JavaSinkTracer
Enables AI-powered Java source code vulnerability auditing through function-level taint analysis. Performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains.
What is JavaSinkTracer?
JavaSinkTracer is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enables ai-powered java source code vulnerability auditing through function-level taint analysis. performs reverse tracking from dangerous functions to external entry points to automatically discover ...
Enables AI-powered Java source code vulnerability auditing through function-level taint analysis. Performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Enables AI-powered Java source code vulnerability auditing t
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx javasinktracer-mcpConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use JavaSinkTracer
JavaSinkTracer MCP is a security-focused MCP server that enables AI-powered vulnerability auditing of Java source code through function-level taint analysis. It performs reverse tracking from known dangerous sink functions (SQL queries, command execution, deserialization, SSRF, XXE, and more) back to external entry points, automatically discovering end-to-end vulnerability chains. Security engineers and developers use it to audit Java applications for OWASP-class vulnerabilities without manual code tracing.
Prerequisites
- Python 3.8 or later with pip for installing dependencies
- Claude Desktop or another MCP-compatible client
- The JavaSinkTracer_MCP repository cloned to your local machine
- A Java source code project to audit (local directory path required)
Clone the repository
Clone the JavaSinkTracer_MCP repository to your local machine.
git clone https://github.com/Zacarx/JavaSinkTracer_MCP.git
cd JavaSinkTracer_MCPInstall Python dependencies
Install all required Python packages from the requirements file.
pip install -r requirements.txtConfigure Claude Desktop
Add the MCP server to your Claude Desktop configuration file. Replace /path/to/JavaSinkTracer with the absolute path where you cloned the repository.
{
"mcpServers": {
"javasinktracer": {
"command": "python",
"args": ["/path/to/JavaSinkTracer_MCP/server.py"]
}
}
}Restart Claude Desktop
Restart Claude Desktop to load the JavaSinkTracer MCP server. The vulnerability analysis tools will become available in your Claude sessions.
Build the call graph for your project
Start a vulnerability audit by asking Claude to build the call graph for your Java project. Provide the absolute path to the project's source root. This constructs the function call relationships used for taint tracing.
Find vulnerabilities and analyze chains
After the call graph is built, use find_vulnerabilities to scan for weakness patterns, then analyze_vulnerability_chain to examine specific chains and determine if they represent real exploitable vulnerabilities.
JavaSinkTracer Examples
Client configuration
Claude Desktop config for the JavaSinkTracer MCP server using the local Python script.
{
"mcpServers": {
"javasinktracer": {
"command": "python",
"args": ["/path/to/JavaSinkTracer_MCP/server.py"]
}
}
}Prompts to try
Example security audit prompts to use with JavaSinkTracer MCP.
- "Help me scan /home/user/my-java-app/src for security vulnerabilities"
- "Check if the project contains SQL injection or command execution vulnerabilities"
- "Is this vulnerability chain legitimate? Analyze the call path and show me the source code"
- "List all configured sink rules for detecting XXE and deserialization vulnerabilities"
- "Show project statistics — how many classes and methods are in the call graph?"
- "Find all SSRF vulnerability chains starting from the HTTP controller layer"Troubleshooting JavaSinkTracer
Python dependencies fail to install or import errors at startup
Use a virtual environment to avoid conflicts: python -m venv venv && source venv/bin/activate && pip install -r requirements.txt. Then update your Claude Desktop config to point to the venv Python: /path/to/JavaSinkTracer_MCP/venv/bin/python.
build_callgraph takes very long or runs out of memory on large projects
Large Java projects with thousands of classes can be resource-intensive to parse. Start with a specific sub-module or package directory rather than the entire project root. The tool accepts a directory path, so you can scope the analysis to a single service.
find_vulnerabilities returns no results even for known-vulnerable code
Ensure the call graph was built successfully first by checking the response from build_callgraph. Run list_sink_rules to confirm the vulnerability types you expect are configured. The tool uses static pattern matching against sink function signatures, so code must be parseable Java source.
Frequently Asked Questions about JavaSinkTracer
What is JavaSinkTracer?
JavaSinkTracer is a Model Context Protocol (MCP) server that enables ai-powered java source code vulnerability auditing through function-level taint analysis. performs reverse tracking from dangerous functions to external entry points to automatically discover potential security vulnerability chains. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install JavaSinkTracer?
Follow the installation instructions on the JavaSinkTracer GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with JavaSinkTracer?
JavaSinkTracer works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is JavaSinkTracer free to use?
Yes, JavaSinkTracer is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
JavaSinkTracer Alternatives — Similar Security Servers
Looking for alternatives to JavaSinkTracer? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up JavaSinkTracer in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use JavaSinkTracer?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.