8 versions (crate uses the old Rust 2015 edition)

| Version | Released |
|---|---|
| 0.1.7 | 27 July 2018 |
| 0.1.6 | 5 July 2018 |
| 0.1.5 | 16 June 2018 |
# Smart contract tool aggregator

The goal of this repository is to find a good way to integrate smart contract static analysis tools into a CI pipeline. Ideally this should be easy to pick up and use for any project that works with smart contracts (dapps, wallets, and so on).

The main challenges to overcome seem to be:
- seamless installation and configuration of all tools
- invocation of each tool taking into account its specifics (sometimes on things as simple as where contracts need to be located)
## Strategy

Build a static binary that invokes a minimal, self-contained Docker container for each tool. Aggregate the results of all invocations and present them in a usable form (a web page, as solhydra does, or command-line output that can be included in a CI pipeline).

This way developers get a comprehensive, detailed analysis of their smart contracts with almost no effort.

## Key code review and static analysis tools
- solc - compile (portable)
- Solium - lint (depends on npm)
- solgraph - function control flow visualisation (depends on npm)
- Oyente - static analysis (depends on pip)
- MAIAN - static analysis (python, but no distributable release, must get from source) (removed due to lack of maintenance)
- mythril - static analysis (depends on pip)
- echidna - fuzz tester (haskell compiled binary)
## Installation

`solsa` is a standalone Rust binary available on crates.io, but it depends on several Docker images that it expects to be installed already.

To install the `solsa` command, run

```sh
cargo install solsa
```

To install the Docker images it depends on, run

```sh
docker pull enhancedsociety/solc
docker pull enhancedsociety/solium
docker pull enhancedsociety/oyente
docker pull enhancedsociety/mythril
```

These images are optimised for size and ease of use, so they run standalone and are considerably smaller than the official or upstream builds.
## Usage

```console
$ solsa -h
solsa 0.1.5
Enhanced Society
Aggregates static analysis tooling for ethereum smart contracts.

USAGE:
    solsa [FLAGS] [OPTIONS] --contract-file <contract-file>

FLAGS:
        --error-exit    Exit with error code if issues are found
    -h, --help          Prints help information
        --html          Output the report as an html file
        --json          Output the report as JSON
    -p, --preload       Preload docker containers necessary for execution
        --silent        Do not output the report, but only basic pass/fail info
    -V, --version       Prints version information

OPTIONS:
    -f, --contract-file <contract-file>    Path to Solidity smart contract
    -d, --depth <depth>                    Depth of analysis, the deeper the more thorough, but also the slower
                                           [default: shallow]  [possible values: shallow, deep]
    -o <output>                            File to write report into
```
## Example run

```sh
$ solsa -f contracts/BurnableCrowdsaleToken.sol -o BurnableCrowdsaleToken.html
```

This produces the file `BurnableCrowdsaleToken.html` containing the full report.

## Standalone Docker images

The Docker images in this repository can be invoked on their own to use the tools they carry without `solsa`. They assume that a directory containing all required contracts and metadata is mounted at `/src`; for example, invoking solium looks like this:
```console
$ docker run -it --rm -v $(pwd):/src:ro enhancedsociety/solium -f contracts/UpgradeableToken.sol
contracts/UpgradeableToken.sol
53:2 error No visibility specified explicitly for UpgradeableToken function. security/enforce-explicit-visibility
65:8 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
69:22 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
79:6 warning Use emit statements for triggering events. emit
89:8 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
92:24 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
94:39 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
96:55 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
101:41 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
103:57 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
105:6 warning Use emit statements for triggering events. emit
111:36 warning Use 'view' instead of deprecated 'constant'. no-constant
124:25 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
125:39 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
132:31 warning Use 'view' instead of deprecated 'constant'. no-constant
✖ 11 errors, 4 warnings found.
```
For convenience you can define the following shell function (put it in your `.bashrc` or equivalent):

```sh
# Run an image with the current directory mounted read-only at /src.
docker-run-here () { docker run -it --rm -v "$(pwd)":/src:ro "$@"; }
```

which turns the command above into

```sh
docker-run-here enhancedsociety/solium -f contracts/UpgradeableToken.sol
```
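The README's stated goal is to turn tool output like the solium report above into something a CI pipeline can act on, which is what `solsa --error-exit` does for the aggregated report. The script below is an added example, not code from the solsa project or its Docker images: it parses the plain-text report format that the solium run above prints (assumed to be one finding per line as `<line>:<col> <severity> <message> <rule-id>`, preceded by the file name and followed by a summary line), counts errors and warnings itself rather than trusting the tool's own summary, aggregates findings per rule id, and fails when any error-level finding exists. The sample report embedded in it is constructed from a subset of the lines shown above.

```sh
#!/bin/sh
# Added example (not part of the solsa project): parse the plain-text report
# printed by the enhancedsociety/solium image and turn it into a CI gate,
# mirroring what solsa's --error-exit flag does for the aggregated report.
# Assumption: Solium's default reporter emits one finding per line as
#   <line>:<col> <severity> <message> <rule-id>
# preceded by the file name and followed by a "✖ N errors, M warnings" line.

# Constructed sample report, modelled on the run shown in the README.
SAMPLE_SOLIUM_OUTPUT=$(cat <<'EOF'
contracts/UpgradeableToken.sol
53:2 error No visibility specified explicitly for UpgradeableToken function. security/enforce-explicit-visibility
65:8 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
69:22 error Consider using 'revert()' in place of deprecated 'throw'. security/no-throw
79:6 warning Use emit statements for triggering events. emit
111:36 warning Use 'view' instead of deprecated 'constant'. no-constant
✖ 3 errors, 2 warnings found.
EOF
)

# Count findings of one severity ("error" or "warning") in a report read from stdin.
# Only lines whose first field looks like "<line>:<col>" are findings; the file
# name and Solium's own summary line are skipped, so the count never relies on
# the tool's totals.
solium_count() {
    awk -v sev="$1" '$1 ~ /^[0-9]+:[0-9]+$/ && $2 == sev { n++ } END { print n + 0 }'
}

# Aggregate findings per rule id (the last field), most frequent first.
solium_by_rule() {
    awk '$1 ~ /^[0-9]+:[0-9]+$/ { c[$NF]++ } END { for (r in c) printf "%d %s\n", c[r], r }' | sort -rn
}

# Print a summary and return non-zero when any error-level finding exists, so a
# pipeline step such as
#   docker-run-here enhancedsociety/solium -f contracts/X.sol | solium_gate
# fails the job on errors while still surfacing warnings.
solium_gate() {
    report=$(cat)
    errors=$(printf '%s\n' "$report" | solium_count error)
    warnings=$(printf '%s\n' "$report" | solium_count warning)
    printf 'solium: %s error(s), %s warning(s)\n' "$errors" "$warnings"
    printf '%s\n' "$report" | solium_by_rule
    [ "$errors" -eq 0 ]
}

# Stand-alone demo over the constructed sample; the if keeps a failing gate
# from aborting this script itself.
if printf '%s\n' "$SAMPLE_SOLIUM_OUTPUT" | solium_gate; then
    echo "gate: PASS"
else
    echo "gate: FAIL (a CI step would stop here)"
fi
```

Counting the findings from the per-line records rather than the trailing summary means the gate still behaves correctly if a tool truncates or omits its summary, and the per-rule breakdown is the kind of aggregation the strategy section describes, just for one tool; the same pattern applies to any of the other images whose reporter emits one finding per line.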
## TODO

- Improve the usage section of the README and add example screenshots / an asciinema demo
- Re-introduce echidna
- Add solgraph
- Add tests
- Re-introduce MAIAN (waiting on upstream / a port to py3) or drop it entirely
- [never-ending] keep finding, evaluating and integrating tools that improve the quality of the contracts being developed