Merge branch 'dev' into fix/unused-imports

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -3,9 +3,13 @@ body:
   - 
     attributes: 
       value: |
-          Please check the issues tab to avoid duplicates.
+          Please check the issues tab to avoid duplicates, and 
+          confirm that the bug exists on the latest release (upgrade
+          by running `python3 -m pip install --upgrade slither-analyzer`).
+          
           If you are having difficulty installing slither,
           please head over to the "Discussions" page.
+          
           Thanks for taking the time to fill out this bug report!
     type: markdown
   - 
@@ -17,7 +21,7 @@ body:
       required: true
   - 
     attributes: 
-      description: "It can be a github repo, etherscan link, or code snippet."
+      description: "It can be a github repo (preferred), etherscan link, or code snippet."
       label: "Code example to reproduce the issue:"
       placeholder: "`contract A {}`\n"
     id: reproduce
@@ -27,7 +31,7 @@ body:
   - 
     attributes: 
       description: |
-          What version of slither are you running? 
+          What version of slither are you running?
           Run `slither --version`
       label: "Version:"
     id: version

.github/actions/upload-coverage/action.yml

@@ -27,4 +27,5 @@ runs:
         path: |
           .coverage.*
           *.lcov
-        if-no-files-found: ignore
+        if-no-files-found: ignore
+        include-hidden-files: true

.github/scripts/tool_test_runner.sh

@@ -2,11 +2,11 @@
 
 # used to pass --cov=$path and --cov-append to pytest
 if [ "$1" != "" ]; then
-    pytest "$1" tests/tools/read-storage/test_read_storage.py
+    pytest "$1" tests/tools
     status_code=$?
     python -m coverage report
 else
-    pytest tests/tools/read-storage/test_read_storage.py
+    pytest tests/tools
     status_code=$?
 fi
 

.github/workflows/docker.yml

@@ -47,7 +47,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Build and Push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
           target: final

.github/workflows/pip-audit.yml

@@ -34,6 +34,6 @@ jobs:
           python -m pip install .
 
       - name: Run pip-audit
-        uses: pypa/gh-action-pip-audit@v1.0.8
+        uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           virtual-environment: /tmp/pip-audit-env

.github/workflows/publish.yml

@@ -44,10 +44,10 @@ jobs:
           path: dist/
 
       - name: publish
-        uses: pypa/gh-action-pypi-publish@v1.8.14
+        uses: pypa/gh-action-pypi-publish@v1.9.0
 
       - name: sign
-        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
         with:
           inputs: ./dist/*.tar.gz ./dist/*.whl
           release-signing-artifacts: true

.pre-commit-hooks.yaml

@@ -0,0 +1,9 @@
+- id: slither
+  name: Slither
+  description: Run Slither on your project
+  entry: slither
+  args:
+    - .
+  pass_filenames: false
+  language: python
+  files: \.sol$

Dockerfile

@@ -3,6 +3,7 @@ FROM ubuntu:jammy AS python-wheels
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
     gcc \
     git \
+    make \
     python3-dev \
     python3-pip \
   && rm -rf /var/lib/apt/lists/*

FUNDING.json

@@ -3,5 +3,10 @@
         "op-mainnet": {
             "ownedBy": "0xc44F30Be3eBBEfdDBB5a85168710b4f0e18f4Ff0"
         }
+    },
+    "drips": {
+        "ethereum": {
+            "ownedBy": "0x5e2BA02F62bD4efa939e3B80955bBC21d015DbA0"
+        }
     }
 }

README.md

@@ -102,6 +102,13 @@ docker run -it -v /home/share:/share trailofbits/eth-security-toolbox
 ### Integration
 
