smart-contract-analysis-tools's Issues
Templating engine for Rust
Make the docker images smaller
Currently, (commit 738ce57) the docker image (built for arm64) is around 18GB. This is of course quite large.
There should be an attempt to make it smaller.
Add docs on conventional commits
Update docker to install kevm with kup
Sort the printed issues based on Impact
We should sort this descending, meaning high-impact issues should be printed on top.
Second sorting criteria (not as important but nice to have) could be confidence, ranging from high to low as well.
Define a workflow for using kevm from this repository as a submodule
Improve documentation
The documentation can be improved by:
- Referring to usage examples.
- More information about the tools that can be used.
Show a message when Docker is not running
When Docker is not running, the tool will output a message saying that it can't read certain files for example. For user-friendliness it should be made clear that Docker should be running before running any analysis.
Fix solc-install in script
Some runner scripts are using solc-select use without first installing the version to use.
Update readme w.r.t. remappings
Change hard-coded path into pathToSourceFileFromRoot
Format mythril JSON output
Build docker image for arm64
Things tried for kevm: rut https://github.com/Byont-Ventures/smart-contract-analysis-tools-example/issues/1
- After the issue I created on the k repository they created kup. Maybe that can work.
Determine if it is possible to simulate other contract while scanning a contract.
Currently, all tools (except KEVM but that is something else) work on one contract. When it finds an external function it doesn't know what to do with it. Depending on the tool the function will revert, return a default value or do something else.
If we know the source we could create an option where for certain stages in the scanning process we replace the external call with the known code. This should of course only be done for certain checks since otherwise, the tools may find problems in the replaced code and say it's from the original contract even though it isn't in reality.
Unable to get the example running
This example is for the openchrono repo
cd src/apps/contracts
git submodule add git@github.com:Byont-Ventures/smart-contract-analysis-tools.git security-scans
- Based on example
yarn --cwd ./ run scan:generate-report \
/Users/rick/Documents/projects/openchrono/apps/contracts/security-scans/ \
../ \
/Users/rick/Documents/projects/openchrono/apps/contracts/analysis-config.toml
Result:
yarn run v1.22.19
warning package.json: No license field
warning ../package.json: No license field
$ cargo run --manifest-path ./report_generator/Cargo.toml -- /Users/rick/Documents/projects/openchrono/apps/contracts/security-scans ../ /Users/rick/Documents/projects/openchrono/apps/contracts/analysis-config.toml
warning: function `type_of` is never used
--> /Users/rick/Documents/projects/openchrono/apps/contracts/security-scans/slither/slither_runner/src/lib.rs:12:4
|
[..... Lots of warnings]
warning: `report_generator` (bin "report_generator") generated 12 warnings (run `cargo fix --bin "report_generator"` to apply 3 suggestions)
Finished dev [unoptimized + debuginfo] target(s) in 0.09s
Running `report_generator/target/debug/report_generator /Users/rick/Documents/projects/openchrono/apps/contracts/security-scans/ ../ /Users/rick/Documents/projects/openchrono/apps/contracts/analysis-config.toml`
thread 'main' panicked at /Users/rick/Documents/projects/openchrono/apps/contracts/security-scans/slither/slither_runner/src/lib.rs:39:62:
called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
error Command failed with exit code 101.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
Copy call graph from mythril to the report folder configured in the config toml
Write (basic) tests for the Rust runners
Currently, the runners in Rust are all untested. This is of course not good. So tests should be made.
Add the examples in this repository instead for easier development.
Analyse Slither output and write this to the intermediate-data representation
This issue builds on #30.
Remove the need to give the absolute path to the project in the toml file
List of interesting links
Place mythril json output in json codeblock
Define data structure for scan result aggregation
See if Securify2 is worth adding
https://github.com/eth-sri/securify2
Reading the articles below gives the impression that Securify2 does some interesting analysis, but that there are quite some false positives because of this.
Update version of the tools in the docker image
Remove the sudo requirement for docker
Either we have to put in the readme that the installed docker should be able to run without sudo, or we should find an alternative way to run this repository.
Research how the different tools deal with external calls during analysis
Refactor the rust code to be better scalable
- The report generators for the different tools sometimes use the same code. We should create a library for this kind of code.
- In general split the code per tool over more logical files.
Define different output forms for different target audiences
Some users might want to see the whole transaction flow of a problem while others only want to see if the contract is safe.
First, it needs to be defined what target readers there are and what they want. After that, we can create separate issues for creating the individual generator.
