contract analisys

Author: mpetrunic

Dockerfile

@@ -1,12 +1,17 @@
 FROM node:carbon-alpine
 
+RUN apk add --update  git build-base libgit2-dev make python curl-dev g++  && \
+  rm -rf /tmp/* /var/cache/apk/*
+
+RUN ln -s /usr/lib/libcurl.so.4 /usr/lib/libcurl-gnutls.so.4
+
 WORKDIR /usr/app
 
 # Install node dependencies - done in a separate step so Docker can cache it.
 COPY yarn.lock .
 COPY package.json .
 
-RUN yarn install --frozen-lockfile && yarn cache clean
+RUN BUILD_ONLY=true yarn install --frozen-lockfile && yarn cache clean
 
 COPY . .
 

package.json

@@ -15,7 +15,7 @@
     "migrate": "npm run compile && sequelize --config sequelizecli.js db:migrate",
     "prebuild": "npm run clean && npm run init",
     "build": "tsc --sourceMap false --outDir dist --copyFiles",
-    "compile": "tsc",
+    "compile": "tsc  --sourceMap",
     "pretest": "npm run compile && npm run lint",
     "test": "tape \"test/**/*.js\" | tap-spec",
     "coverage": "nyc --reporter=text --all --include \"src/**/*.js\" npm test",
@@ -38,19 +38,23 @@
     "helmet": "^3.13.0",
     "joi": "^13.5.2",
     "morgan": "^1.9.0",
+    "nodegit": "^0.24.2",
     "nodemon": "^1.17.4",
     "pg": "^7.4.3",
     "pug": "^2.0.3",
     "reflect-metadata": "^0.1.12",
+    "remix-lib": "^0.4.5",
     "sequelize": "^4.38.0",
     "sequelize-typescript": "^0.6.6",
+    "solc": "^0.5.7",
     "umzug": "^2.1.0",
     "winston": "^3.0.0"
   },
   "devDependencies": {
     "@types/express": "^4.16.0",
     "@types/isomorphic-fetch": "^0.0.35",
     "@types/node": "^11.13.6",
+    "@types/nodegit": "^0.24.6",
     "@types/supertest": "^2.0.5",
     "@types/tape": "^4.2.32",
     "coveralls": "^3.0.3",

src/Services/GitMythXConfig.ts

@@ -0,0 +1,10 @@
+export interface IGitMythXConfig {
+    solidityVersion: string;
+    contracts: IContractConfig[];
+}
+
+interface IContractConfig {
+    name: string;
+    // relative to giithub repo root
+    path: string;
+}

src/Services/GitRepo.ts

@@ -0,0 +1,67 @@
+import {file} from "babel-types";
+import * as fs from "fs";
+import {Clone, Repository} from "nodegit";
+import os from "os";
+import path from "path";
+import rimraf from "rimraf";
+import {IGitMythXConfig} from "./GitMythXConfig";
+import logger from "./Logger";
+
+export class GitRepo {
+
+    private repo: Repository;
+
+    public constructor(
+        private readonly ownerId: number,
+        private readonly fullRepoName: string,
+        private readonly repository: string,
+        private readonly branch: string,
+        private readonly ref: string,
+        private readonly installationToken: string) {
+
+    }
+
+    public async clone(): Promise<GitRepo> {
+        const repoDir = path.join(os.tmpdir(), `${this.repository}-${this.ref}`);
+        this.deleteDirectory(repoDir);
+        this.repo = await Clone.clone(
+          `https://x-access-token:${this.installationToken}@github.com/${this.fullRepoName}.git`,
+            repoDir,
+            {
+                checkoutBranch: this.branch,
+            },
+        );
+        const commit = await this.repo.getCommit(this.ref);
+        await this.repo.setHeadDetached(commit.id());
+        return this;
+    }
+
+    public getDirectory(): string {
+        return this.repo.workdir();
+    }
+
+    public getMythXConfigFile(): IGitMythXConfig {
+        const rawData = this.getFile("./gitmythx.json");
+        if (!rawData) { return null; }
+        return JSON.parse(rawData);
+    }
+
+    public getFile(filePath: string): string {
+        filePath = path.join(this.repo.workdir(), filePath);
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        return  fs.readFileSync(filePath, "utf-8");
+    }
+
+    public getOwner(): string {
+        return this.ownerId.toString(10);
+    }
+
+    private deleteDirectory(dir: string): void {
+        try {
+            rimraf.sync(dir);
+        } catch (ignored) {}
+    }
+
+}

src/Services/Github/GithubAppService.ts

@@ -1,4 +1,7 @@
 import Octokit from "@octokit/rest";
+import {GitRepo} from "../GitRepo";
+import logger from "../Logger";
+import {Analysis} from "../MythX/Analysis";
 import githubAppInstallationService from "./GithubAppInstallationService";
 import {CheckRunConclusion, CheckRunStatus, GithubEvent} from "./types";
 
