feat(rdf): SPARQL playground, MCP knowledge-graph tools, insights endpoints

[harshach]

Describe your changes

This PR closes the RDF fidelity gaps in the knowledge-graph stack and removes the experimental R2RML row-materialization feature (the schema-level concept-graph is the strategy going forward; row triples don't scale and were the wrong target). It adds: a SPARQL playground UI, five MCP knowledge-graph tools (SparqlQueryTool, EntityNeighborhoodTool, FindByTagTool, OntologyDescribeTool, ShaclValidateTool), insights endpoints (PageRank-based importance, Louvain communities, shortest-path explain-lineage, tag/glossary co-occurrence, recommendations), an inference-rule registry with a starter pack (transitive lineage, schema-tag/domain inheritance, PII-propagation-via-lineage), federated-SPARQL allowlist, expanded SHACL shapes + REST validator, custom-ontology upload/extension, PROV-O activity mapper, DQV quality mapper, usage mapper, and JSON-LD context coverage for AI/Automation/Governance entities. Deletes the R2RML mapping schema, validator, registry, applier, materializer workflow, OntologyEmitter sink, Linked-Data UI mode, and emitOntologyTriples profiler flag. Adds the OpenMetadata ontology TTL coverage (skos, dcat, prov, dprod, foaf) for the new entity types and a CHANGELOG.

Type of change

• Improvement
• New feature
• Documentation

Tests

• Unit + ITs added for every new component: SparqlQueryToolTest, EntityNeighborhoodToolTest, FindByTagToolTest, OntologyDescribeToolTest, ShaclValidateToolTest, CustomOntologyValidatorTest, SparqlFederationGuardTest, InferenceRuleValidatorTest, CentralityComputationTest, CommunityComputationTest, LouvainTest, PageRankTest, LineagePathBuilderTest, LineagePathFinderTest, ImportanceQueryBuilderTest, CoOccurrenceQueryBuilderTest, RecommendationsQueryBuilderTest, RdfShaclValidatorTest, OntologyDocumentTest, RdfUsageMapperTest, RdfJsonLdContextTest, expanded RdfPropertyMapperTest, and RdfResourceIT. SPARQL playground covered by SparqlPlayground.test.tsx.

UI screen recording / screenshots

SPARQL playground + KnowledgeGraph view: screenshot/recording to be attached on PR.

🤖 Generated with Claude Code

---

Summary by Gitar

• Configuration updates:
  • Renamed remoteEndpoint to RDF_REMOTE_ENDPOINT in openmetadata.yaml for RDF configuration.
• Migration handling:
  • Updated MigrationWorkflow.java to surface and list specific pending migration versions in error messages.
• UI localization:
  • Added panel-background-color key across all supported language files in openmetadata-ui.
• Generated Types:
  • Added rdfConfiguration.ts to define schema types for RDF-related configuration, supporting the new knowledge-graph infrastructure.

_{This will update automatically on new commits.}

Greptile Summary

This PR significantly expands the RDF/knowledge-graph stack by adding a SPARQL playground UI, five MCP knowledge-graph tools, a suite of graph-analytics insights endpoints (PageRank centrality, Louvain communities, BFS lineage paths, tag co-occurrence, recommendations), an inference-rule registry, federated-SPARQL allowlist enforcement, expanded SHACL validation, custom-ontology upload, and broader JSON-LD context coverage — while removing the experimental R2RML row-materialization path.

• Security hardenings are solid: SPARQL UPDATE validation now uses UpdateFactory (Jena parser) instead of fragile keyword matching; the federation guard uses ElementWalker to catch SERVICE clauses structurally; RdfIriValidator centralises IRI sanitisation for SPARQL interpolation; all new endpoints are authorizeAdmin-gated.
• New MCP tools (SparqlQueryTool, EntityNeighborhoodTool, FindByTagTool, OntologyDescribeTool, ShaclValidateTool) are read-only, enforce the federation allowlist, and cap response sizes.
• CustomOntologyValidator.hasCycle has a correctness bug: onStack is not reset between outer-loop DFS calls, so nodes that merely reference nodes in a confirmed cycle are falsely reported as cyclic themselves, causing valid ontology extensions to be rejected at the admin validation endpoint.

