[HN Gopher] Mariana Trench: Security-Focused Static Analysis for...
       ___________________________________________________________________
        
       Mariana Trench: Security-Focused Static Analysis for Android and
       Java
        
       Author : afrcnc
       Score  : 42 points
       Date   : 2021-09-29 18:20 UTC (4 hours ago)
        
 (HTM) web link (mariana-tren.ch)
 (TXT) w3m dump (mariana-tren.ch)
        
       | arxanas wrote:
| How does this differ from Facebook's Infer's "Quandary" checker,
| which also does taint analysis for Java? Only in that it supports
| Dalvik instead of JVM bytecode?
| https://fbinfer.com/docs/checker-quandary
        
         | derpderpderpd wrote:
         | Contributor here: conceptually they are similar but Quandary is
         | no longer under active development whereas Mariana Trench will
         | be supported long term.
        
       | schwag09 wrote:
| Interesting tool. This looks like the Java equivalent of
| Facebook's Python taint analysis tool Pysa:
| https://pyre-check.org/docs/pysa-basics/.
| 
| From what I can tell by the documentation, it looks like
| Mariana Trench requires you to bring your own
| sources/sinks/sanitizers, so expect a lot of up-front cost to
| integrate this into your toolchain, as opposed to including
| commonly used rules or heuristics. Not a huge deal since users
| can write and share their own rules, but this looks like a
| framework for sophisticated static analysis and not a batteries-
| included solution.
        
         | notyourwork wrote:
         | It literally says on the `Getting started` that it is similar
         | to Pysa.
        
       ___________________________________________________________________
       (page generated 2021-09-29 23:01 UTC)