truffle-plus-analyze
NOTE: unless you have a Mythril API key, the analyze function added here
will not work. In other words, for most people this package cannot be used
right now.
Check back in January, though, for more general-use availability. However,
this package will ultimately be part of truffle, so it will ultimately
disappear.
This npm package patches truffle,
truffle-core specifically, to
add an "analyze" command which can be used to perform security analysis.
The security analysis is performed by the Mythril Platform.
Installing
$ npm -g install truffle-plus-analyze # may need sudo
Using
Set up environment variables
For now you need to have some shell environment variables set up.
In a POSIX shell:
$ export MYTHRIL_API_KEY=the-key-provided-by-the-mythril-team
$ export MYTHRIL_API_URL='http://staging.api.mythril.ai:3100'
$ export EMAIL=test@example.com
The value of MYTHRIL_API_KEY
is provided by the Mythril team.
Right now these are given out on an extremely-limited basis.
$ mkdir mycontract
$ cd mycontract
$ truffle-analyze init
[ write some contracts, build them ]
$ truffle+analyze compile
$ truffle+analyze analyze
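A preflight check for the environment variables above, as an added example that is not part of this package: it catches an unset variable or the README's placeholder key before `truffle+analyze analyze` is run, and flags a plain-http MYTHRIL_API_URL such as the staging one shown above, on the assumption that the API key is sent to that URL. The function name `check_mythril_env` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of truffle-plus-analyze): validate the three
# environment variables this README asks for before running an analysis.
#
# check_mythril_env returns (codes chosen for this example):
#   0  all variables set, MYTHRIL_API_URL uses https
#   1  a variable is missing, still a placeholder, or malformed
#   2  all variables set, but MYTHRIL_API_URL is plain http
check_mythril_env() {
    _missing=0
    for _name in MYTHRIL_API_KEY MYTHRIL_API_URL EMAIL; do
        # _name only ever holds one of the three fixed names above
        eval "_value=\${$_name:-}"
        if [ -z "$_value" ]; then
            echo "missing: $_name" >&2
            _missing=1
        fi
    done
    [ "$_missing" -eq 0 ] || return 1

    # The README's example value is a placeholder, not a usable key.
    if [ "$MYTHRIL_API_KEY" = "the-key-provided-by-the-mythril-team" ]; then
        echo "MYTHRIL_API_KEY is still the README placeholder" >&2
        return 1
    fi

    case "$EMAIL" in
        ?*@?*) ;;
        *) echo "EMAIL does not look like an address" >&2; return 1 ;;
    esac

    case "$MYTHRIL_API_URL" in
        https://?*) return 0 ;;
        http://?*)
            # Assumption: the key is sent to this URL, so http exposes it.
            echo "warning: MYTHRIL_API_URL is plain http; requests to it are unencrypted" >&2
            return 2 ;;
        *)
            echo "MYTHRIL_API_URL must start with http:// or https://" >&2
            return 1 ;;
    esac
}

# Usage: check_mythril_env && truffle+analyze analyze
```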
Patch building
The following was done to create the patch found in the patches
directory:
$ npm install
$
$
$ npx patch-package truffle-core
$ git add patches/*
$ git commit -m"new patch added..."
npm package patching of truffle-core is done via
patch-package.
The patches are not expected to change much, other than possibly
changing the "analyze" help text. The bulk of the code to run
"analyze" is found in the truffle-analyze
package.