This project is a Model Context Protocol (MCP) server implementation built with Quarkus that provides security vulnerability information and best practices for Java development.
Java Security Vulnerability Scanner - MCP Server
Project Purpose
This project is a Model Context Protocol (MCP) server implementation built with Quarkus that provides security vulnerability information and best practices for Java development. It demonstrates how to create a practical, domain-specific MCP server that can extend AI assistants like IBM Bob with actionable security intelligence.
Instead of returning simple data, this server provides real-world value by helping developers:
- 🔍 Identify common Java security vulnerabilities
- 📚 Learn about OWASP Top 10 security risks
- ✅ Get remediation steps with code examples
- 🛡️ Follow security best practices
📖 Want to understand more about MCP endpoint? See the MCP Endpoint Explanation for a detailed breakdown of the URL structure and transport mechanism.
🚀 Available MCP Tools
The MCP server exposes the following security-focused tools:
1. listVulnerabilities
Get a complete list of all detectable Java security vulnerabilities.
Parameters: None
Returns: List of vulnerabilities with:
- Vulnerability names
- Severity levels (CRITICAL, HIGH, MEDIUM, LOW)
- OWASP classifications
- Vulnerability IDs
Example usage in Bob:
"List all Java security vulnerabilities"
"What vulnerabilities can you detect?"
2. getVulnerabilityDetails
Get comprehensive information about a specific vulnerability including remediation steps.
Parameters:
vulnerabilityId(required): The vulnerability ID (e.g., "SQL_INJECTION", "HARDCODED_CREDENTIALS")
Returns: Detailed information including:
- Full description
- Severity and category
- OWASP and CWE classifications
- Code examples showing the vulnerability
- Detailed remediation steps with secure code examples
Example usage in Bob:
"Get details about SQL_INJECTION vulnerability"
"Tell me about HARDCODED_CREDENTIALS security issue"
"How do I fix XSS_VULNERABILITY?"
3. getOwaspTop10
Get information about the OWASP Top 10 - 2021 security risks.
Parameters: None
Returns: Complete OWASP Top 10 list with:
- Risk descriptions
- Impact explanations
- Prevention strategies
Example usage in Bob:
"Show me the OWASP Top 10"
"What are the top security risks according to OWASP?"
4. searchBySeverity
Find vulnerabilities filtered by severity level.
Parameters:
severity(required): CRITICAL, HIGH, MEDIUM, or LOW
Returns: Filtered list of vulnerabilities matching the severity level with descriptions.
Example usage in Bob:
"Show me all CRITICAL severity vulnerabilities"
"Find HIGH severity security issues"
"What are the MEDIUM severity risks?"
5. getSecurityBestPractices
Get comprehensive security best practices for Java development.
Parameters: None
Returns: Detailed guidelines covering:
- Input validation
- Authentication & authorization
- Data protection
- Secure coding principles
- Dependency management
- Logging & monitoring
- Code review & testing
- Configuration security
Example usage in Bob:
"What are Java security best practices?"
"Give me security recommendations for Java"
"How should I secure my Java application?"
📊 Vulnerability Database
The server includes information about these critical vulnerabilities:
| Vulnerability | Severity | OWASP Category | CWE | |--------------|----------|----------------|-----| | SQL Injection | CRITICAL | A03:2021 - Injection | CWE-89 | | Hardcoded Credentials | CRITICAL | A07:2021 - Authentication Failures | CWE-798 | | Path Traversal | HIGH | A01:2021 - Broken Access Control | CWE-22 | | Weak Cryptography | HIGH | A02:2021 - Cryptographic Failures | CWE-327 | | Cross-Site Scripting (XSS) | HIGH | A03:2021 - Injection | CWE-79 |
Each vulnerability includes:
- ✅ Detailed description
- ✅ Severity classification
- ✅ OWASP Top 10 mapping
- ✅ CWE reference
- ✅ Remediation steps with code examples
🤖 Connecting to IBM Bob
Add this configuration to ~/.bob/settings/mcp_settings.json:
{
"mcpServers": {
"java-security-scanner": {
"url": "http://localhost:8080/mcp/sse",
"alwaysAllow": []
}
}
}
Restart Bob, and you can now ask security-related questions!
💡 Real-World Use Cases
Use Case 1: Code Review Assistant
Developer: "What should I look for regarding SQL injection?"
