0.5.3 • Published 5 years ago

truffle-sca2t v0.5.3



truffle-sca2t (Smart Contract Audit Assistant Tool): A set of utilities for auditing Solidity contracts.

truffle-sca2t is a plugin for the Truffle framework and an assistant tool for smart contract auditing. It provides utilities that help you audit your smart contracts and make them more secure. The plugin is compatible with Truffle 5.0 or higher.

sca2t is pronounced like skärt.

Getting Started

Install it via npm:

$ npm install truffle-sca2t

If you want to install it globally, you also need to install mocha and mocha-simple-html-reporter globally:

$ npm install -g truffle-sca2t mocha mocha-simple-html-reporter

Configuration

Add the following to truffle-config.js in the root directory of your Truffle project:

module.exports = {
    plugins: [ "truffle-sca2t" ]
};

Command List

1. mythx

The mythx command generates test code files for MythX. The test files act as a MythX client and report vulnerabilities, errors, and the MythX log. You can integrate the test code files into your CI because they do not depend on any specific CI product such as CircleCI, Travis CI, or Jenkins. You can see a sample project and its test result on CircleCI. This command can also generate a Postman Collection file for Postman users.
If you only want to use this as a MythX client tool, you can use the command line interface mode.

1-1. Generate Test Code File of mocha

1-1-1. MythX Account

You can set up an account on the MythX website to get full access.

After setting up an account, set the following environment variables to your ETH address and password (add this to your .bashrc or .bash_profile for added convenience):

export MYTHX_ETH_ADDRESS=0x1234567891235678900000000000000000000000
export MYTHX_PASSWORD='Put your password in here!'

1-1-2. Generate Test Code Files

$ truffle run mythx fileA.sol

or, for multiple files:

$ truffle run mythx fileA.sol fileB.sol

The following is also fine (tab autocompletion is supported):

$ truffle run mythx contracts/fileA.sol contracts/fileB.sol

You can pass multiple files, but this command also searches dependencies automatically. For example,

A.sol

pragma solidity ^0.5.0;
import "my-npm-pkg/contracts/C.sol";
contract A is C {}
contract B {}

C.sol

pragma solidity ^0.5.0;
contract C {
  uint public a;
  function add(uint b) public {
    a = a + b;
  }
}

The command truffle run mythx A.sol generates the test code file testA.sol.js, which includes tests for A and B. The test for A also covers C, because the test code file sends the AST and source code of both A and C to the MythX API at the same time. You can see the sent data here.

Therefore you do not need to list the files that the main contract file depends on.
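The dependency search described above is what lets a single entry file stand for its whole import closure. The following added example (not truffle-sca2t's own code) shows one way to implement it: walk Solidity import statements, resolve relative imports against the importing file and package imports against node_modules, and collect every reachable source. The project files are a constructed in-memory map standing in for the project directory; replace readFile with fs.readFileSync to use it on disk. EthPM lookups are omitted.

```javascript
// Added example, not part of truffle-sca2t. Constructed project layout:
// contracts/A.sol imports an npm package contract, which imports a relative
// file. These are not real files on disk.
const FILES = {
  "contracts/A.sol": [
    'pragma solidity ^0.5.0;',
    'import "my-npm-pkg/contracts/C.sol";',
    'contract A is C {}',
    'contract B {}',
  ].join("\n"),
  "node_modules/my-npm-pkg/contracts/C.sol": [
    'pragma solidity ^0.5.0;',
    'import "./lib/SafeMath.sol";',
    'contract C { using SafeMath for uint; uint public a;',
    '  function add(uint b) public { a = a.add(b); } }',
  ].join("\n"),
  "node_modules/my-npm-pkg/contracts/lib/SafeMath.sol": [
    'pragma solidity ^0.5.0;',
    'library SafeMath { function add(uint x, uint y) internal pure returns (uint) {',
    '  uint z = x + y; require(z >= x); return z; } }',
  ].join("\n"),
};

// Stand-in for fs.readFileSync(path, "utf8").
function readFile(path) {
  if (!(path in FILES)) throw new Error("file not found: " + path);
  return FILES[path];
}

// Matches the import forms Solidity 0.5 accepts:
//   import "x";   import {A, B} from "x";   import * as X from "x";   import "x" as Y;
const IMPORT_RE = /^\s*import\s+(?:[^"';]*\bfrom\s+)?["']([^"']+)["']/gm;

function listImports(source) {
  const specs = [];
  IMPORT_RE.lastIndex = 0;
  let m;
  while ((m = IMPORT_RE.exec(source)) !== null) specs.push(m[1]);
  return specs;
}

// POSIX-style path join and normalisation ("." and ".." segments) with no
// dependency on require("path"), so the snippet runs in any JS host.
function joinPath(dir, rel) {
  const parts = (dir ? dir.split("/") : []).filter(Boolean);
  for (const seg of rel.split("/")) {
    if (seg === "." || seg === "") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// Relative imports resolve against the importing file's directory; anything
// else is treated as an npm package path under node_modules (assumption).
function resolveImport(fromFile, spec) {
  if (spec.startsWith("./") || spec.startsWith("../")) {
    const dir = fromFile.includes("/") ? fromFile.slice(0, fromFile.lastIndexOf("/")) : "";
    return joinPath(dir, spec);
  }
  return joinPath("node_modules", spec);
}

// Depth-first walk over the import graph. The `sources` map doubles as the
// visited set, so import cycles terminate instead of recursing forever.
function collectSources(entryFiles) {
  const sources = {};
  const visit = (file) => {
    if (file in sources) return;
    const src = readFile(file);
    sources[file] = src;
    for (const spec of listImports(src)) visit(resolveImport(file, spec));
  };
  entryFiles.forEach(visit);
  return sources;
}

// Running this prints the three files that A.sol transitively depends on.
console.log(Object.keys(collectSources(["contracts/A.sol"])));
```

The returned map (path to source text) is exactly the payload shape a tool needs when it submits "A plus everything A depends on" in one request, which is why the test file for A can also report findings in C.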

1-1-3. Configuration For Your CI

This command automatically generates an sca2t-config.js file in your project root for your settings. You can set the report format, skipped SWCs, and so on.

1-1-4. Run The Test Code Files

If the test code files are generated successfully, you can run the mocha tests:

$ npm run test:security

If you want a nicely formatted HTML report (recommended), run the command below:

$ npm run test:security:html

security-report.html is generated in your project root. The report for the A example above is shown below; as you can see, it reports the vulnerability found in C.

And you can see the report here.

1-1-5. Get Analysis (if a timeout happens)

If a timeout happens, you can fetch the analysis later with the UUID that the test shows.

$ truffle run mythx --uuid='your UUID'

1-2. Postman Support

1-2-1. Generate Postman Collection File

If you want to inspect the raw HTTP requests and responses, use the --postman option. This generates a Postman Collection file which sends the same requests as the mocha test code does.

$ truffle run mythx contracts/fileA.sol --postman

or, for multiple files:

$ truffle run mythx contracts/fileA.sol contracts/fileB.sol --postman

1-2-2. Import Postman Collection File in Postman

Import the generated file into Postman. You need to set ethAddress and password in the Postman environment variables.

Currently, this supports the following requests:

1. login
2. submit analysis
3. get status
4. get issues

1-3. Command Line Interface Mode

If you do not need test code files, you can run the analysis without them. Just add the --cli option.

$ truffle run mythx contracts/fileA.sol contracts/fileB.sol --cli

By adding the --markdown option, you get the report in Markdown format.

$ truffle run mythx contracts/fileA.sol contracts/fileB.sol --cli --markdown

The sample report is here (the emoji is optional).

1-4. Advanced Options

Run truffle run mythx --help to show the advanced configuration options.

$ truffle run mythx --help
Usage: truffle run mythx [*file-name1* [*file-name2*] ...]
  e.g.: truffle run mythx contracts/fileA.sol contracts/sub/fileB.sol

Options:
  --help      print help.
  --uuid      get analysis report with UUID.
  --postman   generate Postman collection file.
  --cli       analyze in cli mode.
  --markdown  generate markdown format report in cli mode.
  --emoji     insert emoji in markdown format report. (Only support GitHub Flavored Markdown)

2. dependencies

The dependencies command outputs a draggable report that visualizes dependencies among contracts. It also generates a list of information about contracts, functions, and so on. It supports dependencies through inheritance, using declarations, and user-defined types, and it searches EthPM and NPM packages for contracts.

$ truffle run dependencies fileA.sol

or

$ truffle run dependencies fileA.sol fileB.sol
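The three dependency kinds named above (inheritance, using declarations, user-defined types) can be extracted from source text without a full compiler. The following added example, which is not truffle-sca2t's own code, does that for a constructed Solidity file: it finds every contract, library and interface declaration, records inherits/using/type edges between them, and renders the graph in Graphviz DOT, a format a reviewer can turn into a picture or diff between two revisions. The contract names and the regex-based parsing are assumptions of this example, which is meant for reading an audit scope, not as a replacement for compiler output.

```javascript
// Added example, not part of truffle-sca2t. Constructed Solidity input.
const SOURCE = `
pragma solidity ^0.5.0;
library SafeMath { function add(uint x, uint y) internal pure returns (uint) { return x + y; } }
contract Token { function balanceOf(address a) public view returns (uint) { return 0; } }
contract Ownable { address public owner; }
contract Vault is Ownable {
  using SafeMath for uint;
  Token public token;                      // user-defined type reference
  function deposit(uint n) public { n.add(1); }
}
`;

// contract|library|interface Name [is A, B] {
const DECL_RE = /\b(contract|library|interface)\s+(\w+)\s*(?:is\s+([\w\s,]+?))?\s*\{/g;

// Return the text between the brace at openIdx and its matching close brace.
function bodyAt(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(openIdx + 1, i);
  }
  throw new Error("unbalanced braces");
}

// Build { nodes, edges } where each edge is { from, to, kind } and kind is
// "inherits", "using" or "type" (a declared name used as a variable/param type).
function dependencyGraph(src) {
  const decls = [];
  DECL_RE.lastIndex = 0;
  let m;
  while ((m = DECL_RE.exec(src)) !== null) {
    decls.push({
      kind: m[1],
      name: m[2],
      bases: m[3] ? m[3].split(",").map((s) => s.trim()).filter(Boolean) : [],
      body: bodyAt(src, m.index + m[0].length - 1),
    });
  }
  const known = decls.map((d) => d.name);
  const edges = [];
  for (const d of decls) {
    for (const b of d.bases) edges.push({ from: d.name, to: b, kind: "inherits" });
    const usingRe = /\busing\s+(\w+)\s+for\b/g;
    let u;
    while ((u = usingRe.exec(d.body)) !== null) edges.push({ from: d.name, to: u[1], kind: "using" });
    // Any other declared name mentioned in the body counts as a type reference,
    // unless an inherits/using edge to it already exists.
    const linked = new Set(edges.filter((e) => e.from === d.name).map((e) => e.to));
    for (const n of known) {
      if (n === d.name || linked.has(n)) continue;
      if (new RegExp("\\b" + n + "\\b").test(d.body)) edges.push({ from: d.name, to: n, kind: "type" });
    }
  }
  return { nodes: decls.map((d) => ({ name: d.name, kind: d.kind })), edges };
}

// Render as Graphviz DOT so the graph can be drawn with `dot -Tsvg`.
function toDot(graph) {
  const lines = ["digraph deps {"];
  for (const n of graph.nodes) lines.push(`  ${n.name} [shape=${n.kind === "library" ? "note" : "box"}];`);
  for (const e of graph.edges) lines.push(`  ${e.from} -> ${e.to} [label="${e.kind}"];`);
  lines.push("}");
  return lines.join("\n");
}

console.log(toDot(dependencyGraph(SOURCE)));
```

For an auditor the edge list is the scope check: every node reachable from the contract under review is code whose behaviour the review must cover, and a "using" edge to a library you did not expect is worth a look before reading function bodies.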

3. eventgen

The eventgen command inserts an event declaration and a call to it into all contracts and functions except view functions. This helps you see which contract and function is called in contracts that rely on many other contracts. Don't forget to back up your Solidity files before running this.

$ truffle run eventgen contracts/fileA.sol contracts/fileB.sol

or

$ find contracts -name "*.sol" | xargs truffle run eventgen
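To make the transformation eventgen performs concrete, here is an added example (not truffle-sca2t's own implementation) of the same idea: declare a trace event in every contract and emit it at the top of every function body that is not read-only. The event name Sca2tTrace, the decision to skip pure functions as well as view ones, and the regex-based source handling are assumptions of this example; the Solidity input is constructed. As the text says, run anything like this on a backup, since it rewrites the source.

```javascript
// Added example, not part of truffle-sca2t. Constructed Solidity input.
const INPUT = `pragma solidity ^0.5.0;
contract Counter {
  uint public n;
  function inc() public { n += 1; }
  function get() public view returns (uint) { return n; }
  function reset(uint to) external { n = to; }
}
contract Other {
  function ping() public pure returns (bool) { return true; }
}`;

// Hypothetical event name; the real tool may use a different one.
const EVENT_NAME = "Sca2tTrace";

// Alternative 1: a contract header up to its opening brace.
// Alternative 2: a function header: name, parameter list, modifiers, then
//                "{" (has a body) or ";" (abstract, nothing to instrument).
const HEADER_RE = /\b(contract)\s+(\w+)[^{]*\{|\bfunction\s*(\w*)\s*\(([^)]*)\)([^{;]*)([{;])/g;

// Return the instrumented source. Library and interface declarations are left
// alone: interfaces have no bodies, and a 0.5 library cannot declare an event.
function instrument(src) {
  let current = null; // name of the contract whose body we are inside
  return src.replace(HEADER_RE, (match, ctr, ctrName, fnName, params, mods, end) => {
    if (ctr) {
      current = ctrName;
      return match + `\n  event ${EVENT_NAME}(string contractName, string functionName);`;
    }
    if (end === ";" || current === null) return match;        // abstract or outside a contract
    if (/\b(view|pure|constant)\b/.test(mods)) return match;  // read-only: emitting is not allowed
    const label = fnName || "fallback";                       // `function()` is the 0.5 fallback
    return match + ` emit ${EVENT_NAME}("${current}", "${label}");`;
  });
}

// Count how many emit statements were inserted, useful for a sanity check
// against the number of state-changing functions you expected.
function countEmits(src) {
  return (src.match(new RegExp("\\bemit " + EVENT_NAME + "\\(", "g")) || []).length;
}

const OUTPUT = instrument(INPUT);
console.log(OUTPUT);
console.log("emit statements inserted:", countEmits(OUTPUT));
```

When the instrumented contracts run under a Truffle test, each transaction's receipt then carries a Sca2tTrace log per function entered, which gives the call path through a system of many contracts without a debugger. The regex approach is fine for a one-off audit aid but will mis-handle parameter lists containing parentheses or the word `function` in comments; a tool that must be reliable should work on the compiler AST instead.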

License

MIT
