def parseSarif(self, mythril_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for issue in mythril_output_results["analysis"]["issues"]:
rule = parseRule(tool="mythril", vulnerability=issue["title"], full_description=issue["description"])
result = parseResult(tool="mythril", vulnerability=issue["title"], level=issue["type"],
uri=file_path_in_repo,
line=issue["lineno"], snippet=issue["code"] if "code" in issue.keys() else None,
logicalLocation=parseLogicalLocation(issue["function"],
kind="function"))
logicalLocation = parseLogicalLocation(name=issue["function"], kind="function")
if isNotDuplicateLogicalLocation(logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Mythril", version="0.4.25", rules=rulesList,
information_uri="https://mythx.io/",
full_description=MultiformatMessageString(
text="Mythril analyses EVM bytecode using symbolic analysis, taint analysis and control flow checking to detect a variety of security vulnerabilities.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=logicalLocationsList, results=resultsList)
return run
def parseSarif(self, osiris_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in osiris_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="osiris", vulnerability=result["message"])
result = parseResult(tool="osiris", vulnerability=result["message"], level="warning",
uri=file_path_in_repo, line=result["line"], column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=analysis["name"])
if isNotDuplicateLogicalLocation(logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Osiris", version="1.0", rules=rulesList,
information_uri="https://github.com/christoftorres/Osiris",
full_description=MultiformatMessageString(
text="Osiris is an analysis tool to detect integer bugs in Ethereum smart contracts. Osiris is based on Oyente.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=logicalLocationsList, results=resultsList)
return run
def parseSarif(self, smartcheck_output_results, file_path_in_repo):
resultsList = []
rulesList = []
artifact = parseArtifact(uri=file_path_in_repo)
for analysis in smartcheck_output_results["analysis"]:
rule = parseRule(tool="smartcheck", vulnerability=analysis["name"])
result = parseResult(tool="smartcheck", vulnerability=analysis["name"], level=analysis["severity"],
uri=file_path_in_repo,
line=analysis["line"], column=analysis["column"], snippet=analysis["content"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=smartcheck_output_results["contract"])
tool = Tool(driver=ToolComponent(name="SmartCheck", version="0.0.12", rules=rulesList,
information_uri="https://tool.smartdec.net/",
full_description=MultiformatMessageString(
text="Securify automatically checks for vulnerabilities and bad coding practices. It runs lexical and syntactical analysis on Solidity source code.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=[logicalLocation], results=resultsList)
return run
def parseSarif(self, securify_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for name, analysis in securify_output_results["analysis"].items():
contractName = name.split(':')[1]
logicalLocation = parseLogicalLocation(name=contractName)
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
for vuln, analysisResult in analysis["results"].items():
rule = parseRule(tool="securify", vulnerability=vuln)
for level, lines in analysisResult.items():
for lineNumber in lines:
# GH1003 & SARIF1007: Every result must provide a 'region' that specifies its location with "startLine"
if lineNumber == -1:
continue
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
result = parseResult(tool="securify",
vulnerability=vuln,
level=level,
uri=file_path_in_repo,
line=lineNumber)
resultsList.append(result)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Securify",
version="0.4.25",
rules=rulesList,
information_uri="https://github.com/eth-sri/securify2",
full_description=MultiformatMessageString(
text=
"Securify uses formal verification, also relying on static analysis checks. Securify’s analysis consists of two steps. First, it symbolically analyzes the contract’s dependency graph to extract precise semantic information from the code. Then, it checks compliance and violation patterns that capture sufficient conditions for proving if a property holds or not."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, conkas_output_results, file_path_in_repo):
resultsList = []
rulesList = []
logicalLocationsList = []
for analysis_result in conkas_output_results["analysis"]:
rule = parseRule(tool="conkas",
vulnerability=analysis_result["vuln_type"])
logicalLocation = parseLogicalLocation(
analysis_result["maybe_in_function"], kind="function")
# GH1003 & SARIF1007: Every result must provide a 'region' that specifies its location with "startLine"
if analysis_result["line_number"] == '':
continue
result = parseResult(tool="conkas",
vulnerability=analysis_result["vuln_type"],
uri=file_path_in_repo,
line=int(analysis_result["line_number"]),
logicalLocation=logicalLocation)
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Conkas",
version="1.0.0",
rules=rulesList,
information_uri="https://github.com/nveloso/conkas",
full_description=MultiformatMessageString(
text=
"Conkas is based on symbolic execution, determines which inputs cause which program branches to execute, to find potential security vulnerabilities. Conkas uses rattle to lift bytecode to a high level representation."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, honeybadger_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in honeybadger_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="honeybadger",
vulnerability=result["message"])
result = parseResult(tool="honeybadger",
vulnerability=result["message"],
level="warning",
uri=file_path_in_repo,
line=result["line"],
column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(analysis["name"])
if logicalLocation is not None and isNotDuplicateLogicalLocation(
logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="HoneyBadger",
version="1.8.16",
rules=rulesList,
information_uri="https://honeybadger.uni.lu/",
full_description=MultiformatMessageString(
text=
"An analysis tool to detect honeypots in Ethereum smart contracts"
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, oyente_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in oyente_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="oyente",
vulnerability=result["message"])
result = parseResult(tool="oyente",
vulnerability=result["message"],
level=result["level"],
uri=file_path_in_repo,
line=result["line"],
column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=analysis["name"])
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Oyente",
version="0.4.25",
rules=rulesList,
information_uri="https://oyente.tech/",
full_description=MultiformatMessageString(
text=
"Oyente runs on symbolic execution, determines which inputs cause which program branches to execute, to find potential security vulnerabilities. Oyente works directly with EVM bytecode without access high level representation and does not provide soundness nor completeness."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, solhint_output_results, file_path_in_repo):
resultsList = []
rulesList = []
for analysis in solhint_output_results["analysis"]:
rule = parseRule(tool="solhint",
vulnerability=analysis["type"],
full_description=analysis["message"])
result = parseResult(tool="solhint",
vulnerability=analysis["type"],
level=analysis["level"],
uri=file_path_in_repo,
line=int(analysis["line"]),
column=int(analysis["column"]))
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
artifact = parseArtifact(uri=file_path_in_repo)
logicalLocation = parseLogicalLocation(
name=solhint_output_results["contract"], kind="contract")
tool = Tool(driver=ToolComponent(
name="Solhint",
version="3.3.2",
rules=rulesList,
information_uri="https://protofire.github.io/solhint/",
full_description=MultiformatMessageString(
text=
"Open source project for linting solidity code. This project provide both security and style guide validations."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=[logicalLocation],
results=resultsList)
return run