Javasinktracer_mcp: MCP Tool for Multiple Vulnerability Detection, Call Chain Tracing & AI Security Analysis

Javasinktracer MCP

A Java source code vulnerability auditing tool based on function-level taint analysis. It provides security analysis capabilities for AI assistants through the MCP protocol, supporting the detection of multiple vulnerability types and call chain tracing.

Security Developer tools #Java security #Taint analysis #Vulnerability auditing #MCP tool .Python

rating : 2.5 points

downloads : 4.6K

update time : 2025-12-12

Open Site

What is JavaSinkTracer MCP?

JavaSinkTracer MCP is an intelligent Java source code security analysis tool specifically designed for AI assistants (such as Claude). It can automatically scan Java projects, trace back from dangerous functions to external input sources, and discover potential security vulnerability chains. Through the integration of the Model Context Protocol (MCP), you can directly use natural language commands in AI conversations for code security auditing.

How to use JavaSinkTracer MCP?

Using JavaSinkTracer MCP is very simple: First, install the Python dependencies and configure Claude Desktop, then restart Claude. After the configuration is completed, you can directly request the AI assistant in the conversation to scan the security vulnerabilities of the Java project, and the AI will automatically call the corresponding analysis tool and return the results.

Applicable scenarios

JavaSinkTracer MCP is particularly suitable for the following scenarios: 1. Quickly check code security during the development process 2. Assist in discovering potential vulnerabilities during code review 3. Learn the principles and detection methods of Java security vulnerabilities 4. Demonstrate code security analysis in an educational environment 5. Security assessment of small to medium-sized Java projects

Main features

Intelligent vulnerability scanning

Automatically trace back from dangerous functions (such as Runtime.exec, Statement.execute) to external entry points (such as HttpServletRequest.getParameter) to discover potential security vulnerability chains. It supports the detection of 13 common vulnerability types.

Call graph analysis

Build a complete function call relationship graph for Java projects, supporting call tracing across files and classes. Visualize the call relationships between functions to help understand the code structure.

Function-level taint analysis

Adopt an innovative function-level taint analysis technology to effectively avoid the chain break problem of traditional variable-level analysis in complex scenarios (threads, reflection, callbacks), and improve the analysis coverage.

Intelligent code extraction

Automatically extract the complete source code of each function on the vulnerability chain for in-depth analysis by humans or AI. Support on-demand extraction to avoid loading too much code at once.

Support for mainstream frameworks

Support the vulnerability detection rules of mainstream Java frameworks such as Spring Boot, MyBatis, Fastjson, OkHttp, and Log4j to improve the analysis accuracy of actual projects.

AI assistant integration

Seamlessly integrate with AI assistants such as Claude through the MCP protocol. You can perform complex security analysis using natural language, reducing the usage threshold.

Advantages

No complex configuration required: It can be used through AI conversations, reducing the technical threshold.

Intelligent analysis: Combine the understanding ability of AI to provide more accurate analysis results.

Efficient tracing: Function-level taint analysis effectively handles complex call scenarios.

Comprehensive coverage: Support 13 common vulnerability types and mainstream Java frameworks.

Cache optimization: Use the cache after the first analysis to significantly improve the speed of subsequent analyses.

Limitations

Possible false positives: Function-level analysis may produce certain false positives, which need to be confirmed by AI or humans.

Slow first analysis: It takes time to build the AST and call graph for large projects for the first time.

Dependent on Claude Desktop: You need to configure Claude Desktop to use it.

Not suitable for binary analysis: Only support Java source code analysis.

How to use

Install dependencies

Ensure that Python 3.8+ is installed, then install the dependency packages required by the project.

Configure Claude Desktop

Edit the Claude Desktop configuration file according to the operating system and add the MCP server configuration.

Restart Claude Desktop

After saving the configuration file, restart the Claude Desktop application to make the configuration take effect.

Start using

In the Claude conversation, use natural language commands to request security analysis.

