JavaSinkTracer_MCP

JavaSinkTracer is a Java source code vulnerability auditing tool based on function-level taint analysis; it provides security analysis capabilities to AI assistants through the Model Context Protocol (MCP).

Installation
Run this command in your terminal to add the MCP server to Claude Code:

claude mcp add --transport stdio zacarx-javasinktracer_mcp python /path/to/JavaSinkTracer/mcp_server.py

How to use

JavaSinkTracer_MCP provides a function-level taint analysis-based security auditing workflow for Java source code. It builds a function call graph, traces from potentially dangerous sink functions back to external sources, and extracts the source code of the implicated call chains for AI-assisted analysis. The MCP tools exposed include building the call graph, scanning for vulnerabilities, analyzing vulnerability chains, extracting method code, listing sink/source rules, and retrieving project statistics. To use it, configure the MCP server in Claude Desktop or your MCP client, then invoke the available tools to scan a Java project, inspect specific vulnerability types (e.g., RCE, SQLI, XPATH injections), and obtain the corresponding source code snippets for deeper review.

How to install

Prerequisites:

  • Python 3.8+ installed on your system
  • Access to the JavaSinkTracer project directory and its mcp_server.py script
  • Internet access to install Python dependencies (if not already available)

Step-by-step:

  1. Prepare environment and install dependencies

    • Ensure pip is available and, if desired, create a Python virtual environment
    • From the project root, install required packages: pip install -r requirements.txt
  2. Configure MCP client (Claude Desktop or other MCP client)

    • Create or edit the MCP server entry to point to the Python script as shown in the README, for example:

        {
          "mcpServers": {
            "javasinktracer": {
              "command": "python",
              "args": ["/path/to/JavaSinkTracer/mcp_server.py"],
              "description": "Java源代码漏洞审计工具 - 基于函数级污点分析"
            }
          }
        }
  3. Run the MCP server (via your MCP client)

    • Start the server through Claude Desktop or your chosen MCP integration by selecting the javasinktracer entry
    • Ensure the path in args points to your local mcp_server.py
  4. Verify installation

    • Restart Claude Desktop or your client after configuration
    • Use the provided tools (build_callgraph, find_vulnerabilities, analyze_vulnerability_chain, extract_method_code, list_sink_rules, get_project_statistics) to validate the setup with a sample Java project

Additional notes

Tips and common issues:

  • Ensure the path in the MCP configuration (mcp_server.py) is correct and accessible by the user running Claude Desktop.
  • If dependencies fail to install, verify Python environment and network access to PyPI; consider using a virtual environment.
  • The tooling uses function-level taint analysis, which may yield false positives in complex multi-threaded or reflective code; use analyze_vulnerability_chain to inspect the source code of a reported chain and confirm whether it is exploitable.
  • Regularly update the rules under Rules/rules.json to tailor sink/source/sanitizer definitions to your project.
  • If the MCP server fails to load, check Claude Desktop developer tools logs for errors related to module imports or Python runtime compatibility.