Test Quarkus
This project is a Model Context Protocol (MCP) server implementation built with Quarkus that provides security vulnerability information and best practices for Java development.
Ask AI about Test Quarkus
Powered by Claude Β· Grounded in docs
I know everything about Test Quarkus. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
Java Security Vulnerability Scanner - MCP Server
Project Purpose
This project is a Model Context Protocol (MCP) server implementation built with Quarkus that provides security vulnerability information and best practices for Java development. It demonstrates how to create a practical, domain-specific MCP server that can extend AI assistants like IBM Bob with actionable security intelligence.
Instead of returning simple data, this server provides real-world value by helping developers:
- π Identify common Java security vulnerabilities
- π Learn about OWASP Top 10 security risks
- β Get remediation steps with code examples
- π‘οΈ Follow security best practices
π Want to understand more about MCP endpoint? See the MCP Endpoint Explanation for a detailed breakdown of the URL structure and transport mechanism.
π Available MCP Tools
The MCP server exposes the following security-focused tools:
1. listVulnerabilities
Get a complete list of all detectable Java security vulnerabilities.
Parameters: None
Returns: List of vulnerabilities with:
- Vulnerability names
- Severity levels (CRITICAL, HIGH, MEDIUM, LOW)
- OWASP classifications
- Vulnerability IDs
Example usage in Bob:
"List all Java security vulnerabilities"
"What vulnerabilities can you detect?"
2. getVulnerabilityDetails
Get comprehensive information about a specific vulnerability including remediation steps.
Parameters:
vulnerabilityId(required): The vulnerability ID (e.g., "SQL_INJECTION", "HARDCODED_CREDENTIALS")
Returns: Detailed information including:
- Full description
- Severity and category
- OWASP and CWE classifications
- Code examples showing the vulnerability
- Detailed remediation steps with secure code examples
Example usage in Bob:
"Get details about SQL_INJECTION vulnerability"
"Tell me about HARDCODED_CREDENTIALS security issue"
"How do I fix XSS_VULNERABILITY?"
3. getOwaspTop10
Get information about the OWASP Top 10 - 2021 security risks.
Parameters: None
Returns: Complete OWASP Top 10 list with:
- Risk descriptions
- Impact explanations
- Prevention strategies
Example usage in Bob:
"Show me the OWASP Top 10"
"What are the top security risks according to OWASP?"
4. searchBySeverity
Find vulnerabilities filtered by severity level.
Parameters:
severity(required): CRITICAL, HIGH, MEDIUM, or LOW
Returns: Filtered list of vulnerabilities matching the severity level with descriptions.
Example usage in Bob:
"Show me all CRITICAL severity vulnerabilities"
"Find HIGH severity security issues"
"What are the MEDIUM severity risks?"
5. getSecurityBestPractices
Get comprehensive security best practices for Java development.
Parameters: None
Returns: Detailed guidelines covering:
- Input validation
- Authentication & authorization
- Data protection
- Secure coding principles
- Dependency management
- Logging & monitoring
- Code review & testing
- Configuration security
Example usage in Bob:
"What are Java security best practices?"
"Give me security recommendations for Java"
"How should I secure my Java application?"
π Vulnerability Database
The server includes information about these critical vulnerabilities:
| Vulnerability | Severity | OWASP Category | CWE |
|---|---|---|---|
| SQL Injection | CRITICAL | A03:2021 - Injection | CWE-89 |
| Hardcoded Credentials | CRITICAL | A07:2021 - Authentication Failures | CWE-798 |
| Path Traversal | HIGH | A01:2021 - Broken Access Control | CWE-22 |
| Weak Cryptography | HIGH | A02:2021 - Cryptographic Failures | CWE-327 |
| Cross-Site Scripting (XSS) | HIGH | A03:2021 - Injection | CWE-79 |
Each vulnerability includes:
- β Detailed description
- β Severity classification
- β OWASP Top 10 mapping
- β CWE reference
- β Remediation steps with code examples
π€ Connecting to IBM Bob
Add this configuration to ~/.bob/settings/mcp_settings.json:
{
"mcpServers": {
"java-security-scanner": {
"url": "http://localhost:8080/mcp/sse",
"alwaysAllow": []
}
}
}
Restart Bob, and you can now ask security-related questions!
π‘ Real-World Use Cases
Use Case 1: Code Review Assistant
Developer: "What should I look for regarding SQL injection?"
