search

Consensys / truffle-security

MythX smart contract security verification plugin for Truffle Framework
https://mythx.io
124 stars 28 forks source link

Cannot read property issues of undefined #234

Closed area closed 4 years ago

area commented 5 years ago

Consistently seeing this error running against our codebase (see e.g. https://circleci.com/gh/JoinColony/colonyNetwork/9694) with a specific file (the library DSMath). A UUID of a run that shows this is a7f3f1c8-57f0-4026-8869-54e9618d9eab

The error is thrown in remapMythXOutput. The mythObject that is passed in is:

{  
   "issues":[  
      {  
         "swcID":"SWC-131",
         "swcTitle":"Presence of unused variables",
         "description":{  
            "head":"Unused state variable \"WAD\"",
            "tail":"The state variable \"WAD\" is created within the contract \"DSMath\" but does not seem to be used anywhere. "
         },
         "severity":"Medium",
         "locations":[  
            {  
               "sourceMap":"1562:28:10",
               "sourceType":"solidity-file",
               "sourceFormat":"text",
               "sourceList":[  
                  "/home/circleci/colonyNetwork/contracts/ColonyDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/CommonStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/ERC20Extended.sol",
                  "/home/circleci/colonyNetwork/contracts/IColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IMetaColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IRecovery.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/auth.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/erc20.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/math.sol"
               ]
            }
         ],
         "extra":{  
            "discoveryTime":1143733000,
            "toolName":"maru"
         }
      },
      {  
         "swcID":"SWC-131",
         "swcTitle":"Presence of unused variables",
         "description":{  
            "head":"Unused state variable \"RAY\"",
            "tail":"The state variable \"RAY\" is created within the contract \"DSMath\" but does not seem to be used anywhere. "
         },
         "severity":"Medium",
         "locations":[  
            {  
               "sourceMap":"1596:28:10",
               "sourceType":"solidity-file",
               "sourceFormat":"text",
               "sourceList":[  
                  "/home/circleci/colonyNetwork/contracts/ColonyDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/CommonStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/ERC20Extended.sol",
                  "/home/circleci/colonyNetwork/contracts/IColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IMetaColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IRecovery.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/auth.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/erc20.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/math.sol"
               ]
            }
         ],
         "extra":{  
            "discoveryTime":1147609387,
            "toolName":"maru"
         }
      },
      {  
         "swcID":"SWC-103",
         "swcTitle":"Floating Pragma",
         "description":{  
            "head":"A floating pragma is set.",
            "tail":"It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently multiple versions \">0.4.13\" are allowed."
         },
         "severity":"Low",
         "locations":[  
            {  
               "sourceMap":"696:24:10",
               "sourceType":"solidity-file",
               "sourceFormat":"text",
               "sourceList":[  
                  "/home/circleci/colonyNetwork/contracts/ColonyDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkDataTypes.sol",
                  "/home/circleci/colonyNetwork/contracts/ColonyNetworkStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/CommonStorage.sol",
                  "/home/circleci/colonyNetwork/contracts/ERC20Extended.sol",
                  "/home/circleci/colonyNetwork/contracts/IColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IMetaColony.sol",
                  "/home/circleci/colonyNetwork/contracts/IRecovery.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/auth.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/erc20.sol",
                  "/home/circleci/colonyNetwork/lib/dappsys/math.sol"
               ]
            }
         ],
         "extra":{  
            "discoveryTime":1067710159,
            "toolName":"maru"
         }
      }
   ],
   "sourceType":"raw-bytecode",
   "sourceFormat":"evm-byzantium-bytecode",
   "sourceList":[  
      "0x2b8876dd537eba53375ea3fd0713675c51fe4f36556ca9ef2243cf43670faf9f"
   ],
   "meta":{  
      "selectedCompiler":"Unknown",
      "logs":[  

      ],
      "toolName":"maru"
   }
}

The error occurs because of how mapped is set up here - one such object for each string in mythObject.sourceList. Here, that's one. However, when the errors are tried to be added here, it is attempting to do so at index 10 (because of the sourcemap location being 696:24:10. I note that the sourceList in the individual issues is populated correctly with 11 files for each issue, so my guess is something is amiss in in the mythObject.sourceList.

danielrea commented 5 years ago

Hi area,

Are you currently running the latest version ( v1.5.5 ). If not can you update and let me know if you still get this issue.

area commented 5 years ago

It does appear we are running an older version. Closing for now assuming that was the issue.

area commented 5 years ago

Reopening - we are seeing the same error on 1.5.5, though I am unable to find a minimum working example now, unfortunately. I've done a little investigation / logging which will hopefully point you in the right direction though.

EDIT: Sorry for the double post - my VPN dropped just as I clicked 'Submit'

danielrea commented 5 years ago

Hi area, Thanks for checking on this version, and for looking into it in more detail. This is very similar to an issue that has been fixed already in the next major release. 1.6.0 should fix this issue and should be released within the week.

Sorry for any inconvenience

area commented 5 years ago

Great, I'll hang tight until that release then.

danielrea commented 5 years ago

@area do you have these contracts public that I can test with?

area commented 4 years ago

Yes, they can be found at https://github.com/JoinColony/colonyNetwork/. To reproduce, after cloning the repository:

git checkout bug/security-analysis
yarn
git submodule update --remote --init
truffle run verify --mode quick --style json --limit 1 --swc-blacklist 128

(I don't think many of those flags are required to see the error, but including for completeness)

danielrea commented 4 years ago

Sorry for the delay. Can you try this with 1.6.0 and reopen if it's not resolved.