Interesting tool. This looks like the Java equivalent of Facebook's Python taint analysis tool Pysa: https://pyre-check.org/docs/pysa-basics/

From what I can tell by the documentation, it looks like Mariana's requires you to bring your own sources/sinks/sanitizers, so expect a lot of up-front cost to integrate this into your toolchain. This as opposed to including commonly used rules or heuristics. Not a huge deal since users can write and share their own rules, but this looks like a framework for sophisticated static analysis and not a batteries-included solution.
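To make concrete what "bring your own sources/sinks/sanitizers" means for a taint analysis, here is a toy forward taint tracker added as an illustration. It is not Mariana Trench's or Pysa's code and does not use their model formats; the statement representation, the rule class and the method names in the constructed sample program (`getStringExtra`, `shellEscape`, `Runtime.exec`) are all assumptions chosen for the example. Running the same program under an empty rule set and under a populated one shows why the analysis reports nothing until someone supplies the rules.

```python
"""Toy forward taint analysis over a straight-line program (added example).

Sources, sinks and sanitizers are supplied by the user as a TaintRules
object; with no rules the analysis is silent, which is the integration
cost discussed above.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Stmt:
    """A single `target = callee(args...)` statement in a simplified IR."""
    target: str
    callee: str
    args: Tuple[str, ...]


@dataclass
class TaintRules:
    """User-provided models: which callees introduce, remove or consume taint."""
    sources: Set[str]
    sinks: Set[str]
    sanitizers: Set[str]


Finding = Tuple[int, str, List[str]]  # (statement index, sink callee, tainted args)


def analyze(program: Tuple[Stmt, ...], rules: TaintRules) -> List[Finding]:
    """Propagate taint forward through the program and report tainted sink calls."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for idx, st in enumerate(program):
        tainted_args = [a for a in st.args if a in tainted]
        if st.callee in rules.sources:
            # A source introduces taint regardless of its arguments.
            tainted.add(st.target)
        elif st.callee in rules.sanitizers:
            # A sanitizer's result is considered clean even if its input was tainted.
            tainted.discard(st.target)
        elif st.callee in rules.sinks:
            if tainted_args:
                findings.append((idx, st.callee, tainted_args))
            tainted.discard(st.target)
        else:
            # Unmodelled call: taint flows from any tainted argument to the result.
            if tainted_args:
                tainted.add(st.target)
            else:
                tainted.discard(st.target)
    return findings


# Constructed sample program resembling an Android activity reading an
# untrusted extra and passing it to a command execution API.
PROGRAM: Tuple[Stmt, ...] = (
    Stmt("intent", "getIntent", ()),
    Stmt("cmd", "getStringExtra", ("intent",)),
    Stmt("safe", "shellEscape", ("cmd",)),
    Stmt("r1", "Runtime.exec", ("cmd",)),
    Stmt("r2", "Runtime.exec", ("safe",)),
)

# Assumed rule set; a real deployment would model the framework's APIs here.
RULES = TaintRules(
    sources={"getStringExtra"},
    sinks={"Runtime.exec"},
    sanitizers={"shellEscape"},
)

NO_RULES = TaintRules(sources=set(), sinks=set(), sanitizers=set())


def demo_with_rules() -> List[Finding]:
    """Expect one finding: the unsanitized `cmd` reaching Runtime.exec."""
    return analyze(PROGRAM, RULES)


def demo_without_rules() -> List[Finding]:
    """Expect no findings: nothing is a source or sink until rules say so."""
    return analyze(PROGRAM, NO_RULES)


if __name__ == "__main__":
    print("with rules:   ", demo_with_rules())
    print("without rules:", demo_without_rules())
```

The second sink call is not reported because its argument passed through the modelled sanitizer; remove `shellEscape` from the rules and the analysis will flag both calls, which is the kind of tuning the rule author has to do for every framework API that matters.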
How does this differ from Facebook's Infer's "Quandary" checker, which also does taint analysis for Java? Only in that it supports Dalvik instead of JVM bytecode? https://fbinfer.com/docs/checker-quandary
_Security-Focused Static Analysis for Android and Java Applications_

But it seems it's not for the JVM, only for Android APKs.

Edit: https://mariana-tren.ch/docs/configuration#command-line-options

Indeed, only APK.