Merge pull request #2303 from crytic/dev-super-linter

ci: linter, pylint: upgrade superlinter to v6

.github/workflows/linter.yml

@@ -45,7 +45,7 @@ jobs:
           echo "::add-matcher::.github/workflows/matchers/yamllint.json"
 
       - name: Lint everything else
-        uses: super-linter/super-linter/slim@v4.9.2
+        uses: super-linter/super-linter/slim@v6.1.1
         if: always()
         env:
           # run linter on everything to catch preexisting problems
@@ -58,14 +58,16 @@ jobs:
           VALIDATE_PYTHON_BLACK: false
           VALIDATE_PYTHON_ISORT: false
           VALIDATE_JSON: false
+          VALIDATE_JAVASCRIPT_ES: false
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_PYTHON_FLAKE8: false
           VALIDATE_DOCKERFILE: false
           VALIDATE_DOCKERFILE_HADOLINT: false
           VALIDATE_EDITORCONFIG: false
           VALIDATE_JSCPD: false
           VALIDATE_PYTHON_MYPY: false
-          # Until we upgrade the super linter for actionlintÒ
-          VALIDATE_GITHUB_ACTIONS: false
+          VALIDATE_CHECKOV: false
+          # TODO: consider enabling
+          VALIDATE_SHELL_SHFMT: false
           SHELLCHECK_OPTS: "-e SC1090"
           FILTER_REGEX_EXCLUDE: .*tests/.*.(json|zip|sol)

.github/workflows/pylint.yml

@@ -43,7 +43,7 @@ jobs:
           echo "::add-matcher::.github/workflows/matchers/pylint.json"
 
       - name: Pylint
-        uses: super-linter/super-linter/slim@v4.9.2
+        uses: super-linter/super-linter/slim@v6.1.1
         if: always()
         env:
           # Run linters only on new files for pylint to speed up the CI

.github/workflows/test.yml

@@ -80,11 +80,11 @@ jobs:
         # Only run coverage on ubuntu-latest.
         run: |
           if [ ${{ matrix.os }} = "ubuntu-latest" ]; then
-            TEST_ARGS="--cov=slither --cov-append"
+            TEST_ARGS=(--cov=slither --cov-append)
           elif [ ${{ matrix.os }} = "windows-2022" ]; then
-            TEST_ARGS=""
+            TEST_ARGS=()
           fi
-          bash "./.github/scripts/${TEST_TYPE}_test_runner.sh" $TEST_ARGS
+          bash "./.github/scripts/${TEST_TYPE}_test_runner.sh" "${TEST_ARGS[@]}"
 
 
       - name: Upload coverage
@@ -119,5 +119,5 @@ jobs:
         run: |
           set +e
           python -m coverage combine
-          echo "## python coverage" >> $GITHUB_STEP_SUMMARY
-          python -m coverage report -m --format=markdown >> $GITHUB_STEP_SUMMARY
+          echo "## python coverage" >> "$GITHUB_STEP_SUMMARY"
+          python -m coverage report -m --format=markdown >> "$GITHUB_STEP_SUMMARY"

CONTRIBUTING.md

@@ -6,15 +6,15 @@ If you're unsure where to start, we recommend our [`good first issue`](https://g
 
 ## Bug reports and feature suggestions
 
-Bug reports and feature suggestions can be submitted to our issue tracker. For bug reports, attaching the contract that caused the bug will help us in debugging and resolving the issue quickly. If you find a security vulnerability, do not open an issue; email opensource@trailofbits.com instead.
+Bug reports and feature suggestions can be submitted to our issue tracker. For bug reports, attaching the contract that caused the bug will help us in debugging and resolving the issue quickly. If you find a security vulnerability, do not open an issue; email <opensource@trailofbits.com> instead.
 
 ## Questions
 
 Questions can be submitted to the "Discussions" page, and you may also join our [chat room](https://empireslacking.herokuapp.com/) (in the #ethereum channel).
 
 ## Code
 
-Slither uses the pull request contribution model. Please make an account on Github, fork this repo, and submit code contributions via pull request. For more documentation, look [here](https://guides.github.com/activities/forking/).
+Slither uses the pull request contribution model. Please make an account on GitHub, fork this repository, and submit code contributions via pull request. For more documentation, look [here](https://guides.github.com/activities/forking/).
 
