
Mariana Trench, Facebook's open source code analysis tool

2022-06-24 17:50:00 Software test network

Facebook's security team announced a new open source project to the open source community this week: Mariana Trench, an open source tool for identifying vulnerabilities in Android and Java applications. Facebook had previously used it inside the company.

This application-security-focused tool can analyze large code bases of tens of millions of lines, helping developers find vulnerabilities in code before they occur and significantly reducing the risk of shipping security and privacy errors.

According to Facebook, since internal engineers began using Mariana Trench, it has found more than 50% of the security vulnerabilities in all of the company's applications.

How Mariana Trench works:

Mariana Trench works by analyzing the flow of information from "sources" (sensitive user data, such as a password or geographic location) to "sinks" (functions or methods that use the source data). Mariana Trench is specially designed to detect such flows automatically; in the majority of cases, these problems can lead to serious privacy and security vulnerabilities.

Facebook explained in the tool's documentation: "By default, Mariana Trench can analyze Dalvik bytecode, so it works whether you have access to the source code or not."

Developers can also tune and train it by adding new rules and model generators, pointing it at areas where sensitive data should not appear in order to focus on specific security and privacy issues.
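The source-to-sink analysis and the role of rules described above can be sketched in a few lines. This is an added illustration, not code from Mariana Trench or Facebook; the method names, kinds, rules and sample program are constructed, and the data layout is not Mariana Trench's rule or model format.

```python
# Toy source-to-sink taint tracker. All method names, kinds and rules below are
# constructed for illustration; this is not Mariana Trench's rule or model format.
SOURCES = {"EditText.getText": "Password", "Location.getLatitude": "Location"}
SINKS = {"Log.d": "Logging", "OutputStream.write": "Network"}
# A rule says: data of this source kind must never reach this sink kind.
RULES = [("Password", "Logging", "password written to log"),
         ("Location", "Network", "location sent over network")]

def analyze(statements):
    """statements: list of (dst, callee, args); callee None is a plain assignment."""
    taint = {}      # variable -> set of source kinds it may carry
    findings = []
    for lineno, (dst, callee, args) in enumerate(statements, 1):
        incoming = set().union(*(taint.get(a, set()) for a in args))
        if callee in SOURCES:
            result = {SOURCES[callee]}
        elif callee in SINKS:
            for src_kind, sink_kind, issue in RULES:
                if src_kind in incoming and sink_kind == SINKS[callee]:
                    findings.append((lineno, issue))
            result = set()
        else:
            # Assignment or unmodelled call: assume the output carries input taint.
            result = incoming
        if dst is not None:
            taint[dst] = result   # strong update: overwriting clears old taint
    return findings

# Constructed sample program, one statement per entry (numbered from 1).
PROGRAM = [
    ("pw", "EditText.getText", []),
    ("msg", "String.concat", ["prefix", "pw"]),   # taint propagates into msg
    ("lat", "Location.getLatitude", []),
    (None, "Log.d", ["tag", "msg"]),              # 4: Password reaches Logging
    (None, "Log.d", ["tag", "lat"]),              # 5: no rule pairs Location with Logging
    ("msg", None, ["prefix"]),                    # 6: msg overwritten with clean data
    (None, "Log.d", ["tag", "msg"]),              # 7: clean, no finding
    (None, "OutputStream.write", ["lat"]),        # 8: Location reaches Network
]

if __name__ == "__main__":
    for line, issue in analyze(PROGRAM):
        print(f"statement {line}: {issue}")
```

Adding a rule tuple or a new entry in SOURCES or SINKS changes what is reported without touching the analysis loop, which is the kind of tuning the paragraph above describes.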

Mariana Trench is the third code analysis tool Facebook has disclosed, after Zoncolan, published in 2019, and Pysa, published in 2021. Although Mariana Trench works much like Zoncolan and Pysa, the three target different fields: Zoncolan and Pysa are used to detect and prevent security issues in Hack and Python code, while Mariana Trench is mainly aimed at Android and Java.

Facebook has now hosted the project on GitHub, and interested developers can click the link to learn more. To help developers use the tool, Facebook has also released a tutorial on the official website.

This article is from OSCHINA

Article title: Facebook open-sources code analysis tool Mariana Trench

Article address: https://www.oschina.net/news/162572/facebook-open-sources-mariana-trench


Copyright notice
This article was created by [Software test network]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202211543350522.html