A CLI client for MythX
Install globally using:
$ npm -g install @cleanunicorn/mythos
Use this to scan Solidity source code.
You need to provide your MythX address and password.
As an env variable:
$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract
Or as flags:
$ mythos analyze ./contract.sol Contract \
--mythxEthAddress=mythxEthAddress \
--mythxPassword=mythxPassword
Example:
$ mythos analyze no-pragma.sol NoPragma
Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
› Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
› contract NoPragma {
› ^ (Relevant source part starts here and spans across multiple lines).
›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done
UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3
Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25
Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:
no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------
==================================================
Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:
no-pragma.sol 1:0
--------------------------------------------------
--------------------------------------------------
==================================================
Done
$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.10.5 linux-x64 node-v10.16.0
$ mythos --help [COMMAND]
USAGE
$ mythos COMMAND
...
Scan a smart contract with MythX API
USAGE
$ mythos analyze CONTRACTFILE CONTRACTNAME
ARGUMENTS
CONTRACTFILE Contract file to scan
CONTRACTNAME Contract name
OPTIONS
-h, --help show CLI help
--analysisMode=analysisMode [default: quick] Define the analysis mode when requesting a scan. Choose one from:
quick, full.
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
--solcVersion=solcVersion Solidity version to use when compiling (example: 0.4.21). If none is specified it
will try to identify the version from the source code.
--timeout=timeout [default: 180] How many seconds to wait for the result
See code: src/commands/analyze.ts
Retrieve analysis results scanned with MythX API
USAGE
$ mythos get-analysis UUID
ARGUMENTS
UUID uuid to retrive analysis results
OPTIONS
-h, --help show CLI help
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
See code: src/commands/get-analysis.ts
display help for mythos
USAGE
$ mythos help [COMMAND]
ARGUMENTS
COMMAND command to show help for
OPTIONS
--all see all commands in CLI
See code: @oclif/plugin-help
-
- Update
lodash.template
to 4.5.0 because of a security issue.
- Update
-
- Fix Microsoft Windows backslash path issue when specifying contract filename the paths like
folder\file.sol
are transformed tofolder/file.sol
. - Remove sample
output.txt
file from repo.
- Fix Microsoft Windows backslash path issue when specifying contract filename the paths like
-
- Upgrade dependencies.
-
- Update tests.
- Do not use nightly solidity version when compiling.
-
- Improve regex expression which matches for linked libs.
- Slightly improve output.
-
- Add newly added required parameter in request:
mainSource
. - Display errors in a more consistent way.
- Add newly added required parameter in request:
-
- Update to new armlet version and to new API changes
-
- Fix off by one source mapping
-
- Fix file name when running
get-analysis
to save response asissues-${uuid}.json
- Make compilation errors more obvious
- Display more information from report: compiler version used, API versions, SWC-ID, report's UUID
- Display clear error when incorrect contract name is specified
- Display compilation warnings
- Fix file name when running
-
- Send the AST when requesting an analysis
-
- Fix external lib import, it sends the library information to MythX
- Dump issues in a file as issues-[uuid].json for easy manual inspection
-
- Setup automatic tests
-
- Fix dynamic linking issue (thanks to @eswarasai).
-
- Automatically import other files (thanks to @eswarasai).
- Fix minor issue when picking Solidty version (thanks to @eswarasai).
- Fix issue count (thanks to @tagomaru).
-
- Update npm dependencies
-
- Display message on syntax error.
-
- Add
Severity
to output.
- Add
-
- Request different depths of analyses with
--analysisMode
can befull
orquick
. - Add changelog.
- Request different depths of analyses with
-
- Stable version, first release.