diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..8e02f12ac
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,42 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - master
+ - dev
+ pull_request:
+ schedule:
+ # run CI every day even if no PRs/merges occur
+ - cron: '0 12 * * *'
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ type: ["4", "5", "cli", "dapp", "data_dependency", "embark", "erc", "etherlime", "etherscan", "find_paths", "kspec", "printers", "simil", "slither_config", "truffle", "upgradability"]
+ steps:
+ - uses: actions/checkout@v1
+ - name: Set up Python 3.6
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.6
+ - name: Install dependencies
+ run: |
+ pip install .
+ # Used by travis_test.sh
+ pip install deepdiff
+
+ sudo wget -O /usr/bin/solc-0.4.25 https://github.com/ethereum/solidity/releases/download/v0.4.25/solc-static-linux
+ sudo chmod +x /usr/bin/solc-0.4.25
+ sudo wget -O /usr/bin/solc-0.5.1 https://github.com/ethereum/solidity/releases/download/v0.5.1/solc-static-linux
+ sudo chmod +x /usr/bin/solc-0.5.1
+ sudo wget -O /usr/bin/solc-0.5.0 https://github.com/ethereum/solidity/releases/download/v0.5.0/solc-static-linux
+ sudo chmod +x /usr/bin/solc-0.5.0
+ sudo cp /usr/bin/solc-0.5.1 /usr/bin/solc
+ - name: Run Tests
+ env:
+ TEST_TYPE: ${{ matrix.type }}
+ run: |
+ bash scripts/travis_test_${TEST_TYPE}.sh
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100755
index 088d1a14f..000000000
--- a/.travis.yml
+++ /dev/null
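Review bot: The `Install dependencies` step fetches three solc release binaries with `sudo wget` straight into `/usr/bin` and marks them executable without any integrity check, so a substituted or tampered release asset would be run on every CI job; verify each download against a digest pinned in the workflow before the `chmod +x`, e.g. `echo "<SHA256_OF_SOLC_0.4.25_PLACEHOLDER>  /usr/bin/solc-0.4.25" | sha256sum -c -` after the first wget and likewise for the 0.5.1 and 0.5.0 downloads. For the same reason `actions/checkout@v1` and `actions/setup-python@v1` are mutable tags; pinning each `uses:` to a full commit SHA (with the tag in a trailing comment) makes the action code itself reproducible. The unquoted `python-version: 3.6` is parsed as a float and only happens to round-trip for this value — write `python-version: "3.6"` so a later bump to 3.10 is not silently read as 3.1, and quote the matrix-driven `TEST_TYPE` consumer the same way if it ever carries a numeric-looking value.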
@@ -1,36 +0,0 @@ -sudo: required -os: - - linux -language: python -python: - - 3.6 -env: - - TEST_SUITE=scripts/travis_test_4.sh - - TEST_SUITE=scripts/travis_test_5.sh - - TEST_SUITE=scripts/travis_test_upgradability.sh - - TEST_SUITE=scripts/travis_test_data_dependency.sh - - TEST_SUITE=scripts/travis_test_find_paths.sh - - TEST_SUITE=scripts/travis_test_truffle.sh - - TEST_SUITE=scripts/travis_test_embark.sh - - TEST_SUITE=scripts/travis_test_etherscan.sh - - TEST_SUITE=scripts/travis_test_dapp.sh - - TEST_SUITE=scripts/travis_test_etherlime.sh - - TEST_SUITE=scripts/travis_test_cli.sh - - TEST_SUITE=scripts/travis_test_printers.sh - - TEST_SUITE=scripts/travis_test_slither_config.sh - - TEST_SUITE=scripts/travis_test_simil.sh - - TEST_SUITE=scripts/travis_test_erc.sh - - TEST_SUITE=scripts/travis_test_kspec.sh -branches: - only: - - master - - dev - -install: - - scripts/travis_install.sh - -script: - - $TEST_SUITE - - - diff --git a/README.md b/README.md index 10da90885..5a913926d 100644 --- a/README.md +++ b/README.md 
@@ -1,12 +1,18 @@ # Slither, the Solidity source analyzer Logo -[![Build Status](https://travis-ci.com/crytic/slither.svg?token=JEF97dFy1QsDCfQ2Wusd&branch=master)](https://travis-ci.com/crytic/slither) +[![Build Status](https://img.shields.io/github/workflow/status/crytic/slither/CI/master)](https://github.com/crytic/slither/actions?query=workflow%3ACI) [![Slack Status](https://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com) [![PyPI version](https://badge.fury.io/py/slither-analyzer.svg)](https://badge.fury.io/py/slither-analyzer) Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses. +- [Features](#features) +- [Bugs and Optimizations Detection](#bugs-and-optimizations-detection) +- [Printers](#printers) +- [Tools](#tools) +- [How to Install](#how-to-install) + ## Features * Detects vulnerable Solidity code with low false positives 
@@ -28,24 +34,60 @@ slither . ``` Run Slither on a single file: -``` -$ slither tests/uninitialized.sol -``` +``` +$ slither tests/uninitialized.sol +``` -For additional configuration, see the [usage](https://github.com/trailofbits/slither/wiki/Usage) documentation. +For additional configuration, see the [usage](https://github.com/trailofbits/slither/wiki/Usage) documentation. Use [solc-select](https://github.com/crytic/solc-select) if your contracts require older versions of solc. ### Detectors -Slither has more than 30 public detectors, including: -- `shadowing-state`: [State variables shadowing](https://github.com/crytic/slither/wiki/Detector-Documentation#state-variable-shadowing) -- `reentrancy-eth`: [Reentrancy vulnerabilities](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities) -- `erc20-interface`: [Incorrect ERC20 interfaces](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-erc20-interface) -- `incorrect-equality`: [Dangerous strict equalities](https://github.com/crytic/slither/wiki/Detector-Documentation#dangerous-strict-equalities) -- `constable-states`: [State variables that could be declared constant](https://github.com/crytic/slither/wiki/Detector-Documentation#state-variables-that-could-be-declared-constant) -See the [Detectors Documentation](https://github.com/crytic/slither/wiki/Detector-Documentation) for the complete list. 
+Num | Detector | What it Detects | Impact | Confidence +--- | --- | --- | --- | --- +1 | `rtlo` | [Right-To-Left-Override control character is used](https://github.com/crytic/slither/wiki/Detector-Documentation#right-to-left-override-character) | High | High +2 | `shadowing-state` | [State variables shadowing](https://github.com/crytic/slither/wiki/Detector-Documentation#state-variable-shadowing) | High | High +3 | `suicidal` | [Functions allowing anyone to destruct the contract](https://github.com/crytic/slither/wiki/Detector-Documentation#suicidal) | High | High +4 | `uninitialized-state` | [Uninitialized state variables](https://github.com/crytic/slither/wiki/Detector-Documentation#uninitialized-state-variables) | High | High +5 | `uninitialized-storage` | [Uninitialized storage variables](https://github.com/crytic/slither/wiki/Detector-Documentation#uninitialized-storage-variables) | High | High +6 | `arbitrary-send` | [Functions that send ether to arbitrary destinations](https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations) | High | Medium +7 | `controlled-delegatecall` | [Controlled delegatecall destination](https://github.com/crytic/slither/wiki/Detector-Documentation#controlled-delegatecall) | High | Medium +8 | `reentrancy-eth` | [Reentrancy vulnerabilities (theft of ethers)](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities) | High | Medium +9 | `erc20-interface` | [Incorrect ERC20 interfaces](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-erc20-interface) | Medium | High +10 | `erc721-interface` | [Incorrect ERC721 interfaces](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-erc721-interface) | Medium | High +11 | `incorrect-equality` | [Dangerous strict equalities](https://github.com/crytic/slither/wiki/Detector-Documentation#dangerous-strict-equalities) | Medium | High +12 | `locked-ether` | [Contracts 
that lock ether](https://github.com/crytic/slither/wiki/Detector-Documentation#contracts-that-lock-ether) | Medium | High +13 | `shadowing-abstract` | [State variables shadowing from abstract contracts](https://github.com/crytic/slither/wiki/Detector-Documentation#state-variable-shadowing-from-abstract-contracts) | Medium | High +14 | `constant-function` | [Constant functions changing the state](https://github.com/crytic/slither/wiki/Detector-Documentation#constant-functions-changing-the-state) | Medium | Medium +15 | `reentrancy-no-eth` | [Reentrancy vulnerabilities (no theft of ethers)](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-1) | Medium | Medium +16 | `tx-origin` | [Dangerous usage of `tx.origin`](https://github.com/crytic/slither/wiki/Detector-Documentation#dangerous-usage-of-txorigin) | Medium | Medium +17 | `unchecked-lowlevel` | [Unchecked low-level calls](https://github.com/crytic/slither/wiki/Detector-Documentation#unchecked-low-level-calls) | Medium | Medium +18 | `unchecked-send` | [Unchecked send](https://github.com/crytic/slither/wiki/Detector-Documentation#unchecked-send) | Medium | Medium +19 | `uninitialized-local` | [Uninitialized local variables](https://github.com/crytic/slither/wiki/Detector-Documentation#uninitialized-local-variables) | Medium | Medium +20 | `unused-return` | [Unused return values](https://github.com/crytic/slither/wiki/Detector-Documentation#unused-return) | Medium | Medium +21 | `shadowing-builtin` | [Built-in symbol shadowing](https://github.com/crytic/slither/wiki/Detector-Documentation#builtin-symbol-shadowing) | Low | High +22 | `shadowing-local` | [Local variables shadowing](https://github.com/crytic/slither/wiki/Detector-Documentation#local-variable-shadowing) | Low | High +23 | `void-cst` | [Constructor called not implemented](https://github.com/crytic/slither/wiki/Detector-Documentation#void-constructor) | Low | High +24 | `calls-loop` | [Multiple calls in a 
loop](https://github.com/crytic/slither/wiki/Detector-Documentation/#calls-inside-a-loop) | Low | Medium +25 | `reentrancy-benign` | [Benign reentrancy vulnerabilities](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-2) | Low | Medium +26 | `reentrancy-events` | [Reentrancy vulnerabilities leading to out-of-order Events](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3) | Low | Medium +27 | `timestamp` | [Dangerous usage of `block.timestamp`](https://github.com/crytic/slither/wiki/Detector-Documentation#block-timestamp) | Low | Medium +28 | `assembly` | [Assembly usage](https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage) | Informational | High +29 | `deprecated-standards` | [Deprecated Solidity Standards](https://github.com/crytic/slither/wiki/Detector-Documentation#deprecated-standards) | Informational | High +30 | `erc20-indexed` | [Un-indexed ERC20 event parameters](https://github.com/crytic/slither/wiki/Detector-Documentation#unindexed-erc20-event-parameters) | Informational | High +31 | `low-level-calls` | [Low level calls](https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls) | Informational | High +32 | `naming-convention` | [Conformance to Solidity naming conventions](https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions) | Informational | High +33 | `pragma` | [If different pragma directives are used](https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used) | Informational | High +34 | `solc-version` | [Incorrect Solidity version (< 0.4.24 or complex pragma)](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity) | Informational | High +35 | `unused-state` | [Unused state variables](https://github.com/crytic/slither/wiki/Detector-Documentation#unused-state-variables) | Informational | High +36 
| `reentrancy-unlimited-gas` | [Reentrancy vulnerabilities through send and transfer](https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-4) | Informational | Medium +37 | `too-many-digits` | [Conformance to numeric notation best practices](https://github.com/crytic/slither/wiki/Detector-Documentation#too-many-digits) | Informational | Medium +38 | `constable-states` | [State variables that could be declared constant](https://github.com/crytic/slither/wiki/Detector-Documentation#state-variables-that-could-be-declared-constant) | Optimization | High +39 | `external-function` | [Public function that could be declared as external](https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-as-external) | Optimization | High + +See the [Detectors Documentation](https://github.com/crytic/slither/wiki/Detector-Documentation) for more information. By default, all the detectors are run. Check out [Crytic](https://crytic.io/) to get access to additional Slither's detectors and GitHub integration. @@ -80,7 +122,7 @@ See the [Tool documentation](https://github.com/crytic/slither/wiki/Tool-Documen ## How to install -Slither requires Python 3.6+ and [solc](https://github.com/ethereum/solidity/), the Solidity compiler. +Slither requires Python 3.6+ and [solc](https://github.com/ethereum/solidity/), the Solidity compiler. ### Using Pip 
@@ -99,7 +141,7 @@ We recommend using an Python virtual environment, as detailed in the [Developer ### Using Docker -Use the [`eth-security-toolbox`](https://github.com/trailofbits/eth-security-toolbox/) docker image. It includes all of our security tools and every major version of Solidity in a single image. `/home/share` will be mounted to `/share` in the container. +Use the [`eth-security-toolbox`](https://github.com/trailofbits/eth-security-toolbox/) docker image. It includes all of our security tools and every major version of Solidity in a single image. `/home/share` will be mounted to `/share` in the container. ``` docker pull trailofbits/eth-security-toolbox diff --git a/scripts/travis_install.sh b/scripts/travis_install.sh deleted file mode 100755 index 2f55834a3..000000000 --- a/scripts/travis_install.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -python setup.py install -# Used by travis_test.sh -pip install deepdiff - -function install_solc { - sudo wget -O /usr/bin/solc-0.4.25 https://github.com/ethereum/solidity/releases/download/v0.4.25/solc-static-linux - sudo chmod +x /usr/bin/solc-0.4.25 - sudo wget -O /usr/bin/solc-0.5.1 https://github.com/ethereum/solidity/releases/download/v0.5.1/solc-static-linux - sudo chmod +x /usr/bin/solc-0.5.1 - sudo wget -O /usr/bin/solc-0.5.0 https://github.com/ethereum/solidity/releases/download/v0.5.0/solc-static-linux - sudo chmod +x /usr/bin/solc-0.5.0 - - sudo cp /usr/bin/solc-0.5.1 /usr/bin/solc -} - -install_solc - diff --git a/scripts/travis_test_dapp.sh b/scripts/travis_test_dapp.sh index 05a0b823f..4fbe787c9 100755 --- a/scripts/travis_test_dapp.sh +++ b/scripts/travis_test_dapp.sh @@ -4,6 +4,9 @@ mkdir test_dapp cd test_dapp +# The dapp init process makes a temporary local git repo and needs certain values to be set +git config --global user.email "ci@trailofbits.com" +git config --global user.name "CI User" curl https://nixos.org/nix/install | sh . "$HOME/.nix-profile/etc/profile.d/nix.sh" 
@@ -18,7 +21,7 @@ dapp init slither . if [ $? -eq 22 ] -then +then exit 0 fi