 Some pull request guidelines:
 
@@ -63,7 +63,7 @@ To automatically reformat the code:
 
 - `make reformat`
 
-We use pylint `2.13.4`, black `22.3.0`.
+We use pylint `3.0.3`, black `22.3.0`.
 
 ### Testing
 
@@ -82,7 +82,7 @@ For each new detector, at least one regression tests must be present.
 1. Create a folder in `tests/e2e/detectors/test_data` with the detector's argument name.
 2. Create a test contract in `tests/e2e/detectors/test_data/<detector_name>/`.
 3. Update `ALL_TESTS` in `tests/e2e/detectors/test_detectors.py`.
-4. Run `python tests/e2e/detectors/test_detectors.py --compile` to create a zip file of the compilation artifacts.
+4. Run `python tests/e2e/detectors/test_detectors.py --compile` to create a ZIP file of the compilation artifacts.
 5. `pytest tests/e2e/detectors/test_detectors.py --insta update-new`. This will generate a snapshot of the detector output in `tests/e2e/detectors/snapshots/`. If updating an existing detector, run `pytest tests/e2e/detectors/test_detectors.py --insta review` and accept or reject the updates.
 6. Run `pytest tests/e2e/detectors/test_detectors.py` to ensure everything worked. Then, add and commit the files to git.
 

README.md

@@ -288,16 +288,16 @@ Slither is licensed and distributed under the AGPLv3 license. [Contact us](mailt
 
 Title | Usage | Authors | Venue | Code
 --- | --- | --- | --- | ---
-[ReJection: A AST-Based Reentrancy Vulnerability Detection Method](https://www.researchgate.net/publication/339354823_ReJection_A_AST-Based_Reentrancy_Vulnerability_Detection_Method) | AST-based analysis built on top of Slither | Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen | CTCIS 19
+[ReJection: A AST-Based Reentrancy Vulnerability Detection Method](https://www.researchgate.net/publication/339354823_ReJection_A_AST-Based_Reentrancy_Vulnerability_Detection_Method) | AST-based analysis built on top of Slither | Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen | CTCIS 19 | -
 [MPro: Combining Static and Symbolic Analysis forScalable Testing of Smart Contract](https://arxiv.org/pdf/1911.00570.pdf) | Leverage data dependency through Slither | William Zhang, Sebastian Banescu, Leodardo Pasos, Steven Stewart, Vijay Ganesh | ISSRE 2019 | [MPro](https://github.com/QuanZhang-William/M-Pro)
-[ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts](https://wcventure.github.io/FuzzingPaper/Paper/SANER20_ETHPLOIT.pdf) | Leverage data dependency through Slither | Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma | SANER 20
-[Verification of Ethereum Smart Contracts: A Model Checking Approach](http://www.ijmlc.org/vol10/977-AM0059.pdf) | Symbolic execution built on top of Slither’s CFG | Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan | IJMLC 20
+[ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts](https://wcventure.github.io/FuzzingPaper/Paper/SANER20_ETHPLOIT.pdf) | Leverage data dependency through Slither | Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma | SANER 20 | -
+[Verification of Ethereum Smart Contracts: A Model Checking Approach](http://www.ijmlc.org/vol10/977-AM0059.pdf) | Symbolic execution built on top of Slither’s CFG | Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan | IJMLC 20 | -
 [Smart Contract Repair](https://arxiv.org/pdf/1912.05823.pdf) | Rely on Slither’s vulnerabilities detectors | Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury | TOSEM 20 | [SCRepair](https://github.com/xiaoly8/SCRepair/)
-[Demystifying Loops in Smart Contracts](https://www.microsoft.com/en-us/research/uploads/prod/2020/08/loops_solidity__camera_ready-5f3fec3f15c69.pdf) | Leverage data dependency through Slither | Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig | ASE 20
-[Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9268144) | Use Slither’s CFG to detect loops | Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu | IEEE Open J. Comput. Soc. 1 (2020)
+[Demystifying Loops in Smart Contracts](https://www.microsoft.com/en-us/research/uploads/prod/2020/08/loops_solidity__camera_ready-5f3fec3f15c69.pdf) | Leverage data dependency through Slither | Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig | ASE 20 | -
+[Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9268144) | Use Slither’s CFG to detect loops | Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu | IEEE Open J. Comput. Soc. 1 (2020) | -
 [SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds](https://arxiv.org/pdf/2104.08638.pdf) | Rely on SlithIR to build a *storage dependency graph* | Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna | S&P 22 | [Sailfish](https://github.com/ucsb-seclab/sailfish)
-[SolType: Refinement Types for Arithmetic Overflow in Solidity](https://arxiv.org/abs/2110.00677) | Use Slither as frontend to build refinement type system | Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng | POPL 22
-[Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection](https://www.mdpi.com/2227-7390/10/6/949) | Use Slither to extract tokens' features (mintable, pausable, ..) | Mazorra, Bruno, Victor Adan, and Vanesa Daza | Mathematics 10.6 (2022)
+[SolType: Refinement Types for Arithmetic Overflow in Solidity](https://arxiv.org/abs/2110.00677) | Use Slither as frontend to build refinement type system | Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng | POPL 22 | -
+[Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection](https://www.mdpi.com/2227-7390/10/6/949) | Use Slither to extract tokens' features (mintable, pausable, ..) | Mazorra, Bruno, Victor Adan, and Vanesa Daza | Mathematics 10.6 (2022) | -
 [MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities](https://arxiv.org/abs/2208.13252) | Use Slither to extract the CFG and call graph | Hoang Nguyen, Nhat-Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudendo, Thanh-Nam Doan and Lingxiao Jiang| IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA, 2022) | [ge-sc](https://github.com/MANDO-Project/ge-sc)
 [Automated Auditing of Price Gouging TOD Vulnerabilities in Smart Contracts](https://www.cs.toronto.edu/~fanl/papers/price-icbc22.pdf) | Use Slither to extract the CFG and data dependencies| Sidi Mohamed Beillahi, Eric Keilty, Keerthi Nelaturu, Andreas Veneris, and Fan Long | 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) | [Smart-Contract-Repair](https://github.com/Veneris-Group/TOD-Location-Rectification)
 

