Content
# Fenrir Code Audit Tool
Fenrir is a code audit tool based on the MCP protocol and AST (Abstract Syntax Tree) technology, designed to address the inefficiencies and inaccuracies of traditional code search and analysis methods when dealing with large-scale, complex structures, or even decompiled code in the fields of security research and automated code auditing.
The project centers around AST, integrating advanced technologies such as the MCP protocol and go-tree-sitter to achieve structured parsing, indexing, and efficient retrieval of source code in languages like Java. Its main features include precise code segment searches for classes, methods, fields, parent classes, and child classes based on AST, persistent caching of AST indexes, intelligent tool registration and AI collaboration under the MCP protocol, and good compatibility with decompiled code. The innovation of the project lies in the deep integration of AST structure with AI intelligent dialogue, significantly enhancing the practicality and intelligence of large models in code security analysis scenarios. The overall architecture is modular and easily extensible, making it suitable for integration into larger automated security platforms, with high engineering practicality and industry promotion prospects.
## Features
### 1. AST Abstract Syntax Tree
The core principle of this tool's code search functionality is to construct an AST (抽象语法树) Abstract Syntax Tree for the code.
### 2. Code Structure Analysis
Based on the AST (Abstract Syntax Tree), we implement precise code segment search functionality for classes, methods, properties, parent classes, and child classes, enabling the large model to accurately search for the desired code segments. It is well known that a significant pain point when using the MCP (Message Communication Protocol) is that the context sent to the large model can easily become too lengthy. This approach can eliminate redundant information, addressing the issue of excessive context length, and also helps the large model make more effective judgments.
### 3. MCP Protocol
Empower AI using the popular MCP (Model Communication Protocol) by providing powerful MCP tools, allowing large models to engage in equal dialogue with security researchers within the same code context, fully leveraging the "subjective initiative" of AI.
### 4. Efficient AST Cache Mechanism
Supports persistent caching of AST (抽象语法树, Abstract Syntax Tree) indexes to avoid re-parsing the source code during each analysis, significantly improving the analysis speed for large projects. The caching mechanism is configurable and supports automatic reconstruction and manual cleanup.
## Installation Instructions
### System Requirements
- The build version is Go 1.23.0 (if you encounter version issues, it is recommended to use Go 1.23.0 for building)
- Other dependencies can be found in the go.mod file
- The new version of go-tree-sitter has compatibility issues: undefined: Node. This is because the library code calls import "C", which enables cgo support. If you need to use cgo (for example, to call certain local C libraries), you need to install a C compiler that can be recognized by Go, such as MinGW-w64. Once installed, the issue will be resolved.
### Installation Steps
1. Clone the repository
```bash
git clone https://github.com/yourusername/Fenrir-CodeAuditTool.git
cd Fenrir-CodeAuditTool
```
2. Install dependencies
```bash
go mod download
```
3. Build the project
```bash
go build -o fenrir
```
## Usage
Step 1: Run the exe file, or the application/server/main.go file. You can specify the code repository path using the -i parameter in the command line, or specify the code repository path in the resources\config.yaml file (be sure to use double slashes) to start the MCP server. Example of command line specification:
.\Fenrir-CodeAuditTool.exe -i "D:\CodeAudit\Apache Sling CMS 1.1.8\apache-sling-cms-1.1.8"
Step 2: Use Cherry Studio or other client tools to configure this MCP server, and configure the large model API key to start the conversation. (The API key for the large model needs to be purchased separately).
Note: You can check the corresponding code repository's AST (抽象语法树, Abstract Syntax Tree) cache files in the cache directory.
## Project Structure
```
Fenrir-CodeAuditTool/
├── application/ # Server startup program, includes MCP tools and prompt registration
├── cache/ # AST cache file directory
├── configs/ # Configuration program
├── docs/ # Demonstration images
├── internal/ # AST parsing core program
├── prompts/ # Code audit prompts
├── resources/ # Configuration files
├── test/ # Test program
└── tools/ # Cache file management program
```
## Live Demonstration
We chose the Apache open-source project Sling CMS as the project to be audited, with the project address: https://github.com/apache/sling-org-apache-sling-app-cms
Import the Maven dependencies and locate the Sling dependencies in the local repository. For example, my path is: C:\Users\miaoj\.m2\repository\org\apache\sling:
These dependencies contain the core code of Sling CMS, which needs to be fully decompiled and the decompiled code copied to the code repository.
After completing the above steps, specify the code repository as the root path of the Sling CMS project, run the server-side code, and start building the AST (抽象语法树, Abstract Syntax Tree) index for the code repository and save it to a cache file, while also enabling an SSE (服务器发送事件, Server-Sent Events) listener:
Use Cherry Studio as the MCP (多通道处理, Multi-Channel Processing) client to connect to this server. Next, we will let Deepseek analyze from the login logic LoginServlet, which is located in the decompiled code of the dependency org.apache.sling.auth.core:
Let's take a look at the performance of the large model:
- First, we can see that AST parsing can be correctly performed even for large projects like Apache Sling CMS.
- Second, the decompiled code can also be correctly parsed and located.
- Third, Deepseek generated a call graph that illustrates its chain call process, demonstrating the powerful capability of this tool for automated chain searching and analysis.
- Finally, Deepseek identified code segments with security risks and provided repair suggestions, completing the code audit.
## Friendly Reminder
- Currently, only Java code AST (Abstract Syntax Tree) indexing is supported (including decompiled code).
- The actual auditing effectiveness depends on the capabilities of the large model.
- When using it in practice, prompts should be purposefully fine-tuned.
## Contribution Guidelines
1. Fork the project
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Create a Pull Request
## License
This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details.
## Acknowledgments
- [Tree-sitter](https://tree-sitter.github.io/tree-sitter/) - For code parsing
- [Go AST](https://golang.org/pkg/go/ast/) - Go language AST support
- [Java Parser](https://github.com/smacker/go-tree-sitter-java) - Java language parsing support
## New Features Added
Feature Design
Support for multiple code sources:
- ZIP archive URL download
- Git repository cloning
- Direct analysis from local path
Automation Process:
- Automatic download/clone of code
- Automatic extraction (if it is a compressed package)
- Automatic configuration file path setup
- Automatic construction/loading of AST
- Return audit results
-----------------------------------
Major modifications and new features:
- Server State Management: Added ServerState structure to manage server status, including readiness state, AST indexing, and query engine.
- Conditional Waiting: Implemented condition variables using sync.Cond, allowing other tools to wait until AST initialization is complete.
- Dynamic Initialization: If code_audit.repository_path is empty, the server will wait for the user to provide the remote repository address via MCP after startup.
Tool Dependencies:
- remote_code_audit: Always available for setting up remote repositories and initializing AST.
- code_search and class_hierarchy: Only available after AST initialization, will wait until ready.
- Comprehensive Error Handling: Ensures correct error handling in various situations.
Usage:
Start the server (without a local repository):
```bash
./fenrir
```
Provide remote repository via MCP client:
```json
{
"tool": "remote_code_audit",
"arguments": {
"repository_url": "zip:https://example.com/project.zip"
}
}
```
Then use other tools for code auditing:
```json
{
"tool": "code_search",
"arguments": {
"className": "LoginServlet",
"methodName": "",
"fieldName": ""
}
}
```
This design makes the server more flexible, allowing it to dynamically accept remote code repositories for auditing.
