@cleanunicorn/mythos
v0.13.0
Published
A CLI client for MythX
Downloads
55
Keywords
Readme
mythos
A CLI client for MythX
Installation
Install globally using:
$ npm -g install @cleanunicorn/mythos
Usage
Use this to scan Solidity source code.
You need to provide your MythX address and password.
As an env variable:
$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract
Or as flags:
$ mythos analyze ./contract.sol Contract \
--mythxEthAddress=mythxEthAddress \
--mythxPassword=mythxPassword
Example:
$ mythos analyze no-pragma.sol NoPragma
Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
› Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
› contract NoPragma {
› ^ (Relevant source part starts here and spans across multiple lines).
›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done
UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3
Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25
Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:
no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------
==================================================
Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:
no-pragma.sol 1:0
--------------------------------------------------
--------------------------------------------------
==================================================
Done
Basic usage
$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.13.0 linux-x64 node-v10.19.0
$ mythos --help [COMMAND]
USAGE
$ mythos COMMAND
...
Commands
mythos analyze CONTRACTFILE CONTRACTNAME
Scan a smart contract with MythX API
USAGE
$ mythos analyze CONTRACTFILE CONTRACTNAME
ARGUMENTS
CONTRACTFILE Contract file to scan
CONTRACTNAME Contract name
OPTIONS
-h, --help show CLI help
--analysisMode=analysisMode [default: quick] Define the analysis mode when requesting a scan. Choose one from:
quick, full.
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
--solcVersion=solcVersion Solidity version to use when compiling (example: 0.4.21). If none is specified it
will try to identify the version from the source code.
--timeout=timeout [default: 180] How many seconds to wait for the result
See code: src/commands/analyze.ts
mythos get-analysis UUID
Retrieve analysis results scanned with MythX API
USAGE
$ mythos get-analysis UUID
ARGUMENTS
UUID uuid to retrive analysis results
OPTIONS
-h, --help show CLI help
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
See code: src/commands/get-analysis.ts
mythos help [COMMAND]
display help for mythos
USAGE
$ mythos help [COMMAND]
ARGUMENTS
COMMAND command to show help for
OPTIONS
--all see all commands in CLI
See code: @oclif/plugin-help
Development
Before you start hacking away, make sure to install dependencies.
$ npm i
Add your tests, code and make sure tests work.
$ npm test
If you need to update the test golden files you need to enable GENERATE_GOLDEN
when running tests.
$ GENERATE_GOLDEN=true npm test
Update version number in package.json
version to the new number without v
(i.e. 0.12.3
)
{
"name": "@cleanunicorn/mythos",
"description": "A CLI client for MythX",
"version": "0.12.3",
...
Update the Changelog
section in readme and add a description of what was changed.
* [0.12.3](https://github.com/cleanunicorn/mythos/releases/tag/v0.12.3)
* Describe new functionality added.
And run oclif
to update other sections of the readme.
$ npx oclif-dev readme
Tag your commit with the same version number preceded by a v
(i.e. v0.12.3
).
$ git add .
$ git commit -m "Describe new functionality added."
$ git tag v0.12.3
Finally publish the package.
$ npm publish --access public
Changelog
- Fixed compile compatibility with solc-js.
- Fix build process.
- Add steps to help with development and publishing in readme.
- Fix version matching in some cases. Now the version must start with the version
- Update
eslint-utils
to 1.4.2 because of a security issue.
- Update
- Update
lodash.template
to 4.5.0 because of a security issue.
- Update
- Fix Microsoft Windows backslash path issue when specifying contract filename the paths like
folder\file.sol
are transformed tofolder/file.sol
. - Remove sample
output.txt
file from repo.
- Fix Microsoft Windows backslash path issue when specifying contract filename the paths like
- Upgrade dependencies.
- Update tests.
- Do not use nightly solidity version when compiling.
- Improve regex expression which matches for linked libs.
- Slightly improve output.
- Add newly added required parameter in request:
mainSource
. - Display errors in a more consistent way.
- Add newly added required parameter in request:
- Update to new armlet version and to new API changes
- Fix off by one source mapping
- Fix file name when running
get-analysis
to save response asissues-${uuid}.json
- Make compilation errors more obvious
- Display more information from report: compiler version used, API versions, SWC-ID, report's UUID
- Display clear error when incorrect contract name is specified
- Display compilation warnings
- Fix file name when running
- Send the AST when requesting an analysis
- Fix external lib import, it sends the library information to MythX
- Dump issues in a file as issues-[uuid].json for easy manual inspection
- Setup automatic tests
- Fix dynamic linking issue (thanks to @eswarasai).
- Automatically import other files (thanks to @eswarasai).
- Fix minor issue when picking Solidty version (thanks to @eswarasai).
- Fix issue count (thanks to @tagomaru).
- Update npm dependencies
- Display message on syntax error.
- Add
Severity
to output.
- Add
- Request different depths of analyses with
--analysisMode
can befull
orquick
. - Add changelog.
- Request different depths of analyses with
- Stable version, first release.