pyproject.toml

@@ -7,7 +7,6 @@ missing-module-docstring,
 missing-class-docstring,
 missing-function-docstring,
 unnecessary-lambda,
-bad-continuation,
 cyclic-import,
 line-too-long,
 invalid-name,
@@ -18,5 +17,6 @@ logging-fstring-interpolation,
 logging-not-lazy,
 duplicate-code,
 import-error,
-unsubscriptable-object
+unsubscriptable-object,
+unnecessary-lambda-assignment
 """

setup.py

@@ -25,7 +25,7 @@
     extras_require={
         "lint": [
             "black==22.3.0",
-            "pylint==2.13.4",
+            "pylint==3.0.3",
         ],
         "test": [
             "pytest",

slither/core/declarations/solidity_variables.py

@@ -139,7 +139,7 @@ def __init__(self, name: str) -> None:
         self._name = name
 
     # dev function, will be removed once the code is stable
-    def _check_name(self, name: str) -> None:  # pylint: disable=no-self-use
+    def _check_name(self, name: str) -> None:
         assert name in SOLIDITY_VARIABLES or name.endswith(("_slot", "_offset"))
 
     @property

slither/detectors/operations/unchecked_send_return_value.py

@@ -39,5 +39,5 @@ class UncheckedSend(UnusedReturnValues):
 
     WIKI_RECOMMENDATION = "Ensure that the return value of `send` is checked or logged."
 
-    def _is_instance(self, ir: Operation) -> bool:  # pylint: disable=no-self-use
+    def _is_instance(self, ir: Operation) -> bool:
         return isinstance(ir, Send)

slither/detectors/operations/unchecked_transfer.py

@@ -46,7 +46,7 @@ class UncheckedTransfer(UnusedReturnValues):
         "Use `SafeERC20`, or ensure that the transfer/transferFrom return value is checked."
     )
 
-    def _is_instance(self, ir: Operation) -> bool:  # pylint: disable=no-self-use
+    def _is_instance(self, ir: Operation) -> bool:
         return (
             isinstance(ir, HighLevelCall)
             and isinstance(ir.function, Function)

slither/detectors/operations/unused_return_values.py

@@ -49,7 +49,7 @@ class UnusedReturnValues(AbstractDetector):
 
     WIKI_RECOMMENDATION = "Ensure that all the return values of the function calls are used."
 
-    def _is_instance(self, ir: Operation) -> bool:  # pylint: disable=no-self-use
+    def _is_instance(self, ir: Operation) -> bool:
         return (
             isinstance(ir, HighLevelCall)
             and (
@@ -64,9 +64,7 @@ def _is_instance(self, ir: Operation) -> bool:  # pylint: disable=no-self-use
             and isinstance(ir, (Assignment, Unpack))
         )
 
-    def detect_unused_return_values(
-        self, f: FunctionContract
-    ) -> List[Node]:  # pylint: disable=no-self-use
+    def detect_unused_return_values(self, f: FunctionContract) -> List[Node]:
         """
             Return the nodes where the return value of a call is unused
         Args:

slither/formatters/naming_convention/naming_convention.py

@@ -501,7 +501,7 @@ def _explore_variables_declaration(  # pylint: disable=too-many-arguments,too-ma
 
                         idx_beginning = func.source_mapping.start
                         idx_beginning += -func.source_mapping.starting_column + 1
-                        idx_beginning += -sum([len(c) for c in potential_comments])
+                        idx_beginning += -sum(len(c) for c in potential_comments)
 
                         old_comment = f"@param {old_str}".encode("utf8")
 

slither/slithir/operations/call.py

@@ -34,15 +34,14 @@ def arguments(self) -> List[Variable]:
     def arguments(self, v: List[Variable]) -> None:
         self._arguments = v
 
-    # pylint: disable=no-self-use
     def can_reenter(self, _callstack: Optional[List[Union[Function, Variable]]] = None) -> bool:
         """
         Must be called after slithIR analysis pass
         :return: bool
         """
         return False
 
-    def can_send_eth(self) -> bool:  # pylint: disable=no-self-use
+    def can_send_eth(self) -> bool:
         """
         Must be called after slithIR analysis pass
         :return: bool

slither/slithir/operations/high_level_call.py

@@ -54,7 +54,6 @@ def __init__(
 
     # Development function, to be removed once the code is stable
     # It is overridden by LibraryCall
-    # pylint: disable=no-self-use
     def _check_destination(self, destination: Union[Variable, SolidityVariable, Contract]) -> None:
         assert isinstance(destination, (Variable, SolidityVariable))
 

slither/slithir/utils/ssa.py

@@ -90,13 +90,13 @@ def transform_slithir_vars_to_ssa(
 
     tmp_variables = [v for v in variables if isinstance(v, TemporaryVariable)]
     for idx, _ in enumerate(tmp_variables):
-        tmp_variables[idx].index = idx
+        tmp_variables[idx].index = idx  # pylint: disable=unnecessary-list-index-lookup
     ref_variables = [v for v in variables if isinstance(v, ReferenceVariable)]
     for idx, _ in enumerate(ref_variables):
-        ref_variables[idx].index = idx
+        ref_variables[idx].index = idx  # pylint: disable=unnecessary-list-index-lookup
     tuple_variables = [v for v in variables if isinstance(v, TupleVariable)]
     for idx, _ in enumerate(tuple_variables):
-        tuple_variables[idx].index = idx
+        tuple_variables[idx].index = idx  # pylint: disable=unnecessary-list-index-lookup
 
 
 ###################################################################################

slither/solc_parsing/declarations/contract.py

@@ -727,7 +727,7 @@ def _analyze_enum(
         new_enum.set_offset(enum["src"], self._contract.compilation_unit)
         self._contract.enums_as_dict[canonicalName] = new_enum
 
