def parseSarif(self, osiris_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in osiris_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="osiris", vulnerability=result["message"])
result = parseResult(tool="osiris", vulnerability=result["message"], level="warning",
uri=file_path_in_repo, line=result["line"], column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=analysis["name"])
if isNotDuplicateLogicalLocation(logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Osiris", version="1.0", rules=rulesList,
information_uri="https://github.com/christoftorres/Osiris",
full_description=MultiformatMessageString(
text="Osiris is an analysis tool to detect integer bugs in Ethereum smart contracts. Osiris is based on Oyente.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=logicalLocationsList, results=resultsList)
return run
def parseSarif(self, maian_output_results, file_path_in_repo):
resultsList = []
rulesList = []
for vulnerability in maian_output_results["analysis"].keys():
if maian_output_results["analysis"][vulnerability]:
rule = parseRule(tool="maian", vulnerability=vulnerability)
result = parseResult(tool="maian",
vulnerability=vulnerability,
level="error",
uri=file_path_in_repo)
rulesList.append(rule)
resultsList.append(result)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Maian",
version="5.10",
rules=rulesList,
information_uri="https://github.com/ivicanikolicsg/MAIAN",
full_description=MultiformatMessageString(
text=
"Maian is a tool for automatic detection of buggy Ethereum smart contracts of three different types prodigal, suicidal and greedy."
)))
run = Run(tool=tool, artifacts=[artifact], results=resultsList)
return run
def parseSarif(self, manticore_output_results, file_path_in_repo):
rulesList = []
resultsList = []
artifact = parseArtifact(uri=file_path_in_repo)
for multipleAnalysis in manticore_output_results["analysis"]:
for analysis in multipleAnalysis:
rule = parseRule(tool="manticore", vulnerability=analysis["name"])
result = parseResult(tool="manticore", vulnerability=analysis["name"], level="warning",
uri=file_path_in_repo,
line=analysis["line"], snippet=analysis["code"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
tool = Tool(driver=ToolComponent(name="Manticore", version="0.3.5", rules=rulesList,
information_uri="https://github.com/trailofbits/manticore",
full_description=MultiformatMessageString(
text="Manticore is a symbolic execution tool for analysis of smart contracts and binaries.")))
run = Run(tool=tool, artifacts=[artifact], results=resultsList)
return run
def parseSarif(self, mythril_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for issue in mythril_output_results["analysis"]["issues"]:
rule = parseRule(tool="mythril", vulnerability=issue["title"], full_description=issue["description"])
result = parseResult(tool="mythril", vulnerability=issue["title"], level=issue["type"],
uri=file_path_in_repo,
line=issue["lineno"], snippet=issue["code"] if "code" in issue.keys() else None,
logicalLocation=parseLogicalLocation(issue["function"],
kind="function"))
logicalLocation = parseLogicalLocation(name=issue["function"], kind="function")
if isNotDuplicateLogicalLocation(logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Mythril", version="0.4.25", rules=rulesList,
information_uri="https://mythx.io/",
full_description=MultiformatMessageString(
text="Mythril analyses EVM bytecode using symbolic analysis, taint analysis and control flow checking to detect a variety of security vulnerabilities.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=logicalLocationsList, results=resultsList)
return run
def parseSarif(self, smartcheck_output_results, file_path_in_repo):
resultsList = []
rulesList = []
artifact = parseArtifact(uri=file_path_in_repo)
for analysis in smartcheck_output_results["analysis"]:
rule = parseRule(tool="smartcheck", vulnerability=analysis["name"])
result = parseResult(tool="smartcheck", vulnerability=analysis["name"], level=analysis["severity"],
uri=file_path_in_repo,
line=analysis["line"], column=analysis["column"], snippet=analysis["content"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=smartcheck_output_results["contract"])
tool = Tool(driver=ToolComponent(name="SmartCheck", version="0.0.12", rules=rulesList,
information_uri="https://tool.smartdec.net/",
full_description=MultiformatMessageString(
text="Securify automatically checks for vulnerabilities and bad coding practices. It runs lexical and syntactical analysis on Solidity source code.")))
