
JavaSinkTracer MCP Server

JavaSinkTracer is a Java source-code vulnerability audit tool based on function-level taint analysis. It exposes its security-analysis capabilities to AI assistants through the Model Context Protocol (MCP).

Installation
Add the following to your MCP client configuration file to connect to a remote (HTTP) deployment of the server. Note that entries under "headers" are sent as HTTP request headers; PYTHONPATH is an environment variable read by a local Python process, so setting it here has no effect on a remote server's module search path and can be dropped unless the endpoint specifically expects it.

Configuration

{
  "mcpServers": {
    "zacarx-javasinktracer_mcp": {
      "url": "https://mcp.example.com/javasinktracer/mcp",
      "headers": {
        "PYTHONPATH": "/path/to/libs"
      }
    }
  }
}

JavaSinkTracer MCP Server enables AI-assisted security analysis for Java projects by using function-level taint analysis. It exposes an MCP endpoint that lets you analyze source code, trace vulnerable call chains, and extract relevant code snippets for deep inspection by humans or AI tools.

How to use

You interact with the MCP Server through your MCP client. With a stdio configuration the client launches the server script itself as a child process; with an HTTP URL it connects to the remote MCP endpoint. Typical workflows let you trigger full vulnerability scans, focus on specific vulnerability types, or request the full source of each function in a detected chain. In practice you ask the client to build the call graph, run a targeted vulnerability check, and then retrieve the complete source code of the implicated methods to review or annotate.

How to install

Install the Python dependencies from the project's requirements file before configuring the client:

pip install -r requirements.txt

Configuration and usage notes

Configure the MCP server integration in your client by pointing it to the local stdio server command shown below. The client launches the script as a background child process and exchanges MCP messages with it over stdin and stdout.

{
  "mcpServers": {
    "javasinktracer": {
      "command": "python",
      "args": [
        "/path/to/JavaSinkTracer/mcp_server.py"
      ],
      "description": "Java source code vulnerability audit tool, based on function-level taint analysis"
    }
  }
}

Additional notes

- Replace "/path/to/JavaSinkTracer" with the actual path to your project.
- After configuring, restart your MCP client so the tool loads automatically.
- The server supports multiple tools and operations, including building a call graph, scanning vulnerabilities, analyzing vulnerability chains, extracting method code, listing rules, and obtaining project statistics.

Troubleshooting tips

If the MCP server does not load, verify that the Python dependencies are installed and that the path to the server script in the client configuration is correct. Then run the script directly (python /path/to/JavaSinkTracer/mcp_server.py) and confirm it starts without import or syntax errors: a stdio server that exits during startup usually shows up in the client only as a silent failure to load, with the real error on the server's stderr.
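The workflow from "How to use" and the troubleshooting check above, as an added example that is not part of JavaSinkTracer: a minimal stdio MCP client that speaks the framing the server expects (one JSON-RPC 2.0 object per line: initialize, the initialized notification, tools/list, tools/call), chains the page's tools in order, and reports the server's stderr when the process dies instead of hanging on a silent EOF. So that it runs offline, it talks to a constructed fake server embedded as a string; the tool argument names (project_path, method), the fake's output, and the assumption that the tools return JSON in their text content are assumptions, not the real server's schema. Point audit_chains at the real script, for example ["python", "/path/to/JavaSinkTracer/mcp_server.py"], after checking the real argument names with tools/list.

```python
import json
import subprocess
import sys

# Constructed stand-in for mcp_server.py so this example runs offline: it speaks the MCP stdio
# framing and invents tool output; the argument names (project_path, method) are assumptions.
FAKE_SERVER = r'''
import json, sys
def reply(msg, result):
    print(json.dumps({"jsonrpc": "2.0", "id": msg["id"], "result": result}), flush=True)
for line in iter(sys.stdin.readline, ""):
    msg = json.loads(line)
    method, params = msg.get("method"), msg.get("params", {})
    if method == "initialize":
        reply(msg, {"protocolVersion": "2024-11-05", "capabilities": {}, "serverInfo": {"name": "fake-javasinktracer"}})
    elif method == "tools/list":
        reply(msg, {"tools": [{"name": n} for n in ("build_callgraph", "find_vulnerabilities", "extract_method_code")]})
    elif method == "tools/call":  # notifications carry no "id" and fall through unanswered
        name, args = params["name"], params.get("arguments", {})
        data = {"find_vulnerabilities": {"chains": [{"sink": "Runtime.exec",
                                                     "methods": ["Ctl.run", "Svc.exec", "Util.sh"]}]},
                "extract_method_code": {"code": "void " + args.get("method", "?") + "() {}"},
                }.get(name, {"ok": True})
        reply(msg, {"content": [{"type": "text", "text": json.dumps(data)}], "isError": False})
'''
FAKE_COMMAND = [sys.executable, "-c", FAKE_SERVER]
BROKEN_COMMAND = [sys.executable, "-c", "import sys; sys.exit(3)"]  # a server that dies at startup


class StdioMcpClient:
    def __init__(self, command):  # stderr is captured so a crash can be reported rather than lost
        self.proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE, text=True)
        self.next_id = 0

    def request(self, method, params=None):
        self.next_id += 1
        self.proc.stdin.write(json.dumps({"jsonrpc": "2.0", "id": self.next_id, "method": method, "params": params or {}}) + "\n")
        self.proc.stdin.flush()
        line = self.proc.stdout.readline()
        if not line:  # EOF: the server exited, so surface its stderr instead of a bare failure
            raise RuntimeError(f"no reply to {method}; server stderr: {self.proc.stderr.read().strip()!r}")
        reply = json.loads(line)
        if "error" in reply:
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply["result"]

    def initialize(self):
        info = self.request("initialize", {"protocolVersion": "2024-11-05", "capabilities": {},
                                           "clientInfo": {"name": "audit-script", "version": "0.1"}})
        self.proc.stdin.write(json.dumps({"jsonrpc": "2.0", "method": "notifications/initialized"}) + "\n")
        self.proc.stdin.flush()  # notification: no id, so no reply is read
        return info

    def call_tool(self, name, arguments):
        result = self.request("tools/call", {"name": name, "arguments": arguments})
        text = "".join(c["text"] for c in result["content"] if c.get("type") == "text")
        if result.get("isError"):
            raise RuntimeError(f"{name}: {text}")
        return json.loads(text)  # assumption: the tools return JSON in their text content

    def close(self):
        try:
            self.proc.stdin.close()  # EOF on stdin; a BrokenPipeError just means it already died
            self.proc.wait(timeout=5)
        except OSError:
            pass
        except subprocess.TimeoutExpired:
            self.proc.kill()


def probe_server(command):  # troubleshooting check: does the server start and answer initialize?
    client = None
    try:
        client = StdioMcpClient(command)
        return {"ok": True, "server": client.initialize()["serverInfo"]["name"]}
    except (OSError, RuntimeError, KeyError) as exc:  # bad path, crash at startup, bad handshake
        return {"ok": False, "reason": str(exc)}
    finally:
        if client:
            client.close()


def audit_chains(command, project_path):
    """The page's workflow: build the call graph, scan, then pull the source of every chain method."""
    client = StdioMcpClient(command)
    try:
        client.initialize()
        offered = {t["name"] for t in client.request("tools/list")["tools"]}
        if not {"build_callgraph", "find_vulnerabilities", "extract_method_code"} <= offered:
            raise RuntimeError(f"server does not expose the expected tools: {sorted(offered)}")
        client.call_tool("build_callgraph", {"project_path": project_path})
        scan = client.call_tool("find_vulnerabilities", {"project_path": project_path})
        sources = {}  # method -> source text, for every method on every reported chain
        for chain in scan["chains"]:
            for method in chain["methods"]:
                sources[method] = client.call_tool(
                    "extract_method_code", {"project_path": project_path, "method": method})["code"]
        return sources
    finally:
        client.close()
```

probe_server is the scripted form of the troubleshooting step: a wrong path fails at Popen, a script that crashes on import fails at initialize with its stderr in the reason, and only a healthy server returns ok. audit_chains then drives the tools in the order the workflow describes and stops early if tools/list shows the server is not the one you think it is.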

Available tools

build_callgraph

Constructs the full Java project function call graph to support cross-file and cross-class analysis.

find_vulnerabilities

Scans for potential security vulnerabilities across the project using the function-level taint model.

analyze_vulnerability_chain

Analyzes the identified vulnerability chain to provide detailed insights and source code context.

extract_method_code

Extracts the complete source code for specific methods involved in a vulnerability chain.

list_sink_rules

Lists the configured sink rules that define dangerous functions or API usage.

get_project_statistics

Provides high-level statistics about the analyzed Java project.