From 0e86f3d3045fd3669e19824ff950b160438c26c1 Mon Sep 17 00:00:00 2001
From: alpharush <0xalpharush@protonmail.com>
Date: Fri, 23 Jun 2023 11:23:22 -0500
Subject: [PATCH 1/5] 0.9.4
---
 setup.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup.py b/setup.py
index 70d4f71fd4..798d439369 100644
--- a/setup.py
+++ b/setup.py
@@ -8,15 +8,15 @@
 description="Slither is a Solidity static analysis framework written in Python 3.",
 url="https://github.com/crytic/slither",
 author="Trail of Bits",
- version="0.9.3",
+ version="0.9.4",
 packages=find_packages(),
 python_requires=">=3.8",
 install_requires=[
 "packaging",
 "prettytable>=3.3.0",
 "pycryptodome>=3.4.6",
- # "crytic-compile>=0.3.1,<0.4.0",
- "crytic-compile@git+https://github.com/crytic/crytic-compile.git@dev#egg=crytic-compile",
+ "crytic-compile>=0.3.2,<0.4.0",
+ # "crytic-compile@git+https://github.com/crytic/crytic-compile.git@dev#egg=crytic-compile",
 "web3>=6.0.0",
 "eth-abi>=4.0.0",
 "eth-typing>=3.0.0",
From 6cb36a2efdf820ca143f9c371b274659271a9889 Mon Sep 17 00:00:00 2001
From: alpharush <0xalpharush@protonmail.com>
Date: Mon, 26 Jun 2023 13:23:53 -0500
Subject: [PATCH 2/5] use published release of solc-select
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 798d439369..9695a8fc01 100644
--- a/setup.py
+++ b/setup.py
@@ -36,7 +36,7 @@
 "coverage[toml]",
 "filelock",
 "pytest-insta",
- "solc-select@git+https://github.com/crytic/solc-select.git@query-artifact-path#egg=solc-select",
+ "solc-select>=1.0.4",
 ],
 "doc": [
 "pdoc",
From 1f40e9269b0c3dc23d45ad2ee8e86237d266c4f9 Mon Sep 17 00:00:00 2001
From: alpharush <0xalpharush@protonmail.com>
Date: Tue, 27 Jun 2023 08:20:54 -0500
Subject: [PATCH 3/5] 0.9.5
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 9695a8fc01..e7019b1aac 100644
--- a/setup.py
+++ b/setup.py
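Review bot: The commented-out `# "crytic-compile@git+https://github.com/crytic/crytic-compile.git@dev#egg=crytic-compile"` line kept under the new `"crytic-compile>=0.3.2,<0.4.0"` pin in `install_requires` carries no explanation. It names a moving branch (`@dev`) rather than a tag or commit, so re-enabling it would make installs resolve to whatever that branch holds at install time. If it stays as a development toggle, a comment above it should say so, for example `# development only: tracks the dev branch; do not ship a release with this enabled`; otherwise the line can be dropped. The `setup(...)` call begins and ends outside this hunk.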
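Review bot: `"solc-select>=1.0.4"` in the second setup.py hunk has only a lower bound, while the `crytic-compile` requirement in the same file is capped with `<0.4.0`. The two crytic packages therefore follow different conventions, and this extras list accepts any future major release without review. If the cap is the project's policy for its own packages, the line could read `"solc-select>=1.0.4,<2.0.0"` (upper bound illustrative); if it is left open on purpose, a one-line comment saying why would settle it. The key of this extras list and the rest of the dict are outside the hunk.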
@@ -8,7 +8,7 @@
 description="Slither is a Solidity static analysis framework written in Python 3.",
 url="https://github.com/crytic/slither",
 author="Trail of Bits",
- version="0.9.4",
+ version="0.9.5",
 packages=find_packages(),
 python_requires=">=3.8",
 install_requires=[
From f3be9efad61672ba5e97189f73b055f7734d455a Mon Sep 17 00:00:00 2001
From: sam bacha
Date: Thu, 6 Jul 2023 07:51:56 -0700
Subject: [PATCH 4/5] docs(readme): add new docs link (#2010) * docs(readme): add new docs link Fix the status badges and include a link to the documentation page that is now generated * docs(citation): create CITATION.cff This creates a `CITATION.cff` file. The information is taken from arXiv's bibtex for the whitepaper: ```bibtex @inproceedings{Feist_2019, doi = {10.1109/wetseb.2019.00008}, url = {https://doi.org/10.1109%2Fwetseb.2019.00008}, year = 2019, month = {may}, publisher = {{IEEE} }, author = {Josselin Feist and Gustavo Grieco and Alex Groce}, title = {Slither: A Static Analysis Framework for Smart Contracts}, booktitle = {2019 {IEEE}/{ACM} 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain ({WETSEB})} } ```
---
 CITATION.cff | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 README.md | 60 +++++++++++++++++++++++++++++++-----------------
 2 files changed, 103 insertions(+), 21 deletions(-)
 create mode 100644 CITATION.cff
diff --git a/CITATION.cff b/CITATION.cff
new file mode 100644
index 0000000000..605bd60e5f
--- /dev/null
+++ b/CITATION.cff
@@ -0,0 +1,64 @@
+cff-version: 1.2.0
+title: Slither Analyzer
+message: >-
+ If you use this software, please cite it using the
+ metadata from this file.
+type: software
+authors:
+ - given-names: Josselin
+ family-names: Feist
+ - given-names: Gustavo
+ family-names: Grieco
+ - given-names: Alex
+ family-names: Groce
+identifiers:
+ - type: doi
+ value: 10.48550/arXiv.1908.09878
+ description: arXiv.1908.09878
+ - type: url
+ value: 'https://arxiv.org/abs/1908.09878'
+ description: arxiv
+ - type: doi
+ value: 10.1109/wetseb.2019.00008
+repository-code: 'https://github.com/crytic/slither'
+url: 'https://www.trailofbits.com/'
+repository-artifact: 'https://github.com/crytic/slither/releases'
+abstract: >-
+ Slither is a static analysis framework designed to provide
+ rich information about Ethereum smart contracts.
+
+ It works by converting Solidity smart contracts into an
+ intermediate representation called SlithIR.
+
+ SlithIR uses Static Single Assignment (SSA) form and a
+ reduced instruction set to ease implementation of analyses
+ while preserving semantic information that would be lost
+ in transforming Solidity to bytecode.
+
+ Slither allows for the application of commonly used
+ program analysis techniques like dataflow and taint
+ tracking.
+
+
+ Our framework has four main use cases:
+
+ (1) automated detection of vulnerabilities,
+
+ (2) automated detection of code optimization
+ opportunities,
+
+ (3) improvement of the user's understanding of the
+ contracts, and
+
+ (4) assistance with code review.
+keywords:
+ - Ethereum
+ - Static Analysis
+ - Smart contracts
+ - EVM
+ - bug detection
+ - Software Engineering
+license: AGPL-3.0-only
+commit: 3d4f934d3228f072b7df2c5e7252c64df4601bc8
+version: 0.9.5
+date-released: '2023-06-28'
diff --git a/README.md b/README.md
index cb815561e8..18c1c62268 100644
--- a/README.md
+++ b/README.md
@@ -1,23 +1,40 @@ -# Slither, the Solidity source analyzer +Slither Static Analysis Framework Logo -Logo +# [Slither, the Solidity source analyzer](https://crytic.github.io/slither/slither.html) [![Build Status](https://img.shields.io/github/actions/workflow/status/crytic/slither/ci.yml?branch=master)](https://github.com/crytic/slither/actions?query=workflow%3ACI) -[![Slack Status](https://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com) -[![PyPI version](https://badge.fury.io/py/slither-analyzer.svg)](https://badge.fury.io/py/slither-analyzer) - -Slither is a Solidity static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses. - -- [Features](#features) -- [Usage](#usage) -- [How to Install](#how-to-install) -- [Detectors](#detectors) -- [Printers](#printers) -- [Tools](#tools) -- [API Documentation](#api-documentation) -- [Getting Help](#getting-help) -- [FAQ](#faq) -- [Publications](#publications) +![PyPI](https://img.shields.io/pypi/v/slither-analyzer?logo=python&logoColor=white&label=slither-analyzer) +[![Slither - Read the Docs](https://img.shields.io/badge/Slither-Read_the_Docs-2ea44f)](https://crytic.github.io/slither/slither.html) +[![Slither - Wiki](https://img.shields.io/badge/Slither-Wiki-2ea44f)](https://github.com/crytic/slither/wiki/SlithIR) + +> Join the Empire Hacking Slack +> +> [![Slack Status](https://slack.empirehacking.nyc/badge.svg)](https://slack.empirehacking.nyc/) +> > - Discussions and Support + + +**Slither** is a Solidity static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. 
Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses. + + * [Features](#features) + * [Usage](#usage) + * [How to install](#how-to-install) + + [Using Pip](#using-pip) + + [Using Git](#using-git) + + [Using Docker](#using-docker) + + [Integration](#integration) + * [Detectors](#detectors) + * [Printers](#printers) + + [Quick Review Printers](#quick-review-printers) + + [In-Depth Review Printers](#in-depth-review-printers) + * [Tools](#tools) + * [API Documentation](#api-documentation) + * [Getting Help](#getting-help) + * [FAQ](#faq) + * [License](#license) + * [Publications](#publications) + + [Trail of Bits publication](#trail-of-bits-publication) + + [External publications](#external-publications) + ## Features @@ -36,7 +53,7 @@ Slither is a Solidity static analysis framework written in Python3. It runs a su Run Slither on a Hardhat/Foundry/Dapp/Brownie application: -```bash +```console slither . ``` @@ -44,18 +61,19 @@ This is the preferred option if your project has dependencies as Slither relies However, you can run Slither on a single file that does not import dependencies: -```bash +```console slither tests/uninitialized.sol ``` ## How to install -Slither requires Python 3.8+. +> **Note**
+> Slither requires Python 3.8+. If you're **not** going to use one of the [supported compilation frameworks](https://github.com/crytic/crytic-compile), you need [solc](https://github.com/ethereum/solidity/), the Solidity compiler; we recommend using [solc-select](https://github.com/crytic/solc-select) to conveniently switch between solc versions. ### Using Pip -```bash +```console pip3 install slither-analyzer ``` From e5f2a86f0906fd62c6c4eccb9dbfa5ab30671a78 Mon Sep 17 00:00:00 2001 From: alpharush <0xalpharush@protonmail.com> Date: Thu, 6 Jul 2023 11:05:58 -0500 Subject: [PATCH 5/5] 0.9.6 (#2031) * 0.9.6 * lint readme --- README.md | 125 +++++++++++++++++++++++++++--------------------------- setup.py | 5 +-- 2 files changed, 64 insertions(+), 66 deletions(-) diff --git a/README.md b/README.md index 18c1c62268..1a0d203c7d 100644 --- a/README.md +++ b/README.md 
@@ -1,53 +1,51 @@ -Slither Static Analysis Framework Logo - # [Slither, the Solidity source analyzer](https://crytic.github.io/slither/slither.html) +Slither Static Analysis Framework Logo + [![Build Status](https://img.shields.io/github/actions/workflow/status/crytic/slither/ci.yml?branch=master)](https://github.com/crytic/slither/actions?query=workflow%3ACI) ![PyPI](https://img.shields.io/pypi/v/slither-analyzer?logo=python&logoColor=white&label=slither-analyzer) [![Slither - Read the Docs](https://img.shields.io/badge/Slither-Read_the_Docs-2ea44f)](https://crytic.github.io/slither/slither.html) [![Slither - Wiki](https://img.shields.io/badge/Slither-Wiki-2ea44f)](https://github.com/crytic/slither/wiki/SlithIR) > Join the Empire Hacking Slack -> +> > [![Slack Status](https://slack.empirehacking.nyc/badge.svg)](https://slack.empirehacking.nyc/) > > - Discussions and Support - **Slither** is a Solidity static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses. 
- * [Features](#features) - * [Usage](#usage) - * [How to install](#how-to-install) - + [Using Pip](#using-pip) - + [Using Git](#using-git) - + [Using Docker](#using-docker) - + [Integration](#integration) - * [Detectors](#detectors) - * [Printers](#printers) - + [Quick Review Printers](#quick-review-printers) - + [In-Depth Review Printers](#in-depth-review-printers) - * [Tools](#tools) - * [API Documentation](#api-documentation) - * [Getting Help](#getting-help) - * [FAQ](#faq) - * [License](#license) - * [Publications](#publications) - + [Trail of Bits publication](#trail-of-bits-publication) - + [External publications](#external-publications) - +* [Features](#features) +* [Usage](#usage) +* [How to install](#how-to-install) + * [Using Pip](#using-pip) + * [Using Git](#using-git) + * [Using Docker](#using-docker) + * [Integration](#integration) +* [Detectors](#detectors) +* [Printers](#printers) + * [Quick Review Printers](#quick-review-printers) + * [In-Depth Review Printers](#in-depth-review-printers) +* [Tools](#tools) +* [API Documentation](#api-documentation) +* [Getting Help](#getting-help) +* [FAQ](#faq) +* [License](#license) +* [Publications](#publications) + * [Trail of Bits publication](#trail-of-bits-publication) + * [External publications](#external-publications) ## Features -- Detects vulnerable Solidity code with low false positives (see the list of [trophies](./trophies.md)) -- Identifies where the error condition occurs in the source code -- Easily integrates into continuous integration and Hardhat/Foundry builds -- Built-in 'printers' quickly report crucial contract information -- Detector API to write custom analyses in Python -- Ability to analyze contracts written with Solidity >= 0.4 -- Intermediate representation ([SlithIR](https://github.com/trailofbits/slither/wiki/SlithIR)) enables simple, high-precision analyses -- Correctly parses 99.9% of all public Solidity code -- Average execution time of less than 1 second per contract -- 
Integrates with Github's code scanning in [CI](https://github.com/marketplace/actions/slither-action) +* Detects vulnerable Solidity code with low false positives (see the list of [trophies](./trophies.md)) +* Identifies where the error condition occurs in the source code +* Easily integrates into continuous integration and Hardhat/Foundry builds +* Built-in 'printers' quickly report crucial contract information +* Detector API to write custom analyses in Python +* Ability to analyze contracts written with Solidity >= 0.4 +* Intermediate representation ([SlithIR](https://github.com/trailofbits/slither/wiki/SlithIR)) enables simple, high-precision analyses +* Correctly parses 99.9% of all public Solidity code +* Average execution time of less than 1 second per contract +* Integrates with Github's code scanning in [CI](https://github.com/marketplace/actions/slither-action) ## Usage @@ -102,9 +100,9 @@ docker run -it -v /home/share:/share trailofbits/eth-security-toolbox ### Integration -- For GitHub action integration, use [slither-action](https://github.com/marketplace/actions/slither-action). -- To generate a Markdown report, use `slither [target] --checklist`. -- To generate a Markdown with GitHub source code highlighting, use `slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/` (replace `ORG`, `REPO`, `COMMIT`) +* For GitHub action integration, use [slither-action](https://github.com/marketplace/actions/slither-action). +* To generate a Markdown report, use `slither [target] --checklist`. +* To generate a Markdown with GitHub source code highlighting, use `slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/` (replace `ORG`, `REPO`, `COMMIT`) ## Detectors 
@@ -200,23 +198,24 @@ Num | Detector | What it Detects | Impact | Confidence For more information, see -- The [Detector Documentation](https://github.com/crytic/slither/wiki/Detector-Documentation) for details on each detector -- The [Detection Selection](https://github.com/crytic/slither/wiki/Usage#detector-selection) to run only selected detectors. By default, all the detectors are run. -- The [Triage Mode](https://github.com/crytic/slither/wiki/Usage#triage-mode) to filter individual results +* The [Detector Documentation](https://github.com/crytic/slither/wiki/Detector-Documentation) for details on each detector +* The [Detection Selection](https://github.com/crytic/slither/wiki/Usage#detector-selection) to run only selected detectors. By default, all the detectors are run. +* The [Triage Mode](https://github.com/crytic/slither/wiki/Usage#triage-mode) to filter individual results ## Printers + ### Quick Review Printers -- `human-summary`: [Print a human-readable summary of the contracts](https://github.com/trailofbits/slither/wiki/Printer-documentation#human-summary) -- `inheritance-graph`: [Export the inheritance graph of each contract to a dot file](https://github.com/trailofbits/slither/wiki/Printer-documentation#inheritance-graph) -- `contract-summary`: [Print a summary of the contracts](https://github.com/trailofbits/slither/wiki/Printer-documentation#contract-summary) -- `loc`: [Count the total number lines of code (LOC), source lines of code (SLOC), and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), and test files (TEST).](https://github.com/trailofbits/slither/wiki/Printer-documentation#loc) +* `human-summary`: [Print a human-readable summary of the contracts](https://github.com/trailofbits/slither/wiki/Printer-documentation#human-summary) +* `inheritance-graph`: [Export the inheritance graph of each contract to a dot file](https://github.com/trailofbits/slither/wiki/Printer-documentation#inheritance-graph) +* 
`contract-summary`: [Print a summary of the contracts](https://github.com/trailofbits/slither/wiki/Printer-documentation#contract-summary) +* `loc`: [Count the total number lines of code (LOC), source lines of code (SLOC), and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), and test files (TEST).](https://github.com/trailofbits/slither/wiki/Printer-documentation#loc) ### In-Depth Review Printers -- `call-graph`: [Export the call-graph of the contracts to a dot file](https://github.com/trailofbits/slither/wiki/Printer-documentation#call-graph) -- `cfg`: [Export the CFG of each functions](https://github.com/trailofbits/slither/wiki/Printer-documentation#cfg) -- `function-summary`: [Print a summary of the functions](https://github.com/trailofbits/slither/wiki/Printer-documentation#function-summary) -- `vars-and-auth`: [Print the state variables written and the authorization of the functions](https://github.com/crytic/slither/wiki/Printer-documentation#variables-written-and-authorization) -- `not-pausable`: [Print functions that do not use `whenNotPaused` modifier](https://github.com/trailofbits/slither/wiki/Printer-documentation#when-not-paused). +* `call-graph`: [Export the call-graph of the contracts to a dot file](https://github.com/trailofbits/slither/wiki/Printer-documentation#call-graph) +* `cfg`: [Export the CFG of each functions](https://github.com/trailofbits/slither/wiki/Printer-documentation#cfg) +* `function-summary`: [Print a summary of the functions](https://github.com/trailofbits/slither/wiki/Printer-documentation#function-summary) +* `vars-and-auth`: [Print the state variables written and the authorization of the functions](https://github.com/crytic/slither/wiki/Printer-documentation#variables-written-and-authorization) +* `not-pausable`: [Print functions that do not use `whenNotPaused` modifier](https://github.com/trailofbits/slither/wiki/Printer-documentation#when-not-paused). 
To run a printer, use `--print` and a comma-separated list of printers. @@ -224,13 +223,13 @@ See the [Printer documentation](https://github.com/crytic/slither/wiki/Printer-d ## Tools -- `slither-check-upgradeability`: [Review `delegatecall`-based upgradeability](https://github.com/crytic/slither/wiki/Upgradeability-Checks) -- `slither-prop`: [Automatic unit test and property generation](https://github.com/crytic/slither/wiki/Property-generation) -- `slither-flat`: [Flatten a codebase](https://github.com/crytic/slither/wiki/Contract-Flattening) -- `slither-check-erc`: [Check the ERC's conformance](https://github.com/crytic/slither/wiki/ERC-Conformance) -- `slither-format`: [Automatic patch generation](https://github.com/crytic/slither/wiki/Slither-format) -- `slither-read-storage`: [Read storage values from contracts](./slither/tools/read_storage/README.md) -- `slither-interface`: [Generate an interface for a contract](./slither/tools/interface/README.md) +* `slither-check-upgradeability`: [Review `delegatecall`-based upgradeability](https://github.com/crytic/slither/wiki/Upgradeability-Checks) +* `slither-prop`: [Automatic unit test and property generation](https://github.com/crytic/slither/wiki/Property-generation) +* `slither-flat`: [Flatten a codebase](https://github.com/crytic/slither/wiki/Contract-Flattening) +* `slither-check-erc`: [Check the ERC's conformance](https://github.com/crytic/slither/wiki/ERC-Conformance) +* `slither-format`: [Automatic patch generation](https://github.com/crytic/slither/wiki/Slither-format) +* `slither-read-storage`: [Read storage values from contracts](./slither/tools/read_storage/README.md) +* `slither-interface`: [Generate an interface for a contract](./slither/tools/interface/README.md) See the [Tool documentation](https://github.com/crytic/slither/wiki/Tool-Documentation) for additional tools. 
@@ -244,23 +243,23 @@ Documentation on Slither's internals is available [here](https://crytic.github.i Feel free to stop by our [Slack channel](https://empireslacking.herokuapp.com) (#ethereum) for help using or extending Slither. -- The [Printer documentation](https://github.com/trailofbits/slither/wiki/Printer-documentation) describes the information Slither is capable of visualizing for each contract. +* The [Printer documentation](https://github.com/trailofbits/slither/wiki/Printer-documentation) describes the information Slither is capable of visualizing for each contract. -- The [Detector documentation](https://github.com/trailofbits/slither/wiki/Adding-a-new-detector) describes how to write a new vulnerability analyses. +* The [Detector documentation](https://github.com/trailofbits/slither/wiki/Adding-a-new-detector) describes how to write a new vulnerability analyses. -- The [API documentation](https://github.com/crytic/slither/wiki/Python-API) describes the methods and objects available for custom analyses. +* The [API documentation](https://github.com/crytic/slither/wiki/Python-API) describes the methods and objects available for custom analyses. -- The [SlithIR documentation](https://github.com/trailofbits/slither/wiki/SlithIR) describes the SlithIR intermediate representation. +* The [SlithIR documentation](https://github.com/trailofbits/slither/wiki/SlithIR) describes the SlithIR intermediate representation. ## FAQ How do I exclude mocks or tests? -- View our documentation on [path filtering](https://github.com/crytic/slither/wiki/Usage#path-filtering). +* View our documentation on [path filtering](https://github.com/crytic/slither/wiki/Usage#path-filtering). How do I fix "unknown file" or compilation issues? -- Because slither requires the solc AST, it must have all dependencies available. +* Because slither requires the solc AST, it must have all dependencies available. If a contract has dependencies, `slither contract.sol` will fail. 
Instead, use `slither .` in the parent directory of `contracts/` (you should see `contracts/` when you run `ls`). If you have a `node_modules/` folder, it must be in the same directory as `contracts/`. To verify that this issue is related to slither, @@ -275,7 +274,7 @@ Slither is licensed and distributed under the AGPLv3 license. [Contact us](mailt ### Trail of Bits publication -- [Slither: A Static Analysis Framework For Smart Contracts](https://arxiv.org/abs/1908.09878), Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19 +* [Slither: A Static Analysis Framework For Smart Contracts](https://arxiv.org/abs/1908.09878), Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19 ### External publications diff --git a/setup.py b/setup.py index e7019b1aac..182b91d35b 100644 --- a/setup.py +++ b/setup.py @@ -8,14 +8,14 @@ description="Slither is a Solidity static analysis framework written in Python 3.", url="https://github.com/crytic/slither", author="Trail of Bits", - version="0.9.5", + version="0.9.6", packages=find_packages(), python_requires=">=3.8", install_requires=[ "packaging", "prettytable>=3.3.0", "pycryptodome>=3.4.6", - "crytic-compile>=0.3.2,<0.4.0", + "crytic-compile>=0.3.3,<0.4.0", # "crytic-compile@git+https://github.com/crytic/crytic-compile.git@dev#egg=crytic-compile", "web3>=6.0.0", "eth-abi>=4.0.0", @@ -36,7 +36,6 @@ "coverage[toml]", "filelock", "pytest-insta", - "solc-select>=1.0.4", ], "doc": [ "pdoc",