crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0

[Bug]: detectors `unused-import`, `solc-version` and `pragma` ignore `filter_paths` config #2415

Closed cruzdanilo closed 6 months ago

cruzdanilo commented 7 months ago

Describe the issue:

The detectors `unused-import`, `solc-version` and `pragma` report issues in files that should be filtered out by path, via the `filter_paths` option.

Code example to reproduce the issue:

src/Contracts.sol:

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.25;

import { IMultiOwnerPlugin } from "modular-account/src/plugins/owner/IMultiOwnerPlugin.sol";

contract Contract {
  IMultiOwnerPlugin public plugin;
}
```

slither.config.json:

```json
{
  "filter_paths": "lib/"
}
```

.gitsubmodules:

```
[submodule "lib/modular-account"]
  path = lib/modular-account
  url = https://github.com/alchemyplatform/modular-account
```

Version:

0.10.2

Relevant log output:

```
INFO:Detectors:
2 different versions of Solidity are used:
    - Version constraint ^0.8.22 is used by:
        - lib/modular-account/src/interfaces/erc4337/UserOperation.sol#7
        - lib/modular-account/src/plugins/owner/IMultiOwnerPlugin.sol#18
    - Version constraint ^0.8.25 is used by:
        - src/Contract.sol#2
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used
INFO:Detectors:
Version constraint ^0.8.22 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
    - VerbatimInvalidDeduplication.
 It is used by:
    - lib/modular-account/src/interfaces/erc4337/UserOperation.sol#7
    - lib/modular-account/src/plugins/owner/IMultiOwnerPlugin.sol#18
Version constraint ^0.8.25 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
.
 It is used by:
    - src/Contract.sol#2
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
INFO:Detectors:
The following unused import(s) in lib/modular-account/src/plugins/owner/IMultiOwnerPlugin.sol should be removed:
    -import {UserOperation} from "../../interfaces/erc4337/UserOperation.sol"; (lib/modular-account/src/plugins/owner/IMultiOwnerPlugin.sol#20)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unused-imports
INFO:Slither:. analyzed (2 contracts with 95 detectors), 4 result(s) found
```

zeGzD commented 7 months ago

More generally, it seems `slither.config.json` is not used even if forced with the CLI option `--config-file slither.config.json`.

0xalpharush commented 7 months ago

@zeGzD Can you open an issue with more info on what you're running into and how to reproduce please? This issue is related to the detector metadata not containing the file name and thus not getting filtered out, and it is not related to the configuration.
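
The failure mode described in the last comment, as an added example that is not part of the thread and is not Slither's code: a path filter can only drop a finding whose metadata names a file. The finding layout, the drop rule (every named file must match), the comma-separated pattern string and the names `RESULTS`, `element_files` and `apply_filter` are assumptions made for illustration.

```python
import re

# Constructed findings (not real Slither output). Each element may or may not
# carry a file name; the field layout here is an assumption for illustration.
RESULTS = [
    {"check": "reentrancy-eth", "elements": [
        {"source_mapping": {"filename_relative": "lib/dep/src/Dep.sol"}}]},
    {"check": "naming-convention", "elements": [
        {"source_mapping": {"filename_relative": "src/Contract.sol"}}]},
    # Findings whose metadata names no file, the case the maintainer describes.
    {"check": "unused-import", "elements": [{"source_mapping": {}}]},
    {"check": "pragma", "elements": []},
]


def element_files(result):
    """Return the file names recorded in a finding's elements (may be empty)."""
    files = []
    for element in result.get("elements", []):
        name = element.get("source_mapping", {}).get("filename_relative")
        if name:
            files.append(name)
    return files


def apply_filter(results, filter_paths):
    """Split findings into (kept, dropped, unfilterable) lists of check names.

    A finding is dropped only if it names at least one file and every named
    file matches a pattern. A finding that names no file can never match, so
    it is kept and also listed as unfilterable.
    """
    patterns = [re.compile(p) for p in filter_paths.split(",") if p]
    kept, dropped, unfilterable = [], [], []
    for result in results:
        files = element_files(result)
        if not files:
            unfilterable.append(result["check"])
            kept.append(result["check"])
        elif all(any(p.search(f) for p in patterns) for f in files):
            dropped.append(result["check"])
        else:
            kept.append(result["check"])
    return kept, dropped, unfilterable


if __name__ == "__main__":
    print(apply_filter(RESULTS, "lib/"))
```

In a CI gate that relies on `filter_paths` to exclude vendored code, a non-empty `unfilterable` list is the signal that some findings bypass the filter and need manual triage.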