Confidence Score: 3/5

The SPARQL injection hardenings and federation allowlist are well-implemented, but the cycle-detection bug in CustomOntologyValidator will falsely reject valid ontology extensions once any extension with a true cycle has been validated in the same request.

The bulk of the change — federation guard, IRI validator, read-only MCP tools, insights endpoints, SHACL validation — is carefully implemented and admin-gated. The one correctness defect in hasCycle produces incorrect validation results for a real admin workflow (custom ontology registration) with no easy workaround; it needs a one-line fix before this path is relied upon.

openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java — the detectClassHierarchyCycles / hasCycle pair needs onStack.clear() between outer iterations.

Important Files Changed

Filename	Overview
openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java	New admin-only validator for custom ontology extensions; contains a P1 bug in hasCycle where onStack is not reset between outer DFS iterations, producing false-positive cycle errors for nodes that merely reference cyclic nodes without being part of a cycle themselves.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/federation/SparqlFederationGuard.java	New SPARQL SERVICE-clause allowlist guard; correctly uses Jena's ElementWalker to parse real SERVICE elements (not text matching), handles subqueries and variable endpoints, and is applied at both the REST and MCP tool SPARQL paths.
openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfResource.java	Major expansion adding SHACL validation, inference-rule CRUD, insights endpoints (importance, centrality, communities, lineage path, recommendations, co-occurrence), and ontology extension management — all guarded by authorizeAdmin. The private executeSparqlQuery helper correctly enforces the federation guard on every query path including internally-built insight queries.
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/SparqlQueryTool.java	New MCP SPARQL read-only tool; correctly rejects UPDATE/INSERT/DELETE via Jena parser (not text matching), enforces the federation allowlist, caps response size at configurable maxBytes with safe UTF-8 split logic, and restricts accepted formats to a known set.
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/FindByTagTool.java	New MCP tag-search tool; SPARQL is built by string interpolation but the FQN is validated to block quotes, backslash, and newlines before insertion into a double-quoted SPARQL string literal, preventing injection.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/LineagePathFinder.java	BFS lineage path-finder; uses per-frontier SPARQL round-trips with a visited set to prevent cycles and a parents map for path reconstruction. Inputs are validated by LineagePathBuilder.validateNodeUri.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/PageRank.java	Clean iterative weighted PageRank with dangling-node mass redistribution, convergence tolerance, and post-normalization. Handles disconnected components and isolated sinks correctly.
openmetadata-ui/src/main/resources/ui/src/pages/SparqlPlayground/SparqlPlayground.component.tsx	New admin SPARQL playground UI; uses window.prompt() for saved-query naming (P2 UX issue). Format options, inference selection, sample queries, and result rendering are well structured.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/RdfIriValidator.java	New shared IRI validator for SPARQL interpolation; blocks angle-brackets, quotes, backticks, and control characters, enforces http/https scheme, and caps length at 2048. Not yet reused by LineagePathBuilder.validateNodeUri.
openmetadata-service/src/main/java/org/openmetadata/service/migration/api/MigrationWorkflow.java	Minor improvement: pending migration versions are now surfaced in the error message, making startup failures easier to diagnose.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant UI as SparqlPlayground UI
    participant REST as RdfResource (JAX-RS)
    participant Guard as SparqlFederationGuard
    participant Repo as RdfRepository
    participant MCP as MCP SparqlQueryTool

    UI->>REST: "POST /v1/rdf/sparql {query, format, inference}"
    REST->>Guard: enforce(query)
    alt SERVICE clause blocked
        Guard-->>REST: FederationDisallowedException
        REST-->>UI: 403 Forbidden
    else allowed
        Guard-->>REST: ok
        REST->>Repo: executeSparqlQuery(query, mimeType)
        Repo-->>REST: results
        REST-->>UI: 200 + result body
    end

