Hacker News new | ask | show | jobs
by schwag09 1718 days ago
Interesting tool. This looks like the Java equivalent of Facebook's Python taint analysis tool Pysa: https://pyre-check.org/docs/pysa-basics/.

From what I can tell by the documentation, it looks like Mariana's requires you to bring your own sources/sinks/sanitizers, so expect a lot of up front cost to integrate this into your toolchain. This as opposed to including commonly used rules or heuristics. Not a huge deal since users can write and share there own rules, but this looks like a framework for sophisticated static analysis and not a batteries included solution.
1 comments
notyourwork 1718 days ago
It literally says on the `Getting started` that it is similar to Pysa.
link
schwag09 1717 days ago
Good catch. I went straight to "Documentation", which links to https://mariana-tren.ch/docs/getting-started, while the "Getting Started" button somewhat confusingly links to https://mariana-tren.ch/docs/overview.

After a deeper dive I also noticed that my second statement about "batteries included" isn't totally true. Digging around in the Github repository I found a dozen or so heuristics here: https://github.com/facebook/mariana-trench/tree/main/configu.... It'll be cool to watch this fill out a bit.

link
moneil971 1718 days ago
It is the latest system in that same family - more details here: https://engineering.fb.com/2021/09/29/security/mariana-trenc...
link