Adds Manticore tool analysis report #729
Signed-off-by: maciek.nabialek <[email protected]>
- there is a good introduction on what manticore is and what it does
- installation execution does not specify platform, I tried with M1 and compose is not able to run the image. Should I try on Linux?
- installation and execution instructions lack a step-by-step on how to accomplish static analysis and do not specify how to set my contract as an input for analysis.
- the PR specifies that the framework PR is requisite for this one, however, I merged both of them locally and it still didn't work.
- support notes taken from Manticore repository specify that it is no longer developed and maintained. However, it suggests that issues should be resolved, which does not seem to be feasible. Also, I would not recommend adding a tool that is no longer maintained or developed and that has this many issues.
### Custom detector investigation | ||
Manticore has no documented ways to introduce new detectors. It requires adding a new detector class to [detectors.py](https://github.com/trailofbits/manticore/blob/master/manticore/ethereum/detectors.py) file and importing it in cli.py (for command line interface analysis). | ||
## Recommendations and possible investments in the tool: | ||
* Issues encountered in the latest versions of the application should be resolved. |
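Review bot: the detectors.py link in the custom detector paragraph points at `blob/master`, so it will drift away from the Manticore version this report actually ran; link to the tag or commit of the version under analysis instead. Because the paragraph says a new detector means editing detectors.py and importing it in cli.py, it should also say how that modified source is meant to be built and kept, since that amounts to carrying a patched copy of the tool.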
As per support section, this project is no longer maintained, issues are unlikely to be resolved
@AlfredoG87 The usage of the archival manticore version is crucial for it to run correctly. The version included in the "docker-compose.yaml" file from this PR was tested on the M1 Host.
I've added usage instruction.
> executions may be found in [this file](sample_execution/execution_errors.md) | ||
|
||
### Custom detector investigation | ||
Manticore has no documented ways to introduce new detectors. It requires adding a new detector class to [detectors.py](https://github.com/trailofbits/manticore/blob/master/manticore/ethereum/detectors.py) file and importing it in cli.py (for command line interface analysis). |
Do we need to add custom detectors? If so, how can we add them if installation by PIP results in error?
tools/manticore-analysis/analysis.md
Outdated
- Installing by PIP results in [protobuf incorrect version error](sample_execution/execution_errors.md#pip-instalation) | ||
(described better here: https://github.com/trailofbits/manticore/issues/2600) | ||
- Build attempt with docker image version 3.7+ result in [attribute error](sample_execution/execution_errors.md#docker-v37-and-latest-) | ||
- Build attempt with docker image version 3.6 results in [tool custom exception](sample_execution/execution_errors.md#docker-v36) |
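Review bot: the PIP bullet names neither the Manticore version installed nor the protobuf version that was resolved, and leaves the detail to the external issue link; record both versions in the bullet itself so the failure can be reproduced without following the link. In the 3.7+ bullet, "result in" should read "results in" to match the 3.6 bullet.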
I don't think we should have this in installation execution, maybe as a side note, since it is not relevant for execution of the tool.
tools/manticore-analysis/analysis.md
Outdated
(described better here: https://github.com/trailofbits/manticore/issues/2600) | ||
- Build attempt with docker image version 3.7+ result in [attribute error](sample_execution/execution_errors.md#docker-v37-and-latest-) | ||
- Build attempt with docker image version 3.6 results in [tool custom exception](sample_execution/execution_errors.md#docker-v36) | ||
- Manticore may be built on docker image version 3.5. Execution example may be found [here](sample_execution/sample_execution.md), |
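Review bot: the last bullet gives the only working build as "docker image version 3.5" without the image name or full tag, and a tag on its own can be re-pushed with different contents. Since this is the one version reported to build, state the full image reference and pin it by digest wherever the image is pulled, so the analysis stays reproducible. The link text "here" would also be clearer as the file name it points to.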
Where is the sample execution.md located?
contract migration (Slither detector placed in this repository can be used to check for ecrecover usage in the contract to | ||
migrate). |
Are we talking about slither or manticore here?
What is the objective of adding manticore? I believe that the correct output should be a report that runs automatically on a CI for every PR, is this possible?
Replaced with: #740
Adds Manticore tool analysis report, and docker file.
Is dependent upon: https://github.com/hashgraph/hedera-smart-contracts/pull/726/files