Usage examples

Comprehensive security audit

Conduct a comprehensive security vulnerability scan on a newly developed Java Web application to discover potential security risks.

Targeted vulnerability detection

Detect specific types of vulnerabilities, such as SQL injection and command execution vulnerabilities.

Vulnerability confirmation analysis

Conduct in-depth analysis of the discovered vulnerabilities to confirm whether they are real vulnerabilities.

Code structure understanding

Understand the code structure and function call relationships of complex projects through call graph analysis.

Frequently asked questions

What should I do if the tool is not displayed in Claude?

What should I do if the analysis speed of large projects is very slow?

What should I do if there are false positives in the analysis results?

Which Java versions are supported?

How to add custom vulnerability detection rules?

Can the tool be used offline?

Related resources

Video demonstration

A practical usage demonstration video of JavaSinkTracer MCP.

GitHub repository

The source code and detailed documentation of the JavaSinkTracer project.

MCP protocol documentation

The official documentation and specifications of the Model Context Protocol.

Claude Desktop configuration guide

The official usage and configuration guide for Claude Desktop.

CWE vulnerability classification

The Common Weakness Enumeration (CWE) vulnerability classification standard.

🚀 JavaSinkTracer_MCP

JavaSinkTracer is a Java source code vulnerability auditing tool based on function-level taint analysis. It provides security analysis capabilities for AI assistants through the Model Context Protocol (MCP).

🚀 Quick Start

1. Install Dependencies

pip install -r requirements.txt

2. Configure Claude Desktop

Edit the configuration file and add the MCP server configuration:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "javasinktracer": {
      "command": "python",
      "args": [
        "/path/to/JavaSinkTracer/mcp_server.py"
      ],
      "description": "Java source code vulnerability auditing tool - based on function-level taint analysis"
    }
  }
}

Note: Replace /path/to/JavaSinkTracer with the actual project path.

3. Restart Claude Desktop

After the configuration is complete, restart Claude Desktop, and the MCP tool will be automatically loaded.

🎥 Video Demo

https://www.bilibili.com/video/BV1XrxDz1EvF

✨ Features

Vulnerability Scanning

Trace back from dangerous functions (Sink) to external entrances (Source) to automatically discover potential security vulnerability chains.

Call Graph Analysis

Build a complete function call relationship graph for Java projects, supporting cross-file and cross-class call tracing.

Intelligent Analysis

Based on function-level taint analysis, effectively avoid the chain-breaking problem of variable-level tracing in complex scenarios (threads, reflection, callbacks).

Code Extraction

Automatically extract the complete source code of each function in the vulnerability chain for in-depth analysis by humans or AI.

🛠️ Available Tools

Tool Name	Function Description
`build_callgraph`	Build the project call relationship graph
`find_vulnerabilities`	Scan for security vulnerabilities
`analyze_vulnerability_chain`	Analyze the source code of the vulnerability call chain
`extract_method_code`	Extract the source code of the specified method
`list_sink_rules`	View the vulnerability rule configuration
`get_project_statistics`	Get project statistics

💻 Usage Examples

Example 1: Comprehensive Vulnerability Scanning

Please help me scan the security vulnerabilities of the /path/to/java-project project.

The AI will automatically:

Build the call relationship graph.
Scan for all types of vulnerabilities.
Analyze and report the discovered issues.

Example 2: Targeted Detection

Check if there are SQL injection and command execution vulnerabilities in the project.

The AI will scan for specific types of vulnerabilities (SQLI, RCE).

Example 3: In-depth Analysis

Is this vulnerability chain a real vulnerability? Please analyze the source code of the call chain.

The AI will extract the complete call chain code and perform analysis.

