Add static analysis action (#848)

* Add static analysis github action
setup python and install slither

* Add nvmrc file for setting node to v14.17

* Update slither command run to link missing contract packages from monorepo root

* Add steps for installing dependencies

* Add yarn build step to github action

* Enable colour in github action for static analysis

* Disable certain detectors

* Ensure slither does not fail build

* Add instructions on running static analysis to monorepo readme

.github/workflows/static-analysis.yml

@@ -0,0 +1,61 @@
+name: Static analysis
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+  workflow_dispatch:
+
+env:
+  PYTEST_ADDOPTS: "--color=yes"
+
+jobs:
+  slither:
+    name: Slither run
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Fetch history
+        run: git fetch
+
+      - name: Setup node
+        uses: actions/setup-node@v1
+        with:
+          node-version: '12.x'
+
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+
+      - uses: actions/cache@v2
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+
+      - name: Install Dependencies
+        # only install dependencies if there was a change in the deps
+        # if: steps.yarn-cache.outputs.cache-hit != 'true'
+        run: yarn install
+
+      - name: Build
+        run: yarn build
+
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+
+      - name: Install Slither
+        run: pip3 install slither-analyzer
+
+      - name: Run analysis
+        working-directory: ./packages/contracts
+        shell: bash
+        run: yarn test:slither
+        continue-on-error: true

.gitignore

@@ -14,6 +14,9 @@ cache-ovm
 l2geth/build/bin
 packages/contracts/deployments/custom
 packages/contracts/coverage*
+packages/contracts/@ens*
+packages/contracts/@openzeppelin*
+packages/contracts/hardhat*
 
 packages/data-transport-layer/db
 

.nvmrc

@@ -0,0 +1 @@
+14.17.0

README.md

@@ -23,14 +23,14 @@ Extensive documentation is available [here](http://community.optimism.io/docs/)
     * [`message-relayer`](./packages/message-relayer): Service for relaying L2 messages to L1
 * [`l2geth`](./l2geth): Fork of [go-ethereum v1.9.10](https://github.com/ethereum/go-ethereum/tree/v1.9.10) implementing the [OVM](https://research.paradigm.xyz/optimism#optimistic-geth).
 * [`integration-tests`](./integration-tests): Integration tests between a L1 testnet, `l2geth`,
-* [`ops`](./ops): Contains Dockerfiles for containerizing each service involved in the protocol, 
+* [`ops`](./ops): Contains Dockerfiles for containerizing each service involved in the protocol,
 as well as a docker-compose file for bringing up local testnets easily
 
 ## Quickstart
 
 ### Installation
 
-Dependency management is done using `yarn`. 
+Dependency management is done using `yarn`.
 
 ```bash
 git clone git@github.com:ethereum-optimism/optimism.git
@@ -67,7 +67,7 @@ you can run `yarn lerna run test --parallel --since master`
 #### Running the integration tests
 
 The integration tests first require bringing up the Optimism stack. This is done via
-a Docker Compose network. For better performance, we also recommend enabling Docker 
+a Docker Compose network. For better performance, we also recommend enabling Docker
 BuildKit
 
 ```bash
@@ -110,3 +110,11 @@ can be hard to filter through. In order to view the logs from a specific service
 ```
 docker-compose logs --follow <service name>
 ```
+### Static analysis
+
+To run `slither` locally in `./packages/contracts` do
+
+```
+pip3 install slither-analyzer
+yarn test:slither
+```

packages/contracts/package.json

@@ -32,6 +32,9 @@
     "test:contracts": "hardhat test --show-stack-traces",
     "test:gas": "hardhat test \"test/contracts/OVM/execution/OVM_StateManager.gas-spec.ts\" --no-compile --show-stack-traces",
     "test:coverage": "NODE_OPTIONS=--max_old_space_size=8192 hardhat coverage",
+    "test:slither": "slither .",
+    "pretest:slither": "rm -f @openzeppelin && rm -f @ens && rm -f hardhat && ln -s ../../node_modules/@openzeppelin @openzeppelin && ln -s ../../node_modules/@ens @ens && ln -s ../../node_modules/hardhat hardhat",
+    "posttest:slither": "rm -f @openzeppelin && rm -f @ens && rm -f hardhat",
     "lint": "yarn lint:fix && yarn lint:check",
     "lint:fix": "yarn run lint:fix:typescript",
     "lint:fix:typescript": "prettier --config .prettierrc.json --write \"hardhat.config.ts\" \"{src,test}/**/*.ts\"",

packages/contracts/slither.config.json

@@ -0,0 +1,12 @@
+{
+  "detectors_to_exclude": "conformance-to-solidity-naming-conventions,assembly-usage,low-level-calls,block-timestamp",
+  "exclude_informational": false,
+  "exclude_low": false,
+  "exclude_medium": false,
+  "exclude_high": false,
+  "solc_disable_warnings": false,
+  "hardhat_ignore_compile": true,
+  "disable_color": false,
+  "exclude_dependencies": true,
+  "filter_paths": "@openzeppelin|hardhat|contracts/test-helpers|contracts/test-libraries"
+}