The goal of this repo is to find a good way of integrating static analysis tools for smart contracts into CI pipelines. Ideally, this should be easy to pick up and use by any project that ships smart contracts (dapps, wallets, etc.).
The main challenges to overcome appear to be:
- seamless installation and configuration of all tools
- invocation of each tool taking into account its specifics (sometimes on things as simple as where contracts need to be located)
Create a static binary that invokes a minimal, self-contained Docker container for each tool, aggregates all invocation results and presents them nicely (in a web page, like solhydra, or in the CLI so it can be included in CI pipelines).
This way, a full, detailed analysis of a smart contract can be obtained with little to no effort from the developer.
- solc - compile (portable)
- Solium - lint (depends on npm)
- solgraph - function control flow visualisation (depends on npm)
- Oyente - static analysis (depends on pip)
- MAIAN - static analysis (python, but no distributable release, must get from source) (removed due to lack of maintenance)
- mythril - static analysis (depends on pip)
- echidna - fuzz tester (haskell compiled binary)
`solsa` is a standalone Rust binary available on crates.io, but it does depend on a few Docker images that it expects to find already installed.
To install the `solsa` command, do

```sh
cargo install solsa
```
To install the Docker images it depends on, do

```sh
docker pull enhancedsociety/solc
docker pull enhancedsociety/solium
docker pull enhancedsociety/oyente
docker pull enhancedsociety/mythril
```

These images have been optimized for size and ease of use: each one is prepared to be run on its own, and they are much smaller than their official or naively built counterparts. Note that the tags above are mutable; for a CI pipeline, pin each image to the digest you vetted (`docker pull enhancedsociety/solium@sha256:<digest>`, with the digest taken from `docker image inspect --format '{{index .RepoDigests 0}}' enhancedsociety/solium`) so that a later push to the tag cannot silently change what runs against your contracts.
```
$ solsa -h
solsa 1.0
Enhanced Society
Aggregates static analysis tooling for ethereum smart contracts.

USAGE:
    solsa [OPTIONS] -f

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -f
    -o
```
`-f` takes the contract to analyse and `-o` the path of the HTML report to write. Example run:

```sh
$ solsa -f contracts/BurnableCrowdsaleToken.sol -o BurnableCrowdsaleToken.html
```

would produce the file `BurnableCrowdsaleToken.html` with the full report.
The Docker images in this repository can also be run on their own, to use the available tools without `solsa`. They assume the directory containing all the required contracts and metadata is mounted at `/src`, which makes invoking solium, for example, look like this:
```
$ docker run -it --rm -v $(pwd):/src:ro enhancedsociety/solium -f contracts/UpgradeableToken.sol

contracts/UpgradeableToken.sol
  53:2     error    No visibility specified explicitly for UpgradeableToken function.    security/enforce-explicit-visibility
  65:8     error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  69:22    error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  79:6     warning  Use emit statements for triggering events.                           emit
  89:8     error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  92:24    error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  94:39    error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  96:55    error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  101:41   error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  103:57   error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  105:6    warning  Use emit statements for triggering events.                           emit
  111:36   warning  Use 'view' instead of deprecated 'constant'.                         no-constant
  124:25   error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  125:39   error    Consider using 'revert()' in place of deprecated 'throw'.            security/no-throw
  132:31   warning  Use 'view' instead of deprecated 'constant'.                         no-constant

✖ 11 errors, 4 warnings found.
```
For ease of use you can set up the following alias (drop it in your `.bashrc` or equivalent). The `"$@"` quoting keeps arguments with spaces intact, and the `;` before `}` is required by the shell grammar. Keep `-it` for interactive use only: CI runners have no TTY, so drop it there.

```sh
# Run any of the images with the current directory mounted read-only at /src
function docker-run-here () { docker run -it --rm -v "$(pwd):/src:ro" "$@"; }
```
which would turn the initial command into

```sh
docker-run-here enhancedsociety/solium -f contracts/UpgradeableToken.sol
```
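The two sections above show how to call an image by hand; the following is an added example (not part of `solsa` or the `enhancedsociety` images) of what the same invocation looks like as a CI gate. It runs the image without a TTY and without network access, with the source mounted read-only, and then decides pass/fail from the solium report itself instead of trusting whatever exit code the tool happens to return: a report whose summary line disagrees with its finding lines, or a non-zero exit with no report at all, fails closed. The sample reports are constructed to match the format shown above and are not real tool output; the `--network none` flag, the digest-pinned image name and the `lint_gate` return codes are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of solsa or its images. Requires only sh and awk to
# run the demo; docker is only needed by run_lint.

# Count findings of one level ("error" or "warning") in a solium report read
# from stdin. Finding lines have the shape "<line>:<col> <level> <message> <rule>".
count_level() {
  awk -v lvl="$1" '$1 ~ /^[0-9]+:[0-9]+$/ && $2 == lvl { n++ } END { print n + 0 }'
}

# Error count claimed by the summary line ("✖ 11 errors, 4 warnings found.");
# prints nothing when no summary line is present.
summary_errors() {
  awk '$3 ~ /^errors?,$/ { print $2; exit }'
}

# Gate decision from the tool's exit status ($1) and captured report ($2):
#   0  report parsed, zero errors
#   1  report parsed, one or more errors
#   2  fail closed: summary disagrees with the findings, or no summary and a
#      non-zero exit / stray findings (tool crashed, truncated or changed format)
lint_gate() {
  status=$1 report=$2
  errs=$(printf '%s\n' "$report" | count_level error)
  summ=$(printf '%s\n' "$report" | summary_errors)
  if [ -n "$summ" ]; then
    [ "$summ" = "$errs" ] || return 2
    [ "$errs" -eq 0 ]
  else
    # Assumption: a clean run may print no summary at all; accept that only
    # when the tool also exited 0 and printed no finding lines.
    if [ "$status" -eq 0 ] && [ "$errs" -eq 0 ]; then return 0; else return 2; fi
  fi
}

# Run the linter image on one contract under $1 and gate on its report.
# $2 should be a digest-pinned reference such as enhancedsociety/solium@sha256:<digest>
# (placeholder; take the digest from `docker image inspect --format '{{index .RepoDigests 0}}'`).
# No -it: CI has no TTY. --network none: a linter needs no network, so a
# tampered image cannot ship your unreleased contracts anywhere.
run_lint() {
  workdir=$1 image=$2 contract=$3
  status=0
  report=$(docker run --rm --network none -v "$workdir:/src:ro" "$image" -f "$contract" 2>&1) || status=$?
  printf '%s\n' "$report"
  lint_gate "$status" "$report"
}

# Constructed sample reports in the solium format (not real tool output).
SAMPLE_REPORT='contracts/UpgradeableToken.sol
  53:2    error    No visibility specified explicitly for UpgradeableToken function.    security/enforce-explicit-visibility
  65:8    error    Consider using revert() in place of deprecated throw.    security/no-throw
  79:6    warning  Use emit statements for triggering events.    emit

✖ 2 errors, 1 warning found.'
CLEAN_REPORT='contracts/Clean.sol

No issues found.'
CRASH_REPORT='Error: ENOENT: no such file or directory, open /src/contracts/Missing.sol'
TAMPERED_REPORT='  53:2    error    No visibility specified explicitly for Foo function.    security/enforce-explicit-visibility

✖ 0 errors, 0 warnings found.'

# Stand-alone demo on the constructed sample (no docker needed).
printf 'errors=%s warnings=%s\n' \
  "$(printf '%s\n' "$SAMPLE_REPORT" | count_level error)" \
  "$(printf '%s\n' "$SAMPLE_REPORT" | count_level warning)"
if lint_gate 1 "$SAMPLE_REPORT"; then echo "gate: pass"; else echo "gate: fail (rc=$?)"; fi
```

In a pipeline you would call `run_lint "$PWD" enhancedsociety/solium@sha256:<digest> contracts/UpgradeableToken.sol` as one job step and let its return code fail the build; printing the report before gating keeps the findings in the job log.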