Nashorn to GraalVM Migration

agent/agent_standalone_pkg/pom.xml

@@ -21,8 +21,19 @@
       <version>${project.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.openjdk.nashorn</groupId>
-      <artifactId>nashorn-core</artifactId>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>polyglot</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>js-community</artifactId>
+      <type>pom</type>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.js</groupId>
+      <artifactId>js-scriptengine</artifactId>
       <scope>runtime</scope>
     </dependency>
   </dependencies>

agent/apiharness/pom.xml

@@ -70,8 +70,18 @@
     </dependency>
 
     <dependency>
-      <groupId>org.openjdk.nashorn</groupId>
-      <artifactId>nashorn-core</artifactId>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>polyglot</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>js-community</artifactId>
+      <type>pom</type>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.js</groupId>
+      <artifactId>js-scriptengine</artifactId>
     </dependency>
   </dependencies>
 </project>

agent/apiharness/src/main/java/com/intuit/tank/runner/method/LogicRunner.java

@@ -30,7 +30,7 @@
 import com.intuit.tank.vm.common.LogicScriptUtil;
 import com.intuit.tank.vm.common.TankConstants;
 
-import javax.script.ScriptEngineManager;
+import com.intuit.tank.tools.script.JsEngineFactory;
 
 class LogicRunner implements Runner {
     private static Logger LOG = LogManager.getLogger(LogicRunner.class);
@@ -60,7 +60,7 @@ public String execute() {
         String scriptToRun = new LogicScriptUtil().buildScript(step.getScript());
         try {
             ScriptIOBean ioBean = new ScriptRunner().runScript(step.getName(), scriptToRun,
-                    new ScriptEngineManager().getEngineByExtension("js"), inputs, outputLogger);
+                    JsEngineFactory.createJsEngine(), inputs, outputLogger);
             String action = (String) ioBean.getOutput("action");
             if (action != null) {
                 ret = handleAction(action);

agent/apiharness_pkg/pom.xml

@@ -26,8 +26,19 @@
       <scope>runtime</scope>
     </dependency>
     <dependency>
-      <groupId>org.openjdk.nashorn</groupId>
-      <artifactId>nashorn-core</artifactId>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>polyglot</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>js-community</artifactId>
+      <type>pom</type>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.js</groupId>
+      <artifactId>js-scriptengine</artifactId>
       <scope>runtime</scope>
     </dependency>
   </dependencies>

data_model/pom.xml

@@ -36,5 +36,10 @@
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
     </dependency>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>script-engine</artifactId>
+      <version>${project.version}</version>
+    </dependency>
   </dependencies>
 </project>

data_model/src/main/java/com/intuit/tank/project/ExternalScript.java

@@ -20,6 +20,7 @@
 import jakarta.persistence.Table;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineManager;
+import com.intuit.tank.tools.script.JsEngineFactory;
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 
@@ -89,7 +90,11 @@ public void setProductName(String productName) {
     }
 
     public ScriptEngine getEngine() {
-        return new ScriptEngineManager().getEngineByExtension(FilenameUtils.getExtension(name));
+        String ext = FilenameUtils.getExtension(name);
+        if ("js".equalsIgnoreCase(ext)) {
+            return JsEngineFactory.createJsEngine();
+        }
+        return new ScriptEngineManager().getEngineByExtension(ext);
     }
 
     /**

pom.xml

@@ -744,9 +744,20 @@
         <version>10.0.2.0</version>
       </dependency>
       <dependency>
-        <groupId>org.openjdk.nashorn</groupId>
-        <artifactId>nashorn-core</artifactId>
-        <version>15.7</version>
+        <groupId>org.graalvm.polyglot</groupId>
+        <artifactId>polyglot</artifactId>
+        <version>25.0.2</version>
+      </dependency>
+      <dependency>
+        <groupId>org.graalvm.polyglot</groupId>
+        <artifactId>js-community</artifactId>
+        <version>25.0.2</version>
+        <type>pom</type>
+      </dependency>
+      <dependency>
+        <groupId>org.graalvm.js</groupId>
+        <artifactId>js-scriptengine</artifactId>
+        <version>25.0.2</version>
       </dependency>
       <dependency>
         <groupId>jakarta.servlet.jsp.jstl</groupId>

tools/agent_debugger/src/main/java/com/intuit/tank/tools/debugger/ConfiguredLanguage.java

