crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0
5.33k stars 967 forks

only warn once per compilation unit for `solc-version` detector #1593

Closed 0xalpharush closed 7 months ago

0xalpharush commented 1 year ago

Describe the desired feature

Currently a result is created for every file but we could only warn once for each version that is considered too recent

EnbangWu commented 1 year ago

Can I take on this issue? I think it's the incorrect_solc.py detector, right?

0xalpharush commented 1 year ago

@EnbangWu That would be great! Yes, it's incorrect_solc.py. I think a good way to fix this would be to make disallowed_pragmas a set instead of a list so that only unique results are kept. https://github.com/crytic/slither/blob/4c976d5af56219eeef079e03a35009af3e03644d/slither/detectors/attributes/incorrect_solc.py#L128-L141 Then, you may need to update the detector's tests using python ./tests/test_detectors.py --overwrite as explained here. Lmk if you need help or have questions!

EnbangWu commented 1 year ago

That's a great help! Thanks a lot, @0xalpharush !

EnbangWu commented 1 year ago

OK, just wrote two test solidity files using version 0.8.17 (as how the too_recent_versions are defined in incorrect.sol). Running slither . would give us:

Pragma version^0.8.17 (test1.sol#2) necessitates a version too recent to be trusted. Consider deploying with 0.6.12/0.7.6/0.8.16
solc-0.8.17 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

Pragma version^0.8.17 (test2.sol#2) necessitates a version too recent to be trusted. Consider deploying with 0.6.12/0.7.6/0.8.16
solc-0.8.17 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

I would like to see something like this:

Pragma version^0.8.17 (test1.sol#2), (test2.sol#2) necessitates a version too recent to be trusted. Consider deploying with 0.6.12/0.7.6/0.8.16
solc-0.8.17 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
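The grouping the comment above asks for, written as a stand-alone added example (not Slither's incorrect_solc.py, and not code from this thread): pragmas are scanned out of constructed sample sources, and findings are keyed by numeric version so every file on a too-recent compiler lands in one result with all its locations. TOO_RECENT and RECOMMENDED are placeholder values, not the detector's real configuration.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the detector's configuration (not Slither's own values).
TOO_RECENT = {"0.8.17"}
RECOMMENDED = "0.6.12/0.7.6/0.8.16"
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")

# Constructed sample sources: the two test files from the thread plus one
# file on an accepted version, which must not appear in the output.
SAMPLE_SOURCES = {
    "test1.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.17;\ncontract A {}\n",
    "test2.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.17;\ncontract B {}\n",
    "older.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.16;\ncontract C {}\n",
}


def find_pragmas(sources):
    """Yield (filename, line_no, version_expr) for every solidity pragma in
    `sources`, a mapping of filename -> file text."""
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = PRAGMA_RE.search(line)
            if m:
                yield fname, lineno, m.group(1).strip()


def too_recent_results(sources):
    """Return one message per too-recent version rather than one per file.
    Keying on the numeric version means '^0.8.17' and '0.8.17' collapse into
    the same result, with every location listed after the version."""
    by_version = defaultdict(list)
    for fname, lineno, expr in find_pragmas(sources):
        vm = VERSION_RE.search(expr)
        if vm and vm.group(0) in TOO_RECENT:
            by_version[vm.group(0)].append(f"{fname}#{lineno}")
    results = []
    for version, locs in sorted(by_version.items()):
        where = ", ".join(f"({loc})" for loc in sorted(locs))
        results.append(
            f"Pragma version {version} {where} necessitates a version too recent "
            f"to be trusted. Consider deploying with {RECOMMENDED}"
        )
    return results


if __name__ == "__main__":
    for msg in too_recent_results(SAMPLE_SOURCES):
        print(msg)
```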

EnbangWu commented 1 year ago

Just made the pull request. Is there a way I can run slither and see the changed output locally? Or should I duplicate the detector file, customize it, and then run python3 incorrect_solc.py taking some test sol files as inputs? Sorry, it's a lot, thank you!