bob-mcp-vuln-analysis
v0.0.4
Published
MCP server for vulnerability analysis - resolves component mappings, inspects codebases, and classifies remediation paths
Downloads
37
Maintainers
Readme
bob-mcp-vuln-analysis
MCP server for vulnerability analysis - resolves component mappings, inspects codebases, and classifies remediation paths.
Quick Start
npx -y bob-mcp-vuln-analysisPrerequisites
- Node.js 18+
- GitHub Enterprise token (for GitHub API access)
- Write access to mapping file path
Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| GITHUB_BASE_URL | Yes | GitHub Enterprise API base URL (e.g., https://github.ibm.com/api/v3) |
| GITHUB_TOKEN | Yes | GitHub Enterprise personal access token |
| MAPPING_FILE_PATH | No | Path to mapping registry (default: ~/.mcp-vuln-remediator/mappings.yaml) |
| LOG_LEVEL | No | Logging level (info, warn, error, debug) |
| REQUEST_TIMEOUT_MS | No | Request timeout in milliseconds |
Global MCP Configuration
Add to your VS Code User Settings (Cmd+Shift+P → "Open User Settings (JSON)"):
{
"mcpServers": {
"bob-mcp-vuln-analysis": {
"type": "stdio",
"command": "npx",
"args": ["-y", "bob-mcp-vuln-analysis"],
"env": {
"GITHUB_BASE_URL": "https://github.ibm.com/api/v3",
"GITHUB_TOKEN": "your-token-here",
"MAPPING_FILE_PATH": "~/.mcp-vuln-remediator/mappings.yaml"
}
}
}
}How This Server Fits Into the Vuln Workflow
This MCP server is one of four related bob-mcp-vuln-* servers:
bob-mcp-vuln-intake: Fetch and normalize Jira/GitHub vulnerability issues, then prioritize them for review.bob-mcp-vuln-analysis: Resolve Jira component → repo/local-path mapping, inspect the codebase, and classify whether a vulnerability is locally fixable, needs more input, or is likely vendor/deviation-bound.bob-mcp-vuln-remediation: From an approved plan, create a branch, apply code/Dockerfile/dependency changes, optionally run basic build/test, and open a pull request.bob-mcp-vuln-workflow: Write structured comments back to Jira or GitHub and transition Jira status once remediation reaches specific milestones.
Each server is designed to be useful on its own and can be wired together by your MCP client or agentic IDE mode to form an end-to-end vulnerability remediation flow.
Common Orchestration Command
A global command exists that orchestrates all four bob-mcp-vuln-* servers together in a single guided session. This is useful when you want an end-to-end flow without manually chaining servers.
Setup
The orchestration command file is included in this repository at bob-isv-vuln-helper.md. To use it, copy it to your Bob commands directory:
mkdir -p ~/.bob/commands
cp <path-to-repo>/bob-mcp-vuln-analysis/bob-isv-vuln-helper.md ~/.bob/commands/bob-isv-vuln-helper.mdUsage
Invoke the orchestration command with /bob-isv-vuln-remediate (or alias /vuln-remediate). It will:
- Ask whether you're working with Jira or GitHub
- Collect a JQL query or GitHub issue URL
- Use intake server to fetch and prioritize issues (Critical → Minor)
- Use analysis server to resolve component mapping and classify remediation path
- Ask for your approval before applying fixes
- Use remediation server to create branch, apply fix, and open PR
- Use workflow server to post comment and transition Jira status
- Ask if you want to continue with the next issue
When to Use This vs Individual Servers
- Use this command: For guided end-to-end remediation, especially if you're new to the workflow
- Use individual servers: When you need to focus on a specific part of the workflow (e.g., only analyze issues, or only create PRs)
Tools
- check_setup: Validate server configuration, mapping file accessibility, and GitHub connectivity
- load_component_mapping: Resolve Jira component to repository/local-path configuration
- save_component_mapping: Create or update persistent mapping entries
- inspect_codebase_context: Identify relevant files (Dockerfile, package manifests, etc.)
- infer_build_commands: Propose likely build/test commands from repository contents
- classify_issue_remediation: Determine remediation path (fixable, vendor dependency, needs input, etc.)
- generate_analysis_report: Produce detailed human-readable analysis summary
Prompts
- analyze-vulnerability-issue: Interactively analyze a vulnerability issue
- map-component-to-repo: Interactively create/update component-to-repo mappings
- inspect-local-code-for-vuln-fix: Interactively inspect local checkout for remediation points
Mapping Registry
The mapping file stores component-to-repository mappings in YAML format at ~/.mcp-vuln-remediator/mappings.yaml:
mappings:
- component: my-service
jira_project: SEC
repo:
provider: github
url: https://github.ibm.com/my-org/my-service
default_branch: main
local_path: /Users/me/repos/my-service
build:
command: npm run build
test_command: npm test
image_patterns:
- my-service
notes: Main frontend serviceIBM Bob Limitations
This server has the following limitations specific to IBM Bob integration:
- Runs as stdio transport only (no HTTP server)
- Requires GITHUB_TOKEN for GitHub Enterprise API access
- Mapping file must be accessible and writable
- Does not create branches, commits, or PRs directly (delegates to remediation server)