@@ -19,11 +22,34 @@ export default class GithubAppService {
     }
 
     public async initiateCheckRun(payload: GithubEvent): Promise<boolean> {
+        logger.info(
+            `Seting check run status to "started" for
+            checkrun ${payload.check_run.id} (${payload.repository.full_name})`,
+        );
         await this.setCheckStartedStatus(payload);
-
-        // TODO: run analisys
-
-        await this.setCheckCompletedStatus(payload, CheckRunConclusion.SUCCESS);
+        try {
+            logger.info("Fetching installation token...");
+            const installationToken = await githubAppInstallationService.getInstallationToken(
+                payload.repository.owner.login,
+                payload.repository.name,
+            );
+            const repo = new GitRepo(
+                payload.repository.owner.id,
+                payload.repository.full_name,
+                payload.repository.name,
+                payload.check_run.head_branch,
+                payload.check_run.head_sha,
+                installationToken,
+            );
+            logger.info(`Cloning ${payload.repository.full_name}#${payload.check_run.head_sha}`);
+            await repo.clone();
+            const analysis = new Analysis(repo);
+            await analysis.run();
+            await this.setCheckCompletedStatus(payload, CheckRunConclusion.SUCCESS);
+        } catch (e) {
+            logger.error(e.message);
+            await this.setCheckCompletedStatus(payload, CheckRunConclusion.FAILURE);
+        }
         return true;
     }
 