run = Run(tool=tool, artifacts=[artifact], logical_locations=[logicalLocation], results=resultsList)
return run
def parseSarifFromLiveJson(self, securify_output_results, file_path_in_repo):
resultsList = []
rulesList = []
for name, analysis in securify_output_results["analysis"].items():
for vuln, analysisResult in analysis["results"].items():
rule = parseRule(tool="securify", vulnerability=vuln)
# Extra loop to add unique rule to tool in sarif
for level, lines in analysisResult.items():
if not isinstance(lines, list):
continue
if len(lines) > 0:
rulesList.append(rule)
break
for level, lines in analysisResult.items():
if not isinstance(lines, list):
continue
for lineNumber in list(numpy.unique(lines)):
result = parseResult(tool="securify", vulnerability=vuln, level=level, uri=file_path_in_repo,
line=int(lineNumber)) # without int() lineNumber returns null??!
resultsList.append(result)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Securify", version="0.4.25", rules=rulesList,
information_uri="https://github.com/eth-sri/securify2",
full_description=MultiformatMessageString(
text="Securify uses formal verification, also relying on static analysis checks. Securify’s analysis consists of two steps. First, it symbolically analyzes the contract’s dependency graph to extract precise semantic information from the code. Then, it checks compliance and violation patterns that capture sufficient conditions for proving if a property holds or not.")))
run = Run(tool=tool, artifacts=[artifact], results=resultsList)
return run
def parseSarif(self, slither_output_results, file_path_in_repo):
rulesList = []
resultsList = []
for analysis in slither_output_results["analysis"]:
level = analysis["impact"]
message = analysis["description"]
locations = []
for element in analysis["elements"]:
location = Location(physical_location=PhysicalLocation(
artifact_location=ArtifactLocation(uri=file_path_in_repo),
region=Region(start_line=element["source_mapping"]["lines"][0],
end_line=element["source_mapping"]["lines"][-1])), logical_locations=[])
if "name" in element.keys():
if "type" in element.keys():
location.logical_locations.append(LogicalLocation(name=element["name"], kind=element["type"]))
if "target" in element.keys():
location.logical_locations.append(LogicalLocation(name=element["name"], kind=element["target"]))
if "expression" in element.keys():
location.physical_location.region.snippet = ArtifactContent(text=element["expression"])
if "contract" in element.keys():
location.logical_locations.append(
LogicalLocation(name=element["contract"]["name"], kind=element["contract"]["type"]))
locations.append(location)
result = parseResult(tool="slither", vulnerability=analysis["check"], level=level)
result.locations = locations
rule = parseRule(tool="slither", vulnerability=analysis["check"], full_description=message)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
resultsList.append(result)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(name="Slither", version="0.7.0", rules=rulesList,
information_uri="https://github.com/crytic/slither",
full_description=MultiformatMessageString(
text="Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors and prints visual information about contract details. Slither enables developers to find vulnerabilities, enhance their code comphrehension, and quickly prototype custom analyses.")))