    MCP->>MCP: SparqlQueryTool.execute(params)
    MCP->>MCP: QueryFactory.create(query) — reject UPDATE
    MCP->>Guard: new SparqlFederationGuard(config).enforce(query)
    alt SERVICE blocked
        Guard-->>MCP: FederationDisallowedException
        MCP-->>MCP: return error map
    else allowed
        MCP->>Repo: executeSparqlQuery(query, mimeType)
        Repo-->>MCP: results (capped at maxBytes)
        MCP-->>MCP: return result map
    end

    REST->>REST: "GET /v1/rdf/insights/path?from=..&to=.."
    REST->>REST: LineagePathBuilder.validateNodeUri(from, to)
    REST->>Repo: BFS frontier SPARQL queries (per hop)
    Repo-->>REST: neighbor rows
    REST-->>REST: reconstruct path + decorate with rdf:type
    REST-->>UI: 200 Path JSON

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant UI as SparqlPlayground UI
    participant REST as RdfResource (JAX-RS)
    participant Guard as SparqlFederationGuard
    participant Repo as RdfRepository
    participant MCP as MCP SparqlQueryTool

    UI->>REST: "POST /v1/rdf/sparql {query, format, inference}"
    REST->>Guard: enforce(query)
    alt SERVICE clause blocked
        Guard-->>REST: FederationDisallowedException
        REST-->>UI: 403 Forbidden
    else allowed
        Guard-->>REST: ok
        REST->>Repo: executeSparqlQuery(query, mimeType)
        Repo-->>REST: results
        REST-->>UI: 200 + result body
    end

    MCP->>MCP: SparqlQueryTool.execute(params)
    MCP->>MCP: QueryFactory.create(query) — reject UPDATE
    MCP->>Guard: new SparqlFederationGuard(config).enforce(query)
    alt SERVICE blocked
        Guard-->>MCP: FederationDisallowedException
        MCP-->>MCP: return error map
    else allowed
        MCP->>Repo: executeSparqlQuery(query, mimeType)
        Repo-->>MCP: results (capped at maxBytes)
        MCP-->>MCP: return result map
    end

    REST->>REST: "GET /v1/rdf/insights/path?from=..&to=.."
    REST->>REST: LineagePathBuilder.validateNodeUri(from, to)
    REST->>Repo: BFS frontier SPARQL queries (per hop)
    Repo-->>REST: neighbor rows
    REST-->>REST: reconstruct path + decorate with rdf:type
    REST-->>UI: 200 Path JSON

Loading

_{Reviews (1): Last reviewed commit: "Fix Java checkstyle" | Re-trigger Greptile}

Greptile also left 4 inline comments on this PR.

[github-actions]

✅ TypeScript Types Auto-Updated

The generated TypeScript types have been automatically updated based on JSON schema changes in this PR.

[github-actions]

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[Copilot]

Pull request overview

This PR expands OpenMetadata’s RDF/knowledge-graph capabilities end-to-end: UI support for running SPARQL, spec-level ontology/context updates, and service/MCP tooling for querying, validation (SHACL), federation-guarding, inference rules, and “insights” SPARQL query builders.

Changes:

• Adds SPARQL playground client support + routing, plus supporting UI enums/interfaces and locale keys.
• Introduces/extends RDF specs (ontology changelog, JSON-LD contexts, RDF configuration schema) and adds inference-rule + federation configuration shapes.
• Adds service-side RDF utilities (ontology document serving, SHACL validator, usage/quality/activity mappers, insights query builders) and MCP tools that expose read-only SPARQL + graph utilities.

