https://github.com/bitfancy/rust-analyzer
- Host: GitHub
- URL: https://github.com/bitfancy/rust-analyzer
- Owner: BitFancy
- License: agpl-3.0
- Created: 2024-02-19T21:20:31.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-19T21:24:14.000Z (about 2 years ago)
- Last Synced: 2025-02-15T20:54:18.569Z (about 1 year ago)
- Language: Rust
- Size: 424 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# sway-analyzer
A security-focused static analyzer for Sway written in Rust. The tool uses the existing [`sway-ast`](https://github.com/FuelLabs/sway/tree/master/sway-ast) and [`sway-parse`](https://github.com/FuelLabs/sway/tree/master/sway-parse) crates to parse Sway source code into its abstract syntax tree (AST). A recursive AST visitor is implemented on top of this, which walks the AST structures top-down in a context-sensitive manner. Detectors implement their logic on top of the AST visitor by inspecting the values contained in specific parts of the AST structures.
## Requirements
The `sway-analyzer` binary requires the Rust compiler and its package manager, cargo.
See the [Rust Install](https://www.rust-lang.org/tools/install) page for installation options.
## Installation
The `sway-analyzer` binary can be installed using the following command:
```bash
cargo install sway-analyzer
```
The `sway-analyzer` binary can be uninstalled using the following command:
```bash
cargo uninstall sway-analyzer
```
## Usage
`sway-analyzer [OPTIONS]`
| Flags | |
|-|-|
| `-h`, `--help` | Prints help information |
| `-V`, `--version` | Prints version information |

| Options | |
|-|-|
| `--detectors ...` | The specific detectors to utilize. (Optional; leave unused to run all detectors) |
| `--directory ` | The path to the Forc project directory. (Optional) |
| `--display-format ` | The display format of the report. Can be "Text" or "Json". (Default = Text) |
| `--files ...` | The paths to the Sway source files. (Optional) |
| `--sorting ` | The order to sort report entries by. Can be "Line" or "Severity". (Default = Line) |
## Detectors
| Color | Severity |
|-|-|
| 🔴 | High |
| 🟡 | Medium |
| 🟢 | Low |

| | Name | Description |
|-|-|-|
| 🔴 | [`arbitrary_asset_transfer`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#arbitrary-asset-transfer) | Checks for functions that transfer native assets to an arbitrary address without access restriction. |
| 🔴 | [`arbitrary_code_execution`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#arbitrary-code-execution) | Checks for functions that make use of the `LDC` assembly instruction without access restriction. |
| 🟢 | [`boolean_comparison`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#boolean-comparison) | Checks if an expression contains a comparison with a boolean literal, which is unnecessary. |
| 🔴 | [`discarded_assignment`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#discarded-assignment) | Checks for variables that are assigned to without being utilized. |
| 🟢 | [`division_before_multiplication`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#division-before-multiplication) | Checks for division operations before multiplications, which can result in value truncation. |
| 🟢 | [`explicit_return_statement`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#explicit-return-statement) | Checks for functions that end with explicit `return` statements, which is unnecessary. |
| 🟡 | [`external_call_in_loop`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#external-call-in-loop) | Checks if any functions contain loops which perform calls to external functions. |
| 🟡 | [`inline_assembly_usage`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#inline-assembly-usage) | Checks functions for inline assembly usage. |
| 🟢 | [`large_literal`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#large-literal) | Checks for expressions that contain large literal values, which may be difficult to read or may be interpreted incorrectly. |
| 🔴 | [`locked_native_asset`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#locked-native-asset) | Checks if a contract can withdraw potential incoming native assets. |
| 🟢 | [`magic_number`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#magic-number) | Checks for expressions that contain irregular numerical constants that can be introduced as named constants. |
| 🟡 | [`manipulatable_balance_usage`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#manipulatable-balance-usage) | Checks if any functions contain balance usage which can potentially be manipulated. |
| 🟡 | [`missing_logs`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#missing-logs) | Checks for publicly-accessible functions that make changes to storage variables without emitting logs. |
| 🟡 | [`msg_amount_in_loop`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#msg-amount-in-loop) | Checks for calls to `std::context::msg_amount()` or `std::registers::balance()` inside a while loop. In most cases, the result of the call should be stored in a local variable and decremented over each loop iteration. |
| 🟢 | [`non_zero_identity_validation`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#non-zero-identity-validation) | Checks whether functions with `Identity`, `Address` and `ContractId` parameters validate them against a zero value. |
| 🔴 | [`potential_infinite_loop`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#potential-infinite-loop) | Checks for potentially infinite loops. |
| 🟡 | [`redundant_comparison`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#redundant-comparison) | Checks for functions that make redundant comparisons. |
| 🟡 | [`redundant_storage_access`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#redundant-storage-access) | Checks for redundant calls to `storage.x.read()` and `storage.x.write(x)`. |
| 🟢 | [`storage_field_mutability`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#storage-field-mutability) | Checks for any storage fields that can be refactored into constants or configurable fields. |
| 🔴 | [`storage_not_updated`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#storage-not-updated) | Checks for local variables that are read from storage, then modified without being written back to storage. |
| 🟢 | [`storage_read_in_loop_condition`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#storage-read-in-loop-condition) | Checks for loops that contain a storage read in their condition, which can increase gas costs for each iteration. |
| 🔴 | [`strict_equality`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#strict-equality) | Checks for the use of strict equalities, which can be manipulated by an attacker. |
| 🟢 | [`unchecked_call_payload`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#unchecked-call-payload) | Checks for functions that supply a `raw_ptr` argument to the `CALL` assembly instruction, or a `Bytes` argument without checking its length. |
| 🔴 | [`unprotected_initialization`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#unprotected-initialization) | Checks for initializer functions that can be called without requirements. |
| 🔴 | [`unprotected_storage_variable`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#unprotected-storage-variable) | Checks for functions that make changes to storage variables without access restriction. |
| 🟡 | [`unsafe_timestamp_usage`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#unsafe-timestamp-usage) | Checks for dependence on `std::block::timestamp` or `std::block::timestamp_of_block`, which can be manipulated by an attacker. |
| 🟢 | [`unused_import`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#unused-import) | Checks for imported symbols that are not used. |
| 🟡 | [`weak_prng`](https://github.com/camden-smallwood/sway-analyzer/wiki/Detectors#weak-prng) | Checks for weak PRNG due to a modulo operation on a block timestamp. |
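As an added example (not sway-analyzer's own code, and not using the real `sway-ast` types), the following Rust sketch shows the visitor-plus-detector design described in the introduction, with a detector that mirrors `division_before_multiplication` from the table above. `Expr`, `bin`, `walk`, `contains_division` and `eval` are assumed stand-ins for the real AST and visitor.

```rust
/// Stand-in for sway-ast expression nodes (assumed shape, not the real crate).
enum Expr {
    Lit(u64),
    Var(&'static str),
    Bin { op: char, lhs: Box<Expr>, rhs: Box<Expr>, line: usize },
}

fn bin(op: char, lhs: Expr, rhs: Expr, line: usize) -> Expr {
    Expr::Bin { op, lhs: Box::new(lhs), rhs: Box::new(rhs), line }
}

/// Top-down recursive visitor: the detector hook sees a node before its children.
fn walk(expr: &Expr, visit: &mut dyn FnMut(&Expr)) {
    visit(expr);
    if let Expr::Bin { lhs, rhs, .. } = expr { walk(lhs, visit); walk(rhs, visit); }
}

/// True if any node in the subtree is an integer division.
fn contains_division(e: &Expr) -> bool {
    matches!(e, Expr::Bin { op: '/', .. })
        || matches!(e, Expr::Bin { lhs, rhs, .. } if contains_division(lhs) || contains_division(rhs))
}

/// Mirrors `division_before_multiplication`: a multiply fed by an integer division,
/// `(a / b) * c`, truncates before the multiply, whereas `(a * c) / b` does not.
fn division_before_multiplication(root: &Expr) -> Vec<String> {
    let mut findings = Vec::new();
    walk(root, &mut |e| {
        if let Expr::Bin { op: '*', lhs, rhs, line } = e {
            if contains_division(lhs) || contains_division(rhs) {
                findings.push(format!("L{line}: division before multiplication"));
            }
        }
    });
    findings
}

/// Integer evaluation with `amount` and `rate` bound, to show the truncation the detector targets.
fn eval(e: &Expr, amount: u64, rate: u64) -> u64 {
    match e {
        Expr::Lit(v) => *v,
        Expr::Var(n) => if *n == "amount" { amount } else { rate },
        Expr::Bin { op, lhs, rhs, .. } => {
            let (l, r) = (eval(lhs, amount, rate), eval(rhs, amount, rate));
            if *op == '*' { l * r } else { l / r }
        }
    }
}
```

Built with `bin`, the constructed tree for `(amount / 100) * rate` is reported once while `(amount * rate) / 100` is not; with `amount = 7` and `rate = 50`, `eval` returns 0 for the first and 3 for the second, which is exactly the truncation the detector exists to catch.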