 * For GitHub action integration, use [slither-action](https://github.com/marketplace/actions/slither-action).
+* For pre-commit integration, use (replace `$GIT_TAG` with real tag)
+  ```YAML
+  - repo: https://github.com/crytic/slither
+    rev: $GIT_TAG
+    hooks:
+      - id: slither
+  ```
 * To generate a Markdown report, use `slither [target] --checklist`.
 * To generate a Markdown with GitHub source code highlighting, use `slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/` (replace `ORG`, `REPO`, `COMMIT`)
 

scripts/ci_test_upgradability.sh

@@ -2,7 +2,8 @@
 
 ### Test slither-check-upgradeability
 
-DIR_TESTS="tests/check-upgradeability"
+DIR_TESTS="tests/tools/check_upgradeability"
+solc-select install "0.5.0"
 solc-select use "0.5.0"
 
 slither-check-upgradeability  "$DIR_TESTS/contractV1.sol" ContractV1 --proxy-filename "$DIR_TESTS/proxy.sol" --proxy-name Proxy  > test_1.txt 2>&1
@@ -181,6 +182,32 @@ then
     exit 255
 fi
 
+slither-check-upgradeability "$DIR_TESTS/contract_initialization.sol" Contract_no_bug_reinitializer --proxy-filename "$DIR_TESTS/proxy.sol" --proxy-name Proxy   > test_14.txt 2>&1
+DIFF=$(diff test_14.txt "$DIR_TESTS/test_14.txt")
+if [  "$DIFF" != "" ]
+then
+    echo "slither-check-upgradeability 14 failed"
+    cat test_14.txt
+    echo ""
+    cat "$DIR_TESTS/test_14.txt"
+    echo ""
+    echo "$DIFF"
+    exit 255
+fi
+
+slither-check-upgradeability "$DIR_TESTS/contract_initialization.sol" Contract_reinitializer_V2 --new-contract-name Counter_reinitializer_V3_V4 > test_15.txt 2>&1
+DIFF=$(diff test_15.txt "$DIR_TESTS/test_15.txt")
+if [  "$DIFF" != "" ]
+then
+    echo "slither-check-upgradeability 14 failed"
+    cat test_15.txt
+    echo ""
+    cat "$DIR_TESTS/test_15.txt"
+    echo ""
+    echo "$DIFF"
+    exit 255
+fi
+
 rm test_1.txt
 rm test_2.txt
 rm test_3.txt
@@ -194,3 +221,5 @@ rm test_10.txt
 rm test_11.txt
 rm test_12.txt
 rm test_13.txt
+rm test_14.txt
+rm test_15.txt

setup.py

@@ -8,16 +8,16 @@
     description="Slither is a Solidity and Vyper static analysis framework written in Python 3.",
     url="https://github.com/crytic/slither",
     author="Trail of Bits",
-    version="0.10.3",
+    version="0.10.4",
     packages=find_packages(),
     python_requires=">=3.8",
     install_requires=[
         "packaging",
-        "prettytable>=3.3.0",
+        "prettytable>=3.10.2",
         "pycryptodome>=3.4.6",
         "crytic-compile>=0.3.7,<0.4.0",
         # "crytic-compile@git+https://github.com/crytic/crytic-compile.git@master#egg=crytic-compile",
-        "web3>=6.0.0",
+        "web3>=6.20.2, <7",
         "eth-abi>=4.0.0",
         "eth-typing>=3.0.0",
         "eth-utils>=2.1.0",

slither/__main__.py

@@ -14,7 +14,7 @@
 from typing import Any, Dict, List, Optional, Sequence, Set, Tuple, Type, Union
 