Reviewed changes

Copilot reviewed 97 out of 100 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
openmetadata-ui/src/main/resources/ui/src/rest/rdfAPI.ts	Adds SPARQL playground REST helper (runSparqlQuery) and result typing.
openmetadata-ui/src/main/resources/ui/src/pages/SparqlPlayground/SparqlPlayground.interface.ts	Adds local types/constants for saved queries and sample queries.
openmetadata-ui/src/main/resources/ui/src/locale/languages/en-us.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/zh-tw.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/zh-cn.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/tr-tr.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/th-th.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/ru-ru.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/pt-pt.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/pt-br.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/pr-pr.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/nl-nl.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/mr-in.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/ko-kr.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/ja-jp.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/he-he.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/gl-es.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/fr-fr.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/es-es.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/de-de.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/locale/languages/ar-sa.json	Adds SPARQL playground-related labels/messages; removes one label key.
openmetadata-ui/src/main/resources/ui/src/enums/codemirror.enum.ts	Adds CodeMirror mode value for SPARQL.
openmetadata-ui/src/main/resources/ui/src/constants/constants.ts	Adds route constant for SPARQL playground.
openmetadata-ui/src/main/resources/ui/src/components/KnowledgeGraph/KnowledgeGraph.tsx	Refactors metadata-mode body rendering; removes a header label.
openmetadata-ui/src/main/resources/ui/src/components/AppRouter/AuthenticatedAppRouter.tsx	Registers lazy-loaded SPARQL playground route.
openmetadata-spec/src/main/resources/rdf/ontology/openmetadata-prov.ttl	Adds missing RDF prefix in PROV extension TTL.
openmetadata-spec/src/main/resources/rdf/ontology/CHANGELOG.md	Introduces ontology changelog documenting fidelity changes.
openmetadata-spec/src/main/resources/rdf/contexts/lineage.jsonld	Adjusts lineage JSON-LD mappings to avoid predicate collisions.
openmetadata-spec/src/main/resources/rdf/contexts/governance.jsonld	Aligns governance mappings with SKOS predicates and adds new fields.
openmetadata-spec/src/main/resources/rdf/contexts/automation.jsonld	Adds JSON-LD context for automation/workflow entities.
openmetadata-spec/src/main/resources/rdf/contexts/ai.jsonld	Adds JSON-LD context for AI/MCP-related entities.
openmetadata-spec/src/main/resources/json/schema/api/configuration/rdfConfiguration.json	Adds federation config block to RDF configuration schema.
openmetadata-spec/src/main/resources/json/schema/api/configuration/rdf/inferenceRule.json	Adds schema for inference rule objects (CONSTRUCT/RDFS placeholder).
openmetadata-spec/src/main/resources/json/schema/api/configuration/rdf/customOntology.json	Adds schema for custom ontology extension definitions.
openmetadata-service/src/test/java/org/openmetadata/service/resources/rdf/RdfShaclValidatorTest.java	Adds SHACL validation tests for key shape constraints.
openmetadata-service/src/test/java/org/openmetadata/service/resources/rdf/OntologyDocumentTest.java	Adds tests for ontology serving endpoint serialization.
openmetadata-service/src/test/java/org/openmetadata/service/rdf/translator/RdfUsageMapperTest.java	Adds tests for RDF usage summary mapping.
openmetadata-service/src/test/java/org/openmetadata/service/rdf/insights/RecommendationsQueryBuilderTest.java	Adds tests for recommendations SPARQL builder validation/shape.
openmetadata-service/src/test/java/org/openmetadata/service/rdf/insights/CoOccurrenceQueryBuilderTest.java	Adds tests for co-occurrence/popularity/reach SPARQL builders.
openmetadata-service/src/main/resources/rdf/inference-rules/transitive-lineage-closure.json	Adds starter inference rule JSON.
openmetadata-service/src/main/resources/rdf/inference-rules/schema-tag-inheritance.json	Adds starter inference rule JSON.
openmetadata-service/src/main/resources/rdf/inference-rules/pii-propagation-via-lineage.json	Adds starter inference rule JSON.
openmetadata-service/src/main/resources/rdf/inference-rules/domain-membership-inheritance.json	Adds starter inference rule JSON.
openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfShaclValidator.java	Adds SHACL shapes loader + validator helper.
openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/OntologyDocument.java	Adds merged ontology document loader + serializer for multiple formats.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/translator/RdfUsageMapper.java	Adds mapper emitting usage-summary triples.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/translator/RdfQualityMapper.java	Adds mapper emitting DQV quality measurement resources.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/translator/RdfActivityMapper.java	Adds PROV activity mapping for pipeline runs.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/translator/JsonLdTranslator.java	Loads new JSON-LD contexts and assigns column IDs for named column resources.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/RdfUtils.java	Adds RDF types for new entities and a helper to mint column URIs.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/RecommendationsQueryBuilder.java	Adds recommendations SPARQL builder.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/ImportanceQueryBuilder.java	Adds importance ranking SPARQL builder.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CoOccurrenceQueryBuilder.java	Adds co-occurrence/popularity/reach SPARQL builders.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/inference/InferenceRuleValidator.java	Adds strict validation for inference rule bodies.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/inference/InferenceRuleRegistry.java	Adds in-memory inference rule registry + starter pack loader.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/federation/SparqlFederationGuard.java	Adds SERVICE allowlist enforcement for federated SPARQL.
openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyRegistry.java	Adds in-memory registry for custom ontology extensions.
openmetadata-mcp/src/test/java/org/openmetadata/mcp/tools/OntologyDescribeToolTest.java	Adds tests for ontology describe MCP tool.
openmetadata-mcp/src/test/java/org/openmetadata/mcp/tools/FindByTagToolTest.java	Adds tests for find-by-tag MCP tool.
openmetadata-mcp/src/test/java/org/openmetadata/mcp/tools/EntityNeighborhoodToolTest.java	Adds tests for entity neighborhood MCP tool.
openmetadata-mcp/src/main/resources/json/data/mcp/tools.json	Registers new MCP tool schemas for KG/SPARQL features.
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/SparqlQueryTool.java	Adds read-only SPARQL MCP tool with federation guard + truncation.
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/ShaclValidateTool.java	Adds SHACL validation MCP tool (entity-scoped or full graph).
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/OntologyDescribeTool.java	Adds ontology describe MCP tool (full ontology or DESCRIBE).
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/FindByTagTool.java	Adds MCP tool to find entities by tag/glossary FQN.
openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/DefaultToolContext.java	Wires new MCP tools into tool dispatcher.
ingestion/src/metadata/workflow/profiler.py	Adds optional ontology emission step to profiler workflow.
docker/development/docker-compose-postgres-fuseki.yml	Adds RDF endpoint env var for Fuseki-based dev stack.

