This is an open source project for linting Solidity code. It provides both Security and Style Guide validations.
To install the project, run the following commands:
    npm install -g solhint
    solhint -V
To lint Solidity files, run the following command:
    solhint *.sol **/*.sol <any_other_glob_pattern>
Solhint command description
    Usage: solhint [options] <file> [...other_files]
    Linter for Solidity programming language
    Options:
      -V, --version           output the version number
      -f, --formatter [name]  report formatter name (stylish, table, tap, unix)
      -h, --help              output usage information
    Commands:
      stdin [options]         put source code to stdin of this utility
      init-config             create sample solhint config in current folder
The configuration file has the following format:
    {
      "extends": "default",
      "rules": {
        "avoid-throw": false,
        "avoid-suicide": "error",
        "avoid-sha3": "warn",
        "indent": ["warn", 4]
      }
    }
Disable validation on the next line:
    // solhint-disable-next-line
    uint[] a;
Disable the fixed compiler version validation on the next line:
    // solhint-disable-next-line compiler-fixed, compiler-gt-0_4
    pragma solidity ^0.4.4;
Disable validation on the current line:
    pragma solidity ^0.4.4; // solhint-disable-line
Disable the fixed compiler version validation on the current line:
    pragma solidity ^0.4.4; // solhint-disable-line compiler-fixed, compiler-gt-0_4
Disable specific linter rules for a code fragment:
    /* solhint-disable avoid-throw */
    if (a > 1) {
        throw;
    }
    /* solhint-enable avoid-throw */
Disable all linter rules for a code fragment:
    /* solhint-disable */
    if (a > 1) {
        throw;
    }
    /* solhint-enable */
Rule ID | Error |
---|---|
reentrancy | Possible reentrancy vulnerabilities. Avoid state changes after transfer. |
avoid-sha3 | Use "keccak256" instead of deprecated "sha3" |
avoid-suicide | Use "selfdestruct" instead of deprecated "suicide" |
avoid-throw | "throw" is deprecated, avoid to use it |
func-visibility | Explicitly mark visibility in function |
state-visibility | Explicitly mark visibility of state |
check-send-result | Check result of "send" call |
avoid-call-value | Avoid to use ".call.value()()" |
compiler-fixed | Compiler version must be fixed |
compiler-gt-0_4 | Use at least '0.4' compiler version |
no-complex-fallback | Fallback function must be simple |
mark-callable-contracts | Explicitly mark all external contracts as trusted or untrusted |
multiple-sends | Avoid multiple calls of "send" method in single transaction |
no-simple-event-func-name | Event and function names must be different |
avoid-tx-origin | Avoid to use tx.origin |
no-inline-assembly | Avoid to use inline assembly. It is acceptable only in rare cases |
not-rely-on-block-hash | Do not rely on "block.blockhash". Miners can influence its value. |
avoid-low-level-calls | Avoid to use low level calls. |
* - All security rules are implemented according to the ConsenSys Guide for Smart Contracts
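The inline directives described earlier can silence any of the security rules in this table, so it is worth auditing where a codebase does so. The following Node.js script is an added example, not part of solhint: it scans Solidity source for `solhint-disable*` comments and reports blanket suppressions, suppressed security rules, and disable blocks that are never re-enabled. The name `auditSuppressions`, the sample contract, and the treatment of a bare `solhint-enable` as closing every open block are assumptions of this example.

```javascript
// Security rule IDs, copied from the rule table above.
const SECURITY_RULES = new Set([
  'reentrancy', 'avoid-sha3', 'avoid-suicide', 'avoid-throw', 'func-visibility',
  'state-visibility', 'check-send-result', 'avoid-call-value', 'compiler-fixed',
  'compiler-gt-0_4', 'no-complex-fallback', 'mark-callable-contracts',
  'multiple-sends', 'no-simple-event-func-name', 'avoid-tx-origin',
  'no-inline-assembly', 'not-rely-on-block-hash', 'avoid-low-level-calls',
]);
// The directive forms shown on this page, inside // or /* */ comments.
const DIRECTIVE = /(?:\/\/|\/\*)\s*solhint-(disable-next-line|disable-line|disable|enable)\b([^*\n]*)/;

function auditSuppressions(source) {
  const findings = [];
  const open = new Map(); // rule, or '*' for all rules -> line that opened the block
  source.split(/\r?\n/).forEach((text, i) => {
    const m = DIRECTIVE.exec(text);
    if (!m) return;
    const line = i + 1, kind = m[1];
    const rules = m[2].split(',').map((r) => r.trim()).filter(Boolean);
    if (kind === 'enable') {
      // Assumption: a bare solhint-enable closes every open disable block.
      if (rules.length === 0) open.clear();
      else rules.forEach((r) => open.delete(r));
      return;
    }
    if (rules.length === 0) findings.push({ line, kind, rule: '*', reason: 'all rules suppressed' });
    rules.filter((r) => SECURITY_RULES.has(r)).forEach((rule) =>
      findings.push({ line, kind, rule, reason: 'security rule suppressed' }));
    if (kind === 'disable') (rules.length ? rules : ['*']).forEach((r) => open.set(r, line));
  });
  // A disable block that is never re-enabled stays in force to the end of the file.
  for (const [rule, line] of open) {
    if (rule === '*' || SECURITY_RULES.has(rule)) {
      findings.push({ line, kind: 'unclosed', rule, reason: 'disable block never re-enabled' });
    }
  }
  return findings;
}
// Constructed sample input, not taken from a real project.
const SAMPLE = `pragma solidity ^0.4.4; // solhint-disable-line compiler-fixed, compiler-gt-0_4
contract C {
    // solhint-disable-next-line
    uint[] a;
    /* solhint-disable avoid-throw */
    function f() { if (a.length > 1) { throw; } }
    /* solhint-enable avoid-throw */
    /* solhint-disable indent, avoid-tx-origin */
}`;
console.log(auditSuppressions(SAMPLE));
```

Style-only suppressions such as `indent` are ignored on purpose, so the report stays limited to directives that can hide a security finding.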
Rule ID | Error |
---|---|
func-name-mixedcase | Function name must be in camelCase |
func-param-name-mixedcase | Function param name must be in mixedCase |
var-name-mixedcase | Variable name must be in mixedCase |
event-name-camelcase | Event name must be in CamelCase |
const-name-snakecase | Constant name must be in SNAKE_CASE |
modifier-name-mixedcase | Modifier name must be in mixedCase |
contract-name-camelcase | Contract name must be in CamelCase |
use-forbidden-name | Avoid to use letters 'I', 'l', 'O' as identifiers |
visibility-modifier-order | Visibility modifier must be first in list of modifiers |
imports-on-top | Import statements must be on top |
two-lines-top-level-separator | Definition must be surrounded with two blank line indent |
func-order | Function order is incorrect |
quotes | Use double quotes for string literals |
no-mix-tabs-and-spaces | Mixed tabs and spaces |
indent | Indentation is incorrect |
bracket-align | Open bracket must be on same line. It must be indented by other constructions by space |
array-declaration-spaces | Array declaration must not contains spaces |
separate-by-one-line-in-contract | Definitions inside contract / library must be separated by one line |
expression-indent | Expression indentation is incorrect. |
statement-indent | Statement indentation is incorrect. |
space-after-comma | Comma must be separated from next element by space |
no-spaces-before-semicolon | Semicolon must not have spaces before |
* - All style guide rules are implemented according to the Solidity Style Guide
Rule ID | Error |
---|---|
max-line-length | Line length must be no more than 120 but current length is 121. |
payable-fallback | When fallback is not payable you will not be able to receive ethers |
no-empty-blocks | Code contains empty block |
no-unused-vars | Variable "name" is unused |
function-max-lines | Function body contains "count" lines but allowed no more than "maxLines" lines |
code-complexity | Function has cyclomatic complexity "current" but allowed no more than "max" |
max-states-count | Contract has "curCount" states declarations but allowed no more than "max" |
You can find related documentation there.
MIT