Bob: [Calls getVulnerabilityDetails("SQL_INJECTION")]
Bob: "SQL injection occurs when untrusted data is sent to an interpreter...
Use PreparedStatement with parameterized queries..."
Use Case 2: Learning Security
Developer: "Explain the OWASP Top 10 to me"
Bob: [Calls getOwaspTop10()]
Bob: "Here are the OWASP Top 10 - 2021 security risks:
A01:2021 - Broken Access Control..."
Use Case 3: Security Audit
Developer: "Show me all CRITICAL vulnerabilities I should fix first"
Bob: [Calls searchBySeverity("CRITICAL")]
Bob: "Here are the CRITICAL severity vulnerabilities:
• SQL Injection - SQL injection occurs when...
• Hardcoded Credentials - Hardcoded passwords..."
About Quarkus
This project uses Quarkus, the Supersonic Subatomic Java Framework.
If you want to learn more about Quarkus, please visit its website: https://quarkus.io/.
Running the application in dev mode
You can run your application in dev mode that enables live coding using:
./gradlew quarkusDev
The MCP server will be available at:
- SSE Endpoint:
http://localhost:8080/mcp/sse - Dev UI:
http://localhost:8080/q/dev/
NOTE: Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/.
Testing the MCP Server
Test with cURL
# Connect to SSE endpoint
curl -N http://localhost:8080/mcp/sse
# You'll get a session ID, then you can call tools:
curl -X POST http://localhost:8080/mcp/messages/{SESSION_ID} \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "listVulnerabilities",
"arguments": {}
},
"id": 1
}'
Test with Bob
Once configured in Bob's MCP settings, simply ask:
- "List all security vulnerabilities"
- "What are critical Java security issues?"
- "Show me the OWASP Top 10"
Packaging and running the application
The application can be packaged using:
./gradlew build
It produces the quarkus-run.jar file in the build/quarkus-app/ directory.
Be aware that it's not an über-jar as the dependencies are copied into the build/quarkus-app/lib/ directory.
The application is now runnable using java -jar build/quarkus-app/quarkus-run.jar.
If you want to build an über-jar, execute the following command:
./gradlew build -Dquarkus.package.jar.type=uber-jar
The application, packaged as an über-jar, is now runnable using java -jar build/*-runner.jar.
Creating a native executable
You can create a native executable using:
./gradlew build -Dquarkus.native.enabled=true
Or, if you don't have GraalVM installed, you can run the native executable build in a container using:
./gradlew build -Dquarkus.native.enabled=true -Dquarkus.native.container-build=true
You can then execute your native executable with: ./build/test-mcp-server-quarkus-1.0.0-SNAPSHOT-runner
If you want to learn more about building native executables, please consult https://quarkus.io/guides/gradle-tooling.
🔄 Extending the Server
Add More Vulnerabilities
Edit src/main/resources/vulnerabilities.json and add new entries:
{
"id": "NEW_VULNERABILITY",
"name": "New Vulnerability Name",
"severity": "HIGH",
"category": "Category",
"owasp": "A0X:2021 - Category",
"description": "Description here",
"remediation": "How to fix it",
"cwe": "CWE-XXX"
}
Add New Tools
Create new methods in SecurityScannerTool.java:
@Tool(description = "Your new tool description")
public String yourNewTool(
@ToolArg(description = "Parameter description", required = true)
String parameter) {
// Your implementation
}
📚 Project Structure
src/
├── main/
│ ├── java/org/acme/
│ │ └── SecurityScannerTool.java # MCP tools implementation
│ └── resources/
│ ├── application.properties # Server configuration
│ └── vulnerabilities.json # Vulnerability database
Related Guides
- MCP Server - HTTP (guide): The HTTP/SSE transport for the MCP server
- OWASP Top 10: Web application security risks
- CWE - Common Weakness Enumeration: Software weakness classification
- MCP Specification: Model Context Protocol documentation
🎯 Why This Server?
This MCP server demonstrates:
- Practical Value: Provides actionable security intelligence, not just demo data
- Real-World Application: Helps developers write more secure code
- Extensibility: Easy to add more vulnerabilities or security patterns
- Educational: Teaches security while demonstrating MCP capabilities
- Integration: Shows how AI assistants can access domain-specific knowledge
Built with: Quarkus + MCP Server Extension
Purpose: Demonstrate practical MCP server development for IBM Bob integration
Focus: Java security vulnerability detection and remediation guidance