Comments suppressed due to low confidence (1)

openmetadata-service/src/main/java/org/openmetadata/service/rdf/RdfUtils.java:20

• New RDF types were added for workflowinstance, agentexecution, mcpexecution, automation, etc., but PROV_ACTIVITY_TYPES was not updated. Since JsonLdTranslator.toRdf() relies on getProvType() to add prov:Activity typing (when the primary rdf:type is not already a PROV class), these new execution-like entities will miss rdf:type prov:Activity, reducing PROV-O compatibility and potentially breaking queries that filter by prov:Activity. Please extend the PROV type sets to cover the new entity types.

  private static final Set<String> PROV_ACTIVITY_TYPES =
      Set.of(
          "pipeline",
          "ingestionpipeline",
          "storedprocedure",
          "dbtpipeline",
          "workflow",
          "pipelinerun");

[github-actions]

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[Copilot]

Pull request overview

Copilot reviewed 95 out of 98 changed files in this pull request and generated 4 comments.

[github-actions]

The Java checkstyle failed.

Please run mvn spotless:apply in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Java code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
80.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

❌ PR checklist incomplete

This PR cannot be merged until the following are addressed on its linked issue:

• No GitHub issue is linked. Link an issue in the Development section of the PR (or add Fixes #12345 to the description). For a same-org cross-repo issue, add Fixes open-metadata/<repo>#123 to the description.

The fields live on the linked issue in the Shipping project (open the issue → right sidebar → Projects). After you set them, re-run this check (or push a commit) — issue/project changes do not re-trigger it automatically.

Maintainers can bypass this check by adding the skip-pr-checks label.

[github-actions]

The Java checkstyle failed.