src/Services/Github/types.ts

@@ -38,6 +38,7 @@ interface CheckRun extends Check {
 }
 
 interface Owner {
+    id: number;
     login: string;
 }
 

src/Services/MythX/Analysis.ts

@@ -0,0 +1,185 @@
+import * as armlet from "armlet";
+import * as path from "path";
+import User from "../../Models/User";
+import {IGitMythXConfig} from "../GitMythXConfig";
+import {GitRepo} from "../GitRepo";
+import logger from "../Logger";
+import {SolidityUtils} from "../SolidityUtils";
+import {AnalysisReport} from "./AnalysisReport";
+
+export class Analysis {
+
+    private readonly config: IGitMythXConfig;
+
+    constructor(private readonly repo: GitRepo) {
+        this.config = repo.getMythXConfigFile();
+    }
+
+    public async run(): Promise<AnalysisReport[] | AnalysisReport> {
+        if (!this.config) {
+            logger.error("Missing gitmythx.json config in repo");
+            return new AnalysisReport(
+                false,
+                "Missing gitmythx.json config in repo",
+            );
+        }
+        return await Promise.all(
+          this.config.contracts.map((contractConfig) => {
+            return this.runAnalyses(contractConfig.name, this.repo.getFile(contractConfig.path));
+          }),
+        );
+
+    }
+
+    private async runAnalyses(contractFilePath: string, contractSource: string): Promise<AnalysisReport> {
+        const contractFileName = path.basename(contractFilePath);
+        const solcInput = {
+            language: "Solidity",
+            sources: {
+                [contractFileName]: {
+                    content: contractSource,
+                },
+            },
+            settings: {
+                outputSelection: {
+                    "*": {
+                        "*": ["*"],
+                        "": ["ast"],
+                    },
+                },
+                optimizer: {
+                    enabled: true,
+                    runs: 200,
+                },
+            },
+        };
+        logger.info("Processing contract import paths");
+        const importPaths = SolidityUtils.getImportPaths(contractSource);
+        let sourceList = {};
+        importPaths.forEach((importPath) => {
+            const newSourceList = SolidityUtils.parseImports(path.dirname(contractFilePath), importPath, false);
+            sourceList = {
+                ...sourceList,
+                ...newSourceList,
+            };
+        });
+        solcInput.sources = {
+            ...solcInput.sources,
+            ...sourceList,
+        };
+        const mythxSourceList = Object.keys(sourceList);
+        mythxSourceList.push(contractFileName);
+        const compiled =  await SolidityUtils.compile(solcInput, this.config.solidityVersion);
+        if (!compiled.contracts || !Object.keys(compiled.contracts).length) {
+            if (compiled.errors) {
+                for (const compiledError of compiled.errors) {
+                    logger.error(compiledError.formattedMessage);
+                }
+            }
+            return new AnalysisReport(
+                false,
+                "Failed to compšile contracts",
+            );
+        }
+
+        const inputfile = compiled.contracts[contractFileName];
+        let contract;
+        let contractName;
+
+        if (inputfile.length === 0) {
+            logger.error("✖ No contracts found");
+            return new AnalysisReport(
+                false,
+                "✖ No contracts found",
+            );
+        } else if (inputfile.length === 1) {
+            contractName = Object.keys(inputfile)[0];
+            contract = inputfile[contractName];
+        } else {
+
+            /*
+             * Get the contract with largest bytecode object to generate MythX analysis report.
+             * If inheritance is used, the main contract is the largest as it contains the bytecode of all others.
+            */
+
+            const bytecodes = {};
+
+            for (const key in inputfile) {
+                if (inputfile.hasOwnProperty(key)) {
+                    bytecodes[inputfile[key].evm.bytecode.object.length] = key;
+                }
+            }
+
+            const largestBytecodeKey = Object.keys(bytecodes).reverse()[0];
+            contractName = bytecodes[largestBytecodeKey];
+            contract = inputfile[contractName];
+        }
+
+        /* Bytecode would be empty if contract is only an interface */
+
+        if (!contract.evm.bytecode.object) {
+            logger.error(
+                "✖ Compiling the Solidity code did not return any bytecode." +
+                " Note that abstract contracts cannot be analyzed.",
+            );
+            return new AnalysisReport(
+                false,
+                "✖ Compiling the Solidity code did not return any bytecode." +
+                " Note that abstract contracts cannot be analyzed.");
+        }
+
+        /* Format data for MythX API */
+        logger.info("Formatting mythx request...");
+        const data = {
+            contractName,
+            bytecode: SolidityUtils.replaceLinkedLibs(contract.evm.bytecode.object),
+            sourceMap: contract.evm.deployedBytecode.sourceMap,
+            deployedBytecode: SolidityUtils.replaceLinkedLibs(contract.evm.deployedBytecode.object),
+            deployedSourceMap: contract.evm.deployedBytecode.sourceMap,
+            mythxSourceList,
+            analysisMode: "quick",
+            sources: {},
+            mainSource: contractFileName,
+        } as any;
+
+        // tslint:disable-next-line:forin
+        for (const key in solcInput.sources) {
+            data.sources[key] = { source: solcInput.sources[key].content };
+        }
+        logger.info(`Fetching mythx credentials for user ${this.repo.getOwner()}`);
+        const mythxUser = await User.findOne({ where: { id: this.repo.getOwner() }});
+        if (!mythxUser) {
+            logger.error(`Missing mythx credentials for user ${this.repo.getOwner()}`);
+            return new AnalysisReport(false, `Missing mythx credentials for user ${this.repo.getOwner()}`);
+        }
+        const client = new armlet.Client({
+            ethAddress: "0x",
+            password: "sample",
+        });
+        client.accessToken = mythxUser.accessToken;
+        client.refreshToken = mythxUser.refreshToken;
+        logger.info("Submitting contracts to mythx analysis");
+        try {
+            const result = await client.analyzeWithStatus({
+                data,
+                timeout: 300000,
+                clientToolName: "GitMythX",
+            });
+
+            /* Add `solidity_file_path` to display the result in the ESLint format with the provided input path */
+            data.filePath = contractFilePath;
+
+            /* Add all the imported contracts source code to the `data` to sourcemap the issue location */
+            data.sources = { ...solcInput.sources };
+            logger.info("Creating analysis report...");
+            const report = new AnalysisReport(true, "", data, result);
+            logger.info("Created report!");
+            logger.info(JSON.stringify(report));
+            return report;
+        } catch (e) {
+            logger.error(e.message);
+        }
+
+    }
+
+}