 
-from crytic_compile import cryticparser, CryticCompile, InvalidCompilation
+from crytic_compile import cryticparser, CryticCompile
 from crytic_compile.platform.standard import generate_standard_export
 from crytic_compile.platform.etherscan import SUPPORTED_NETWORK
 from crytic_compile import compile_all, is_supported
@@ -93,13 +93,7 @@ def process_all(
     detector_classes: List[Type[AbstractDetector]],
     printer_classes: List[Type[AbstractPrinter]],
 ) -> Tuple[List[Slither], List[Dict], List[Output], int]:
-
-    try:
-        compilations = compile_all(target, **vars(args))
-    except InvalidCompilation:
-        logger.error("Unable to compile all targets.")
-        sys.exit(2)
-
+    compilations = compile_all(target, **vars(args))
     slither_instances = []
     results_detectors = []
     results_printers = []
@@ -239,6 +233,7 @@ def choose_detectors(
             set(detectors_to_run), args.detectors_to_include, detectors
         )
 
+    detectors_to_run = sorted(detectors_to_run, key=lambda x: x.IMPACT)
     return detectors_to_run
 
 
@@ -255,7 +250,6 @@ def __include_detectors(
         else:
             raise ValueError(f"Error: {detector} is not a detector")
 
-    detectors_to_run = sorted(detectors_to_run, key=lambda x: x.IMPACT)
     return detectors_to_run
 
 

slither/core/cfg/node.py

@@ -529,7 +529,8 @@ def contains_require_or_assert(self) -> bool:
             bool: True if the node has a require or assert call
         """
         return any(
-            c.name in ["require(bool)", "require(bool,string)", "assert(bool)"]
+            c.name
+            in ["require(bool)", "require(bool,string)", "require(bool,error)", "assert(bool)"]
             for c in self.internal_calls
         )
 

slither/core/declarations/solidity_variables.py

@@ -50,6 +50,7 @@
     "assert(bool)": [],
     "require(bool)": [],
     "require(bool,string)": [],
+    "require(bool,error)": [],  # Solidity 0.8.26 via-ir and Solidity >= 0.8.27
     "revert()": [],
     "revert(string)": [],
     "revert ": [],

slither/detectors/all_detectors.py

@@ -97,4 +97,5 @@
 from .statements.tautological_compare import TautologicalCompare
 from .statements.return_bomb import ReturnBomb
 from .functions.out_of_order_retryable import OutOfOrderRetryable
-from .statements.unused_import import UnusedImport
+
+# from .statements.unused_import import UnusedImport

slither/detectors/attributes/incorrect_solc.py

@@ -71,7 +71,7 @@ def _check_version(self, version: Tuple[str, str, str, str, str]) -> Optional[st
         if op and op not in [">", ">=", "^"]:
             return self.LESS_THAN_TXT
         version_number = ".".join(version[2:])
-        if version_number in bugs_by_version:
+        if version_number in bugs_by_version and len(bugs_by_version[version_number]):
             bugs = "\n".join([f"\t- {bug}" for bug in bugs_by_version[version_number]])
             return self.BUGGY_VERSION_TXT + f"\n{bugs}"
         return None

slither/detectors/functions/arbitrary_send_eth.py

@@ -30,6 +30,7 @@
     SolidityCall,
     Transfer,
 )
+from slither.core.variables.state_variable import StateVariable
 
 # pylint: disable=too-many-nested-blocks,too-many-branches
 from slither.utils.output import Output
@@ -67,6 +68,8 @@ def arbitrary_send(func: Function) -> Union[bool, List[Node]]:
                     continue
                 if ir.call_value == SolidityVariableComposed("msg.value"):
                     continue
+                if isinstance(ir.destination, StateVariable) and ir.destination.is_immutable:
+                    continue
                 if is_dependent(
                     ir.call_value,
                     SolidityVariableComposed("msg.value"),

slither/detectors/functions/dead_code.py

@@ -25,7 +25,7 @@ class DeadCode(AbstractDetector):
     WIKI = "https://github.com/crytic/slither/wiki/Detector-Documentation#dead-code"
 
     WIKI_TITLE = "Dead-code"
-    WIKI_DESCRIPTION = "Functions that are not sued."
+    WIKI_DESCRIPTION = "Functions that are not used."
 
