, extendedSDK);
         } else {
             logger.error("Application not found: {}", app_name);
             throw new IOException("Application not found");

src/main/java/com/contrast/labs/ai/mcp/contrast/SCAService.java

@@ -15,7 +15,10 @@
  */
 package com.contrast.labs.ai.mcp.contrast.data;
 
-import java.util.Date;
+import java.util.List;
 
-public record ApplicationData(String name, String status, String appID, long lastSeen, String lastSeenDate, String language) {
+public record ApplicationData(String name, String status, String appID,
+                              long lastSeen, String lastSeenDate,
+                              String language, List<Metadata> metadata,List<String> tags,
+                              List<String> technologies) {
 }

src/main/java/com/contrast/labs/ai/mcp/contrast/data/ApplicationData.java

@@ -0,0 +1,4 @@
+package com.contrast.labs.ai.mcp.contrast.data;
+
+public record Metadata(String name,String value) {
+}

src/main/java/com/contrast/labs/ai/mcp/contrast/data/Metadata.java

@@ -0,0 +1,14 @@
+package com.contrast.labs.ai.mcp.contrast.data;
+
+public class TraceFilterBody extends com.contrastsecurity.models.TraceFilterBody {
+
+    private String agentSessionId;
+
+    public String getAgentSessionId() {
+        return agentSessionId;
+    }
+
+    public void setAgentSessionId(String agentSessionId) {
+        this.agentSessionId = agentSessionId;
+    }
+}

src/main/java/com/contrast/labs/ai/mcp/contrast/data/TraceFilterBody.java

@@ -15,5 +15,9 @@
  */
 package com.contrast.labs.ai.mcp.contrast.data;
 
-public record VulnLight(String title, String type, String vulnID,String severity) {
+import com.contrast.labs.ai.mcp.contrast.sdkexstension.data.traces.SessionMetadata;
+
+import java.util.List;
+
+public record VulnLight(String title, String type, String vulnID, String severity, List<SessionMetadata> sessionMetadata, String lastSeenDate, long lastSeenTime ) {
 }