crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0

More robust triage mode #2300

Open mds1 opened 9 months ago

mds1 commented 9 months ago

Describe the desired feature

There are two ways to triage an issue:

  1. Using // slither-disable comments
  2. Using triage mode to save findings to a database

I prefer (2) because (1) can get noisy and result in many source code comments.

In https://github.com/crytic/slither-action/issues/70#issuecomment-1933104976 @elopez helped me notice that the triage database isn't robust to unrelated source code changes. In that example, a contract had 8 incorrect-return findings ignored via triage, and after removing 2 unused error declarations in that contract, those resurfaced.

It seems this happens because the ID of the finding changed. I'm not sure how IDs are determined, but my guess is they are a function of line number.

I'm not sure of the best way to implement this feature, but it would be very helpful if the database findings were more robust to source code changes.
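Added illustration of the failure mode described above (not Slither's own code; the line-keyed ID scheme is the one the issue guesses at, the structural alternative is a hypothetical fix, and the Solidity snippet is constructed): deleting two unrelated declarations above a triaged finding changes a line-keyed ID, while an ID keyed on the enclosing contract, function and statement survives the same edit.

```python
import hashlib
import re

# Constructed Solidity source: two unused error declarations sit above the
# function whose "incorrect-return" style finding was triaged.
BEFORE = """\
contract Vault {
    error Unused1();
    error Unused2();
    function withdraw() external {
        target.call("");
    }
}
"""
# The same contract after deleting the two unused error declarations.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "Unused" not in l) + "\n"

def find_finding(src, needle="target.call"):
    """Locate the flagged statement: (line_no, contract, function, statement)."""
    contract = function = None
    for no, line in enumerate(src.splitlines(), start=1):
        m = re.match(r"\s*contract\s+(\w+)", line)
        if m:
            contract = m.group(1)
        m = re.match(r"\s*function\s+(\w+)", line)
        if m:
            function = m.group(1)
        if needle in line:
            return no, contract, function, line.strip()
    raise ValueError("finding not present")

def line_based_id(detector, path, src):
    # Hypothetical ID of the kind the issue suspects: keyed on file and line number.
    no, *_ = find_finding(src)
    return hashlib.sha256(f"{detector}:{path}:{no}".encode()).hexdigest()

def structural_id(detector, path, src):
    # Hypothetical alternative: keyed on what was flagged and its enclosing scope,
    # so line shifts caused by unrelated edits do not change the ID.
    _, contract, function, stmt = find_finding(src)
    key = f"{detector}:{path}:{contract}:{function}:{stmt}"
    return hashlib.sha256(key.encode()).hexdigest()

def triage_survives(id_fn, detector="incorrect-return", path="Vault.sol"):
    """True if a finding triaged on BEFORE is still recognised on AFTER."""
    triaged = {id_fn(detector, path, BEFORE)}
    return id_fn(detector, path, AFTER) in triaged
```

With the constructed input, the line-keyed scheme loses the triage entry (the finding moves from line 5 to line 3) while the structural scheme keeps it.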

0xalpharush commented 9 months ago

This doesn't really address the issue but would it be helpful to only show results from the current diff so that the CI and local results match up (https://github.com/crytic/slither/issues/1954)?

mds1 commented 9 months ago

Oh yes that would be very helpful! One of the issues with code scanning integration is that the local DB doesn't sync with what's been triaged in github, so running slither . locally stays noisy. Being able to run slither . --diff {baseBranchName} and have CI behavior match that would be great.

I think that would be sufficient for me to not need this issue's feature anytime soon.

mds1 commented 1 month ago

Any updates on #1954?

montyly commented 1 month ago

Thanks for the reminder @mds1.

I definitely see that this is an important usability issue. We are going to brainstorm internally to see what we can do