Please run mvn spotless:apply in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Java code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[gitar-bot]

Code Review ⚠️ Changes requested 7 resolved / 9 findings

Implements extensive knowledge-graph features including a SPARQL playground, MCP tools, and inference registry while deprecating legacy R2RML materialization. Resolves multiple injection and validation vulnerabilities, though the CustomOntologyValidator requires a fix for class forward-references and the SPARQL UPDATE logic lacks proper URI sanitization.

⚠️ Bug: CustomOntologyValidator rejects valid forward-references between classes

📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:106-109 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:151 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:157-158

The validateClass method checks whether a parent class URI exists in seenUris (line 158), but seenUris is populated incrementally as classes are processed in list order (line 151). If class B declares class A as its subClassOf parent, but A appears after B in the classes list, the validator will incorrectly report "references unknown parent class" — even though both classes are declared in the same extension.

This makes validation order-dependent and will reject valid ontology extensions where the author didn't happen to declare classes in topological order. The cycle-detection method (detectClassHierarchyCycles) correctly builds the full graph before traversing, so it's not affected — only the parent-existence check is broken.

Pre-collect all class URIs before validating parent references, so declaration order doesn't matter. Change the duplicate-URI detection inside validateClass to use a separate seen-set or check before adding.

// First pass: collect all declared class URIs
Set<String> classUris = new HashSet<>();
for (CustomOntologyClass cls : classes) {
  if (cls != null && cls.getUri() != null && !cls.getUri().isBlank()) {
    classUris.add(cls.getUri());
  }
}
// Second pass: validate each class against the full set
for (CustomOntologyClass cls : classes) {
  validateClass(cls, classUris, errors);
}

💡 Security: SPARQL UPDATE built via string concat without URI validation

📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CentralityComputation.java:146-157 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CommunityComputation.java:214-218

In CentralityComputation.persistScores and CommunityComputation.persistCommunities, entity URIs obtained from SPARQL SELECT results are concatenated directly into SPARQL UPDATE strings using <uri> syntax without any IRI validation. While valid RDF IRIs cannot contain > (so Jena-stored URIs should be safe), this is a defense-in-depth gap: if a malformed URI ever enters the triplestore (e.g., via a custom ontology upload or a bug in another component), it could break out of the <…> brackets and inject arbitrary SPARQL UPDATE operations.

The codebase already provides RdfIriValidator.validateEntityIri() for this purpose but it's not used in the insights package.

Add a basic IRI sanity check (or use RdfIriValidator) before concatenating URIs into the UPDATE string. Apply similarly in CommunityComputation.persistCommunities.

// In CentralityComputation.persistScores, before appending:
for (Map.Entry<String, Double> e : sorted) {
  String uri = e.getKey();
  if (uri == null || uri.contains(">") || uri.contains(" ") || uri.contains("
")) {
    continue; // skip malformed URIs
  }
  update.append("  <").append(uri).append("> ...");
}

✅ 7 resolved

✅ Security: SPARQL injection via insufficient URI sanitization in validateGraph

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfResource.java:197-200 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CommunityComputation.java:202-205 📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfResource.java:199 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CommunityComputation.java:203
The validateGraph endpoint (line 199) sanitizes user-supplied entityUri by only stripping > characters before interpolating into a SPARQL query: String.format("DESCRIBE <%s>", entityUri.replace(">", "")). This is insufficient — an attacker can inject SPARQL via newlines, # comments, or other control characters. For example, entityUri = "http://x> . } DELETE WHERE { ?s ?p ?o } #" would close the angle bracket context on a newline. Since this is an admin-only endpoint the blast radius is somewhat limited, but it's still a direct injection vector against the triplestore.

The same pattern appears in CommunityComputation.persistCommunities (line 203) where member URIs from SPARQL results are directly interpolated into SPARQL UPDATE statements — if a malicious triple exists in the graph, it could inject arbitrary updates.

