fix aderyn false positives (#886)

Co-authored-by: raulk <[email protected]>
consensus-shipyard · May 6, 2024 · e4edf23 · e4edf23
1 parent 7af25c4
commit e4edf23
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/contracts/src/lib/SubnetIDHelper.sol b/contracts/src/lib/SubnetIDHelper.sol
@@ -42,7 +42,7 @@ library SubnetIDHelper {
     }
 
     function toString(SubnetID calldata subnet) public pure returns (string memory) {
-        string memory route = string(abi.encodePacked("/r", Strings.toString(subnet.root)));
+        string memory route = string.concat("/r", Strings.toString(subnet.root));
         uint256 subnetLength = subnet.route.length;
         for (uint256 i; i < subnetLength; ) {
             route = string.concat(route, "/");

diff --git a/contracts/test/helpers/FvmAddressHelper.sol b/contracts/test/helpers/FvmAddressHelper.sol
@@ -21,6 +21,6 @@ contract FvmAddressHelperTest is Test {
             converted[i * 2 + 1] = _base[uint8(buffer[i]) % _base.length];
         }
 
-        return string(abi.encodePacked("0x", converted));
+        return string.concat("0x", string(converted));
     }
 }
diff --git a/contracts/tools/check_aderyn.sh b/contracts/tools/check_aderyn.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -eu
+set -eux
 set -o pipefail
 
 # Path to the report file
@@ -11,6 +11,11 @@ SEVERITIES=(critical high medium)
 # List of vulnerability titles to ignore
 IGNORE_TITLES=("Centralization Risk for trusted owners")
 
+# Specific vulnerabilities to ignore with path and line number
+declare -A IGNORE_SPECIFIC
+IGNORE_SPECIFIC["src/lib/LibDiamond.sol:204:Unprotected initializer"]=1
+IGNORE_SPECIFIC["src/lib/LibDiamond.sol:203:Unprotected initializer"]=1
+
 containsElement() {
   local e match="$1"
   shift
@@ -21,7 +26,7 @@ containsElement() {
 # Read vulnerabilities from the report
 readVulnerabilities() {
   level="$1"
-  jq -c --argjson ignoreTitles "$(printf '%s\n' "${IGNORE_TITLES[@]}" | jq -R . | jq -s .)" ".${level}_issues.issues[] | select(.title as \$title | \$ignoreTitles | index(\$title) | not)" $REPORT_FILE
+  jq -c --argjson ignoreTitles "$(printf '%s\n' "${IGNORE_TITLES[@]}" | jq -R . | jq -s .)" ".${level}_issues.issues[] | select(.title as \$title | .instances[].contract_path as \$path | .instances[].line_no as \$line | \$ignoreTitles | index(\$title) | not)" $REPORT_FILE
 }
 
 # Main function to process the report
@@ -31,8 +36,16 @@ processReport() {
   for level in ${SEVERITIES[@]}; do
     while IFS= read -r vulnerability; do
       title=$(echo "$vulnerability" | jq -r ".title")
-      echo "Found $level vulnerability: $title"
-      hasVulnerabilities=1
+      path=$(echo "$vulnerability" | jq -r ".instances[].contract_path")
+      line=$(echo "$vulnerability" | jq -r ".instances[].line_no")
+      specificKey="${path}:${line}:${title}"
+
+      if [[ ${IGNORE_SPECIFIC[$specificKey]+_} ]]; then
+        echo "Ignoring specific vulnerability: $title at $path line $line"
+      else
+        echo "Found $level vulnerability: $title at $path line $line"
+        hasVulnerabilities=1
+      fi
     done < <(readVulnerabilities "$level")
   done