# Fenrir-CodeAuditTool
Fenrir is a code audit tool built on the MCP protocol and AST analysis. It targets the low efficiency and poor accuracy of traditional text-based code search when security researchers and automated audit pipelines face large, complex, or decompiled code bases.
The project uses the AST (Abstract Syntax Tree) as its core and combines the MCP protocol with go-tree-sitter to parse, index and efficiently retrieve source code in languages such as Java. Its main features include:
* Precise code segment search based on AST, such as classes, methods, fields, parent classes, and subclasses
* Persistent caching of AST indexes
* Intelligent tool registration and AI collaboration under the MCP protocol
* Good compatibility with decompiled code
The project's contribution is the tight coupling of AST structure with the AI dialogue, which makes large models considerably more useful in code security analysis. The architecture is modular and easy to extend, so it can be integrated into larger automated security platforms.
## Features
### 1. AST (Abstract Syntax Tree)
The code search function is built on an AST of the target code rather than on text matching, so a query resolves to a syntactic element (a class, a method, a field) instead of a string hit.
### 2. Code Structure Analysis
Based on the AST, precise code segment lookup is implemented for classes, methods, fields, parent classes, and subclasses, so a large model can retrieve exactly the code it is asking about.
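As an added illustration of the index these lookups run against (example code written for this page, not Fenrir's own source), the Go program below builds a small class index from constructed Java sources and answers the parent-class and subclass queries over it. The tree-sitter walk is replaced by a line-level scanner that produces the same shape of data; the sample classes borrow names from the Sling demo further down, but their bodies are invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ClassInfo is one top-level class as the index stores it; Index maps class name to it.
type ClassInfo struct {
	Name    string
	Super   string
	Methods []string
	Fields  []string
}
type Index map[string]ClassInfo

// Line-level stand-in for the tree-sitter walk (a simplification for this example):
// one declaration per line, as decompiler output is, and no generic types containing spaces.
var (
	classRe  = regexp.MustCompile(`\bclass\s+(\w+)(?:\s+extends\s+(\w+))?`)
	methodRe = regexp.MustCompile(`^\s*(?:(?:public|protected|private|static|final|synchronized|abstract)\s+)*[\w<>\[\],.]+\s+(\w+)\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*$`)
	fieldRe  = regexp.MustCompile(`^\s*(?:(?:public|protected|private|static|final|transient|volatile)\s+)*[\w<>\[\],.]+\s+(\w+)\s*(?:=[^;]*)?;\s*$`)
)

// BuildIndex indexes every file (path -> Java source). Brace depth separates class members
// (depth 1) from locals inside method bodies (depth 2+); a class is committed at its closing brace.
func BuildIndex(files map[string]string) Index {
	idx := Index{}
	for _, src := range files {
		depth := 0
		var cur *ClassInfo
		for _, line := range strings.Split(src, "\n") {
			if m := classRe.FindStringSubmatch(line); depth == 0 && m != nil {
				cur = &ClassInfo{Name: m[1], Super: m[2]}
			} else if depth == 1 && cur != nil {
				if m := methodRe.FindStringSubmatch(line); m != nil {
					cur.Methods = append(cur.Methods, m[1])
				} else if m := fieldRe.FindStringSubmatch(line); m != nil {
					cur.Fields = append(cur.Fields, m[1])
				}
			}
			depth += strings.Count(line, "{") - strings.Count(line, "}")
			if depth == 0 && cur != nil {
				idx[cur.Name] = *cur
				cur = nil
			}
		}
	}
	return idx
}

// Subclasses is the inverted view of Super, derived at query time rather than stored.
func (idx Index) Subclasses(class string) []string {
	var out []string
	for name, c := range idx {
		if c.Super == class {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Ancestors walks extends upward. The last entry may be a framework class outside the
// index; the seen set stops on cyclic hierarchies that broken decompiled code can contain.
func (idx Index) Ancestors(class string) []string {
	var chain []string
	seen := map[string]bool{class: true}
	for c, ok := idx[class]; ok && c.Super != "" && !seen[c.Super]; c, ok = idx[c.Super] {
		seen[c.Super] = true
		chain = append(chain, c.Super)
	}
	return chain
}

// SampleSources is constructed input in decompiler style; the names echo the Sling
// demo but the bodies are invented for this example.
var SampleSources = map[string]string{
	"LoginServlet.java": `public class LoginServlet extends SlingAllMethodsServlet {
    private static final long serialVersionUID = 1L;
    private String loginPath = "/system/sling/login";
    protected void doPost(HttpServletRequest req) throws IOException {
        String target = req.getParameter("resource");
    }
}
`,
	"AdminLoginServlet.java": `public class AdminLoginServlet extends LoginServlet {
    private boolean strict = true;
}
`,
	"SlingAllMethodsServlet.java": `public abstract class SlingAllMethodsServlet extends SlingSafeMethodsServlet {}
`,
}

func main() {
	idx := BuildIndex(SampleSources)
	fmt.Printf("%+v\n", idx["LoginServlet"])
	fmt.Println("subclasses:", idx.Subclasses("LoginServlet"), "ancestors:", idx.Ancestors("AdminLoginServlet"))
}
```

The local variable `target` inside `doPost` is not recorded as a field because it sits at brace depth 2; the one-line abstract class is committed on the same line that opens it; and `SlingSafeMethodsServlet` appears as the last ancestor even though no source for it was indexed, which is what an audit of decompiled dependencies looks like when the JDK or framework jar is not part of the repository.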
### 3. MCP Protocol
Fenrir exposes these lookups as MCP tools. A large model connected through an MCP client works in the same code context as the security researcher and can take the initiative in the investigation, following class hierarchies and call chains on its own instead of only commenting on snippets it is handed.
### 4. Efficient AST Cache Mechanism
Supports persistent caching of AST indexes, so the source is not re-parsed on every analysis; this greatly speeds up work on large projects. The cache is configurable and supports automatic rebuilding and manual cleaning.
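Added example, not the project's code: one way to implement the persistent cache described here and in the Usage section, with one cache file per repository under `cache/`, a content hash over the sources that triggers an automatic rebuild when any file changes, and a manual clean. The cache directory layout, the file naming and the `build` callback are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// entry is the on-disk cache record: the serialised index plus the hash of the
// sources it was built from, so staleness is decided by content, not by mtimes.
type entry struct {
	SourceHash string          `json:"source_hash"`
	Index      json.RawMessage `json:"index"`
}

// SourceHash hashes paths and contents in sorted order so it is stable across
// runs; any added, renamed or edited source file changes it.
func SourceHash(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00", n, len(files[n]))
		h.Write(files[n])
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// CachePath gives each repository its own file under cache/, named by the hash of its path.
func CachePath(cacheDir, repoPath string) string {
	sum := sha256.Sum256([]byte(filepath.Clean(repoPath)))
	return filepath.Join(cacheDir, fmt.Sprintf("%x.json", sum[:8]))
}

// LoadOrBuild returns the cached index while its source hash still matches the
// files; otherwise it calls build and rewrites the cache. rebuilt reports which happened.
func LoadOrBuild(cacheDir, repoPath string, files map[string][]byte, build func() (any, error)) (idx json.RawMessage, rebuilt bool, err error) {
	want := SourceHash(files)
	path := CachePath(cacheDir, repoPath)
	if data, readErr := os.ReadFile(path); readErr == nil {
		var e entry
		if json.Unmarshal(data, &e) == nil && e.SourceHash == want {
			return e.Index, false, nil
		}
	}
	built, err := build()
	if err != nil {
		return nil, false, err
	}
	if idx, err = json.Marshal(built); err != nil {
		return nil, false, err
	}
	data, _ := json.Marshal(entry{SourceHash: want, Index: idx})
	if err = os.MkdirAll(cacheDir, 0o755); err != nil {
		return nil, false, err
	}
	// Write to a temp file and rename so a crash mid-write cannot leave a truncated cache.
	tmp := path + ".tmp"
	if err = os.WriteFile(tmp, data, 0o644); err != nil {
		return nil, false, err
	}
	return idx, true, os.Rename(tmp, path)
}

// CleanCache is the manual cleanup: it removes only the .json files this code writes.
func CleanCache(cacheDir string) (int, error) {
	matches, err := filepath.Glob(filepath.Join(cacheDir, "*.json"))
	if err != nil {
		return 0, err
	}
	for _, m := range matches {
		if err := os.Remove(m); err != nil {
			return 0, err
		}
	}
	return len(matches), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "fenrir-cache")
	defer os.RemoveAll(dir)
	files := map[string][]byte{"LoginServlet.java": []byte("public class LoginServlet {}")} // constructed
	build := func() (any, error) { return map[string][]string{"LoginServlet": nil}, nil }
	_, first, _ := LoadOrBuild(dir, "/repo", files, build)
	_, second, _ := LoadOrBuild(dir, "/repo", files, build)
	files["LoginServlet.java"] = []byte("public class LoginServlet extends Base {}")
	_, third, _ := LoadOrBuild(dir, "/repo", files, build)
	fmt.Println("rebuilt:", first, second, third) // true false true
}
```

Hashing content rather than trusting modification times matters for decompiled input: regenerating the decompiled sources rewrites every file, and a byte-identical result should not invalidate the index, while an edit that leaves the timestamp alone must.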
## Installation Instructions
### System Requirements
- Built with Go 1.23.0 (if you hit version problems, build with Go 1.23.0)
- Other dependencies are listed in `go.mod`
- go-tree-sitter uses cgo (its code contains `import "C"`), so a build without a working C toolchain fails with `undefined: Node`. Install a C compiler that Go can find, for example MinGW-w64 on Windows or gcc on Linux, and make sure cgo is enabled (`CGO_ENABLED=1`).
### Installation Steps
1. Clone the repository
```bash
git clone https://github.com/yourusername/Fenrir-CodeAuditTool.git
cd Fenrir-CodeAuditTool
```
2. Install dependencies
```bash
go mod download
```
3. Build the project
```bash
go build -o fenrir
```
## Usage
First, run the executable or `application/server/main.go`. Pass the code repository path with the `-i` flag on the command line, or set it in `resources\config.yaml` (backslashes in the path must be doubled); the MCP server then starts.
Command line example:
```powershell
.\Fenrir-CodeAuditTool.exe -i "D:\CodeAudit\Apache Sling CMS 1.1.8\apache-sling-cms-1.1.8"
```
Second, configure this MCP server in Cherry Studio or another MCP client, enter the API key for the large model (you must supply your own key), and start the conversation.
Note: the AST cache file for each code repository can be inspected in the `cache` directory.
## Project Structure
```
Fenrir-CodeAuditTool/
├── application/ # Server entry point; registers the MCP tools and prompts
├── cache/ # AST cache files
├── configs/ # Configuration loading code
├── docs/ # Demo images
├── internal/ # AST parsing core
├── prompts/ # Code audit prompts
├── resources/ # Configuration files (config.yaml)
├── test/ # Tests
└── tools/ # Cache file management
```
## Demo
The Apache open-source project Sling CMS is the target of the audit; project address: https://github.com/apache/sling-org-apache-sling-app-cms
Import the Maven dependencies, then locate the Sling artifacts in the local Maven repository; on my machine the path is C:\Users\miaoj\.m2\repository\org\apache\sling:

These artifacts contain the core code of Sling CMS; decompile them and copy the output into the code repository being audited.
After that, point the tool at the Sling CMS project root as the code repository and run the server. It builds the AST index for the repository, saves it to the cache file, and starts an SSE listener:

Connect Cherry Studio to this server as the MCP client and have DeepSeek start the analysis from the login logic in LoginServlet, which lives in the decompiled code of the org.apache.sling.auth.core dependency:

Let's look at how the large model performed:

- First, the tool parses a project as large as Apache Sling CMS into an AST correctly.
- Second, decompiled code is parsed and searched correctly as well.
- Third, DeepSeek drew a call graph of the chain it followed, showing the tool's automated chain search and analysis at work.
- Finally, DeepSeek pointed out the code segments carrying security risks and proposed fixes, completing the audit.
## Tips
- Currently only Java code (including decompiled Java) can be indexed
- The quality of an audit depends on the capability of the connected large model
- In practice, tune the prompts to the target project rather than using them as-is
## Contribution Guide
1. Fork the project
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Create a Pull Request
## License
This project uses the Apache 2.0 license - see [LICENSE](LICENSE) file
## Acknowledgements
- [Tree-sitter](https://tree-sitter.github.io/tree-sitter/) - for code parsing
- [Go AST](https://golang.org/pkg/go/ast/) - Go language AST support
- [Java Parser](https://github.com/smacker/go-tree-sitter-java) - Java language parsing support
## New Feature: Remote Code Sources

### Function design
Supported code sources:
- ZIP archive URL download
- Git repository clone
- Local path, analysed directly

Automated flow:
1. Download or clone the code
2. Decompress it (if it is an archive)
3. Set the configuration file path
4. Build or load the AST index
5. Return audit results

### Main changes
- Server state management: a `ServerState` structure tracks server status, including readiness, the AST index, and the query engine
- Conditional waiting: `sync.Cond` lets other tools block until AST initialisation is complete
- Dynamic initialisation: if `code_audit.repository_path` is empty, the server starts and waits for the user to supply a remote repository address through an MCP call
- Tool dependencies:
  - `remote_code_audit`: always available; sets the remote repository and initialises the AST
  - `code_search` and `class_hierarchy`: only available after AST initialisation; calls made earlier wait until it is ready
- Error handling for each of the states above

### Usage
Start the server without a local repository:
```bash
./fenrir
```
Supply a remote repository through the MCP client:
```json
{
  "tool": "remote_code_audit",
  "arguments": {
    "repository_url": "zip:https://example.com/project.zip"
  }
}
```
Then use the other tools for the audit:
```json
{
  "tool": "code_search",
  "arguments": {
    "className": "LoginServlet",
    "methodName": "",
    "fieldName": ""
  }
}
```
This design lets the server accept remote code repositories dynamically and audit them.
