feat: Setup Slither #7
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
I'm ignoring the Slither warning because the actual contracts of OpenZeppelin are with
src/NftReward.sol
Outdated
@@ -197,6 +199,7 @@ contract NftReward is Initializable, ERC721Upgradeable, OwnableUpgradeable, Paus | |||
* @param _newMinter New minter address | |||
*/ | |||
function setMinter(address _newMinter) external onlyOwner { | |||
require(_newMinter != address(0), "Minter cannot be zero address"); |
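Review bot: the new zero-address guard in `setMinter` is not covered by a test in this hunk; add one that calls `setMinter(address(0))` as the owner and asserts the revert reason `"Minter cannot be zero address"`, plus one asserting a non-zero address is actually stored. Since the contract is `Initializable` (see the hunk header), it is also worth confirming that the path which first assigns the minter applies the same check, as only the setter is guarded here.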
Pls add tests for all newly added `require()` statements
should I add the merged changes to this PR? (about #4)
Yes, you should merge the
Done @rndquu !
1. There is still this warning:
   ```
   NftReward.safeMint(NftReward.MintRequest,bytes) (src/NftReward.sol#145-176) uses timestamp for comparisons
   Dangerous comparisons:
   - require(bool,string)(block.timestamp < _mintRequest.deadline,Signature expired) (src/NftReward.sol#155)
   Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#block-timestamp
   ```
   I think we can simply exclude the `block-timestamp` detector.
2. There is still this warning:
   ```
   Pragma version^0.8.20 (src/NftReward.sol#2) necessitates a version too recent to be trusted. Consider deploying with 0.8.18.
   solc-0.8.24 is not recommended for deployment
   Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
   ```
   What if we use solidity v0.8.18?
3. There is still this info warning:
   ```
   Parameter NftReward.invalidateNonce(uint256)._nonceValue (src/NftReward.sol#223) is not in mixedCase
   Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions
   ```
   Either exclude this detector or refactor the code.
4. Pls make sure the slither check workflow fails on any warning in the `NftReward.sol` contract
5. Pls update the slither workflow to run only when `*.sol` files are changed
In 2, I tested before and there is still the warning because of the OZ libraries
But there is no warning for
correct!
Then it makes sense to update
Should we fail on medium or low? Also I think we should ignore the OZ libraries 🤔
Yes, we use this strategy (fail on any slither warning or compiler warning) in our main repo https://github.com/ubiquity/ubiquity-dollar/ Not all of the slither detectors are included in our main repo because it makes sense to be reasonable (for example,
yep, I added a detector ignore about OZ libraries & timestamp
@rndquu should I add this:
If we remove the exclude_informational config the slither workflow still passes, right?
No, I think that is because it is like a low vuln.
I don't understand from the log output, what file causes the
That is because slither only recommends deployment with the version 0.8.18 and the OZ contracts are in ^0.8.20 so there is no way to not recognize that error.
I just added a line in
But that doesn't solve the warning as far as I understand. Overall we shouldn't exclude all low level issues. This is getting out of hand so let's:

done!
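A workflow that applies what the thread settles on (ignore findings inside the vendored OpenZeppelin code and the `block-timestamp`, `naming-convention` and `solc-version` detectors, fail on anything left in the project's own contracts, and run only when `*.sol` files change), as an added example and not the PR's own workflow file; the file path, the action versions, the `lib/openzeppelin` directory and the `development` branch name are assumptions.

```yaml
# Assumed path: .github/workflows/slither.yml (example, not the PR's file).
# Assumes a Foundry layout with OpenZeppelin checked out as a submodule under lib/.
name: Slither

on:
  pull_request:
    paths:
      - "**.sol"                 # only Solidity changes trigger the scan
  push:
    branches: [development]      # assumed default branch name
    paths:
      - "**.sol"

jobs:
  slither:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive  # vendored OZ must be present for the build

      - name: Run Slither
        uses: crytic/slither-action@v0.4.0   # assumed action version
        with:
          target: .
          # Exclude narrowly, by detector id and by path, instead of dropping
          # whole severity levels (no exclude_low / exclude_informational):
          #  - block-timestamp: the deadline check in safeMint is intentional
          #  - naming-convention: the _nonceValue finding is informational only
          #  - solc-version: OZ requires ^0.8.20, so the 0.8.18 advice cannot be met
          #  - filter-paths: findings inside OpenZeppelin itself are not ours to fix
          slither-args: >-
            --exclude block-timestamp,naming-convention,solc-version
            --filter-paths "lib/openzeppelin"
          # Any finding that survives the filters (in NftReward.sol) fails the job.
          fail-on: all
```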
Reviewed, read all comments and approving from my side, too!
Resolves #3 issue.