Solidity language support and visual security auditor for Visual Studio Code

get in touch with Consensys Diligence

Solidity Visual Auditor

  • Solidity Language Support
  • Solidity Source Exploration and Visual Security Auditing

This extension contributes security centric syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code (Marketplace).

This extension is compatible with vscode-solidity.

We ❤ feedback! Bug or Feature → file an issue

Marketplace: ext tintinweb.solidity-visual-auditor

[screenshot: vscode-solidity-auditor-interactive-graph]

[screenshot: visual-auditor-new]

[screenshot: vscode-solidity-auditor-uml]


Features

Semantic highlighting and solidity insights for passive security awareness. Most features are configurable (preferences -> Settings -> Solidity Visual Auditor)

Themes (preferences -> Color Theme):

[screenshots: dark_small, light_small, solarized_small]

  • Visual Auditor Dark - based on the "Atom One" theme
  • Visual Auditor Light (Visual Studio) - based on the standard "light (VSCode)" theme
  • Visual Auditor Solarized Light - based on the standard "Solarized Light" theme

Syntax Highlighting
  • access modifiers (external, public, payable, ...)
  • security relevant built-ins, globals, methods and user/miner-tainted information (address.call(), tx.origin, msg.data, block.*, now)
  • data location keywords (memory, storage)
  • developer notes in comments (TODO, FIXME, HACK, ...)
  • custom function modifiers
  • contract creation / event invocations
  • easily differentiate between arithmetic and logical operations
  • make the constructor and fallback function more prominent

Code fragments are highlighted to draw your attention to Secure code (#c5f015) and Insecure code (#f03c15).

Semantic Highlighting
  • highlights StateVars (constant, inherited)
  • detects and alerts about StateVar shadowing
  • highlights function arguments in the function body

Audit Features
  • audit annotations/bookmarks: @audit - <msg> and @audit-ok - <msg> (see below)
  • generic interface for importing external scanner results in the cdili json format (see below)
  • codelens inline actions: graph, report, dependencies, inheritance, parse, ftrace, flatten, generate unittest stub, function signature hashes, uml

Code Insights
  • populates the VS Code outline view with the sourceUnit and contract layout
    • contracts, stateVars, methods, inherited names
    • annotates security relevant information (visibility, ...)
    • calculates a complexity rating
    • annotates functions with whether they access stateVars
  • 💒🤵👰 vscode-solidity-auditor ❤ Sūrya
    • access your favorite Sūrya features from within vscode!
    • interactive call graphs with call flow highlighting and more!
  • 📈🎉 generate UML diagrams
  • command: suggest top level contracts / find most derived contracts
  • command: flatten most derived contracts
  • command: calculate function signature hashes
  • command: open Remix-IDE in external browser window
  • onHover ASM instruction signatures
  • onHover Security Notes for certain keywords
  • onHover StateVar declaration information, including the line of declaration

Installation

Method 1: Install by going to the Visual Studio Marketplace and clicking Install.

Method 2: Bring up the Extensions view in VS Code, search for Solidity Visual Auditor and click Install.

Method 3 (Manual):

  1. Download the latest compiled extension as *.vsix
  2. Fire up a terminal and install the extension by running code --install-extension "solidity-visual-auditor-0.0.x.vsix"
  3. In VS Code: preferences -> Color Theme -> Solidity Visual Auditor Dark

Tour

Scroll down and take the tour.

[screenshot: visual_auditor_new]

  • semantic highlighting for state variables (constant=green, statevar=golden, inherited=blue)
  • semantic highlighting for function arguments
  • outline view with security annotations and inherited names
  • tooltips (asm instruction signatures, security notes)
  • @audit tags
  • graphs and UML diagrams
  • generic interface to import issues from external scanners

semantic function argument highlighting

  • arguments are assigned different colors in the scope of the function

[screenshot: semantic-arg-dark]

[screenshot: semantic-arg-light]

@audit bookmarks

  • @audit - <msg> ... flag lines for security review or start a security review discussion
  • @audit-ok - <msg> ... flag that a line was checked for security or a security discussion on that line turned out to be a non-issue

[screenshot: audit-tags]

code annotations / hover / tooltip

  • additional information for various keywords (including security notes)

[screenshot: code_token_hover]

  • asm instruction signatures

[screenshot: code_asm_tooltip]

stateVar tracing

  • highlight contract local stateVars (golden box)

[screenshot: code_statevar]

  • alert on a shadowed variable (red box)

[screenshot: code_shadowed]

  • highlight const stateVar (green box)

[screenshot: code_const]

  • highlight inherited stateVar (blue box; Approval in the screenshot)

[screenshot: code_inherited]

codelenses

  • surya - interactive graph

[screenshot: vscode-solidity-auditor-interactive-graph]

  • surya - generate report, show inheritance, show AST

[screenshot: vscode-auditor-surya-report]

[screenshot: vscode-auditor-unittest]

  • surya - ftrace

[screenshot: vscode-auditor-ftrace]

  • UML - auto-generate UML for source-units or specific contracts

[screenshot: vscode-solidity-auditor-uml]

  • Function Signature Hashes

[screenshot: sva_light_vscode]

outline view

  • library with function parameters T and declarations

[screenshot: outline_lib]

  • class and events, functions annotated (stateMutability, visibility)

[screenshot: outline_class_event]

[screenshot: outline_class_2]

  • inheritance browser - resolves inheritance, only shows inherited names

[screenshot: outline_inherit]

  • extra information (subjective function complexity; accesses stateVar?)

[screenshot: outline_extra]

commands

  • suggest top level contracts aka "entrypoint contracts" (most derived)
  • flatten current (codelens) or all suggested top level contracts (command)

[screenshot: vscode-auditor-flaterra]

  • list all function signatures (human readable or json format)

[screenshot: vscode-auditor-funcsigs]

  • open Remix-IDE in an external browser window
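The "most derived" contracts the command suggests are simply the contracts that no other contract in the parsed sources inherits from, and flattening them means emitting every base before the contract that derives from it. The following script is an added example, not the extension's code, that computes both from inheritance headers. It assumes a single source string, a regex that only understands `contract X is A, B {` style headers (no import following, no comma-containing constructor arguments in base lists), and a constructed sample hierarchy:

```python
"""Entry-point ("most derived") contract suggestion and a base-first flatten
order computed from inheritance declarations, the idea behind the extension's
"suggest top level contracts" and "flatten" commands.  Added example, not the
extension's code: the regex only understands `contract X is A, B {` headers
in a single source string and does not follow imports."""
import re

DECL_RE = re.compile(r"\b(?:contract|interface|library)\s+(\w+)(?:\s+is\s+([^{]+))?\s*\{")


def parse_inheritance(source):
    """{contract: [direct bases...]} in declaration order.  Constructor arguments
    in base lists such as `is Ownable(msg.sender)` are dropped (arguments that
    themselves contain commas are not handled by this toy parser)."""
    graph = {}
    for name, bases in DECL_RE.findall(source):
        graph[name] = [b.strip().split("(")[0] for b in bases.split(",") if b.strip()]
    return graph


def unresolved_bases(graph):
    """Bases that no declaration in the parsed source defines, i.e. they live in
    an import that was not parsed; flattening without them yields broken output."""
    return {b for bases in graph.values() for b in bases if b not in graph}


def most_derived(graph):
    """Contracts nobody inherits from: the deployable entry points an audit starts at."""
    inherited = {b for bases in graph.values() for b in bases}
    return sorted(n for n in graph if n not in inherited)


def flatten_order(graph, target):
    """Depth-first post-order: every base precedes the contract deriving from it
    and each contract appears once, which is what a single flattened file needs."""
    order, seen = [], set()

    def visit(n):
        if n in seen:
            return
        seen.add(n)
        for b in graph.get(n, []):
            visit(b)
        order.append(n)

    visit(target)
    return order


# Constructed sample source: two independent entry points over a shared base.
SAMPLE_SOURCE = """
pragma solidity ^0.5.0;
contract Ownable { address owner; }
contract Pausable is Ownable { bool paused; }
interface IERC20 { function totalSupply() external view returns (uint); }
contract ERC20 is IERC20 { uint supply; }
contract Token is ERC20, Pausable { }
contract Crowdsale is Ownable(msg.sender) { }
"""

if __name__ == "__main__":
    g = parse_inheritance(SAMPLE_SOURCE)
    print("entry points:", most_derived(g))
    for entry in most_derived(g):
        print(entry, "flatten order:", " -> ".join(flatten_order(g, entry)))
    print("unresolved bases:", unresolved_bases(g) or "none")
```

Run it and the sample yields Crowdsale and Token as entry points, with Token flattened as IERC20, ERC20, Ownable, Pausable, Token. Checking `unresolved_bases` before flattening is the practical safeguard: with `solidity-va.parser.parseImports` off, a base that lives in an import is silently absent and the flattened file would not compile.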

Theme: Solidity Visual Auditor Light (VSCode)

[screenshot: theme_light_vs]

Theme: Solidity Visual Auditor Dark

Simple DAO

[screenshot: Simple DAO, dark theme]

Vulnerable Contract

[screenshot: vulnerable contract highlighting, dark theme]

Theme: Solidity Visual Auditor Solarized Light

Simple DAO

[screenshot: Simple DAO, Solarized Light theme]

Extension Settings

  • solidity-va.mode.active ... enable/disable all active components of this extension (emergency master switch)
  • solidity-va.parser.parseImports ... whether to recursively parse imports
  • solidity-va.hover ... enable/disable generic onHover information (asm instruction signatures, security notes)
  • solidity-va.deco.statevars ... decorate stateVars in the code view (golden, green, blue boxes)
  • solidity-va.deco.arguments ... enable/disable semantic highlighting for function arguments
  • solidity-va.outline.enable ... enable/disable the outline and symbol provider
  • solidity-va.outline.decorations ... decorate functions according to state mutability and visibility
  • solidity-va.outline.inheritance.show ... add inherited functions to the outline view
  • solidity-va.outline.extras ... annotate functions with extra information (complexity, stateVar access)
  • solidity-va.outline.var.storage_annotations ... show/hide storage annotations for variables in the outline view
  • solidity-va.outline.pragmas.show ... show/hide pragmas in the outline view
  • solidity-va.outline.imports.show ... show/hide imports in the outline view
  • solidity-va.diagnostics.import.cdili-json ... automatically import diagnostic issues from external scanners using the cdili-issue.json format; an issue looks like:

    ```json
    {
        "onInputFile": "contracts/BountiesMetaTxRelayer.sol",
        "atLineNr": "10",
        "ruleType": "code_smell",
        "severity": "major",
        "linterVersion": "0.1",
        "linterName": "maru",
        "message": "State Variable Default Visibility - It is best practice to set the visibility of state variables explicitly. The default visibility for \"bountiesContract\" is internal. Other possible visibility values are public and private.",
        "forRule": "State_Variable_Default_Visibility"
    }
    ```

  • solidity-va.audit.tags.enable ... enable/disable audit tags
  • solidity-va.codelens.enable ... enable/disable codelens support (inline code actions)
  • solidity-va.preview.dot ... open dot output in graphviz-rendered form
  • solidity-va.preview.markdown ... open markdown output in rendered form
  • solidity-va.tools.surya.input.contracts ... whether surya should take cached files or all contracts in the workspace as input

Known Issues

  • changing settings may require a vscode reload.
  • outline view does not always refresh. TempFix: modify and save the file to trigger a refresh.
  • codelenses do not appear. TempFix: modify and save the file to trigger a refresh.
  • github issues

Acknowledgements

Release Notes

v0.0.18

  • new: UML diagrams just arrived 🎉! auto-generate UML for source-units or contracts.

[screenshot: sva_light_vscode]

  • new: codelens next to functions to generate the sighash.
  • fix: function signature hashes are now generated for all functions (even internal ones, just ignore them for now :)). Types are canonicalized before calculating hashes (#27).
  • new: alert on function sighash collision within the same contract.

[screenshot: sva_light_vscode]

  • new: AST parser now keeps track of using-for directives

Changelog
