crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0

[False Negative]: Not show the correct report on unused imports #2535

Open DamirS09 opened 3 months ago

DamirS09 commented 3 months ago

What bug did Slither miss and which detector did you anticipate would catch it?

I have unused imports and it doesn't detect them.

slither . --skip-assembly --detect "unused-import"

Frequency

Very Frequently

Code example to reproduce the issue:

pragma solidity ^0.8.26;

import {FixedPointMathLib} from "solady/utils/FixedPointMathLib.sol";
import {IPoolManager} from "v4-core/interfaces/IPoolManager.sol";
import {Hooks} from "v4-core/libraries/Hooks.sol";
import {LPFeeLibrary} from "v4-core/libraries/LPFeeLibrary.sol";
import {StateLibrary} from "v4-core/libraries/StateLibrary.sol";
import {BeforeSwapDelta, BeforeSwapDeltaLibrary} from "v4-core/types/BeforeSwapDelta.sol";
import {Currency, CurrencyLibrary} from "v4-core/types/Currency.sol";
import {PoolId, PoolIdLibrary} from "v4-core/types/PoolId.sol";
import {PoolKey} from "v4-core/types/PoolKey.sol";
import {BaseHook} from "v4-periphery/BaseHook.sol";

import {MyImport} from "./MyImport.sol"; <---- this unused import

Version:

slither --version 0.10.3

Relevant log output:

slither . --skip-assembly  --detect "unused-import"
'forge clean' running (wd: C:\Users\user\Desktop\project\project)
'forge config --json' running
'forge build --build-info --skip */test/** */script/** --force' running (wd: C:\Users\user\Desktop\project\project)
INFO:Slither:. analyzed (37 contracts with 1 detectors), 0 result(s) found

0xalpharush commented 3 months ago

Can you provide a link to a repo that builds so we can reproduce this? The code snippet is incomplete

DamirS09 commented 3 months ago

> Can you provide a link to a repo that builds so we can reproduce this? The code snippet is incomplete

repository

In Contract1, I used two imports from Contract2 and interface IMyImport. Also in Contract2, I used the interface, but in Contract1 it does not show an unused Contract2 when I used the command:

slither . --skip-assembly --detect "unused-import"

The terminal outputs:

 slither . --skip-assembly  --detect "unused-import"
'forge clean' running (wd: C:\Users\user\Desktop\project\SimpleContract)
'forge config --json' running
'forge build --build-info --skip */test/** */script/** --force' running (wd: C:\Users\user\Desktop\project\SimpleContract)
INFO:Slither:. analyzed (3 contracts with 1 detectors), 0 result(s) found
PS C:\Users\user\Desktop\project\SimpleContract> 

DamirS09 commented 2 months ago

@0xalpharush please take a look

0xalpharush commented 2 months ago

I haven't had a chance to look at this, but the detector was disabled in the latest release bc it was slow and flagging imports that were used https://github.com/crytic/slither/releases/tag/0.10.4
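
With the detector reported as disabled in 0.10.4, a per-file lexical check can still catch the case in this thread: a named import whose symbol never appears in the importing file. The following is an added example, not Slither's detector or any code from the project; the function name `unused_named_imports` and the sample contract are constructed for illustration, and the check deliberately ignores re-exports and unnamed `import "file.sol";` statements.

```python
import re

# Strings and comments are tokenized together so that "//" inside a string
# literal is not mistaken for a comment.
TOKEN_RE = re.compile(
    r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/''', re.S)
# Named imports only: import {A, B as C} from "path";
IMPORT_RE = re.compile(r'\bimport\s*\{([^}]*)\}\s*from\s*(["\'])(.+?)\2\s*;')
IDENT_RE = re.compile(r'[A-Za-z_$][A-Za-z0-9_$]*')


def _strip(source, blank_strings):
    """Replace comments with a space; optionally empty out string literals."""
    def repl(m):
        tok = m.group(0)
        if tok[0] in "\"'":
            return '""' if blank_strings else tok
        return " "
    return TOKEN_RE.sub(repl, source)


def unused_named_imports(source):
    """Return [(local_name, path)] for named imports never referenced in the file."""
    code = _strip(source, blank_strings=False)
    imports = []
    for m in IMPORT_RE.finditer(code):
        for item in m.group(1).split(","):
            parts = item.split()
            if parts:
                # "X as Y" binds the local name Y, which is what the file must use
                imports.append((parts[-1], m.group(3)))
    # Identifiers used anywhere outside import statements, strings and comments
    body = _strip(IMPORT_RE.sub(" ", code), blank_strings=True)
    used = set(IDENT_RE.findall(body))
    return [(name, path) for name, path in imports if name not in used]


# Constructed sample modelled on the snippet in the report (not the reporter's repo).
SAMPLE = '''
pragma solidity ^0.8.26;
import {PoolKey} from "v4-core/types/PoolKey.sol";
import {Currency, CurrencyLibrary} from "v4-core/types/Currency.sol";
import {MyImport} from "./MyImport.sol"; // MyImport is never referenced below
contract Example {
    using CurrencyLibrary for Currency;
    function c0(PoolKey memory key) external pure returns (Currency) { return key.currency0; }
}
'''

if __name__ == "__main__":
    for name, path in unused_named_imports(SAMPLE):
        print(f"unused import: {name} from {path}")
```

Because the match is purely textual, a symbol that is imported only to be re-exported to other files will be reported as unused, so treat the output as a list to review rather than a list to delete.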