🚨 Supported Vulnerability Types

RCE - Remote Code Execution (CWE-78)
SQLI - SQL Injection (CWE-89)
XXE - XML External Entity Injection (CWE-611)
SSRF - Server-Side Request Forgery (CWE-918)
PATH_TRAVERSAL - Path Traversal (CWE-22)
DESERIALIZE - Deserialization Vulnerability (CWE-502)
XPATH_INJECTION - XPath Injection (CWE-643)
TEMPLATE_INJECTION - Template Injection (CWE-94)
JNDI_INJECTION - JNDI Injection (CWE-74)
REFLECTION_INJECTION - Reflection Injection (CWE-470)
LOG_INJECTION - Log Injection (CWE-117)
CRYPTO_WEAKNESS - Cryptographic Algorithm Weakness (CWE-327)

🌟 Supported Frameworks

Spring Boot / Spring MVC
MyBatis / Hibernate / JPA
Fastjson / Jackson / Gson
OkHttp / Apache HttpClient
Freemarker / Velocity / Thymeleaf
Log4j / SLF4J

🔧 Technical Details

Function-Level Taint Analysis

Different from the "variable-level" taint analysis of traditional SAST tools, this tool uses "function-level" taint analysis:

Advantages: Effectively avoid the chain-breaking problem in scenarios such as thread calls, listener callbacks, and reflection calls.
Trade-offs: May produce false positives, which need to be further analyzed and confirmed by AI or humans.

Analysis Process

Parse the Java source code and build the AST.
Extract information about all classes and methods.
Build the function call relationship graph.
Trace back from the Sink point (dangerous function).
Identify the call chain reaching the Source point (external entrance).
Filter out functions without parameters (exclude uncontrollable variables).
Extract the source code of all functions in the call chain.

⚙️ Configuration Instructions

Rule File

The rule configuration file is located at Rules/rules.json, which contains:

sink_rules: Rules for dangerous functions (e.g., Runtime.exec).
source_rules: External input sources (e.g., HttpServletRequest.getParameter).
sanitizer_rules: Sanitizing functions (e.g., StringEscapeUtils.escapeHtml).

Custom Rules

You can edit rules.json according to your actual needs to add new Sink, Source, or Sanitizer rules:

{
  "sink_rules": [
    {
      "sink_name": "CUSTOM_VULN",
      "sink_desc": "Custom vulnerability type",
      "severity_level": "High",
      "cwe": "CWE-XXX",
      "sinks": [
        "com.example.DangerousClass:dangerousMethod"
      ]
    }
  ]
}

⚡ Performance Optimization

Caching Mechanism

Build the AST and call graph when analyzing the project for the first time.
Automatically reuse the cache for subsequent calls, significantly improving the speed.
Cache key: project_path:rules_path

Lightweight Mode

The find_vulnerabilities tool uses the lightweight mode by default:

Only return the vulnerability chain information.
Do not immediately extract the source code.
Use analyze_vulnerability_chain to obtain the detailed code when needed.

❓ Frequently Asked Questions

The tool is not loaded?

Check if the path in the configuration file is correct.
Make sure all Python dependencies are installed.
Check the developer tool logs of Claude Desktop.

The analysis is slow?

It takes time to build the AST for the first analysis of large projects.
The speed will be significantly improved after using the cache.
You can call build_callgraph first to warm up the cache.

There are false positives in the results?

Function-level taint analysis may produce some false positives.
Use analyze_vulnerability_chain to view the source code.
Combine AI analysis or manual confirmation to verify the authenticity of the vulnerabilities.

🚧 Extended Development

Add a New MCP Tool

Edit mcp_server.py:

@app.list_tools()
async def list_tools() -> list[Tool]:
    return [
        Tool(
            name="your_tool",
            description="Tool description",
            inputSchema={...}
        )
    ]

@app.call_tool()
async def call_tool(name: str, arguments: Any):
    if name == "your_tool":
        # Implement your tool logic
        pass

📚 Related Resources

Detailed Usage Guide: View MCP_GUIDE.md.
Principle Explanation: View README.md.
Optimization Log: View UPGRADE_SUMMARY.md.

🙏 Acknowledgments

The developer of JavaSinkTracer Tr0e

📄 License

This project is for learning and research purposes only. Do not use it for commercial or illegal purposes. The user shall bear all consequences arising from the use of this project.