Interesting tool. This looks like the Java equivalent of Facebook's Python taint analysis tool Pysa: https://pyre-check.org/docs/pysa-basics/.

From what I can tell by the documentation, it looks like Mariana's requires you to bring your own sources/sinks/sanitizers, so expect a lot of up front cost to integrate this into your toolchain. This as opposed to including commonly used rules or heuristics. Not a huge deal since users can write and share there own rules, but this looks like a framework for sophisticated static analysis and not a batteries included solution.

It literally says on the `Getting started` that it is similar to Pysa.

Good catch. I went straight to "Documentation", which links to https://mariana-tren.ch/docs/getting-started, while the "Getting Started" button somewhat confusingly links to https://mariana-tren.ch/docs/overview.

After a deeper dive I also noticed that my second statement about "batteries included" isn't totally true. Digging around in the Github repository I found a dozen or so heuristics here: https://github.com/facebook/mariana-trench/tree/main/configu.... It'll be cool to watch this fill out a bit.

It is the latest system in that same family - more details here: https://engineering.fb.com/2021/09/29/security/mariana-trenc...

How does this differ from Facebook's Infer's "Quandary" checker, which also does taint analysis for Java? Only in that it supports Dalvik instead of JVM bytecode? https://fbinfer.com/docs/checker-quandary

Contributor here: conceptually they are similar but Quandary is no longer under active development whereas Mariana Trench will be supported long term.

_Security-Focused Static Analysis for Android and Java Applications_

But it seems it's not for the JVM, only for Android APKs.

Edit: https://mariana-tren.ch/docs/configuration#command-line-opti...

Indeed, only APK.