From 888dcb220ef52d730dac45819c5e648ba04efde6 Mon Sep 17 00:00:00 2001 From: Tong Shi Date: Wed, 20 Nov 2024 09:15:09 -0800 Subject: [PATCH 1/2] [STABLE-7559]: Migrate from Slither to Mythril for static analysis
---
.github/workflows/ci.yml | 11 +++++++---- Makefile | 10 ++++++---- README.md | 4 ++-- mythril.config.json | 8 ++++++++ requirements.txt | 1 - slither.config.json | 9 --------- 6 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 mythril.config.json delete mode 100644 slither.config.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9dfec98..4844e86 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,13 +27,16 @@ jobs: - name: Run Unit Tests run: make test
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10' + - name: Run Integration Tests run: make anvil-test
- - name: Run Slither
- uses: crytic/slither-action@v0.3.0
- with:
- fail-on: none
+ - name: Run Static Analysis with Mythril
+ run: make analyze scan: needs: lint-and-test
diff --git a/Makefile b/Makefile
index 3fa14cf..e2e697b 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ deploy: anvil: docker rm -f anvil || true
- @${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"
+ @${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000" anvil-test: anvil pip3 install -r requirements.txt
@@ -31,10 +31,12 @@ cast-call: cast-send: @docker exec anvil cast send ${contract_address} "${function}" --rpc-url http://localhost:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80 - + clean: @${FOUNDRY} "forge clean" analyze:
- pip3 install -r requirements.txt
- slither .
+ pip3 install mythril==0.24.8
+ myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6
+ myth -v4 analyze src/TokenMessenger.sol --solc-json mythril.config.json --solv 0.7.6
+ myth -v4 analyze src/TokenMinter.sol --solc-json mythril.config.json --solv 0.7.6
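Review bot: The new `Run Static Analysis with Mythril` step changes the failure policy of `lint-and-test` without saying so: the removed Slither step ran with `fail-on: none`, whereas `run: make analyze` fails the job on any non-zero exit of the recipe, and whether `myth` exits non-zero when it only reports findings is not established by this diff. State the intended policy next to the step, e.g. `# Mythril findings fail this job — intended` or, if findings should not block merges, `continue-on-error: true` on the step. The remappings in the new `mythril.config.json` point into `lib/`, so this job's checkout step (outside the hunk) must fetch submodules for `make analyze` to compile anything; patch 2/2 adds `submodules: 'true'` to its new jobs, which suggests this was hit. The step also runs after the Anvil integration tests in the same job with no `timeout-minutes`, so an unbounded symbolic-execution run holds the whole job up to the runner's default limit.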
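Review bot: The new `analyze` recipe installs the analyser with a bare `pip3 install mythril==0.24.8`, which pins only the top-level package and lets every transitive dependency float, while the recipe it replaces installed the fully pinned `requirements.txt`; this patch also drops `slither-analyzer==0.8.3` from that file without adding `mythril`, so the static-analysis toolchain is no longer reproducible from one place. Prefer adding `mythril==0.24.8` to `requirements.txt` (ideally hash-pinned and installed with `--require-hashes`) and keeping `pip3 install -r requirements.txt` as the first recipe line. The three `myth` invocations are separate recipe lines, so make aborts at the first one that exits non-zero and the remaining files are not analysed in that run — if `myth` returns non-zero on findings (to be confirmed), `src/TokenMessenger.sol` and `src/TokenMinter.sol` are skipped whenever `MessageTransmitter.sol` has one; the two-file target in patch 2/2's Makefile hunk has the same problem. None of the `myth` lines passes `--execution-timeout`, so the run's wall-clock is unbounded; a comment above the target, `# each myth run is unbounded unless --execution-timeout is given`, would at least make that visible.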
diff --git a/README.md b/README.md
index 2e0cdd9..f8117d8 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Run `make anvil-test` to setup `anvil` test node in docker container and run int Run `yarn lint` to lint all `.sol` files in the `src` and `test` directories. ### Static analysis
-Run `make analyze` to set up Python dependencies from `requirements.txt` and run Slither on all source files, requiring the foundry cli to be installed locally. If all dependencies have been installed, alternatively run `slither .` to run static analysis on all `.sol` files in the `src` directory.
+Run `make analyze` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes. ### Continuous Integration using Github Actions We use Github actions to run linter and all the tests. The workflow configuration can be found in [.github/workflows/ci.yml](.github/workflows/ci.yml)
@@ -79,4 +79,4 @@ The contracts are deployed using [Forge Scripts](https://book.getfoundry.sh/tuto 3. Run `make deploy RPC_URL= SENDER=` to deploy the contracts ## License
-For license information, see LICENSE and additional notices stored in NOTICES.
\ No newline at end of file
+For license information, see LICENSE and additional notices stored in NOTICES.
diff --git a/mythril.config.json b/mythril.config.json
new file mode 100644
index 0000000..62a08ae
--- /dev/null
+++ b/mythril.config.json
@@ -0,0 +1,8 @@
+{
+ "remappings": [
+ "@memview-sol/=lib/memview-sol/",
+ "@openzeppelin/=lib/openzeppelin-contracts/",
+ "ds-test/=lib/ds-test/src/",
+ "forge-std/=lib/forge-std/src/"
+ ]
+}
diff --git a/requirements.txt b/requirements.txt
index 5d92b31..76697de 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -34,7 +34,6 @@ requests==2.28.1 rlp==2.0.1 semantic-version==2.10.0 six==1.16.0
-slither-analyzer==0.8.3 toolz==0.12.0 urllib3==1.26.11 varint==1.0.2
diff --git a/slither.config.json b/slither.config.json
deleted file mode 100644
index 14d940b..0000000
--- a/slither.config.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "filter_paths": "lib|test",
- "solc_remaps": [
- "@memview-sol/=lib/memview-sol",
- "@openzeppelin/=lib/openzeppelin-contracts",
- "ds-test/=lib/ds-test/src/",
- "forge-std/=lib/forge-std/src/"
- ]
- }
\ No newline at end of file
From 5a4cbd51e2e80ec089709d10a4859d57c12f3a2f Mon Sep 17 00:00:00 2001 From: Tong Shi Date: Thu, 21 Nov 2024 09:39:11 -0800 Subject: [PATCH 2/2] update ci
---
.github/workflows/ci.yml | 33 +++++++++++++++++++++++++++++++-- Makefile | 5 ++++- README.md | 2 +- 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4844e86..a4ba35d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,8 +35,37 @@ jobs: - name: Run Integration Tests run: make anvil-test
- - name: Run Static Analysis with Mythril
- run: make analyze
+ analyze-message-transmitter:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
+ - name: Run Static Analysis on Message Transmitter
+ run: make analyze-message-transmitter
+
+ analyze-token-messenger-minter:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
+ - name: Run Static Analysis on Token Messenger Minter
+ run: make analyze-token-messenger-minter scan: needs: lint-and-test
diff --git a/Makefile b/Makefile
index e2e697b..81470a7 100644
--- a/Makefile
+++ b/Makefile
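Review bot: Both new jobs reference `actions/checkout@v4` and `actions/setup-python@v5` by mutable tag and then install the analyser from PyPI; for jobs whose purpose is security analysis, pinning each action to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`) is the usual supply-chain hardening. Neither job sets `timeout-minutes`, even though the README hunk in patch 1/2 warns that a single run takes several minutes. Neither job is added to the `scan` job's `needs:` (the context closing the hunk still reads `needs: lint-and-test`), so if the analysis is meant to gate the pipeline that list needs updating; whether gating is intended is not visible here. The two jobs differ only in the make target, so a matrix job keeps one definition, and `fail-fast: false` lets one target's findings leave the other target running:
```yaml
  analyze:
    runs-on: ubuntu-latest
    timeout-minutes: 60  # sample value; tune to the observed run time
    strategy:
      fail-fast: false
      matrix:
        target: [analyze-message-transmitter, analyze-token-messenger-minter]
    steps:
      - name: Check out repository code
        uses: actions/checkout@<FULL_COMMIT_SHA>  # v4
        with:
          submodules: 'true'
      # … unchanged: Set up Python step (pin setup-python the same way) …
      - name: Run Static Analysis (${{ matrix.target }})
        run: make ${{ matrix.target }}
```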
@@ -35,8 +35,11 @@ cast-send: clean: @${FOUNDRY} "forge clean"
-analyze:
+analyze-message-transmitter: pip3 install mythril==0.24.8 myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6
+
+analyze-token-messenger-minter:
+ pip3 install mythril==0.24.8 myth -v4 analyze src/TokenMessenger.sol --solc-json mythril.config.json --solv 0.7.6 myth -v4 analyze src/TokenMinter.sol --solc-json mythril.config.json --solv 0.7.6
diff --git a/README.md b/README.md
index f8117d8..039d996 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Run `make anvil-test` to setup `anvil` test node in docker container and run int Run `yarn lint` to lint all `.sol` files in the `src` and `test` directories. ### Static analysis
-Run `make analyze` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes.
+Run `make analyze-{message-transmitter | token-messenger-minter}` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes. ### Continuous Integration using Github Actions We use Github actions to run linter and all the tests. The workflow configuration can be found in [.github/workflows/ci.yml](.github/workflows/ci.yml)
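Review bot: Both new targets repeat `pip3 install mythril==0.24.8`, so the analyser's pinned version now lives in two places and must be bumped in lockstep; a shared prerequisite target `mythril-deps:` holding the single `pip3 install mythril==0.24.8` line, with both analysis targets declaring it (`analyze-message-transmitter: mythril-deps` and `analyze-token-messenger-minter: mythril-deps`), keeps one pin. The README hunk below still describes these targets as running Mythril "on all source files" while the recipes analyse three named files under `src/`; a comment above the targets, `# Mythril runs per contract; add new contracts under src/ here`, keeps the two in step.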