The goal of this repo is to find a good way of integrating static analisys tools for smart contracts into CI pipelines. Ideally, this should be be easy to pick up and use by any project using smart contracts (dapps, wallets, etc).
The main challenges to overcome appear to be: - seamless installation and configuration of all tools - invocation of each tools taking into account its specificities (sometimes on things as simple as where contracts need to be located) - resolution of contract dependencies!!! (biggest identified PITA so far)
Create a self contained docker container for which an alias can be easily set so a seamless command line interface is provided.
This way, at little to no effort to the developer a full, detailed analysis of a smart contract can be obtained.
- solc - compile (portable)
- Solium - lint (depends on npm)
- Oyente - static analisys (depends on pip)
- MAIAN - static analisys (python, but no distributable release, must get from source) (removed due to lack of maintenance)
- mythril - static analisys (depends on pip)
- echidna - fuzz tester (haskell compiled binary)
```
docker run -it --rm -v $(pwd):/src:ro enhancedsociety/solsa -a example_contract.sol
function solsa () { docker run -it --rm -v $(pwd):/src:ro enhancedsociety/solsa $@ }
```
solsa is the alias to the full docker command as described at the top of the Dockerfile.
filipe@filipe-imp solsa master solsa -h
Usage:
/opt/run_analysis.sh -h
Display this help message
/opt/run_analysis.sh -a CONTRACT_PATH
Run all tools
/opt/run_analysis.sh -t TOOL [-t TOOL] CONTRACT_PATH
Run selected tools (out of solc,oyente,solium,mythril,echidna,maian)
alpine base image)