{"id":16741527,"url":"https://github.com/duaraghav8/solium-plugin-security","last_synced_at":"2025-05-07T10:43:24.252Z","repository":{"id":57365974,"uuid":"108829207","full_name":"duaraghav8/solium-plugin-security","owner":"duaraghav8","description":"The Official Security Plugin for Ethlint (formerly Solium)","archived":false,"fork":false,"pushed_at":"2023-04-19T09:22:05.000Z","size":253,"stargazers_count":44,"open_issues_count":5,"forks_count":12,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-20T09:18:25.202Z","etag":null,"topics":["ethereum","linter","security","smart-contracts","solidity","solium","soliumplugin"],"latest_commit_sha":null,"homepage":"http://npmjs.com/package/solium-plugin-security","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duaraghav8.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-10-30T09:29:47.000Z","updated_at":"2022-06-22T11:15:07.000Z","dependencies_parsed_at":"2024-06-18T14:05:24.879Z","dependency_job_id":"2b827d92-ac95-4514-8b9e-b249b061db4d","html_url":"https://github.com/duaraghav8/solium-plugin-security","commit_stats":{"total_commits":97,"total_committers":10,"mean_commits":9.7,"dds":0.5360824742268041,"last_synced_commit":"16cd8d86f568b1e8ef9cb9d97683ad8d77ec6c8e"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duaraghav8%2Fsolium-plugin-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duaraghav8%2Fsoli
um-plugin-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duaraghav8%2Fsolium-plugin-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duaraghav8%2Fsolium-plugin-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duaraghav8","download_url":"https://codeload.github.com/duaraghav8/solium-plugin-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252862305,"owners_count":21815834,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ethereum","linter","security","smart-contracts","solidity","solium","soliumplugin"],"created_at":"2024-10-13T01:03:09.761Z","updated_at":"2025-05-07T10:43:24.222Z","avatar_url":"https://github.com/duaraghav8.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# The official Security Plugin for Ethlint (formerly Solium)\n\n[![Build Status](https://travis-ci.org/duaraghav8/solium-plugin-security.svg?branch=master)](https://travis-ci.org/duaraghav8/solium-plugin-security)\n\nThis Plugin provides security-focused lint rules for [Ethlint](https://github.com/duaraghav8/Ethlint) (formerly Solium).\n\nThe rules have been taken from Consensys' [Recommended Smart Contract Practices](https://consensys.github.io/smart-contract-best-practices/recommendations/) and Solium's [Rule Wishlist](https://github.com/duaraghav8/Solium/issues/44).\n\n## Installation\n**NOTE:** If you're using Solium `v1.0.1` or above, this plugin comes 
pre-installed as a local dependency and you can skip this section.\n\n`npm install -g solium-plugin-security`\n\n## Usage\n**NOTE:** If you've installed Solium `v1.0.1` or above and created `.soliumrc.json` using `solium --init`, you can skip this step since Solium automatically applies the security plugin for you.\n\nAdd `security` to the `plugins` array of your `.soliumrc.json`. Your configuration file should look like:\n\n```json\n{\n    \"extends\": \"solium:all\",\n    \"plugins\": [\"security\"],\n    \"rules\": {\n        ...\n    }\n}\n```\n\n## List of rules\nBelow are the rules supplied by this plugin, the options each one accepts (with their defaults), and whether it can auto-fix what it reports.\n\nSome of them are not always desirable and are therefore disabled by default (marked below as `DISABLED`). You should explicitly enable them in your `.soliumrc.json`.\n\n| Name                                 | Description                                                                                      | Options                           | Defaults                             | Fixes | Default Setting |\n|--------------------------------------|--------------------------------------------------------------------------------------------------|-----------------------------------|--------------------------------------|-------|-----------------|\n| no-throw                             | Discourage use of the `throw` statement for error flagging                                       |                                   |                                      | YES   | `ENABLED`       |\n| no-tx-origin                         | Discourage use of the `tx.origin` global variable                                                |                                   |                                      |       | `ENABLED`       |\n| enforce-explicit-visibility          | Encourage explicitly specifying the visibility of every function                                 |
   |                                      | YES   | `ENABLED`       |\n| no-block-members                     | Discourage use of members `blockhash` \u0026 `timestamp` (and alias `now`) of `block` global variable | List of members to warn against   | [\"blockhash\", \"timestamp\"]           |       | `ENABLED`       |\n| no-call-value                        | Discourage use of `.call.value()()`                                                              |                                   |                                      |       | `ENABLED`       |\n| no-assign-params                     | Disallow assigning to function parameters                                                        |                                   |                                      |       | `ENABLED`       |\n| no-fixed                             | Disallow fixed point types                                                                       |                                   |                                      |       | `ENABLED`       |\n| no-inline-assembly                   | Discourage use of inline assembly                                                                |                                   |                                      |       | `ENABLED`       |\n| no-low-level-calls                   | Discourage the use of low-level functions - call(), callcode() \u0026 delegatecall()                  | List of functions to warn against | [\"call\", \"callcode\", \"delegatecall\"] |       | `ENABLED`       |\n| no-modify-for-iter-var               | Discourage modifying a for-loop iteration counter inside the loop body                           |                                   |                                      |       | `ENABLED`       |\n| no-send                              | Discourage the use of the unsafe method `send()`                                                 |                                   |                                      |
      | `ENABLED`       |\n| no-sha3                              | Encourage use of `keccak256()` over the `sha3()` function                                        |                                   |                                      | YES   | `ENABLED`       |\n| no-unreachable-code                  | Disallow unreachable code                                                                        |                                   |                                      |       | `ENABLED`       |\n| check-send-result                    | Enforce checking the boolean result of a `send()` call                                           |                                   |                                      |       | `ENABLED`       |\n| else-after-elseif                    | Encourage an `else` branch after an `else if` chain                                              |                                   |                                      |       | `DISABLED`      |\n| enforce-loop-bounds                  | Encourage use of loops with fixed bounds                                                         |                                   |                                      |       | `DISABLED`      |\n| enforce-placeholder-last             | Enforce that the `_;` placeholder is the last statement in a modifier                            |                                   |                                      |       | `DISABLED`      |\n| return-at-end                        | Discourage use of early returns in functions                                                     |                                   |                                      |       | `DISABLED`      |\n| one-break-per-loop                   | Discourage use of multiple breaks in while/for/do loops                                          |                                   |                                      |       | `DISABLED`      |\n| max-statements-in-func             
  | Enforce upper limit on number of statements inside a function                                    | Maximum number of statements      | 25                                   |       | `DISABLED`      |\n| no-abstract-func                     | Discourage use of abstract functions                                                             |                                   |                                      |       | `DISABLED`      |\n| no-bit-operations                    | Disallow bitwise operations                                                                      |                                   |                                      |       | `DISABLED`      |\n| no-continue                          | Discourage use of `continue` statement                                                           |                                   |                                      |       | `DISABLED`      |\n| no-inheritance                       | Discourage use of inheritance                                                                    | Disallow interface inheritance    | { \"no-interface\": false }            |       | `DISABLED`      |\n| no-multiple-inheritance              | Discourage use of multiple inheritance                                                           | Disallow interface inheritance    | { \"no-interface\": false }            |       | `DISABLED`      |\n| no-named-params                      | Disallow named function parameters                                                               |                                   |                                      |       | `DISABLED`      |\n| no-named-returns                     | Discourage use of named returns in functions                                                     |                                   |                                      |       | `DISABLED`      |\n| 256-bit-ints-only                    | Disallow non-256 bit integers                           
                                         |                                   |                                      |       | `DISABLED`      |\n| no-suicide-or-selfdestruct           | Disallow `suicide` and `selfdestruct`                                                            |                                   |                                      |       | `DISABLED`      |\n| no-var                               | Disallow type deduction via `var`                                                                |                                   |                                      |       | `DISABLED`      |\n| no-user-defined-modifiers            | Disallow user-defined modifiers                                                                  |                                   |                                      |       | `DISABLED`      |\n| no-void-returns                      | Discourage use of void returns in function prototypes                                            |                                   |                                      |       | `DISABLED`      |\n| no-func-overriding                   | Discourage function overriding                                                                   |                                   |                                      |       | `DISABLED`      |\n\nAn example `.soliumrc.json` configuring and applying this plugin is:\n\n```json\n{\n    \"plugins\": [\"security\"],\n    \"rules\": {\n        \"some-other-solium-rule\": 1,\n        \"security/no-low-level-calls\": [\"error\", [\"call\", \"delegatecall\"]],\n        \"security/no-block-members\": [1, [\"timestamp\"]],\n        \"security/no-throw\": \"off\"\n    }\n}\n```\nThis tells Solium to apply the three `security/` rules with the severity and options given (`1` or `\"warning\"` reports a warning, `2` or `\"error\"` an error, `0` or `\"off\"` disables the rule; the second array element is the rule's options) and to apply the remaining rules of the plugin with their default configurations. 
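\n\nThe following pair of contracts is an added illustration and is not part of this plugin, its test suite, or Ethlint: the first version contains the constructs that the enabled-by-default rules above are described as flagging (each marked in a comment with the rule name whose description matches it), the second is the same logic rewritten so that those rules have nothing to report. It targets Solidity `^0.4.24`, the compiler line current when these rules were written; `throw` and `sha3` were removed in Solidity 0.5.0, so the first contract will not compile on newer compilers. The contract and function names are made up for the example, and the exact messages Solium prints are not reproduced here.

```solidity
pragma solidity ^0.4.24;

// Before: a vault that trips the default-on security/ rules (constructed example).
contract LeakyVault {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() public {
        owner = msg.sender;
    }

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        if (balances[msg.sender] < amount) throw;      // security/no-throw
        msg.sender.send(amount);                       // security/no-send, security/check-send-result (result ignored)
        balances[msg.sender] -= amount;                // state updated only after the external call
    }

    function sweep(address to) public {
        if (tx.origin != owner) throw;                 // security/no-tx-origin (phishable auth), security/no-throw
        to.call.value(address(this).balance)();        // security/no-call-value, also security/no-low-level-calls
    }

    function commitment(bytes32 secret) public view returns (bytes32) {
        return sha3(secret, now);                      // security/no-sha3, security/no-block-members (alias now)
    }
}

// After: the same behaviour with every flagged construct replaced.
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner);   // msg.sender, not tx.origin: a contract the owner calls cannot act as the owner
        _;                              // placeholder last, as security/enforce-placeholder-last asks for
    }

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount);       // require() instead of throw
        balances[msg.sender] -= amount;                // effects before the interaction
        msg.sender.transfer(amount);                   // transfer() reverts on failure, so nothing is left unchecked
    }

    function sweep(address to) public onlyOwner {
        to.transfer(address(this).balance);            // no raw .call.value()()
    }

    function commitment(bytes32 secret, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(secret, nonce));   // keccak256 over a caller-supplied nonce, no block.timestamp
    }
}
```

Put both files under `contracts/` and lint them with the configuration above using `solium -d contracts/`. Of the rules the first contract trips, only `no-throw` and `no-sha3` are marked as auto-fixable in the table, so `solium -d contracts/ --fix` would rewrite those two constructs and leave the `tx.origin`, `send()`, `.call.value()()` and `now` findings for a manual change such as the one shown in the second contract.\n\n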
If you want to disable a plugin rule, you have to explicitly disable it inside `rules` (as `security/no-throw` is above), because every plugin rule marked `ENABLED` is on as soon as the plugin is loaded.\n\nLint normally using `solium -d contracts/`, or `solium -d contracts/ --fix` to apply fixes as well. Note that `--fix` rewrites the source files in place, so run it on a clean working tree and review the resulting diff before committing.\n\n## Developer Setup\n- `git clone \u003cURL-of-this-repo\u003e`\n- `cd solium-plugin-security`\n- `npm install --dev`\n- `npm link`\n- `npm link solium-plugin-security`\n- `npm test`\n\nIf you'd also like to use your development build of this plugin with a development build of Solium, go to Solium's directory and run `npm link solium-plugin-security`. This will let Solium access your modified plugin instead of its pre-installed security module.\n\nSee [developing a plugin](https://ethlint.readthedocs.io/en/latest/developer-guide.html#developing-a-plugin).\n\n## Known Issues\n1. When installing the linter from the `ethlint` NPM package, you might see the following warning:\n```\nnpm WARN solium-plugin-security@0.1.1 requires a peer of solium@^1.0.0 but none is installed. You must install peer dependencies yourself.\n```\n\nYou can safely ignore this warning.\n\nSolium was recently [renamed](https://medium.com/solium/renaming-solium-to-ethlint-18b3cf043d15) to Ethlint and the linter is available for download from both the `solium` and `ethlint` NPM packages. Ethlint ships with this security plugin. The plugin's `peerDependencies` entry names only the `solium` package, so npm warns when the linter was installed under the `ethlint` name.\n\nThere is currently no way in NPM to *allow any one of the specified packages to satisfy a peer dependency*, so we can't specify `solium OR ethlint`. We also cannot change `solium` to `ethlint` in `peerDependencies` because it is a potential breaking change. 
See the [original issue](https://github.com/duaraghav8/solium-plugin-security/issues/33).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduaraghav8%2Fsolium-plugin-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduaraghav8%2Fsolium-plugin-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduaraghav8%2Fsolium-plugin-security/lists"}