Bob: [Calls getVulnerabilityDetails("SQL_INJECTION")]
Bob: "SQL injection occurs when untrusted data is sent to an interpreter...
Use PreparedStatement with parameterized queries..."
Use Case 2: Learning Security
Developer: "Explain the OWASP Top 10 to me"
Bob: [Calls getOwaspTop10()]
Bob: "Here are the OWASP Top 10 - 2021 security risks:
A01:2021 - Broken Access Control..."
Use Case 3: Security Audit
Developer: "Show me all CRITICAL vulnerabilities I should fix first"
Bob: [Calls searchBySeverity("CRITICAL")]
Bob: "Here are the CRITICAL severity vulnerabilities:
β’ SQL Injection - SQL injection occurs when...
β’ Hardcoded Credentials - Hardcoded passwords..."
About Quarkus
This project uses Quarkus, the Supersonic Subatomic Java Framework.
If you want to learn more about Quarkus, please visit its website: https://quarkus.io/.
Running the application in dev mode
You can run your application in dev mode that enables live coding using:
./gradlew quarkusDev
The MCP server will be available at:
- SSE Endpoint:
http://localhost:8080/mcp/sse - Dev UI:
http://localhost:8080/q/dev/
NOTE: Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/.
Testing the MCP Server
Test with cURL
# Connect to SSE endpoint
curl -N http://localhost:8080/mcp/sse
# You'll get a session ID, then you can call tools:
curl -X POST http://localhost:8080/mcp/messages/{SESSION_ID} \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "listVulnerabilities",
"arguments": {}
},
"id": 1
}'
Test with Bob
Once configured in Bob's MCP settings, simply ask:
- "List all security vulnerabilities"
- "What are critical Java security issues?"
- "Show me the OWASP Top 10"
Packaging and running the application
The application can be packaged using:
./gradlew build
It produces the quarkus-run.jar file in the build/quarkus-app/ directory.
Be aware that it's not an ΓΌber-jar as the dependencies are copied into the build/quarkus-app/lib/ directory.
The application is now runnable using java -jar build/quarkus-app/quarkus-run.jar.
If you want to build an ΓΌber-jar, execute the following command:
./gradlew build -Dquarkus.package.jar.type=uber-jar
The application, packaged as an ΓΌber-jar, is now runnable using java -jar build/*-runner.jar.
Creating a native executable
You can create a native executable using:
./gradlew build -Dquarkus.native.enabled=true
Or, if you don't have GraalVM installed, you can run the native executable build in a container using:
./gradlew build -Dquarkus.native.enabled=true -Dquarkus.native.container-build=true
You can then execute your native executable with: ./build/test-mcp-server-quarkus-1.0.0-SNAPSHOT-runner
If you want to learn more about building native executables, please consult https://quarkus.io/guides/gradle-tooling.
π Extending the Server
Add More Vulnerabilities
Edit src/main/resources/vulnerabilities.json and add new entries:
{
"id": "NEW_VULNERABILITY",
"name": "New Vulnerability Name",
"severity": "HIGH",
"category": "Category",
"owasp": "A0X:2021 - Category",
"description": "Description here",
"remediation": "How to fix it",
"cwe": "CWE-XXX"
}
Add New Tools
Create new methods in SecurityScannerTool.java:
@Tool(description = "Your new tool description")
public String yourNewTool(
@ToolArg(description = "Parameter description", required = true)
String parameter) {
// Your implementation
}
π Project Structure
src/
βββ main/
β βββ java/org/acme/
β β βββ SecurityScannerTool.java # MCP tools implementation
β βββ resources/
β βββ application.properties # Server configuration
β βββ vulnerabilities.json # Vulnerability database
Related Guides
- MCP Server - HTTP (guide): The HTTP/SSE transport for the MCP server
- OWASP Top 10: Web application security risks
- CWE - Common Weakness Enumeration: Software weakness classification
- MCP Specification: Model Context Protocol documentation
π― Why This Server?
This MCP server demonstrates:
- Practical Value: Provides actionable security intelligence, not just demo data
- Real-World Application: Helps developers write more secure code
- Extensibility: Easy to add more vulnerabilities or security patterns
- Educational: Teaches security while demonstrating MCP capabilities
- Integration: Shows how AI assistants can access domain-specific knowledge
Built with: Quarkus + MCP Server Extension
Purpose: Demonstrate practical MCP server development for IBM Bob integration
Focus: Java security vulnerability detection and remediation guidance