mythos

A CLI client for MythX

• Installation
• Usage
• Commands
• Development
• Changelog

Installation

Install globally using:

$ npm -g install @cleanunicorn/mythos

Usage

Use this to scan Solidity source code.

You need to provide your MythX address and password.

As an env variable:

$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract

Or as flags:

$ mythos analyze ./contract.sol Contract \
  --mythxEthAddress=mythxEthAddress \
  --mythxPassword=mythxPassword

Example:

$ mythos analyze no-pragma.sol NoPragma

Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
 ›   Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
 ›   contract NoPragma {
 ›   ^ (Relevant source part starts here and spans across multiple lines).
 ›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done

UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3

Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25

Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:

no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------

==================================================

Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:

no-pragma.sol 1:0
--------------------------------------------------

--------------------------------------------------

==================================================

Done

Basic usage

$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.13.0 linux-x64 node-v10.19.0
$ mythos --help [COMMAND]
USAGE
  $ mythos COMMAND
...

Commands

• mythos analyze CONTRACTFILE CONTRACTNAME
• mythos get-analysis UUID
• mythos help [COMMAND]

mythos analyze CONTRACTFILE CONTRACTNAME

Scan a smart contract with MythX API

USAGE
  $ mythos analyze CONTRACTFILE CONTRACTNAME

ARGUMENTS
  CONTRACTFILE  Contract file to scan
  CONTRACTNAME  Contract name

OPTIONS
  -h, --help                         show CLI help

  --analysisMode=analysisMode        [default: quick] Define the analysis mode when requesting a scan. Choose one from:
                                     quick, full.

  --mythxEthAddress=mythxEthAddress  (required)

  --mythxPassword=mythxPassword      (required)

  --solcVersion=solcVersion          Solidity version to use when compiling (example: 0.4.21). If none is specified it
                                     will try to identify the version from the source code.

  --timeout=timeout                  [default: 180] How many seconds to wait for the result

See code: src/commands/analyze.ts

mythos get-analysis UUID

Retrieve analysis results scanned with MythX API

USAGE
  $ mythos get-analysis UUID

ARGUMENTS
  UUID  uuid to retrive analysis results

OPTIONS
  -h, --help                         show CLI help
  --mythxEthAddress=mythxEthAddress  (required)
  --mythxPassword=mythxPassword      (required)

See code: src/commands/get-analysis.ts

mythos help [COMMAND]

display help for mythos

USAGE
  $ mythos help [COMMAND]

ARGUMENTS
  COMMAND  command to show help for

OPTIONS
  --all  see all commands in CLI

See code: @oclif/plugin-help

Development

Before you start hacking away, make sure to install dependencies.

$ npm i

Add your tests, code and make sure tests work.

$ npm test

If you need to update the test golden files you need to enable GENERATE_GOLDEN when running tests.

$ GENERATE_GOLDEN=true npm test

Update version number in package.json version to the new number without v (i.e. 0.12.3)

{
  "name": "@cleanunicorn/mythos",
  "description": "A CLI client for MythX",
  "version": "0.12.3",
...

Update the Changelog section in readme and add a description of what was changed.

* [0.12.3](https://github.com/cleanunicorn/mythos/releases/tag/v0.12.3)
  * Describe new functionality added.

And run oclif to update other sections of the readme.

$ npx oclif-dev readme

Tag your commit with the same version number preceded by a v (i.e. v0.12.3).

$ git add .
$ git commit -m "Describe new functionality added."
$ git tag v0.12.3

Finally publish the package.

$ npm publish --access public

Changelog

• 0.13.0

  • Fixed compile compatibility with solc-js.

• 0.12.4

  • Fix build process.
  • Add steps to help with development and publishing in readme.

• 0.12.1

  • Fix version matching in some cases. Now the version must start with the version

• 0.11.0

  • Update eslint-utils to 1.4.2 because of a security issue.

• 0.10.5

  • Update lodash.template to 4.5.0 because of a security issue.

• 0.10.4

  • Fix Microsoft Windows backslash path issue when specifying contract filename the paths like folder\file.sol are transformed to folder/file.sol.
  • Remove sample output.txt file from repo.

• 0.10.3

  • Upgrade dependencies.

• 0.10.2

  • Update tests.
  • Do not use nightly solidity version when compiling.

• 0.10.1

  • Improve regex expression which matches for linked libs.
  • Slightly improve output.

• 0.10.0

  • Add newly added required parameter in request: mainSource.
  • Display errors in a more consistent way.

• 0.9.0

  • Update to new armlet version and to new API changes

• 0.8.1

  • Fix off by one source mapping

• 0.8.0

  • Fix file name when running get-analysis to save response as issues-${uuid}.json
  • Make compilation errors more obvious
  • Display more information from report: compiler version used, API versions, SWC-ID, report's UUID
  • Display clear error when incorrect contract name is specified
  • Display compilation warnings

• 0.7.0

  • Send the AST when requesting an analysis

• 0.6.0

  • Fix external lib import, it sends the library information to MythX
  • Dump issues in a file as issues-[uuid].json for easy manual inspection

• 0.5.2

  • Setup automatic tests

• 0.5.1

  • Fix dynamic linking issue (thanks to @eswarasai).

• 0.5.0

  • Automatically import other files (thanks to @eswarasai).
  • Fix minor issue when picking Solidty version (thanks to @eswarasai).
  • Fix issue count (thanks to @tagomaru).

• 0.4.1

  • Update npm dependencies

• 0.4.0

  • Correctly pick solidity version when an interval is set (thanks to @nanspro).
  • Add get-analysis command to retrieve a scanned result (thanks to @tagomaru).
  • Fix displaying severity in output list.

• 0.3.2

  • Display message on syntax error.

• 0.3.1

  • Add Severity to output.

• 0.3.0

  • Request different depths of analyses with --analysisMode can be full or quick.
  • Add changelog.

• 0.2.0

  • Stable version, first release.