Conversation
IMHO I don't think it's desirable to force a CI action to fail on the basis of the result of Slither since static analysis is known to give a fair amount of false positives. |
Thanks for sharing this, I had been looking in the wrong docs
I agree with this, adding |
RiccardoBiosas
left a comment
There was a problem hiding this comment.
Looks good overall and I really like that you paired it with codeQL!
Just a few things:
- can you also run slither with the
slither-check-upgradeabilityplugin? - I think it'd be best to have a separate github action for Slither rather than lumping everything together with the other tests
- [question] seems like codeQL action v1 will be EOL in december, so is worth to switch to v2 right away?
This actually already exists on the Slither step - the failure is a GitHub code scanning failure, so we'd have to manually dismiss the security results we'd like to ignore/create issues on the ones we'd like to address.
Yeah, the false positives can be a bit annoying. I think if we remove the failures altogether, we will start to ignore the results of slither. I'd advocate for a process of adding comments to manually opt out of Slither false positives, or manually dismissing the security results as "false positive". Otherwise this CI step will get ignored.
|
Ah yes sorry, just found out that it doesn't work as I expected.
I also think this would be an easy way forward. Once we address these alerts they will go away and for future contract updates I think it's nice to have explicit alerts even if they are FPs. The reviewer could address (or dismiss) these before merging. WDYT @RiccardoBiosas. |
Isn't it what the PR is already doing? The only issues that are dismissed by default are informational |
Yeah, I meant that it's fine only, the way it is, addressing your comment ⬇️
|
|
There are actual errors here we need to address - for instance, the unchecked transfer issues are something we should not dismiss. I can lump those changes into this PR. As far as the others are concerned, we may want to jump on a 10 min call to make sure we're okay with dismissing them permanently. WDYT @RiccardoBiosas @kautukkundan @yondonfu @red-0ne |
I tried using the upgradeable plugin, but it depends on following the OZ standards for upgradeable contracts:
https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable
I will address these! |
yes good idea, i think some of them should be added to the backlog anyway |
hjpotter92
left a comment
There was a problem hiding this comment.
left few notes to probably reduce build times and use cache to avoid package installations on each run :)
|
@hjpotter92 resolved those issues |
.github/workflows/analyze.yaml
Outdated
| restore-keys: | | ||
| ${{ runner.os }}-yarn- | ||
| - name: Install dependencies | ||
| run: | |
There was a problem hiding this comment.
you need to add if: steps.yarn-cache.outputs.cache-hit != 'true' as suggested in the commend from yarn-cache step above to avoid running this step entirely :)
There was a problem hiding this comment.
I actually think this caches the yarn cache directory, not the node_modules folder. So we'll still need to run yarn install and it will pull from the cache
There was a problem hiding this comment.
There was a problem hiding this comment.
thanks! i did not know that! and also about the caching done by the setup-node action!
What does this pull request do? Explain your changes. (required)
Adds Slither to CI with Github Code Scanning integration.
Specific updates (required)
CI updates + security analysis comments integration w/ GH
Slither has certain noisy configs ignored (for now)
How did you test each of these updates (required)
See below
Does this pull request close any open issues?
Fixes #567
Checklist:
yarn testpass