✅ Bug: CONSTRUCT query flattens multi-hop neighborhood onto single subject

📄 openmetadata-mcp/src/main/java/org/openmetadata/mcp/tools/EntityNeighborhoodTool.java:102-116
In EntityNeighborhoodTool.buildConstructQuery (line 102-121), the WHERE clause captures ?p ?o triples from 1-3 hops away, but then does BIND(<entityUri> AS ?s) and the CONSTRUCT template is { ?s ?p ?o }. This means ALL matched triples — even those 2-3 hops from the start entity — are emitted with the start entity as subject, producing an incorrect/flattened graph. For depth≥2, triples from intermediate nodes lose their actual subject and get attributed to the root entity.

The tool's purpose is to return the neighborhood subgraph, but consumers will see a star graph rather than the actual topology.

✅ Performance: Double symmetrization quadruples edge weights in Louvain input

📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CommunityComputation.java:161-162 📄 openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/Louvain.java:128-129
CommunityComputation.parseGraph (lines 161-162) already symmetrizes the adjacency list by adding weight in both directions for every SPARQL result row. Then Louvain.addAllEdges (lines 128-129) symmetrizes again by doing adj.get(src).merge(dst, w, Double::sum) AND adj.get(dst).merge(src, w, Double::sum). Since the input already has both A→B and B→A entries, the result is each edge getting 4× its original weight.

While this may not change community assignments (the ratio is preserved in the modularity gain formula), it inflates totalWeight and degree[] arrays by 4×, making the absolute modularity score meaningless for comparison with other runs or standard benchmarks. It also doubles memory usage for the adjacency structure.

✅ Quality: 14 fully-qualified class names in validateGraph method

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfResource.java:203-217
The validateGraph method uses inline fully-qualified names (org.apache.jena.rdf.model.Model, org.apache.jena.riot.RDFDataMgr, java.io.ByteArrayOutputStream, etc.) instead of imports. This violates the project's coding standards ('No fully qualified names') and makes the method hard to read. There are 14 FQN usages in a single 70-line method.

✅ Bug: SparqlFederationGuard race condition on lazy init

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/rdf/RdfResource.java:113-120
In RdfResource.java lines 113-120, getFederationGuard() has a lazy-init pattern without synchronization. The field is volatile, but the check-then-assign pattern is not atomic — two threads could both see null and both create a new instance. While the consequences here are benign (both would be functionally equivalent), the field is already initialized in initialize() (line 110), so the lazy fallback is only for tests. The inconsistency with the double-checked locking pattern used for getSemanticSearchEngine() is confusing.

...and 2 more resolved from earlier reviews

🤖 Prompt for agents

Code Review: Implements extensive knowledge-graph features including a SPARQL playground, MCP tools, and inference registry while deprecating legacy R2RML materialization. Resolves multiple injection and validation vulnerabilities, though the CustomOntologyValidator requires a fix for class forward-references and the SPARQL UPDATE logic lacks proper URI sanitization.

1. ⚠️ Bug: CustomOntologyValidator rejects valid forward-references between classes
   Files: openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:106-109, openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:151, openmetadata-service/src/main/java/org/openmetadata/service/rdf/extension/CustomOntologyValidator.java:157-158

   The `validateClass` method checks whether a parent class URI exists in `seenUris` (line 158), but `seenUris` is populated incrementally as classes are processed in list order (line 151). If class B declares class A as its `subClassOf` parent, but A appears *after* B in the `classes` list, the validator will incorrectly report "references unknown parent class" — even though both classes are declared in the same extension.
   
   This makes validation order-dependent and will reject valid ontology extensions where the author didn't happen to declare classes in topological order. The cycle-detection method (`detectClassHierarchyCycles`) correctly builds the full graph before traversing, so it's not affected — only the parent-existence check is broken.