run = Run(tool=tool, artifacts=[artifact], results=resultsList)
return run
def parseSarif(self, securify_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for name, analysis in securify_output_results["analysis"].items():
contractName = name.split(':')[1]
logicalLocation = parseLogicalLocation(name=contractName)
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
for vuln, analysisResult in analysis["results"].items():
rule = parseRule(tool="securify", vulnerability=vuln)
for level, lines in analysisResult.items():
for lineNumber in lines:
# GH1003 & SARIF1007: Every result must provide a 'region' that specifies its location with "startLine"
if lineNumber == -1:
continue
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
result = parseResult(tool="securify",
vulnerability=vuln,
level=level,
uri=file_path_in_repo,
line=lineNumber)
resultsList.append(result)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Securify",
version="0.4.25",
rules=rulesList,
information_uri="https://github.com/eth-sri/securify2",
full_description=MultiformatMessageString(
text=
"Securify uses formal verification, also relying on static analysis checks. Securify’s analysis consists of two steps. First, it symbolically analyzes the contract’s dependency graph to extract precise semantic information from the code. Then, it checks compliance and violation patterns that capture sufficient conditions for proving if a property holds or not."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, conkas_output_results, file_path_in_repo):
resultsList = []
rulesList = []
logicalLocationsList = []
for analysis_result in conkas_output_results["analysis"]:
rule = parseRule(tool="conkas",
vulnerability=analysis_result["vuln_type"])
logicalLocation = parseLogicalLocation(
analysis_result["maybe_in_function"], kind="function")
# GH1003 & SARIF1007: Every result must provide a 'region' that specifies its location with "startLine"
if analysis_result["line_number"] == '':
continue
result = parseResult(tool="conkas",
vulnerability=analysis_result["vuln_type"],
uri=file_path_in_repo,
line=int(analysis_result["line_number"]),
logicalLocation=logicalLocation)
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Conkas",
version="1.0.0",
rules=rulesList,
information_uri="https://github.com/nveloso/conkas",
full_description=MultiformatMessageString(
text=
"Conkas is based on symbolic execution, determines which inputs cause which program branches to execute, to find potential security vulnerabilities. Conkas uses rattle to lift bytecode to a high level representation."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, honeybadger_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in honeybadger_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="honeybadger",
vulnerability=result["message"])
result = parseResult(tool="honeybadger",
vulnerability=result["message"],
level="warning",
uri=file_path_in_repo,
line=result["line"],
column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(analysis["name"])
if logicalLocation is not None and isNotDuplicateLogicalLocation(
logicalLocation, logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="HoneyBadger",
version="1.8.16",
rules=rulesList,
information_uri="https://honeybadger.uni.lu/",
full_description=MultiformatMessageString(
text=
"An analysis tool to detect honeypots in Ethereum smart contracts"
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, oyente_output_results, file_path_in_repo):
resultsList = []
logicalLocationsList = []
rulesList = []
for analysis in oyente_output_results["analysis"]:
for result in analysis["errors"]:
rule = parseRule(tool="oyente",
vulnerability=result["message"])
result = parseResult(tool="oyente",
vulnerability=result["message"],
level=result["level"],
uri=file_path_in_repo,
line=result["line"],
column=result["column"])
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
logicalLocation = parseLogicalLocation(name=analysis["name"])
if isNotDuplicateLogicalLocation(logicalLocation,
logicalLocationsList):
logicalLocationsList.append(logicalLocation)
artifact = parseArtifact(uri=file_path_in_repo)
tool = Tool(driver=ToolComponent(
name="Oyente",
version="0.4.25",
rules=rulesList,
information_uri="https://oyente.tech/",
full_description=MultiformatMessageString(
text=
"Oyente runs on symbolic execution, determines which inputs cause which program branches to execute, to find potential security vulnerabilities. Oyente works directly with EVM bytecode without access high level representation and does not provide soundness nor completeness."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=logicalLocationsList,
results=resultsList)
return run
def parseSarif(self, solhint_output_results, file_path_in_repo):
resultsList = []
rulesList = []
for analysis in solhint_output_results["analysis"]:
rule = parseRule(tool="solhint",
vulnerability=analysis["type"],
full_description=analysis["message"])
result = parseResult(tool="solhint",
vulnerability=analysis["type"],
level=analysis["level"],
uri=file_path_in_repo,
line=int(analysis["line"]),
column=int(analysis["column"]))
resultsList.append(result)
if isNotDuplicateRule(rule, rulesList):
rulesList.append(rule)
artifact = parseArtifact(uri=file_path_in_repo)
logicalLocation = parseLogicalLocation(
name=solhint_output_results["contract"], kind="contract")
tool = Tool(driver=ToolComponent(
name="Solhint",
version="3.3.2",
rules=rulesList,
information_uri="https://protofire.github.io/solhint/",
full_description=MultiformatMessageString(
text=
"Open source project for linting solidity code. This project provide both security and style guide validations."
)))
run = Run(tool=tool,
artifacts=[artifact],
logical_locations=[logicalLocation],
results=resultsList)
return run
