Configure slither and add to CI

.github/workflows/build.yml

@@ -56,17 +56,17 @@ jobs:
           key: cape-v5-${{ hashFiles('Cargo.lock') }}
 
       - name: Linting
-        run: nix-shell --run "prepend-timestamps lint-ci"
+        run: nix-shell --run "lint-ci"
 
       - name: Build Slow Tests
         # Make sure the slow tests build, but don't run them (we have another workflow for that).
-        run: nix-shell --run "prepend-timestamps cargo test --release --features=slow-tests --no-run"
+        run: nix-shell --run "cargo test --release --features=slow-tests --no-run"
 
       - name: Run Tests
-        run: nix-shell --run "prepend-timestamps cape-test-geth"
+        run: nix-shell --run "cape-test-geth"
 
       - name: Generate Docs
-        run: nix-shell --run "prepend-timestamps make-doc"
+        run: nix-shell --run "make-doc"
 
       - name: Build all executables
         run: nix-shell --run "cargo build --release"

.github/workflows/slither.yml

@@ -0,0 +1,42 @@
+name: Slither
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  slither:
+    runs-on: [self-hosted, X64]
+    container:
+      image: ghcr.io/espressosystems/nix:main
+      volumes:
+        - github_nix_281:/nix
+    steps:
+      - uses: styfle/[email protected]
+        name: Cancel Outdated Builds
+        with:
+          access_token: ${{ github.token }}
+
+      - uses: cachix/cachix-action@v10
+        with:
+          name: espresso-systems-private
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+
+      - uses: actions/checkout@v2
+        name: Checkout Repository
+
+      - name: Work around git issue after git CVE-2022-24765 fix.
+        run: git config --global --add safe.directory "$PWD"
+
+      - name: Run slither
+        run: nix-shell --run "slither ./contracts --sarif slither.sarif"
+        continue-on-error: true
+
+      - name: Upload slither SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: slither.sarif
+

.github/workflows/slow-tests.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: cachix/cachix-action@v10
         with:
           name: espresso-systems-private
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
 
       - name: Potential broken submodules fix
         run: |
@@ -53,4 +53,4 @@ jobs:
           key: cape-v5-${{ hashFiles('Cargo.lock') }}
 
       - name: Run Tests
-        run: nix-shell --run "prepend-timestamps cape-test-geth-slow"
+        run: nix-shell --run "cape-test-geth-slow"

.gitignore

@@ -28,3 +28,6 @@ __pycache__/
 .*.sw*
 
 scratch/
+
+# Slither analysis results
+slither.sarif

.gitlab-ci.yml

@@ -16,13 +16,13 @@ lint:
   tags:
     - docker
   script:
-    - nix-shell --run "prepend-timestamps lint-ci"
+    - nix-shell --run "lint-ci"
 
 test:
   tags:
     - docker
   script:
-    - nix-shell --run "prepend-timestamps cape-test-geth"
+    - nix-shell --run "cape-test-geth"
   cache:
     key: cape-test
     paths:
@@ -33,7 +33,7 @@ doc:
   tags:
     - docker
   script:
-    - nix-shell --run "prepend-timestamps make-doc"
+    - nix-shell --run "make-doc"
   artifacts:
     paths:
       - doc

Slither.md

@@ -0,0 +1,21 @@
+<!--
+ ~ Copyright (c) 2022 Espresso Systems (espressosys.com)
+ ~ This file is part of the Configurable Asset Privacy for Ethereum (CAPE) library.
+ ~
+ ~ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+ ~ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ ~ You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
+ -->
+
+# Slither
+
+Run `run-slither` to analyze the contracts.
+
+To disable warnings add a code comment, for example
+
+    // slither-disable-next-line variable-scope
+
+The configuration file is [slither.config.json](./slither.config.json).
+
+The slither github workflow file is
+[.github/workflows/slither.yml](./.github/workflows/slither.yml).

bin/run-ci-tests

@@ -10,6 +10,7 @@ set -euo pipefail
 
 make-doc
 lint-ci
+run-slither
 cape-test-geth
 
 echo Ok!

bin/run-slither

@@ -9,5 +9,4 @@
 
 set -euo pipefail
 
-slither --solc-remaps @openzeppelin/=`pwd`/node_modules/.pnpm/@[email protected]/node_modules/@openzeppelin/,@rari-capital/=`pwd`/node_modules/.pnpm/@[email protected]/node_modules/@rari-capital/,solidity-bytes-utils/=`pwd`/node_modules/.pnpm/[email protected]/node_modules/solidity_bytes_utils/ contracts
-
+slither contracts