Create a config file to be filled by the user of this submodule
Make Mythril output JSON
Running slither causes compiler error
Issue
When attempting to run Slither with the ghcr.io/byont-ventures/analysis-toolbox:latest image, the following error occurs:
Warning: This is a pre-release compiler version, please do not use it in production.
Error: Source file requires different compiler version (current compiler is 0.8.17-develop.2022.12.9+commit.8df45f5f.Linux.g++) - note that nightly builds are considered to be strictly less than the released version
It appears that there is a mismatch between the version of the Solidity compiler that is being used and the version that is required by the source file.
An example implementation can be found at https://github.com/Byont-Ventures/metaseum/pull/13.
Steps to reproduce
- Pull the ghcr.io/byont-ventures/analysis-toolbox:latest image
- Attempt to run Slither with the src/AquariumDeParis.sol file
Expected behavior
Slither should run successfully and produce the expected output.
Actual behavior
Slither produces the above error message and the following stack trace:
=================================================================
Pulling latest ghcr.io/byont-ventures/analysis-toolbox:latest
=================================================================
=================================================================
Run Slither
=================================================================
WARNING: The requested image's platform (linux/arm64) does not match the detected host platform (linux/amd64) and no specific platform was requested
Compilation warnings/errors on src/AquariumDeParis.sol:
Warning: This is a pre-release compiler version, please do not use it in production.
Error: Source file requires different compiler version (current compiler is 0.8.17-develop.2022.12.9+commit.8df45f5f.Linux.g++) - note that nightly builds are considered to be strictly less than the released version
--> src/AquariumDeParis.sol:2:1:
|
2 | pragma solidity ^0.8.17;
| ^^^^^^^^^^^^^^^^^^^^^^^^
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 544, in _run_solc
ret: Dict = json.loads(stdout)
File "/usr/lib/python3.8/json/__init__.py", line 357, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.8/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.8/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/slither/__main__.py", line 826, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
File "/usr/local/lib/python3.8/dist-packages/slither/__main__.py", line 86, in process_all
compilations = compile_all(target, **vars(args))
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 637, in compile_all
compilations.append(CryticCompile(target, **kwargs))
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 117, in __init__
self._compile(**kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 548, in _compile
self._platform.compile(self, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 154, in compile
targets_json = _get_targets_json(compilation_unit, self._target, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 276, in _get_targets_json
return _run_solc(
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 548, in _run_solc
raise InvalidCompilation(f"Invalid solc compilation {stderr}")
crytic_compile.platform.exceptions.InvalidCompilation: Invalid solc compilation Warning: This is a pre-release compiler version, please do not use it in production.
Error: Source file requires different compiler version (current compiler is 0.8.17-develop.2022.12.9+commit.8df45f5f.Linux.g++) - note that nightly builds are considered to be strictly less than the released version
--> src/AquariumDeParis.sol:2:1:
|
2 | pragma solidity ^0.8.17;
| ^^^^^^^^^^^^^^^^^^^^^^^^
Error in src/AquariumDeParis.sol
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 544, in _run_solc
ret: Dict = json.loads(stdout)
File "/usr/lib/python3.8/json/__init__.py", line 357, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.8/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.8/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/slither/__main__.py", line 826, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
File "/usr/local/lib/python3.8/dist-packages/slither/__main__.py", line 86, in process_all
compilations = compile_all(target, **vars(args))
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 637, in compile_all
compilations.append(CryticCompile(target, **kwargs))
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 117, in __init__
self._compile(**kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/crytic_compile.py", line 548, in _compile
self._platform.compile(self, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 154, in compile
targets_json = _get_targets_json(compilation_unit, self._target, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 276, in _get_targets_json
return _run_solc(
File "/usr/local/lib/python3.8/dist-packages/crytic_compile/platform/solc.py", line 548, in _run_solc
raise InvalidCompilation(f"Invalid solc compilation {stderr}")
crytic_compile.platform.exceptions.InvalidCompilation: Invalid solc compilation Warning: This is a pre-release compiler version, please do not use it in production.
Error: Source file requires different compiler version (current compiler is 0.8.17-develop.2022.12.9+commit.8df45f5f.Linux.g++) - note that nightly builds are considered to be strictly less than the released version
--> src/AquariumDeParis.sol:2:1:
|
2 | pragma solidity ^0.8.17;
| ^^^^^^^^^^^^^^^^^^^^^^^^
Analyse Mythril output and write this to the intermediate-data representation
Fix order of parameters
Remove overlooked usage of sudo
Parse jsonv2 output from mythril
Show progress or timer while running the analyzers
Running the tools can take quite some time. So a visual indicator that the tools are still running would be useful.