JavaSinkTracer

v1.0.0Securitystable

Enables AI-powered Java source code vulnerability auditing through function-level taint analysis. Performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains.

javasinktracer-mcpmcpai-integration
Share:
112
Stars
0
Downloads
0
Weekly
0/5

What is JavaSinkTracer?

JavaSinkTracer is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enables ai-powered java source code vulnerability auditing through function-level taint analysis. performs reverse tracking from dangerous functions to external entry points to automatically discover ...

Enables AI-powered Java source code vulnerability auditing through function-level taint analysis. Performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Enables AI-powered Java source code vulnerability auditing t

Use Cases

Audit Java source code for security vulnerabilities using AI.
Perform function-level taint analysis to identify security vulnerability chains.
Track data flow from dangerous functions to external entry points.
Zacarx

Maintainer

LicenseMIT
Languagepython
Versionv1.0.0
UpdatedMay 21, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx javasinktracer-mcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use JavaSinkTracer

JavaSinkTracer MCP is a security-focused MCP server that enables AI-powered vulnerability auditing of Java source code through function-level taint analysis. It performs reverse tracking from known dangerous sink functions (SQL queries, command execution, deserialization, SSRF, XXE, and more) back to external entry points, automatically discovering end-to-end vulnerability chains. Security engineers and developers use it to audit Java applications for OWASP-class vulnerabilities without manual code tracing.

Prerequisites

  • Python 3.8 or later with pip for installing dependencies
  • Claude Desktop or another MCP-compatible client
  • The JavaSinkTracer_MCP repository cloned to your local machine
  • A Java source code project to audit (local directory path required)
1

Clone the repository

Clone the JavaSinkTracer_MCP repository to your local machine.

git clone https://github.com/Zacarx/JavaSinkTracer_MCP.git
cd JavaSinkTracer_MCP
2

Install Python dependencies

Install all required Python packages from the requirements file.

pip install -r requirements.txt
3

Configure Claude Desktop

Add the MCP server to your Claude Desktop configuration file. Replace /path/to/JavaSinkTracer with the absolute path where you cloned the repository.

{
  "mcpServers": {
    "javasinktracer": {
      "command": "python",
      "args": ["/path/to/JavaSinkTracer_MCP/server.py"]
    }
  }
}
4

Restart Claude Desktop

Restart Claude Desktop to load the JavaSinkTracer MCP server. The vulnerability analysis tools will become available in your Claude sessions.

5

Build the call graph for your project

Start a vulnerability audit by asking Claude to build the call graph for your Java project. Provide the absolute path to the project's source root. This constructs the function call relationships used for taint tracing.

6

Find vulnerabilities and analyze chains

After the call graph is built, use find_vulnerabilities to scan for weakness patterns, then analyze_vulnerability_chain to examine specific chains and determine if they represent real exploitable vulnerabilities.

JavaSinkTracer Examples

Client configuration

Claude Desktop config for the JavaSinkTracer MCP server using the local Python script.

{
  "mcpServers": {
    "javasinktracer": {
      "command": "python",
      "args": ["/path/to/JavaSinkTracer_MCP/server.py"]
    }
  }
}

Prompts to try

Example security audit prompts to use with JavaSinkTracer MCP.

- "Help me scan /home/user/my-java-app/src for security vulnerabilities"
- "Check if the project contains SQL injection or command execution vulnerabilities"
- "Is this vulnerability chain legitimate? Analyze the call path and show me the source code"
- "List all configured sink rules for detecting XXE and deserialization vulnerabilities"
- "Show project statistics — how many classes and methods are in the call graph?"
- "Find all SSRF vulnerability chains starting from the HTTP controller layer"

Troubleshooting JavaSinkTracer

Python dependencies fail to install or import errors at startup

Use a virtual environment to avoid conflicts: python -m venv venv && source venv/bin/activate && pip install -r requirements.txt. Then update your Claude Desktop config to point to the venv Python: /path/to/JavaSinkTracer_MCP/venv/bin/python.

build_callgraph takes very long or runs out of memory on large projects

Large Java projects with thousands of classes can be resource-intensive to parse. Start with a specific sub-module or package directory rather than the entire project root. The tool accepts a directory path, so you can scope the analysis to a single service.

find_vulnerabilities returns no results even for known-vulnerable code

Ensure the call graph was built successfully first by checking the response from build_callgraph. Run list_sink_rules to confirm the vulnerability types you expect are configured. The tool uses static pattern matching against sink function signatures, so code must be parseable Java source.

Frequently Asked Questions about JavaSinkTracer

What is JavaSinkTracer?

JavaSinkTracer is a Model Context Protocol (MCP) server that enables ai-powered java source code vulnerability auditing through function-level taint analysis. performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install JavaSinkTracer?

Follow the installation instructions on the JavaSinkTracer GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with JavaSinkTracer?

JavaSinkTracer works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is JavaSinkTracer free to use?

Yes, JavaSinkTracer is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

JavaSinkTracer Alternatives — Similar Security Servers

Looking for alternatives to JavaSinkTracer? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "javasinktracer-mcp": { "command": "npx", "args": ["-y", "javasinktracer-mcp"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use JavaSinkTracer?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides