crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0

[Bug]: info from `solc-version` detector displays misleading message #2478

Open penandlim opened 4 weeks ago

penandlim commented 4 weeks ago

Describe the issue:

With slither 0.10.3 on a new Foundry repo with `pragma solidity 0.8.23`, running slither reports the info message below.

INFO:Detectors:
Version constraint 0.8.23 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
.
It is used by:
        - 0.8.23 (src/Counter.sol#2)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

But as far as I know there are no known issues for Solidity 0.8.23 yet. https://solidity.readthedocs.io/en/latest/bugs.html https://github.com/crytic/slither/blob/798c1f6387ea0ce94ff792292095e4f9d0075bc9/slither/utils/buggy_versions.py#L1585-L1587

Is this the intended info message from solc-version detector for ^0.8.23?

Code example to reproduce the issue:

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.23;

contract Counter {
    uint256 public number;

    function setNumber(uint256 newNumber) public {
        number = newNumber;
    }

    function increment() public {
        number++;
    }
}

Version:

0.10.3

Relevant log output:

❯ slither . 
'forge clean' running (wd: /home/me/project)
'forge config --json' running
'forge build --build-info --skip */test/** */script/** --force' running (wd: /home/me/project)
INFO:Detectors:
Version constraint 0.8.23 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
.
It is used by:
        - 0.8.23 (src/Counter.sol#2)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
INFO:Slither:. analyzed (1 contracts with 94 detectors), 1 result(s) found

0xalpharush commented 1 week ago

I think this is missing a length check on bugs_by_version and should be something like if version_number in bugs_by_version and len(bugs_by_version): https://github.com/crytic/slither/blob/798c1f6387ea0ce94ff792292095e4f9d0075bc9/slither/detectors/attributes/incorrect_solc.py#L74
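
The behaviour described in the comment above, as an added illustration that is not slither's own code: a small model of the version lookup in which a recent release is present in the bug table with an empty bug list. `BUGS_BY_VERSION` is a constructed stand-in for `slither/utils/buggy_versions.py`, and the two check functions are hypothetical names chosen to show the membership-only test beside the test that also requires a non-empty list; neither is the real detector.

```python
"""Model of the solc-version lookup discussed in this issue.

Added example, not code from the slither repository. The table below is a
constructed stand-in for slither/utils/buggy_versions.py and the check
functions are illustrative, not the detector in incorrect_solc.py.
"""
import re
from typing import Callable, Dict, List

# Constructed sample: each entry maps a compiler version to the names of
# known bugs that affect it. Recent releases are listed with an EMPTY list,
# which is the case the issue reports for 0.8.23 (and 0.8.24).
BUGS_BY_VERSION: Dict[str, List[str]] = {
    "0.4.24": ["ExpExponentCleanup", "EventStructWrongData"],
    "0.8.13": ["InlineAssemblyMemorySideEffects"],
    "0.8.23": [],
    "0.8.24": [],
}

# Handles simple pins such as `0.8.23` or `^0.8.23`; range constraints like
# `>=0.8.0 <0.9.0` are out of scope for this model.
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+\^?([0-9]+\.[0-9]+\.[0-9]+)\s*;")


def pinned_versions(source: str) -> List[str]:
    """Return the exact versions named in `pragma solidity` statements."""
    return PRAGMA_RE.findall(source)


def has_known_bugs_buggy(version: str) -> bool:
    """Membership test only: a version with an empty bug list still 'has bugs'."""
    return version in BUGS_BY_VERSION


def has_known_bugs_fixed(version: str) -> bool:
    """Membership AND a non-empty bug list, i.e. the missing length check."""
    return bool(BUGS_BY_VERSION.get(version))


def report(source: str, check: Callable[[str], bool]) -> List[str]:
    """Run `check` over every pinned version in `source`; return the flagged ones."""
    return [v for v in pinned_versions(source) if check(v)]


# Constructed inputs: the reporter's Counter.sol pin and an old, genuinely
# affected pin for contrast.
COUNTER_SOL = """\
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.23;

contract Counter {
    uint256 public number;
}
"""

OLD_SOL = "pragma solidity 0.4.24;\ncontract Old {}\n"

if __name__ == "__main__":
    for name, src in (("Counter.sol", COUNTER_SOL), ("Old.sol", OLD_SOL)):
        print(name, "membership-only check flags:", report(src, has_known_bugs_buggy))
        print(name, "with length check flags:    ", report(src, has_known_bugs_fixed))
```

With the membership-only test, `Counter.sol` is flagged even though its entry carries no bugs, which is the misleading message in the report; with the length check it is not, while the 0.4.24 pin is still reported under both tests.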

MukulKolpe commented 1 week ago

Hey @0xalpharush, can I work on this issue?

0xalpharush commented 1 week ago

Yes you're welcome to work on this

Tony-S201 commented 8 hours ago

Hi, I have the same problem on 0.8.24.