Add static analysis action (#848)

* Add static analysis github action setup python and install slither * Add nvmrc file for setting node to v14.17 * Update slither command run to link missing contract packages from monorepo root * Add steps for installing dependencies * Add yarn build step to github action * Enable colour in github action for static analysis * Disable certain detectors * Ensure slither does not fail build * Add instructions on running static analysis to monorepo readme

Add static analysis action (#848)
* Add static analysis github action setup python and install slither * Add nvmrc file for setting node to v14.17 * Update slither command run to link missing contract packages from monorepo root * Add steps for installing dependencies * Add yarn build step to github action * Enable colour in github action for static analysis * Disable certain detectors * Ensure slither does not fail build * Add instructions on running static analysis to monorepo readme
11a9296f · Elena Gesheva · GitHub · a64f8161 · 11a9296f · 11a9296f
Commit 11a9296f authored May 31, 2021 by Elena Gesheva Committed by GitHub May 31, 2021
6 changed files
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
+name: Static analysis
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+  workflow_dispatch:
+env:
+  PYTEST_ADDOPTS: "--color=yes"
+jobs:
+  slither:
+    name: Slither run
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Fetch history
+        run: git fetch
+      - name: Setup node
+        uses: actions/setup-node@v1
+        with:
+          node-version: '12.x'
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - uses: actions/cache@v2
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install Dependencies
+        # only install dependencies if there was a change in the deps
+        # if: steps.yarn-cache.outputs.cache-hit != 'true'
+        run: yarn install
+      - name: Build
+        run: yarn build
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+      - name: Install Slither
+        run: pip3 install slither-analyzer
+      - name: Run analysis
+        working-directory: ./packages/contracts
+        shell: bash
+        run: yarn test:slither
+        continue-on-error: true
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,9 @@ cache-ovm
 l2geth/build/bin
 packages/contracts/deployments/custom
 packages/contracts/coverage*
+packages/contracts/@ens*
+packages/contracts/@openzeppelin*
+packages/contracts/hardhat*
 packages/data-transport-layer/db

--- a/.nvmrc
+++ b/.nvmrc
+14.17.0
--- a/README.md
+++ b/README.md
@@ -23,14 +23,14 @@ Extensive documentation is available [here](http://community.optimism.io/docs/)
    * [`message-relayer`](./packages/message-relayer): Service for relaying L2 messages to L1
 * [`l2geth`](./l2geth): Fork of [go-ethereum v1.9.10](https://github.com/ethereum/go-ethereum/tree/v1.9.10) implementing the [OVM](https://research.paradigm.xyz/optimism#optimistic-geth).
 * [`integration-tests`](./integration-tests): Integration tests between a L1 testnet, `l2geth`,
-* [`ops`](./ops): Contains Dockerfiles for containerizing each service involved in the protocol, 
+* [`ops`](./ops): Contains Dockerfiles for containerizing each service involved in the protocol,
 as well as a docker-compose file for bringing up local testnets easily
 ## Quickstart
 ### Installation
-Dependency management is done using `yarn`. 
+Dependency management is done using `yarn`.
 ```bash
 git clone git@github.com:ethereum-optimism/optimism.git
@@ -67,7 +67,7 @@ you can run `yarn lerna run test --parallel --since master`
 #### Running the integration tests
 The integration tests first require bringing up the Optimism stack. This is done via
-a Docker Compose network. For better performance, we also recommend enabling Docker 
+a Docker Compose network. For better performance, we also recommend enabling Docker
 BuildKit
 ```bash
@@ -110,3 +110,11 @@ can be hard to filter through. In order to view the logs from a specific service
 ```
 docker-compose logs --follow <service name>
 ```
+### Static analysis
+To run `slither` locally in `./packages/contracts` do
+```
+pip3 install slither-analyzer
+yarn test:slither
+```
--- a/packages/contracts/package.json
+++ b/packages/contracts/package.json
@@ -32,6 +32,9 @@
    "test:contracts": "hardhat test --show-stack-traces",
    "test:gas": "hardhat test \"test/contracts/OVM/execution/OVM_StateManager.gas-spec.ts\" --no-compile --show-stack-traces",
    "test:coverage": "NODE_OPTIONS=--max_old_space_size=8192 hardhat coverage",
+    "test:slither": "slither .",
+    "pretest:slither": "rm -f @openzeppelin && rm -f @ens && rm -f hardhat && ln -s ../../node_modules/@openzeppelin @openzeppelin && ln -s ../../node_modules/@ens @ens && ln -s ../../node_modules/hardhat hardhat",
+    "posttest:slither": "rm -f @openzeppelin && rm -f @ens && rm -f hardhat",
    "lint": "yarn lint:fix && yarn lint:check",
    "lint:fix": "yarn run lint:fix:typescript",
    "lint:fix:typescript": "prettier --config .prettierrc.json --write \"hardhat.config.ts\" \"{src,test}/**/*.ts\"",

--- a/packages/contracts/slither.config.json
+++ b/packages/contracts/slither.config.json
+{
+  "detectors_to_exclude": "conformance-to-solidity-naming-conventions,assembly-usage,low-level-calls,block-timestamp",
+  "exclude_informational": false,
+  "exclude_low": false,
+  "exclude_medium": false,
+  "exclude_high": false,
+  "solc_disable_warnings": false,
+  "hardhat_ignore_compile": true,
+  "disable_color": false,
+  "exclude_dependencies": true,
+  "filter_paths": "@openzeppelin|hardhat|contracts/test-helpers|contracts/test-libraries"
+}