   Fix (Pre-collect all class URIs before validating parent references, so declaration order doesn't matter. Change the duplicate-URI detection inside validateClass to use a separate seen-set or check before adding.):
   // First pass: collect all declared class URIs
   Set<String> classUris = new HashSet<>();
   for (CustomOntologyClass cls : classes) {
     if (cls != null && cls.getUri() != null && !cls.getUri().isBlank()) {
       classUris.add(cls.getUri());
     }
   }
   // Second pass: validate each class against the full set
   for (CustomOntologyClass cls : classes) {
     validateClass(cls, classUris, errors);
   }

2. 💡 Security: SPARQL UPDATE built via string concat without URI validation
   Files: openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CentralityComputation.java:146-157, openmetadata-service/src/main/java/org/openmetadata/service/rdf/insights/CommunityComputation.java:214-218

   In `CentralityComputation.persistScores` and `CommunityComputation.persistCommunities`, entity URIs obtained from SPARQL SELECT results are concatenated directly into SPARQL UPDATE strings using `<uri>` syntax without any IRI validation. While valid RDF IRIs cannot contain `>` (so Jena-stored URIs should be safe), this is a defense-in-depth gap: if a malformed URI ever enters the triplestore (e.g., via a custom ontology upload or a bug in another component), it could break out of the `<…>` brackets and inject arbitrary SPARQL UPDATE operations.
   
   The codebase already provides `RdfIriValidator.validateEntityIri()` for this purpose but it's not used in the insights package.

   Fix (Add a basic IRI sanity check (or use RdfIriValidator) before concatenating URIs into the UPDATE string. Apply similarly in CommunityComputation.persistCommunities.):
   // In CentralityComputation.persistScores, before appending:
   for (Map.Entry<String, Double> e : sorted) {
     String uri = e.getKey();
     if (uri == null || uri.contains(">") || uri.contains(" ") || uri.contains("
   ")) {
       continue; // skip malformed URIs
     }
     update.append("  <").append(uri).append("> ...");
   }

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[greptile-apps]

hasCycle leaves onStack dirty, causing false-positive cycle errors

The onStack set is shared across all outer-loop iterations but is never cleared when a cycle is detected early. When hasCycle(A) finds a cycle (A → B → A) and returns true, it unwinds the stack without calling onStack.remove() for any node along the path. Nodes A and B remain in onStack. If a subsequent outer-loop call processes a node D that has an edge to B (D → B), hasCycle(B) returns true immediately because B is still in onStack — even though D is not part of any cycle. This falsely rejects valid ontology extensions with "class hierarchy contains a cycle through D".

The fix is to clear onStack before each outer-loop call (the visited set correctly prevents re-processing, so only onStack needs resetting).

[greptile-apps]

window.prompt() is a native blocking dialog that is suppressed in most embedded or iframe contexts, returns null when dismissed without input, and is not accessible on mobile. Consider replacing with an inline rename input or a modal form consistent with the rest of the UI; it would also allow pre-validation of the name before saving.

Suggested change

	const handleSaveCurrent = useCallback(() => {
	const name = window.prompt(t('label.sparql-save-prompt'));
	if (!name || !name.trim()) {
	return;
	}
	const [saveDialogOpen, setSaveDialogOpen] = useState(false);
	const handleSaveCurrent = useCallback(() => {
	setSaveDialogOpen(true);
	}, []);
	// Replace the prompt with a controlled modal/input in the JSX and wire
	// the confirmed name through a separate callback.
	const commitSave = useCallback((name: string) => {
	if (!name || !name.trim()) {
	return;
	}

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

validateNodeUri doesn't reuse the shared RdfIriValidator

RdfIriValidator.validateEntityIri was introduced in this PR specifically to provide a single, reusable IRI validator. validateNodeUri reimplements the same checks but misses a few characters that RdfIriValidator also blocks: ", ', `, and control characters below 0x20. For angle-bracket SPARQL IRI literals (<uri>), only > must be blocked to prevent injection, so the current behaviour is safe — but keeping two divergent validators risks them drifting apart over time. Consider delegating to RdfIriValidator.validateEntityIri and translating null to an IllegalArgumentException.

[greptile-apps]

Minor style: errors.size() > 0 is less idiomatic than !errors.isEmpty(). The latter is also marginally more efficient for certain List implementations.

Suggested change

	if (errors.size() > 0) {
	return errors;
	}
	if (!errors.isEmpty()) {
	return errors;
	}

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud