Shell scripts to run curl to interface with the MythX security platform (https://mythx.io)

Introduction

These shell scripts demonstrate how to use the MythX API at the most basic level using curl. When you run them, you will see the HTTP requests that get sent, along with the JSON output returned for each request.

This may be useful for developers who are writing a programming-language interface to MythX, or who are writing a MythX service and want the most fine-grained control over what the API has to offer. It may also be useful for experimenting with MythX at the API level. Note, however, that for some programming languages, such as JavaScript, there is already a library that can simplify interaction with MythX.

Requirements

To run the MythX API shell scripts you need a couple of command-line utilities:

  • bash,
  • curl to make the HTTPS requests, and
  • jq to make the JSON output prettier

Those tools are already installed on most operating systems. Run ./prerequisites.sh to double-check, though.

After installing the required dependencies, set MYTHX_PASSWORD and MYTHX_ETH_ADDRESS to the values that have been registered. For example:

$ export MYTHX_API_URL=https://mythx.io
$ export MYTHX_PASSWORD=MyPassword!
$ export MYTHX_ETH_ADDRESS=0x.............

Note that MYTHX_API_URL is optional and will be set to the default value unless specified otherwise.

After setting the above environment variables, you need to retrieve a JWT access token and store it in the MYTHX_ACCESS_TOKEN environment variable. To do that run:

$ . ./login.sh
Successfully logged into MythX

The scripts below use the environment variable MYTHX_ACCESS_TOKEN. At some point this access token will time out, and running commands will return an HTTP 401 error.

When that happens, just run . ./login.sh again.
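
An added example, not part of the MythX scripts: a local check of the access token's expiry, so that login can be repeated before a request fails with 401. It assumes MYTHX_ACCESS_TOKEN is a standard three-part JWT with a numeric exp claim; the function names and the sample token are hypothetical and constructed for illustration.

```shell
# Added example, not part of the MythX scripts. Assumes MYTHX_ACCESS_TOKEN is a
# standard three-part JWT whose payload carries a numeric "exp" claim.

# base64url-encode stdin (used only to build the constructed sample below).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed, unsigned sample token with the given expiry (epoch seconds).
sample_token() {
    printf '%s.%s.sig' \
        "$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)" \
        "$(printf '{"userId":"constructed","exp":%s}' "$1" | b64url)"
}

# Decode the base64url payload (second dot-separated field) of a JWT.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url drops '=' padding; restore it so base64 -d accepts the input.
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the "exp" claim (seconds since the epoch), or nothing if absent.
jwt_exp() {
    jwt_payload "$1" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the token stays valid for at least $2 more seconds (default 60).
# $3 overrides "now" for testing. The signature is NOT verified: this only
# predicts a 401 from the server, it is not an authentication check.
token_is_fresh() {
    exp=$(jwt_exp "$1")
    [ -n "$exp" ] || return 1
    now=${3:-$(date +%s)}
    [ $(( exp - now )) -ge "${2:-60}" ]
}

# Usage with the scripts on this page: log in again only when needed.
#   token_is_fresh "$MYTHX_ACCESS_TOKEN" || . ./login.sh
```

A malformed or missing token is treated as not fresh, so the usage line falls back to logging in again.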

Examples

Once you are set up, you can:

  • Get the current versions of Mythril API and its core sub-modules
  • Submit a contract for analysis, creating a job run with a UUID
  • See the status of a job using the UUID of a previously submitted analysis
  • Get the results of a previously finished analysis using the UUID
  • See a list of previously submitted analyses
  • Get tool usage statistics
  • Get the OpenAPI specification

Get the API version number

This is a good first thing to try because it doesn't require any authentication.

$ ./api-version.sh
Issuing HTTP GET https://api.mythx.io/v1/version
curl completed sucessfully. Output follows...
HTTP/1.1 200 OK
{
  "api": "v1.3.2",
  "maru": "0.3.4",
  "mythril": "0.20.0",
  "harvey": "0.0.7"
}

To submit a job for analysis, use analyses.sh:

$ ./analyses.sh sample-json/PublicArray.js
  (with MYTHX_ACCESS_TOKEN on file sample-json/Token.json)

curl completed sucessfully. See /tmp/curljs.err24426 for verbose logs.
Processed output from /tmp/curljs.out24426 follows...
HTTP/2 200
{
  "apiVersion": "v1.3.3",
  "mythrilVersion": "0.20.0",
  "maruVersion": "0.3.4",
  "harveyVersion": "0.0.7",
  "queueTime": 0,
  "status": "Queued",
  "submittedAt": "2019-02-12T17:20:24.965Z",
  "submittedBy": "2bf80...",
  "uuid": "a21ee3dd-(...)-874b400ecf92"
}

To see the status of a job run (UUID):

$ ./analyses-status.sh "a21ee3dd-8c9f-4dc4-9313-874b427ecf92"
Issuing HTTP GET https://api.mythx.io/v1/analyses/a21ee3dd-8c9f-4dc4-9313-874b427ecf92
  (with MYTHX_ACCESS_TOKEN)
curl completed sucessfully. See /tmp/curljs.err24743 for verbose logs.
Processed output from /tmp/curljs.out24743 follows...
HTTP/2 200
{
  "apiVersion": "v1.3.3",
  "mythrilVersion": "0.20.0",
  "maruVersion": "0.3.4",
  "harveyVersion": "0.0.7",
  "queueTime": 20,
  "runTime": 300,
  "status": "Finished",
  "submittedAt": "2019-02-12T17:20:24.965Z",
  "submittedBy": "2bf80...",
  "uuid": "a21ee3dd-(...)-874b400ecf92"
}

To see the results of an analysis:

$ ./analyses-results.sh "bf9fe267-d322-4641-aae2-a89e62f40770"
Issuing HTTP GET http://api.mythx.io/v1/analyses/bf9fe267-d322-4641-aae2-a89e62f40770/issues
curl completed sucessfully. Output follows...
HTTP/1.1 200 OK
[
  {
    "address": 499,
    "contract": "MAIN",
    "debug": "callvalue: 0xd7ee0142c5f24581862400cc4785a2910417ad282802609755ac30ac4c9e435d\nstorage_keccac_1461501637330902918203684832716283019655932542975_&\n1461501637330902918203684832716283019655932542975_&\n1461501637330902918203684832716283019655932542975_&\ncalldata_MAIN[4]: 0x744240060f11ee8302555055dccca6b72611ae29090e239231b0a7b8f29ae057\ncalldata_MAIN[0]: 0x362a9500000000000000000000000000000000000000000000000000000000\ncalldatasize_MAIN: 0x4\n",
    "description": "A possible integer overflow exists in the function `fallback`.\nThe addition or multiplication may result in a value higher than the maximum representable integer.",
    "function": "fallback",
    "title": "Integer Overflow",
    "type": "Warning"
  },
  {
    "address": 648,
    "contract": "MAIN",
    "debug": "",
    "description": "This contract executes a message call to the address of the transaction sender. Generally, it is not recommended to call user-supplied addresses using Solidity's call() construct. Note that attackers might leverage reentrancy attacks to exploit race conditions or manipulate this contract's state.",
    "function": "_function_0x2e1a7d4d",
    "title": "Message call to external contract",
    "type": "Warning"
  },
  ...
]

Get Tool Statistics

$ ./mythx-tool-use.sh truffle mythos
Running: curl  --header 'Content-Type: application/json' -v GET https://staging.api.mythx.io/v1/client-tool-stats/truffle
curl completed sucessfully. See /tmp/curljs.err18423 for verbose logs.
Processed output from /tmp/curljs.out18423 follows...
{
  "numAnalyses": 9501
}
Running: curl  --header 'Content-Type: application/json' -v GET https://staging.api.mythx.io/v1/client-tool-stats/mythos
curl completed sucessfully. See /tmp/curljs.err18423 for verbose logs.
Processed output from /tmp/curljs.out18423 follows...
{
  "numAnalyses": 1
}

Get the OpenAPI specification

$ ./get-openapi-spec.sh
Running: curl -v GET https://api.mythx.io/v1/openapi.yaml
curl completed sucessfully. See /tmp/curljs.err26342 for verbose logs.
Processed output from /tmp/curljs.out26342 follows...
-----------------------------------
openapi: 3.0.1
servers:
  - url: 'https://api.mythx.io/v1'
info:
  version: v1.3
  title: API for MythX
...

See also
