Consensys / truffle-security

MythX smart contract security verification plugin for Truffle Framework
https://mythx.io

Can't verify contracts that import npm packages #133

Closed barlock closed 5 years ago

barlock commented 5 years ago

I tried installing truffle-security into my project and it's having a hard time compiling my contracts.

Might be possible that the compat version of truffle-compile is out of date?

Steps to Reproduce

Clone https://github.com/barlock/web3studio-bootleg/tree/truffle-security (Specifically the truffle-security branch)

$ yarn
$ yarn verify

Error

,/Users/michael/workspace/consensys/web3studio-bootleg/packages/bootleg-tokens/contracts/ERC721/IERC721.sol:9:21: DeclarationError: Identifier not found or not unique.
contract IERC721 is IERC165 {
                    ^-----^
    at CompileError.ExtendableError (/Users/michael/workspace/consensys/web3studio-bootleg/node_modules/truffle-error/index.js:10:17)
    at new CompileError (/Users/michael/workspace/consensys/web3studio-bootleg/node_modules/truffle-security/compat/truffle-compile/compileerror.js:12:23)
    at supplier.load.then.solc (/Users/michael/workspace/consensys/web3studio-bootleg/node_modules/truffle-security/compat/truffle-compile/index.js:307:11)
Truffle v5.0.5 (core: 5.0.5)
Node v10.15.0

Details

A normal truffle compile runs just fine (in the root package, yarn lerna run build).

There are 3 packages with contracts: bootleg-tokens, bootleg-app-contracts and examples. examples is the only one that has no issues, but it's also a very simple MetaCoin example.

Example is a monorepo using lerna and yarn workspaces, so node_modules have been symlinked in some places and they're located two dirs out from where the code is running.

rocky commented 5 years ago

https://github.com/barlock/web3studio-bootleg/commit/3e3a9828ebd10e3c15a590daa047fb3450f7f7cd seems to indicate that your truffle config is in a weird place relative to where your node_modules is located. If you change the "truffle run verify" to "truffle compile", does that compile? See https://github.com/barlock/web3studio-bootleg/commit/3e3a9828ebd10e3c15a590daa047fb3450f7f7cd#r32927634

barlock commented 5 years ago

Yes, truffle-compile runs fine. My node_modules are hoisted to the top of the monorepo.

rocky commented 5 years ago

If I can beg your indulgence a little more, could you try with the master branch now? Recently https://github.com/ConsenSys/truffle-security/pull/149 was merged and there is a small chance that addresses this (or moves things forward). Thanks.

PaulRBerg commented 5 years ago

I can confirm that just like @barlock I have the same issue with contracts that import other contracts from node_modules (specifically, from openzeppelin-solidity).

Same behaviour when installing from npm (version 1.3.1) and when pulling from master and npm link-ing the plugin on my local machine.

barlock commented 5 years ago

Sorry for the slow responses. Yes, using the master branch resolves this issue 🎉

Do you have an idea for when the next release might be?

nbanmp commented 5 years ago

@barlock The next release will be today or tomorrow. 🎉

As master currently resolves this, I will be closing this issue. If anything comes up, please reopen it or create a new issue.