     # region wiki_exploit_scenario
     WIKI_EXPLOIT_SCENARIO = """
@@ -71,9 +71,10 @@ def _detect(self) -> List[Output]:
                 continue
             if isinstance(function, FunctionContract) and (
                 function.contract_declarer.is_from_dependency()
+                or function.contract_declarer.is_library
             ):
                 continue
-            # Continue if the functon is not implemented because it means the contract is abstract
+            # Continue if the function is not implemented because it means the contract is abstract
             if not function.is_implemented:
                 continue
             info: DETECTOR_INFO = [function, " is never used and should be removed\n"]

slither/printers/summary/loc.py

@@ -17,8 +17,8 @@
 
 class LocPrinter(AbstractPrinter):
     ARGUMENT = "loc"
-    HELP = """Count the total number lines of code (LOC), source lines of code (SLOC), \
-            and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), \
+    HELP = """Count the total number lines of code (LOC), source lines of code (SLOC),
+            and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP),
             and test files (TEST)."""
 
     WIKI = "https://github.com/trailofbits/slither/wiki/Printer-documentation#loc"

slither/printers/summary/require_calls.py

@@ -11,6 +11,7 @@
     SolidityFunction("assert(bool)"),
     SolidityFunction("require(bool)"),
     SolidityFunction("require(bool,string)"),
+    SolidityFunction("require(bool,error)"),
 ]
 
 

slither/slithir/operations/assignment.py

@@ -45,10 +45,19 @@ def rvalue(self) -> Union[RVALUE, Function, TupleVariable]:
 
     def __str__(self) -> str:
         lvalue = self.lvalue
+
+        # When rvalues are functions, we want to properly display their return type
+        # Fix: https://github.com/crytic/slither/issues/2266
+        if isinstance(self.rvalue.type, list):
+            rvalue_type = ",".join(f"{rvalue_type}" for rvalue_type in self.rvalue.type)
+        else:
+            rvalue_type = f"{self.rvalue.type}"
+
         assert lvalue
         if lvalue and isinstance(lvalue, ReferenceVariable):
             points = lvalue.points_to
             while isinstance(points, ReferenceVariable):
                 points = points.points_to
-            return f"{lvalue}({lvalue.type}) (->{points}) := {self.rvalue}({self.rvalue.type})"
-        return f"{lvalue}({lvalue.type}) := {self.rvalue}({self.rvalue.type})"
+            return f"{lvalue}({lvalue.type}) (->{points}) := {self.rvalue}({rvalue_type})"
+
+        return f"{lvalue}({lvalue.type}) := {self.rvalue}({rvalue_type})"

slither/slithir/operations/member.py

@@ -1,5 +1,5 @@
 from typing import List, Union
-from slither.core.declarations import Contract, Function
+from slither.core.declarations import Contract, Function, Event
 from slither.core.declarations.custom_error import CustomError
 from slither.core.declarations.enum import Enum
 from slither.core.declarations.solidity_import_placeholder import SolidityImportPlaceHolder
@@ -33,14 +33,29 @@ def __init__(
         # Can be an ElementaryType because of bytes.concat, string.concat
         assert is_valid_rvalue(variable_left) or isinstance(
             variable_left,
-            (Contract, Enum, Function, CustomError, SolidityImportPlaceHolder, ElementaryType),
+            (
+                Contract,
+                Enum,
+                Function,
+                Event,
+                CustomError,
+                SolidityImportPlaceHolder,
+                ElementaryType,
+            ),
         )
 
         assert isinstance(variable_right, Constant)
         assert isinstance(result, ReferenceVariable)
         super().__init__()
         self._variable_left: Union[
-            RVALUE, Contract, Enum, Function, CustomError, SolidityImportPlaceHolder, ElementaryType
+            RVALUE,
+            Contract,
+            Enum,
+            Function,
+            Event,
+            CustomError,
+            SolidityImportPlaceHolder,
+            ElementaryType,
         ] = variable_left
         self._variable_right = variable_right
         self._lvalue = result