-    def _analyze_struct(self, struct: StructureContractSolc) -> None:  # pylint: disable=no-self-use
+    def _analyze_struct(self, struct: StructureContractSolc) -> None:
         struct.analyze()
 
     def analyze_structs(self) -> None:

slither/solc_parsing/declarations/function.py

@@ -434,7 +434,7 @@ def _parse_while(self, whilte_statement: Dict, node: NodeSolc, scope: Scope) ->
 
         return node_endWhile
 
-    def _parse_for_compact_ast(  # pylint: disable=no-self-use
+    def _parse_for_compact_ast(
         self, statement: Dict
     ) -> Tuple[Optional[Dict], Optional[Dict], Optional[Dict], Dict]:
         body = statement["body"]
@@ -643,7 +643,6 @@ def _parse_dowhile(self, do_while_statement: Dict, node: NodeSolc, scope: Scope)
         link_underlying_nodes(node_condition, node_endDoWhile)
         return node_endDoWhile
 
-    # pylint: disable=no-self-use
     def _construct_try_expression(self, externalCall: Dict, parameters_list: Dict) -> Dict:
         # if the parameters are more than 1 we make the leftHandSide of the Assignment node
         # a TupleExpression otherwise an Identifier

slither/solc_parsing/slither_compilation_unit_solc.py

@@ -73,7 +73,7 @@ def _handle_import_aliases(
 
 
 class SlitherCompilationUnitSolc(CallerContextExpression):
-    # pylint: disable=no-self-use,too-many-instance-attributes
+    # pylint: disable=too-many-instance-attributes
     def __init__(self, compilation_unit: SlitherCompilationUnit) -> None:
         super().__init__()
 
@@ -417,6 +417,7 @@ def parse_contracts(self) -> None:  # pylint: disable=too-many-statements,too-ma
                 f"No contracts were found in {self._compilation_unit.core.filename}, check the correct compilation"
             )
         if self._parsed:
+            # pylint: disable=broad-exception-raised
             raise Exception("Contract analysis can be run only once!")
 
         # First we save all the contracts in a dict

tests/tools/read-storage/conftest.py

@@ -23,13 +23,16 @@ def __init__(self, provider: str, eth_address: str, eth_privkey: str):
 def fixture_ganache() -> Generator[GanacheInstance, None, None]:
     """Fixture that runs ganache"""
     if not shutil.which("ganache"):
+        # pylint: disable=broad-exception-raised
         raise Exception(
             "ganache was not found in PATH, you can install it with `npm install -g ganache`"
         )
 
     # Address #1 when ganache is run with `--wallet.seed test`, it starts with 1000 ETH
     eth_address = "0xae17D2dD99e07CA3bF2571CCAcEAA9e2Aefc2Dc6"
-    eth_privkey = "0xe48ba530a63326818e116be262fd39ae6dcddd89da4b1f578be8afd4e8894b8d"
+    eth_privkey = (
+        "0xe48ba530a63326818e116be262fd39ae6dcddd89da4b1f578be8afd4e8894b8d"  # gitleaks:allow
+    )
     eth = int(1e18 * 1e6)
     port = 8545
     with subprocess.Popen(

trophies.md

@@ -4,8 +4,8 @@ The following lists security vulnerabilities that were found by Slither.
 If you found a security vulnerability using Slither,
 please submit a PR with the relevant information.
 
-| Project | Vulnerability | Date |
-|--|--|--|
+Project | Vulnerability | Date
+--|--|--
 [Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Incorrect constructor name | July 2018
 [Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Deletion of a mapping with structure | July 2018
 [Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Uninitialized state variables | July 2018
@@ -53,8 +53,8 @@ please submit a PR with the relevant information.
 ## Slither Rekt
 The following lists security incidents that could have been prevented using Slither.
 
-| Project | Vulnerability | Value loss | Date
-|--|--|--| -- |
+Project | Vulnerability | Value loss | Date
+---|---|---|---
 Dforce | [Reentrancy](https://peckshield.medium.com/uniswap-lendf-me-hacks-root-cause-and-loss-analysis-50f3263dcc09) | $25m (recovered) | Apr 2020
 Lendf.me | [Incorrect self-transfer](https://bzx.network/blog/incident) ([slither-prop](https://github.com/crytic/slither/wiki/Property-generation)) | $8m | Sep 2020
 Akropolis | [Reentrancy](https://blog.peckshield.com/2020/11/13/akropolis/) | $2m | Nov 2020