fix(ci): aderyn target. (#1073)

consensus-shipyard · Jul 16, 2024 · 2bccfb4 · 2bccfb4
1 parent d9cc781
commit 2bccfb4
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 43 deletions.
diff --git a/.github/workflows/contracts-sast.yaml b/.github/workflows/contracts-sast.yaml
@@ -41,8 +41,19 @@ jobs:
       - name: Install aderyn
         run: cargo install aderyn
 
+      - name: Make deps
+        run: cd contracts && make deps
+
+      # We need a normal npm install because pnpm hoists node_modules and creates symlinks.
+      # Aderyn performs local compilation calling solc directly. Solc requires the target of symlinks to be whitelisted
+      # in allowed-paths. Unfortunately, Aderyn doesn't support passing in allowed-paths, nor does it pick them up from
+      # Foundry config. I also wasn't able to mimic a standard node_modules layout with pnpm, after trying various
+      # hoisting and linking settings. So we bite the bullet and perform an ordinary npm install to make Aderyn happy.
+      - name: Force an ordinary npm install
+        run: cd contracts && rm -rf node_modules && npm install
+
       - name: Run aderyn
-        run: cd contracts && make deps && aderyn ./ -o report.json
+        run: aderyn ./ -o report.json
 
       - name: Check results
         run: cd contracts && ./tools/check_aderyn.sh

diff --git a/contracts/foundry.toml b/contracts/foundry.toml
@@ -15,6 +15,7 @@ memory_limit =  2147483648 # 2GB
 remappings = [
     "murky/=lib/murky/src/",
 ]
+allow_paths = ["../node_modules"]
 
 [fuzz]
 runs = 512

diff --git a/contracts/tools/check_aderyn.sh b/contracts/tools/check_aderyn.sh
@@ -1,57 +1,61 @@
-#!/usr/bin/env bash
-set -eux
-set -o pipefail
+#!/bin/sh
+set -eu
 
 # Path to the report file
 REPORT_FILE="./report.json"
 
 # List of severities that make us fail
-SEVERITIES=(critical high medium)
-
-# List of vulnerability titles to ignore
-IGNORE_TITLES=("Centralization Risk for trusted owners")
-
-# Specific vulnerabilities to ignore with path and line number
-declare -A IGNORE_SPECIFIC
-IGNORE_SPECIFIC["src/lib/LibDiamond.sol:204:Unprotected initializer"]=1
-IGNORE_SPECIFIC["src/lib/LibDiamond.sol:203:Unprotected initializer"]=1
+SEVERITIES="critical high medium"
+
+# Function to check if a vulnerability title should be ignored
+ignore_title() {
+    case "$1" in
+        "Centralization Risk for trusted owners") return 0 ;;
+        # Add more titles to ignore here, one per line
+        *) return 1 ;;
+    esac
+}
 
-containsElement() {
-  local e match="$1"
-  shift
-  for e; do [[ "$e" == "$match" ]] && return 0; done
-  return 1
+# Function to check if a specific vulnerability should be ignored
+ignore_specific() {
+    case "$1" in
+        "src/lib/LibDiamond.sol:204:Unprotected initializer") return 0 ;;
+        "src/lib/LibDiamond.sol:203:Unprotected initializer") return 0 ;;
+        *) return 1 ;;
+    esac
 }
 
 # Read vulnerabilities from the report
-readVulnerabilities() {
-  level="$1"
-  jq -c --argjson ignoreTitles "$(printf '%s\n' "${IGNORE_TITLES[@]}" | jq -R . | jq -s .)" ".${level}_issues.issues[] | select(.title as \$title | .instances[].contract_path as \$path | .instances[].line_no as \$line | \$ignoreTitles | index(\$title) | not)" $REPORT_FILE
+read_vulnerabilities() {
+    level="$1"
+    jq -c ".${level}_issues.issues[]? // empty" "$REPORT_FILE"
 }
 
 # Main function to process the report
-processReport() {
-  local hasVulnerabilities=0
-
-  for level in ${SEVERITIES[@]}; do
-    while IFS= read -r vulnerability; do
-      title=$(echo "$vulnerability" | jq -r ".title")
-      path=$(echo "$vulnerability" | jq -r ".instances[].contract_path")
-      line=$(echo "$vulnerability" | jq -r ".instances[].line_no")
-      specificKey="${path}:${line}:${title}"
-
-      if [[ ${IGNORE_SPECIFIC[$specificKey]+_} ]]; then
-        echo "Ignoring specific vulnerability: $title at $path line $line"
-      else
-        echo "Found $level vulnerability: $title at $path line $line"
-        hasVulnerabilities=1
-      fi
-    done < <(readVulnerabilities "$level")
-  done
-
-  return $hasVulnerabilities
+process_report() {
+    has_vulnerabilities=0
+
+    for level in $SEVERITIES; do
+        read_vulnerabilities "$level" | while IFS= read -r vulnerability; do
+            title=$(printf '%s' "$vulnerability" | jq -r ".title")
+            path=$(printf '%s' "$vulnerability" | jq -r ".instances[].contract_path")
+            line=$(printf '%s' "$vulnerability" | jq -r ".instances[].line_no")
+            specific_key="${path}:${line}:${title}"
+
+            if ignore_specific "$specific_key"; then
+                printf "Ignoring specific vulnerability: %s at %s line %s\n" "$title" "$path" "$line"
+            elif ignore_title "$title"; then
+                printf "Ignoring vulnerability by title: %s at %s line %s\n" "$title" "$path" "$line"
+            else
+                printf "Found %s vulnerability: %s at %s line %s\n" "$level" "$title" "$path" "$line"
+                has_vulnerabilities=1
+            fi
+        done
+    done
+
+    return $has_vulnerabilities
 }
 
-# Process the report and exit with the code returned by processReport
-processReport
+# Process the report and exit with the code returned by process_report
+process_report
 exit $?