JavaSinkTracer_MCP

# JavaSinkTracer_MCP Java source code vulnerability auditing tool JavaSinkTracer based on function-level taint analysis, providing security analysis capabilities for AI assistants through Model Context Protocol (MCP). ## Quick Start ### 1. Install Dependencies ```bash pip install -r requirements.txt ``` ### 2. Configure Claude Desktop Edit the configuration file and add the MCP server configuration: **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json` **Windows**: `%APPDATA%/Claude/claude_desktop_config.json` ```json { "mcpServers": { "javasinktracer": { "command": "python", "args": [ "/path/to/JavaSinkTracer/mcp_server.py" ], "description": "Java source code vulnerability auditing tool - based on function-level taint analysis" } } } ``` **Note**: Replace `/path/to/JavaSinkTracer` with the actual project path. ### 3. Restart Claude Desktop Restart Claude Desktop after configuration, and the MCP tool will be automatically loaded. ## Video Demo https://www.bilibili.com/video/BV1XrxDz1EvF ## Core Features ### Vulnerability Scanning Reverse tracing from dangerous functions (Sink) to external entry points (Source) to automatically discover potential security vulnerability chains. ### Call Graph Analysis Build a complete function call relationship graph for Java projects, supporting cross-file and cross-class call tracing. ### Intelligent Analysis Based on function-level taint analysis, effectively avoid the problem of broken chains in complex scenarios (threads, reflection, callbacks) of variable-level tracing. ### Code Extraction Automatically extract the complete source code of each function in the vulnerability chain for in-depth analysis by humans or AI. ## Available Tools | Tool Name | Description | |---------|---------| | `build_callgraph` | Build project call graph | | `find_vulnerabilities` | Scan for security vulnerabilities | | `analyze_vulnerability_chain` | Analyze vulnerability call chain source code | | `extract_method_code` | Extract specified method source code | | `list_sink_rules` | View vulnerability rule configuration | | `get_project_statistics` | Get project statistics | ## Usage Examples ### Example 1: Comprehensive Vulnerability Scanning ``` Please help me scan the /path/to/java-project project for security vulnerabilities ``` AI will automatically: 1. Build a call graph 2. Scan for all types of vulnerabilities 3. Analyze and report discovered issues ### Example 2: Targeted Detection ``` Check if there are SQL injection and command execution vulnerabilities in the project ``` AI will scan for specific types of vulnerabilities (SQLI, RCE). ### Example 3: In-depth Analysis ``` Is this vulnerability chain a real vulnerability? Please analyze the source code of the call chain ``` AI will extract the complete call chain code and analyze it. ## Supported Vulnerability Types - **RCE** - Remote Code Execution (CWE-78) - **SQLI** - SQL Injection (CWE-89) - **XXE** - XML External Entity Injection (CWE-611) - **SSRF** - Server-Side Request Forgery (CWE-918) - **PATH_TRAVERSAL** - Path Traversal (CWE-22) - **DESERIALIZE** - Deserialization Vulnerability (CWE-502) - **XPATH_INJECTION** - XPath Injection (CWE-643) - **TEMPLATE_INJECTION** - Template Injection (CWE-94) - **JNDI_INJECTION** - JNDI Injection (CWE-74) - **REFLECTION_INJECTION** - Reflection Injection (CWE-470) - **LOG_INJECTION** - Log Injection (CWE-117) - **CRYPTO_WEAKNESS** - Cryptographic Weakness (CWE-327) ## Supported Frameworks - Spring Boot / Spring MVC - MyBatis / Hibernate / JPA - Fastjson / Jackson / Gson - OkHttp / Apache HttpClient - Freemarker / Velocity / Thymeleaf - Log4j / SLF4J ## Working Principle ### Function-Level Taint Analysis Different from the "variable-level" taint analysis of traditional SAST tools, this tool adopts "function-level" taint analysis: - **Advantage**: Effectively avoids the problem of broken chains in scenarios such as thread calls, listener callbacks, and reflection calls - **Trade-off**: May produce false positives, requiring further analysis and confirmation by AI or humans ### Analysis Process 1. Parse Java source code and build AST 2. Extract all class and method information 3. Build a function call relationship graph 4. Reverse trace from Sink points (dangerous functions) 5. Identify call chains that reach Source points (external entry points) 6. Filter out functions without parameters (exclude uncontrollable variables) 7. Extract the source code of all functions on the call chain ## Configuration Instructions ### Rule Files The rule configuration file is located at `Rules/rules.json`, including: - **sink_rules**: Dangerous function rules (such as `Runtime.exec`) - **source_rules**: External input sources (such as `HttpServletRequest.getParameter`) - **sanitizer_rules**: Sanitization functions (such as `StringEscapeUtils.escapeHtml`) ### Custom Rules You can edit `rules.json` to add new Sink, Source, or Sanitizer rules according to actual needs: ```json { "sink_rules": [ { "sink_name": "CUSTOM_VULN", "sink_desc": "Custom vulnerability type", "severity_level": "High", "cwe": "CWE-XXX", "sinks": [ "com.example.DangerousClass:dangerousMethod" ] } ] } ``` ## Performance Optimization ### Caching Mechanism - Build AST and call graph when analyzing the project for the first time - Subsequent calls automatically reuse the cache, greatly improving speed - Cache key: `project_path:rules_path` ### Lightweight Mode The `find_vulnerabilities` tool uses lightweight mode by default: - Only returns vulnerability chain information - Does not extract source code immediately - Use `analyze_vulnerability_chain` to get detailed code when needed ## Common Issues ### Tool Not Loaded? 1. Check if the path in the configuration file is correct 2. Confirm that all Python dependencies are installed 3. View Claude Desktop's developer tool logs ### Slow Analysis Speed? - The first analysis of large projects takes time to build AST - The speed will be significantly improved after using the cache - You can call `build_callgraph` to warm up the cache first ### False Positives in Results? - Function-level taint analysis can produce some false positives - Use `analyze_vulnerability_chain` to view the source code - Combine AI analysis or manually confirm the authenticity of the vulnerability ## Extended Development ### Add New MCP Tools Edit `mcp_server.py`: ```python @app.list_tools() async def list_tools() -> list[Tool]: return [ Tool( name="your_tool", description="Tool description", inputSchema={...} ) ] @app.call_tool() async def call_tool(name: str, arguments: Any): if name == "your_tool": # Implement your tool logic pass ``` ## Related Resources - **Detailed Usage Guide**: See `MCP_GUIDE.md` - **Principle Description**: See `README.md` - **Optimization Log**: See `UPGRADE_SUMMARY.md` ## Acknowledgements JavaSinkTracer developer [Tr0e](https://github.com/Tr0e) ## Disclaimer This project is for learning and research purposes only and should not be used for commercial or illegal purposes. The user is solely responsible for any consequences arising from the use of this project.