Maven Tools MCP Server

Dependency intelligence infrastructure for AI assistants and agents working with JVM projects.

🎯 Why This Exists

The Developer Problem

Traditional upgrade workflow:

1. Google "Spring Boot 2.7 to 3.2 migration guide" (5 minutes)
2. Read 50-page migration docs, cross-reference breaking changes (15 minutes)
3. Check Maven Central for compatible dependency versions (5 minutes)
4. Update pom.xml, compile, fix breaking changes (30 minutes)
5. Debug mysterious runtime errors from incompatible transitive dependencies (2 hours)

Total: ~3 hours, high error rate, production risks

The Solution

AI-powered workflow:

1. Ask your AI assistant: "Should I upgrade Spring Boot from 2.7.18 to 3.2.1? What will break?"
2. Get instant analysis + migration plan:
   • Latest stable: 3.2.1 available
   • Breaking changes: javax.* → jakarta.*, Hibernate 5→6, Security API changes
   • Compatible dependency versions provided
   • Step-by-step migration plan with code fixes
   • Documentation links for each breaking change

Total: 30 seconds for complete plan, ~30 minutes for AI-assisted implementation vs 3+ hours manual

The AI Agent Opportunity

Traditional dependency bots (Renovate, Dependabot) can update version numbers but can't fix the code when APIs break.

AI agents with Maven Tools MCP can:

• Detect outdated dependencies
• Understand breaking changes (via documentation lookup)
• Update both version numbers AND fix code changes
• Run tests and debug failures
• Create PRs with complete, working upgrades

This is infrastructure for the next generation of automated dependency management.

⚡ See It In Action

Interactive Development (Primary Use Case)

Developer → GitHub Copilot Chat (VS Code): "Check all latest versions of the dependencies in my pom.xml"

Copilot (via MCP): Instantly analyzes all dependencies and provides:

• Current version vs latest available
• Stability classification (stable/RC/beta/etc.)
• Update recommendations (major/minor/patch)
• Security and compatibility insights
• Complete upgrade guidance

Time: Seconds vs minutes of manual checking Confidence: High (real-time data from Maven Central)

AI Agent Automation (Emerging Use Case)

Developer → Aider/Claude Code: "Upgrade my Spring Boot project from 2.7 to 3.2"

AI Agent workflow:

1. Scans pom.xml with Maven Tools MCP
2. Identifies Spring Boot 2.7.18 → 3.2.1 available
3. Fetches documentation (via Context7) for breaking changes
4. Updates pom.xml versions
5. Fixes code: javax.* → jakarta.*, deprecated APIs, config changes
6. Runs tests, debugs failures
7. Creates PR with working upgrade

Traditional bots stop at step 4. AI agents complete the job.

See also: 🤖 Dogfooding: Weekly Self-Updating Dependencies for the real in-repo GitHub Actions + agent workflow that applies this pattern to Maven Tools MCP itself.

🎬 Real-World Examples

Starting a New Feature

Ask: "I'm building a REST API for IoT data ingestion. I need high-throughput JSON parsing, time-series data structures, and async HTTP client. What libraries should I use with Spring Boot 3.2?"

Get:

• Jackson 2.17.0 for JSON (included in Spring Boot)
• Chronicles Wire 2.25.x for time-series
• Spring WebClient (reactive, built-in)
• Complete dependency blocks with reasoning

Result: Production-ready stack in 30 seconds vs hours of research

Choosing Between Alternatives

Ask: "Should I use Redis or Caffeine for caching ~10k req/min in Spring Boot?"

Get: Comparative analysis:

• Caffeine recommended for your throughput
• In-memory, sub-millisecond latency
• Latest version: 3.1.8
• Use Redis only if multi-instance with shared state
• Complete reasoning + dependency blocks for both options

Result: Architectural decision made with confidence, not guesswork

Reviewing Upgrade PRs

Ask: "This Renovate PR upgrades Spring Boot 2.7.18 → 3.2.1. What will break?"

