- Home
- MCP servers
- JavaSinkTracer
JavaSinkTracer
- python
105
GitHub Stars
python
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
JavaSinkTracer MCP Server enables AI-assisted security analysis for Java projects by using function-level taint analysis. It exposes an MCP endpoint that lets you analyze source code, trace vulnerable call chains, and extract relevant code snippets for deep inspection by humans or AI tools.
How to use
You interact with the MCP Server through your MCP client. Start the local server if you are using a stdio configuration, or connect to the remote MCP endpoint if you have an http URL. Typical workflows let you trigger full vulnerability scans, focus on specific vulnerability types, or request detailed source code for each function in a detected chain. Use the client to request a full call graph, run a targeted vulnerability check, and then retrieve the complete source code for the implicated methods to review or annotate.
How to install
Prerequisites and setup steps you need to follow are below.
pip install -r requirements.txt
Configuration and usage notes
Configure the MCP server integration in your client by pointing it to the local stdio server command shown below. This creates a background process that the MCP client can communicate with to perform analysis tasks.
{
"mcpServers": {
"javasinktracer": {
"command": "python",
"args": [
"/path/to/JavaSinkTracer/mcp_server.py"
],
"description": "Java源代码漏洞审计工具 - 基于函数级污点分析"
}
}
}
Additional notes
- Replace "/path/to/JavaSinkTracer" with the actual path to your project.
- After configuring, restart your MCP client so the tool loads automatically.
- The server supports multiple tools and operations, including building a call graph, scanning vulnerabilities, analyzing vulnerability chains, extracting method code, listing rules, and obtaining project statistics.
Troubleshooting tips
If the MCP server does not load, verify that the Python dependencies are installed, and ensure the path to the server script is correct. Check the client configuration file for accuracy and confirm that the Python process starts without errors.
Available tools
build_callgraph
Constructs the full Java project function call graph to support cross-file and cross-class analysis.
find_vulnerabilities
Scans for potential security vulnerabilities across the project using the function-level taint model.
analyze_vulnerability_chain
Analyzes the identified vulnerability chain to provide detailed insights and source code context.
extract_method_code
Extracts the complete source code for specific methods involved in a vulnerability chain.
list_sink_rules
Lists the configured sink rules that define dangerous functions or API usage.
get_project_statistics
Provides high-level statistics about the analyzed Java project.