mirror of https://github.com/ConsenSys/mythril
# syntax=docker/dockerfile:1

# Python release used for the python:* base images below. Override it with
# --build-arg PYTHON_VERSION=<version>.
ARG PYTHON_VERSION=3.10
# No default: the `myth` stage redeclares this and, when it is non-empty,
# passes it to `svm install` to pre-install solc versions.
ARG INSTALLED_SOLC_VERSIONS
# Common base for every wheel-building stage.
# `${PYTHON_VERSION:?}` fails the build when the variable is unset or empty
# instead of resolving to an unintended tag.
# NOTE(review): the base image is referenced by tag only; a tag can be
# re-pointed upstream, so pin a digest if the build must be reproducible.
FROM python:${PYTHON_VERSION:?} AS python-wheel
# Wheels built by the stages below are written to this directory.
WORKDIR /wheels
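FROM python-wheel AS python-wheel-with-cargo
# Enable cargo sparse-registry to prevent it using large amounts of memory in
# docker builds, and speed up builds by downloading less.
# https://github.com/rust-lang/cargo/issues/10781#issuecomment-1163819998
ENV CARGO_UNSTABLE_SPARSE_REGISTRY=true

# Install the Rust toolchain with rustup. The installer is saved to a file and
# then executed, rather than piped from curl into sh: under the default
# /bin/sh there is no pipefail, so a failed download would leave the pipeline
# with sh's exit status (0 on empty input) and the build would carry on
# without a toolchain.
# NOTE(review): neither the installer nor the toolchain it selects is pinned
# or checksum-verified; this step trusts what sh.rustup.rs serves at build
# time (HTTPS only, TLS 1.2 or newer). Pin a toolchain version and verify the
# installer against a known digest if the build must be reproducible.
RUN curl --proto '=https' --tlsv1.2 -sSf -o /tmp/rustup-init.sh https://sh.rustup.rs \
    && sh /tmp/rustup-init.sh -y \
    && rm /tmp/rustup-init.sh
# rustup installs cargo and rustc under root's home directory.
ENV PATH=/root/.cargo/bin:$PATH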
# z3-solver has to be compiled from source on arm, which is slow. Giving it a
# stage of its own lets it build in parallel with the other stages and keeps
# the result in the build cache.
FROM python-wheel AS python-wheel-z3-solver
# NOTE(review): auditwheel is installed without a version pin, so the version
# used can differ between builds.
RUN pip install auditwheel
# Build only z3-solver, using the requirement line exactly as it appears in
# requirements.txt. The file is mounted for this step, not copied into a layer.
RUN --mount=source=requirements.txt,target=/run/requirements.txt \
    pip wheel "$(grep z3-solver /run/requirements.txt)"
# The z3-solver wheel built on arm64 cannot be installed there because its
# platform compatibility metadata is wrong: it is tagged manylinux1_aarch64,
# but manylinux1 is defined for x86 systems only, not arm
# (https://peps.python.org/pep-0600/#legacy-manylinux-tags). pypa's auditwheel
# is used to infer and apply a compatible platform tag instead.
RUN ( auditwheel addtag ./z3_solver-* \
      # swap the wrongly tagged wheel for the re-tagged copy in wheelhouse/
      && rm ./z3_solver-* && mv wheelhouse/z3_solver-* . ) \
    # addtag exits with status 1 when there is no tag to add, which is fine.
    # Note that `|| true` also hides a failure of the rm or mv above.
    || true
FROM python-wheel-with-cargo AS python-wheel-blake2b
# blake2b-py publishes no ARM builds and no source packages on PyPI (apart
# from the old 0.1.3 release), so it has to be built from a git tag. Binaries
# for linux amd64 are published, but only for certain platform versions, and
# the amd64 python image is not among them, so amd64 is built from source too.

# Prefer a binary build or a source release from PyPI; if neither is
# available, fall back to building from the git repository.
# NOTE(review): the fallback checks out the tag v0.2.0. A git tag can be moved
# upstream; referencing the full commit hash instead would make the fallback
# source immutable.
RUN pip wheel 'blake2b-py>=0.2.0,<1' \
    || pip wheel git+https://github.com/ethereum/blake2b-py.git@v0.2.0
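# Builds wheels for mythril and for every requirement not handled by a
# dedicated stage, then collects all wheels in /wheels.
FROM python-wheel AS mythril-wheels
# cython is needed to build some wheels, such as cytoolz
RUN pip install cython
RUN --mount=source=requirements.txt,target=/run/requirements.txt \
    # ignore blake2b and z3-solver as we've already built them
    grep -v -e blake2b -e z3-solver /run/requirements.txt > /tmp/requirements-remaining.txt
RUN pip wheel -r /tmp/requirements-remaining.txt

# NOTE(review): this copies the whole build context into the stage. Only the
# wheels leave this stage, but confirm that a .dockerignore keeps credentials,
# .git and local artefacts out of the context.
COPY . /mythril
# --no-deps: the dependencies were already built from requirements.txt above.
RUN pip wheel --no-deps /mythril

# The destination ends in "/" so it is always treated as a directory, even
# when the wildcard matches more than one wheel.
COPY --from=python-wheel-blake2b /wheels/blake2b* /wheels/
COPY --from=python-wheel-z3-solver /wheels/z3_solver* /wheels/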
# svm-rs, the Solidity Compiler Version Manager, supplies cross-platform solc
# builds. Foundry uses it to provide solc. https://github.com/roynalnaruto/svm-rs
FROM python-wheel-with-cargo AS solidity-compiler-version-manager
# NOTE(review): no crate version is given, so the svm-rs release that gets
# built is whatever the registry resolves at build time.
RUN cargo install svm-rs
# Collect the two binaries in a well-known directory for later stages to copy.
RUN mkdir -p /svm-rs/bin \
    && cd ~/.cargo/bin/ \
    && cp svm solc /svm-rs/bin/
# Runtime image: slim Python base, the svm/solc binaries and the prebuilt
# wheels. No compiler toolchain from the builder stages is carried over.
FROM python:${PYTHON_VERSION:?}-slim AS myth
ARG PYTHON_VERSION
# Space-separated list of solc versions, each without the leading 'v'
# (e.g. "0.4.21 0.4.22")
ARG INSTALLED_SOLC_VERSIONS

COPY --from=solidity-compiler-version-manager /svm-rs/bin/* /usr/local/bin/

# The wheels are mounted from the builder stage for this step only, so the
# .whl files themselves do not end up in an image layer.
# NOTE(review): pip is not restricted to /wheels here, so a dependency missing
# from that directory would be fetched from the package index. Confirm that
# this is intended.
RUN --mount=from=mythril-wheels,source=/wheels,target=/wheels \
    PYTHONDONTWRITEBYTECODE=1 pip install /wheels/*.whl

# Everything from here on, including the container's default user, runs as an
# unprivileged account.
RUN adduser --disabled-password mythril
USER mythril
WORKDIR /home/mythril

# Pre-install solc versions. The variable is left unquoted on purpose so that
# each space-separated version becomes its own argument to `svm install`.
RUN set -x; [ -z "${INSTALLED_SOLC_VERSIONS}" ] || svm install ${INSTALLED_SOLC_VERSIONS}

# The signature database lives in the user's home and is owned by mythril.
COPY --chown=mythril:mythril \
    ./mythril/support/assets/signatures.db \
    /home/mythril/.mythril/signatures.db

# The entrypoint and the helper script are owned by root with mode 755: the
# mythril user can execute them but cannot modify them.
COPY --chown=root:root --chmod=755 ./docker/docker-entrypoint.sh /
COPY --chown=root:root --chmod=755 \
    ./docker/sync-svm-solc-versions-with-solcx.sh \
    /usr/local/bin/sync-svm-solc-versions-with-solcx
ENTRYPOINT ["/docker-entrypoint.sh"]
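# Basic sanity checks to make sure the build is functional
FROM myth AS myth-smoke-test-execution
# bash with -e, -u and pipefail, so that a failing smoke-test.sh is not masked
# by the `| tee` in the RUN step at the end of this stage.
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
WORKDIR /smoke-test
# The quoted "EOT" delimiter keeps the script literal: nothing in it is
# expanded at build time.
COPY --chmod=755 <<"EOT" /smoke-test.sh
#!/usr/bin/env bash
set -x -euo pipefail

# Check solcx knows about svm solc versions
svm install 0.5.0
sync-svm-solc-versions-with-solcx
python -c '
import solcx
print("\n".join(str(v) for v in solcx.get_installed_solc_versions()))
' | grep -P '^0\.5\.0$' || {
  echo "solcx did not report svm-installed solc version";
  exit 1
}

# Check myth can run
myth version
myth function-to-hash 'function transfer(address _to, uint256 _value) public returns (bool success)'
# The exit status of the analysis is ignored; the result is judged from the log.
myth analyze /solidity_examples/timelock.sol > timelock.log || true
grep 'SWC ID: 116' timelock.log || {
  # `echo`, not `error`: bash has no `error` command, so the original line
  # failed with "command not found" instead of printing this message.
  echo "Failed to detect SWC ID: 116 in timelock.sol";
  exit 1
}

# Check that the entrypoint works
[[ $(/docker-entrypoint.sh version) == $(myth version) ]]
[[ $(/docker-entrypoint.sh echo hi) == hi ]]
[[ $(/docker-entrypoint.sh bash -c "printf '>%s<' 'foo bar'") == ">foo bar<" ]]
EOT

# The example contracts are mounted for this step only. Output is shown in the
# build log and also kept in smoke-test.log.
RUN --mount=source=./solidity_examples,target=/solidity_examples \
    /smoke-test.sh 2>&1 | tee smoke-test.log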
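# Export-only stage: an empty image holding just the files the smoke test left
# in /smoke-test (its working directory). `AS` is upper-case to match the
# other stages in this file.
FROM scratch AS myth-smoke-test
COPY --from=myth-smoke-test-execution /smoke-test/* /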