Get: Breaking change analysis:

• javax.* → jakarta.* namespace migration
• Hibernate 5.6 → 6.4 (query syntax changes)
• Spring Security config API changes
• Compatible dependency versions provided

Result: Know before merging, not after production breaks

Security Response

Ask: "Check these dependencies for CVEs and show me safe upgrade paths: org.springframework:spring-core:5.3.20, com.fasterxml.jackson.core:jackson-databind:2.13.3"

Get:

• Spring Core 5.3.20: CVE-2023-20861 (RCE) - Upgrade to 5.3.30+
• Jackson 2.13.3: CVE-2022-42003 (DoS) - Upgrade to 2.13.5+
• Latest compatible versions with Spring Boot provided

Result: Immediate vulnerability awareness with clear remediation path

Bulk Project Analysis

Ask: "Analyze my project's dependency health" (paste pom.xml)

Get: Health report:

• 3 dependencies with CVEs (critical: 1, high: 2)
• 5 dependencies >2 years old (maintenance concern)
• 2 GPL dependencies (license risk)
• Recommended upgrades with stability classification

Result: Complete project health snapshot in 2yr)

• Release velocity trends (accelerating/stable/declining)
• Maintenance health indicators

🔒 Security & Compliance

CVE Vulnerability Scanning:

• Powered by OSV.dev (Google's Open Source Vulnerabilities database)
• Scans against known CVEs in Java ecosystem
• Severity ratings and remediation guidance
• Bulk scanning for entire projects

License Compliance:

• Automatic license detection
• GPL/LGPL identification (legal risk flagging)
• License compatibility analysis
• Enterprise compliance reporting

⚡ Performance

Production-Ready Speed:

• Single dependency: or an environment where Context7 requires auth and no API key is provided Solution (skip Context7 raw tools): Use Context7-free image:

{
  "mcpServers": {
    "maven-tools": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "arvindand/maven-tools-mcp:latest-noc7"]
    }
  }
}

Solution (keep Context7 enabled): CONTEXT7_API_KEY is optional, but if your environment requires Context7 auth (or you want to avoid anonymous limits), export it and pass it through Docker with -e CONTEXT7_API_KEY in your MCP client config.

SSL Inspection / Corporate Certificates

Symptom: SSL handshake failures, certificate errors Cause: Corporate MITM proxy with custom CA certificates Solution: Build custom image with corporate certificates - see CORPORATE-CERTIFICATES.md

Slow First Query

Symptom: First query takes 2-3 seconds Cause: Cold start + uncached Maven Central request Expected behavior: Subsequent queries <100ms (cached). This is normal.

Docker Permission Issues

Symptom: "permission denied" when running Docker command Solution:

# Linux: Add user to docker group
sudo usermod -aG docker $USER
# Then logout/login

# Windows/Mac: Ensure Docker Desktop is running

🔬 Technical Architecture

Design Principles

1. Zero External State

• Stateless Spring Boot application
• All data from Maven Central (no database)
• Idempotent operations
• Horizontally scalable

2. Fail-Fast with Graceful Degradation

• Context7 unavailable? Provide fallback instructions
• OSV.dev timeout? Return results without CVE data
• Network issues? Clear error messages
• No silent failures

3. Production-Ready Performance

• Spring AOT + GraalVM native images
• HTTP client connection pooling
• Smart caching strategies
• <50ms startup time (native)

How It Works

AI Assistant → MCP Protocol → Maven Tools MCP Server

Workflow:
1. AI assistant parses user request and extracts dependency coordinates
2. AI assistant calls MCP tool with coordinates (groupId:artifactId)
3. Server fetches maven-metadata.xml from Maven Central
4. Server parses XML, classifies versions by stability
5. Optionally: Server queries OSV.dev for CVEs
6. Optionally: Server fetches license from POM
7. Server returns structured JSON to AI assistant
8. AI assistant interprets results and responds to user

Response time: <100ms (cached), <500ms (fresh)

Deployment Options

Docker STDIO (Recommended for Desktop):

• Multi-arch support (AMD64 + ARM64)
• Automatic platform selection
• Isolated environment
• docker run -i --rm arvindand/maven-tools-mcp:latest
• Optional (pass Context7 API key): docker run -i --rm -e CONTEXT7_API_KEY arvindand/maven-tools-mcp:latest

Docker HTTP (Streamable HTTP Transport):

• HTTP-based MCP protocol on port 8080
• Health probes: /actuator/health/liveness, /actuator/health/readiness
• docker run -p 8080:8080 arvindand/maven-tools-mcp:latest-http
• Optional (pass Context7 API key): docker run -p 8080:8080 -e CONTEXT7_API_KEY arvindand/maven-tools-mcp:latest-http

