solhint
Advanced tools
Readme
This is an open source project for linting Solidity code. This project provide both Security and Style Guide validations.
For install project you need to execute next commands
npm install -g solhint
solhint -V
For linting Solidity files you need to execute next command
solhint *.sol **/*.sol <any_other_glob_pattern>
Solhint command description
Usage: solhint [options] <file> [...other_files]
Linter for Solidity programming language
Options:
-V, --version output the version number
-f, --formatter [name] report formatter name (stylish, table, tap, unix)
-h, --help output usage information
Commands:
stdin [options] put source code to stdin of this utility
init-config create sample solhint config in current folder
Configuration file has next format:
{
"extends": "default",
"rules": {
"avoid-throw": false,
"avoid-suicide": "error",
"avoid-sha3": "warn",
"indent": ["warn", 4]
}
}
Disable validation on next line
// solhint-disable-next-line
uint[] a;
Disable validation of fixed compiler version validation on next line
// solhint-disable-next-line compiler-fixed, compiler-gt-0_4
pragma solidity ^0.4.4;
Disable validation on current line
pragma solidity ^0.4.4; // solhint-disable-line
Disable validation of fixed compiler version validation on current line
pragma solidity ^0.4.4; // solhint-disable-line compiler-fixed, compiler-gt-0_4
Disable linter rules for code fragment
/* solhint-disable avoid-throw */
if (a > 1) {
throw;
}
/* solhint-enable avoid-throw */
Disable all linter rules for code fragment
/* solhint-disable */
if (a > 1) {
throw;
}
/* solhint-enable */
| Rule ID | Error |
|---|---|
| reentrancy | Possible reentrancy vulnerabilities. Avoid state changes after transfer. |
| avoid-sha3 | Use "keccak256" instead of deprecated "sha3" |
| avoid-suicide | Use "selfdestruct" instead of deprecated "suicide" |
| avoid-throw | "throw" is deprecated, avoid to use it |
| func-visibility | Explicitly mark visibility in function |
| state-visibility | Explicitly mark visibility of state |
| check-send-result | Check result of "send" call |
| avoid-call-value | Avoid to use ".call.value()()" |
| compiler-fixed | Compiler version must be fixed |
| compiler-gt-0_4 | Use at least '0.4' compiler version |
| no-complex-fallback | Fallback function must be simple |
| mark-callable-contracts | Explicitly mark all external contracts as trusted or untrusted |
| multiple-sends | Avoid multiple calls of "send" method in single transaction |
| no-simple-event-func-name | Event and function names must be different |
| avoid-tx-origin | Avoid to use tx.origin |
| no-inline-assembly | Avoid to use inline assembly. It is acceptable only in rare cases |
| not-rely-on-block-hash | Do not rely on "block.blockhash". Miners can influence its value. |
| avoid-low-level-calls | Avoid to use low level calls. |
* - All security rules implemented according ConsenSys Guide for Smart Contracts
| Rule ID | Error |
|---|---|
| func-name-mixedcase | Function name must be in camelCase |
| func-param-name-mixedcase | Function param name must be in mixedCase |
| var-name-mixedcase | Variable name must be in mixedCase |
| event-name-camelcase | Event name must be in CamelCase |
| const-name-snakecase | Constant name must be in capitalized SNAKE_CASE |
| modifier-name-mixedcase | Modifier name must be in mixedCase |
| contract-name-camelcase | Contract name must be in CamelCase |
| use-forbidden-name | Avoid to use letters 'I', 'l', 'O' as identifiers |
| visibility-modifier-order | Visibility modifier must be first in list of modifiers |
| imports-on-top | Import statements must be on top |
| two-lines-top-level-separator | Definition must be surrounded with two blank line indent |
| func-order | Function order is incorrect |
| quotes | Use double quotes for string literals |
| no-mix-tabs-and-spaces | Mixed tabs and spaces |
| indent | Indentation is incorrect |
| bracket-align | Open bracket must be on same line. It must be indented by other constructions by space |
| array-declaration-spaces | Array declaration must not contains spaces |
| separate-by-one-line-in-contract | Definitions inside contract / library must be separated by one line |
| expression-indent | Expression indentation is incorrect. |
| statement-indent | Statement indentation is incorrect. |
| space-after-comma | Comma must be separated from next element by space |
| no-spaces-before-semicolon | Semicolon must not have spaces before |
* - All style guide rules implemented according Solidity Style Guide
| Rule ID | Error |
|---|---|
| max-line-length | Line length must be no more than 120 but current length is 121. |
| payable-fallback | When fallback is not payable you will not be able to receive ethers |
| no-empty-blocks | Code contains empty block |
| no-unused-vars | Variable "name" is unused |
| function-max-lines | Function body contains "count" lines but allowed no more than "maxLines" lines |
| code-complexity | Function has cyclomatic complexity "current" but allowed no more than "max" |
| max-states-count | Contract has "curCount" states declarations but allowed no more than "max" |
Related documentation you may find there.
MIT
FAQs
Unknown package
We found that solhint demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.
Security News
Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.