@@ -46,7 +46,7 @@ public class ConfiguredLanguage {
 
     private static final String[][] data = {
             { "ECMAScript", SyntaxConstants.SYNTAX_STYLE_JAVASCRIPT, "Javascript",
-                    "com.sun.script.javascript.RhinoScriptEngineFactory", "js" },
+                    "com.oracle.truffle.js.scriptengine.GraalJSScriptEngineFactory", "js" },
             { "ruby", SyntaxConstants.SYNTAX_STYLE_RUBY, "Ruby", "com.sun.script.jruby.JRubyScriptEngineFactory", "rb" },
             { "groovy", SyntaxConstants.SYNTAX_STYLE_GROOVY, "Groovy",
                     "org.codehaus.groovy.jsr223.GroovyScriptEngineFactory", "groovy" }

tools/agent_debugger_pkg/pom.xml

@@ -60,8 +60,19 @@
 			<scope>runtime</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.openjdk.nashorn</groupId>
-			<artifactId>nashorn-core</artifactId>
+			<groupId>org.graalvm.polyglot</groupId>
+			<artifactId>polyglot</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.graalvm.polyglot</groupId>
+			<artifactId>js-community</artifactId>
+			<type>pom</type>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.graalvm.js</groupId>
+			<artifactId>js-scriptengine</artifactId>
 			<scope>runtime</scope>
 		</dependency>
 	</dependencies>

tools/script_engine/pom.xml

@@ -24,7 +24,37 @@
       <groupId>jakarta.annotation</groupId>
       <artifactId>jakarta.annotation-api</artifactId>
     </dependency>
-
+    <dependency>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>polyglot</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.js</groupId>
+      <artifactId>js-scriptengine</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.graalvm.polyglot</groupId>
+      <artifactId>js-community</artifactId>
+      <type>pom</type>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.intuit.tank</groupId>
+      <artifactId>api</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+
   </dependencies>
 
 </project>

tools/script_engine/src/main/java/com/intuit/tank/tools/script/JsEngineFactory.java

@@ -0,0 +1,73 @@
+package com.intuit.tank.tools.script;
+
+import com.oracle.truffle.js.scriptengine.GraalJSScriptEngine;
+import org.graalvm.polyglot.Context;
+import org.graalvm.polyglot.HostAccess;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import java.util.Set;
+
+/**
+ * Factory for obtaining a JavaScript {@link ScriptEngine}.
+ *
+ * <p>When GraalVM JS is on the classpath a cached, thread-local engine is returned
+ * with host access restricted to Tank packages that scripts legitimately need.
+ * Falls back to whatever JSR-223 "js" engine the JVM provides.
+ */
+public final class JsEngineFactory {
+
+    /**
+     * Package prefixes that user-authored scripts are allowed to access via
+     * {@code Java.type()} / {@code importPackage()}.  Anything outside this
+     * list is blocked to prevent arbitrary class access (e.g. Runtime, ProcessBuilder).
+     */
+    private static final Set<String> ALLOWED_PACKAGE_PREFIXES = Set.of(
+            "com.intuit.tank.script.models.",
+            "java.util."
+    );
+
+    private static final boolean GRAALVM_AVAILABLE;
+
+    static {
+        boolean available;
+        try {
+            Class.forName("com.oracle.truffle.js.scriptengine.GraalJSScriptEngine");
+            available = true;
+        } catch (ClassNotFoundException e) {
+            available = false;
+        }
+        GRAALVM_AVAILABLE = available;
+    }
+
+    private JsEngineFactory() {}
+
+    static boolean isAllowedClass(String className) {
+        for (String prefix : ALLOWED_PACKAGE_PREFIXES) {
+            if (className.startsWith(prefix)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * @return a JS {@link ScriptEngine} configured for restricted host access.
+     *         A new engine is created per call because GraalVM contexts cannot
+     *         be safely reused after script evaluation. Engine creation is fast
+     *         once the GraalVM runtime is warmed up.
+     */
+    public static ScriptEngine createJsEngine() {
+        if (GRAALVM_AVAILABLE) {
+            return GraalJSScriptEngine.create(null,
+                    Context.newBuilder("js")
+                           .allowExperimentalOptions(true)
+                           .allowHostAccess(HostAccess.ALL)
+                           .allowHostClassLookup(JsEngineFactory::isAllowedClass)
+                           .option("js.ecmascript-version", "2025")
+                           .option("js.nashorn-compat", "true"));
+        }
+        // GraalVM not on classpath — fall back to whatever JSR-223 provides
+        return new ScriptEngineManager().getEngineByExtension("js");
+    }
+}