Usage of the tool to normal java applications(Non android)

[akshayprasad]

Dear Team,

I am trying to apply this tool for normal java existing projects and it says it needs apk mandatorily. Any help on this would be grateful.

Looking forward to hearing from you.

Regards,
Akshay Prasad

[yuhshin-oss]

Hi @akshayprasad, thanks for trying out Mariana Trench!

In order to run against non-android java projects, you would need to run it through a jar-to-apk converter. Mariana Trench should be able to run on the resulting APK.

Hope that helps!

[akshayprasad]

Thank you for the reply and I also see that this works for Dalvik code. The native java application that I have is bytecode, so,
Is there any way that Marian-Trench works for bytecode?

Also, I am a little curious about how the tool identifies the sources and the sinks.

Looking forward to hearing from you.
Thanks in advance.

[yuhshin-oss]

No, unfortunately, Mariana Trench does not work on java bytecode which is one reason the jar needs to be converted to an apk first.

As for how the tool identifies sources and sinks, these are user-configurable. See https://mariana-tren.ch/docs/customize-sources-and-sinks for how they can be configured.

We also have some default configurations checked in: https://github.com/facebook/mariana-trench/tree/main/configuration

[firmianay]

error: /tmp/mt-static-0e5jbn05/build/redex-master/libredex/DexLoader.cpp:50: void validate_dex_header(const dex_header*, size_t, int): assertion `supported' failed.
Bad dex magic dex
038 for support_dex_version 37

I have the source code, but it will be compiled into a high version of dex, which is not supported. So can I directly analyze the source code without providing the apk file?