@cleanunicorn/mythos, version 0.13.0 (latest) on npm: 4 maintainers, 34 published versions.
mythos

A CLI client for MythX

License: MIT

Installation

Install globally using:

$ npm -g install @cleanunicorn/mythos

Usage

Use it to scan Solidity source code with the MythX API.

You need to provide your MythX Ethereum address and password, either as environment variables or as command-line flags.

As an env variable:

$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract

Or as flags (flag values are visible to other local users in the process list and are recorded in shell history, so prefer the environment variables on shared machines):

$ mythos analyze ./contract.sol Contract \
  --mythxEthAddress=mythxEthAddress \
  --mythxPassword=mythxPassword

Example:

$ mythos analyze no-pragma.sol NoPragma

Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
 ›   Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
 ›   contract NoPragma {
 ›   ^ (Relevant source part starts here and spans across multiple lines).
 ›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done

UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3

Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25

Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:

no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------

==================================================

Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:

no-pragma.sol 1:0
--------------------------------------------------

--------------------------------------------------

==================================================

Done
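The report above is plain text, so a CI job that wraps mythos analyze has to parse it (or the issues-[uuid].json dump) before it can decide whether to fail the build. The following is an added example and not part of the mythos project: a small JavaScript parser for the report format shown above (the Title, Severity, Head, Description and Source code lines separated by rows of "=" characters), fed with that same report text embedded as a constant, plus a gate that yields a non-zero exit code when any issue reaches a chosen severity. The severity ranking, the threshold policy and the check that the "Report found N issues" header agrees with the parsed count are this example's own choices.

```javascript
// Added example, not part of the mythos project: parse the plain-text report that
// `mythos analyze` prints and turn it into a CI pass/fail decision. The report text
// is the one shown above, embedded so the example runs offline; the severity ranking
// and the threshold policy are this example's own.

const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3 };

const SAMPLE_REPORT = `Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25

Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:

no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------

==================================================

Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:

no-pragma.sol 1:0
--------------------------------------------------

--------------------------------------------------

==================================================

Done
`;

// Split on the "====" separator lines; every chunk with a Title line is one issue.
// Fields are single-line "Name: value" pairs, the location is a "file line:column"
// line and the snippet sits between two dashed lines (empty for SWC-103).
function parseReport(text) {
  const header = text.match(/^Report found (\d+) issues?$/m);
  const compiler = text.match(/^Selected compiler version: (\S+)$/m);
  const issues = [];
  for (const block of text.split(/^=+$/m)) {
    const title = block.match(/^Title: \((SWC-\d+)\) (.+)$/m);
    if (!title) continue; // the Meta header chunk and the trailing "Done" chunk
    const field = (name) => {
      const m = block.match(new RegExp(`^${name}: (.*)$`, 'm'));
      return m ? m[1].trim() : null;
    };
    const loc = block.match(/^(\S+) (\d+):(\d+)$/m);
    const snippet = block.match(/^-{5,}\n([\s\S]*?)\n-{5,}$/m);
    issues.push({
      swcId: title[1],
      title: title[2].trim(),
      severity: field('Severity'),
      head: field('Head'),
      description: field('Description'),
      file: loc ? loc[1] : null,
      line: loc ? Number(loc[2]) : null,
      column: loc ? Number(loc[3]) : null,
      snippet: snippet ? snippet[1].trim() : '',
    });
  }
  return {
    reportedCount: header ? Number(header[1]) : null,
    compilerVersion: compiler ? compiler[1] : null,
    issues,
  };
}

function severityRank(severity) {
  return SEVERITY_RANK[severity] || 0; // unknown severities never trip the gate
}

function highestSeverity(issues) {
  let best = null;
  for (const i of issues) if (severityRank(i.severity) > severityRank(best)) best = i.severity;
  return best;
}

// CI gate: 0 = clean, 1 = at least one issue at or above `threshold`, 2 = the
// "Report found N issues" header disagrees with the parsed count (a parse
// failure must not look like a clean run).
function exitCodeFor(report, threshold = 'High') {
  if (report.reportedCount !== null && report.reportedCount !== report.issues.length) return 2;
  const failing = report.issues.filter((i) => severityRank(i.severity) >= severityRank(threshold));
  return failing.length > 0 ? 1 : 0;
}

const demo = parseReport(SAMPLE_REPORT);
console.log(`${demo.issues.length} issues, highest ${highestSeverity(demo.issues)}, exit code ${exitCodeFor(demo)}`);
```

For automation the issues-[uuid].json file that mythos writes (the saved API response) is the more robust input, since the text layout may change between releases; the text parser is shown here because that format appears verbatim on this page.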

Basic usage

$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.13.0 linux-x64 node-v10.19.0
$ mythos --help [COMMAND]
USAGE
  $ mythos COMMAND
...

Commands

mythos analyze CONTRACTFILE CONTRACTNAME

Scan a smart contract with MythX API

USAGE
  $ mythos analyze CONTRACTFILE CONTRACTNAME

ARGUMENTS
  CONTRACTFILE  Contract file to scan
  CONTRACTNAME  Contract name

OPTIONS
  -h, --help                         show CLI help

  --analysisMode=analysisMode        [default: quick] Define the analysis mode when requesting a scan. Choose one from:
                                     quick, full.

  --mythxEthAddress=mythxEthAddress  (required)

  --mythxPassword=mythxPassword      (required)

  --solcVersion=solcVersion          Solidity version to use when compiling (example: 0.4.21). If none is specified it
                                     will try to identify the version from the source code.

  --timeout=timeout                  [default: 180] How many seconds to wait for the result

See code: src/commands/analyze.ts
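The --solcVersion fallback ("try to identify the version from the source code") means reading the pragma solidity statement and mapping it to a concrete compiler release. As an added example, not the project's own implementation, the JavaScript below does that mapping: it strips comments, extracts the first pragma, evaluates caret, tilde, comparison and "||" terms against a list of release tags, never selects a nightly build (compare the 0.10.2 changelog entry), and falls back to "latest" when the file has no pragma at all, which is the situation the SWC-103 finding above reports. The release list and the NoPragma sample contract are constructed for the example, and the operator semantics are this example's own reading of the pragma grammar, so check them against the solc documentation before relying on them.

```javascript
// Added example, not the project's own code: map a `pragma solidity` statement
// to a concrete compiler release, the job the --solcVersion fallback performs.
// Operator semantics below are this example's reading of the pragma grammar;
// the release list and the sample contract are constructed, not fetched.

const AVAILABLE_RELEASES = [
  '0.4.21', '0.4.24', '0.4.25', '0.4.26-nightly.2018.9.1',
  '0.5.0', '0.5.7', '0.5.17', '0.6.0', '0.6.12', '0.7.0-nightly.2020.6.1',
];

// Constructed sample shaped like the no-pragma.sol finding above: no pragma,
// and an unprotected selfdestruct at line 3, column 8.
const NO_PRAGMA_SOURCE = [
  'contract NoPragma {',
  '    function kill() public {',
  '        selfdestruct(msg.sender);',
  '    }',
  '}',
].join('\n');

function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(tag);
  if (!m) throw new Error(`not a version tag: ${tag}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison, so "0.4.2" can never match "0.4.25" by string prefix.
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// First `pragma solidity <expr>;` outside comments, or null when there is none.
function extractPragma(source) {
  const stripped = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
  const m = /^\s*pragma\s+solidity\s+([^;]+);/m.exec(stripped);
  return m ? m[1].trim() : null;
}

// One pragma term (e.g. "^0.5.7", ">=0.4.21", "0.4.25") as a predicate on a parsed
// version. Missing minor/patch components are treated as 0.
function comparator(term) {
  const m = /^(\^|~|>=|<=|>|<|=)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(term);
  if (!m) throw new Error(`unsupported pragma term: ${term}`);
  const lo = { major: +m[2], minor: +(m[3] || 0), patch: +(m[4] || 0) };
  const below = (hi) => (v) => compare(v, lo) >= 0 && compare(v, hi) < 0;
  switch (m[1] || '=') {
    case '^': // up to, but excluding, the next bump of the leftmost non-zero component
      if (lo.major > 0) return below({ major: lo.major + 1, minor: 0, patch: 0 });
      if (lo.minor > 0) return below({ major: 0, minor: lo.minor + 1, patch: 0 });
      return below({ major: 0, minor: 0, patch: lo.patch + 1 });
    case '~': return below({ major: lo.major, minor: lo.minor + 1, patch: 0 });
    case '>=': return (v) => compare(v, lo) >= 0;
    case '<=': return (v) => compare(v, lo) <= 0;
    case '>': return (v) => compare(v, lo) > 0;
    case '<': return (v) => compare(v, lo) < 0;
    default: return (v) => compare(v, lo) === 0;
  }
}

// "||" separates alternatives; whitespace inside an alternative means "and".
function satisfies(version, expr) {
  const v = typeof version === 'string' ? parseVersion(version) : version;
  return expr.split('||').some((alt) => {
    const terms = alt.match(/(?:\^|~|>=|<=|>|<|=)?\s*v?\d+(?:\.\d+)*/g) || [];
    return terms.length > 0 && terms.map(comparator).every((ok) => ok(v));
  });
}

// Highest stable release that satisfies the pragma; nightlies are never chosen.
function pickSolcVersion(expr, available = AVAILABLE_RELEASES) {
  let best = null;
  for (const tag of available) {
    const v = parseVersion(tag);
    if (v.pre !== null || !satisfies(v, expr)) continue;
    if (best === null || compare(v, best) > 0) best = v;
  }
  return best ? `${best.major}.${best.minor}.${best.patch}` : null;
}

// What the analyze command has to decide when --solcVersion is not given:
// a pinned release derived from the pragma, or "latest" when there is no pragma.
function solcVersionFor(source, available = AVAILABLE_RELEASES) {
  const expr = extractPragma(source);
  return expr === null ? 'latest' : pickSolcVersion(expr, available);
}

console.log(solcVersionFor('pragma solidity ^0.5.7;\ncontract A {}'), solcVersionFor(NO_PRAGMA_SOURCE));
```

A null result (no stable release satisfies the pragma) should be reported as an error rather than silently replaced by "latest", because compiling with a version the author excluded changes the bytecode that gets analyzed.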

mythos get-analysis UUID

Retrieve analysis results scanned with MythX API

USAGE
  $ mythos get-analysis UUID

ARGUMENTS
  UUID  UUID of the analysis whose results to retrieve

OPTIONS
  -h, --help                         show CLI help
  --mythxEthAddress=mythxEthAddress  (required)
  --mythxPassword=mythxPassword      (required)

See code: src/commands/get-analysis.ts

mythos help [COMMAND]

display help for mythos

USAGE
  $ mythos help [COMMAND]

ARGUMENTS
  COMMAND  command to show help for

OPTIONS
  --all  see all commands in CLI

See code: @oclif/plugin-help

Development

Before you start hacking away, make sure to install dependencies.

$ npm i

Add your tests, code and make sure tests work.

$ npm test

If you need to update the test golden files, set GENERATE_GOLDEN when running the tests.

$ GENERATE_GOLDEN=true npm test

Update the version field in package.json to the new number without a leading v (e.g. 0.12.3).

{
  "name": "@cleanunicorn/mythos",
  "description": "A CLI client for MythX",
  "version": "0.12.3",
...

Update the Changelog section in readme and add a description of what was changed.

* [0.12.3](https://github.com/cleanunicorn/mythos/releases/tag/v0.12.3)
  * Describe new functionality added.

And run oclif to update other sections of the readme.

$ npx oclif-dev readme

Tag your commit with the same version number preceded by a v (e.g. v0.12.3).

$ git add .
$ git commit -m "Describe new functionality added."
$ git tag v0.12.3

Finally publish the package.

$ npm publish --access public

Changelog

  • 0.13.0

    • Fixed compile compatibility with solc-js.
  • 0.12.4

    • Fix build process.
    • Add steps to help with development and publishing in readme.
  • 0.12.1

    • Fix version matching in some cases. Now the version must start with the version
  • 0.11.0

    • Update eslint-utils to 1.4.2 because of a security issue.
  • 0.10.5

    • Update lodash.template to 4.5.0 because of a security issue.
  • 0.10.4

    • Fix Microsoft Windows backslash path issue: a contract filename given as folder\file.sol is transformed to folder/file.sol.
    • Remove sample output.txt file from repo.
  • 0.10.3

    • Upgrade dependencies.
  • 0.10.2

    • Update tests.
    • Do not use nightly solidity version when compiling.
  • 0.10.1

    • Improve regex expression which matches for linked libs.
    • Slightly improve output.
  • 0.10.0

    • Add the newly required request parameter mainSource.
    • Display errors in a more consistent way.
  • 0.9.0

    • Update to new armlet version and to new API changes
  • 0.8.1

    • Fix off by one source mapping
  • 0.8.0

    • Fix file name when running get-analysis to save response as issues-${uuid}.json
    • Make compilation errors more obvious
    • Display more information from report: compiler version used, API versions, SWC-ID, report's UUID
    • Display clear error when incorrect contract name is specified
    • Display compilation warnings
  • 0.7.0

    • Send the AST when requesting an analysis
  • 0.6.0

    • Fix external lib import, it sends the library information to MythX
    • Dump issues in a file as issues-[uuid].json for easy manual inspection
  • 0.5.2

    • Setup automatic tests
  • 0.5.1

  • 0.5.0

    • Automatically import other files (thanks to @eswarasai).
    • Fix minor issue when picking Solidity version (thanks to @eswarasai).
    • Fix issue count (thanks to @tagomaru).
  • 0.4.1

    • Update npm dependencies
  • 0.4.0

    • Correctly pick solidity version when an interval is set (thanks to @nanspro).
    • Add get-analysis command to retrieve a scanned result (thanks to @tagomaru).
    • Fix displaying severity in output list.
  • 0.3.2

    • Display message on syntax error.
  • 0.3.1

    • Add Severity to output.
  • 0.3.0

    • Request different depths of analysis with --analysisMode, which can be full or quick.
    • Add changelog.
  • 0.2.0

    • Stable version, first release.

Package last updated on 08 Jul 2020