Native Image:

• <50ms startup
• Lower memory footprint (~100MB vs 500MB JVM)
• Platform-specific binaries
• Download from Releases

JVM JAR:

• Maximum compatibility
• Dynamic configuration
• ~200ms startup
• java -jar maven-tools-mcp.jar

Network Requirements

Outbound HTTPS to:

• repo1.maven.org (Maven Central metadata)
• api.osv.dev (CVE vulnerability data)
• mcp.context7.com (optional documentation)

Corporate Networks:

• Proxy configuration supported
• Custom CA certificates supported (see CORPORATE-CERTIFICATES.md)
• Context7-free builds available (arvindand/maven-tools-mcp:latest-noc7)
• HTTP transport variant (arvindand/maven-tools-mcp:latest-http)

Alternative Setup Methods

Using Docker Compose

Alternative Claude Desktop configuration (if you prefer compose):

Download docker-compose.yml and configure:

{
  "mcpServers": {
    "maven-tools": {
      "command": "docker",
      "args": [
        "compose", "-f", "/absolute/path/to/docker-compose.yml",
        "run", "--rm", "maven-tools-mcp"
      ]
    }
  }
}

For development/testing only:

docker compose up -d  # Runs server in background for testing

Build from Source (for contributors)

Prerequisites:

• Java 24
• Maven 3.9+

# Clone the repository
git clone https://github.com/arvindand/maven-tools-mcp.git
cd maven-tools-mcp

# Quick build (CI-friendly - unit tests only)
./mvnw clean package -Pci

# Full build with all tests (requires network access)
./mvnw clean package -Pfull

# Run the JAR
java -jar target/maven-tools-mcp-2.0.5.jar

Claude Desktop configuration for JAR:

{
  "mcpServers": {
    "maven-tools": {
      "command": "java",
      "args": [
        "-jar",
        "/absolute/path/to/maven-tools-mcp-2.0.5.jar"
      ]
    }
  }
}

Build Scripts

For easier builds, use the provided scripts in the build/ folder:

Linux/macOS:

cd build
./build.sh        # Complete build helper
./build-docker.sh # Docker-focused helper

Windows:

cd build
build.cmd         # Complete build helper
build-docker.cmd  # Docker-focused helper

Configuration

The server can be configured via application.yaml:

# Cache configuration
spring:
  cache:
    type: caffeine

# Maven Central Repository settings
maven:
  central:
    repository-base-url: https://repo1.maven.org/maven2
    timeout: 10s
    max-results: 100

# Logging (minimal for MCP stdio transport)
logging:
  level:
    root: ERROR

Technical Details

• Framework: Spring Boot 3.5.11 with Spring AI MCP
• MCP Protocol: 2025-06-18
• Java Version: 24
• Transport: stdio
• HTTP Client: OkHttp 5.3.2 with HTTP/2 support
• Cache: Caffeine (24-hour TTL, 2000 entries max)
• Resilience: Circuit breaker, retry, and rate limiter patterns
• Data Source: Maven Central Repository (maven-metadata.xml files)

References & Resources

Model Context Protocol (MCP)

• Official Website: modelcontextprotocol.io
• GitHub Repository: modelcontextprotocol/specification
• Protocol Documentation: MCP Specification

Spring AI MCP

• Documentation: Spring AI MCP Reference
• GitHub: spring-projects/spring-ai

Maven Central Repository

• Repository: repo1.maven.org
• Metadata Format: Maven Metadata XML Reference
• Search API: search.maven.org (not used in v1.4.0+)

Context7 MCP Server

• GitHub Repository: upstash/context7
• NPM Package: @upstash/context7-mcp
• Documentation: Upstash Context7 Blog

📝 Community & Discussion

Blog Posts:

• How I Connected Claude to Maven Central (and Why You Should Too)
• Guided Delegation: Adding Context7 Documentation to My Maven Tools MCP Server

Get Involved

• 💬 Discuss: Share your experiences and ask questions on dev.to
• 🐛 Issues: Report bugs or request features
• ⭐ Support: Star this repo if it improves your workflow

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

Arvind Menon

• GitHub: @arvindand
• Version: 2.0.5