A CLI client for MythX
Install globally using:
$ npm -g install @cleanunicorn/mythos
Use this to scan Solidity source code.
You need to provide your MythX address and password.
As an env variable:
$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract
Or as flags:
$ mythos analyze ./contract.sol Contract \
--mythxEthAddress=mythxEthAddress \
--mythxPassword=mythxPassword
Example:
$ mythos analyze no-pragma.sol NoPragma
Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
› Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
› contract NoPragma {
› ^ (Relevant source part starts here and spans across multiple lines).
›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done
UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3
Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25
Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:
no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------
==================================================
Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:
no-pragma.sol 1:0
--------------------------------------------------
--------------------------------------------------
==================================================
Done
$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.13.0 linux-x64 node-v10.19.0
$ mythos --help [COMMAND]
USAGE
$ mythos COMMAND
...
mythos analyze CONTRACTFILE CONTRACTNAME
Scan a smart contract with MythX API
USAGE
$ mythos analyze CONTRACTFILE CONTRACTNAME
ARGUMENTS
CONTRACTFILE Contract file to scan
CONTRACTNAME Contract name
OPTIONS
-h, --help show CLI help
--analysisMode=analysisMode [default: quick] Define the analysis mode when requesting a scan. Choose one from:
quick, full.
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
--solcVersion=solcVersion Solidity version to use when compiling (example: 0.4.21). If none is specified it
will try to identify the version from the source code.
--timeout=timeout [default: 180] How many seconds to wait for the result
See code: src/commands/analyze.ts
mythos get-analysis UUID
Retrieve analysis results scanned with MythX API
USAGE
$ mythos get-analysis UUID
ARGUMENTS
UUID uuid to retrive analysis results
OPTIONS
-h, --help show CLI help
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
See code: src/commands/get-analysis.ts
mythos help [COMMAND]
display help for mythos
USAGE
$ mythos help [COMMAND]
ARGUMENTS
COMMAND command to show help for
OPTIONS
--all see all commands in CLI
See code: @oclif/plugin-help
Before you start hacking away, make sure to install dependencies.
$ npm i
Add your tests, code and make sure tests work.
$ npm test
If you need to update the test golden files you need to enable GENERATE_GOLDEN
when running tests.
$ GENERATE_GOLDEN=true npm test
Update version number in package.json
version to the new number without v
(i.e. 0.12.3
)
{
"name": "@cleanunicorn/mythos",
"description": "A CLI client for MythX",
"version": "0.12.3",
...
Update the Changelog
section in readme and add a description of what was changed.
* [0.12.3](https://github.com/cleanunicorn/mythos/releases/tag/v0.12.3)
* Describe new functionality added.
And run oclif
to update other sections of the readme.
$ npx oclif-dev readme
Tag your commit with the same version number preceded by a v
(i.e. v0.12.3
).
$ git add .
$ git commit -m "Describe new functionality added."
$ git tag v0.12.3
Finally publish the package.
$ npm publish --access public
eslint-utils
to 1.4.2 because of a security issue.lodash.template
to 4.5.0 because of a security issue.folder\file.sol
are transformed to folder/file.sol
.output.txt
file from repo.mainSource
.get-analysis
to save response as issues-${uuid}.json
Severity
to output.--analysisMode
can be full
or quick
.