@snovon/solast 0.2.0

package/dist/detectors/zksync-simulation-drift.js

@@ -0,0 +1,309 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ZkSyncSimulationDriftDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'zksync-simulation-drift';
+const MSG_SENDER_PATTERN = `${RULE_ID}/msg-sender-simulation-drift`;
+const NONCE_PATTERN = `${RULE_ID}/aa-nonce-simulation-drift`;
+const DEPLOY_PATTERN = `${RULE_ID}/deploy-address-simulation-drift`;
+const ZKSYNC_TYPES = new Set(['IContractDeployer', 'ContractDeployer', 'INonceHolder', 'NonceHolder', 'ISystemContext', 'SystemContext']);
+const ZKSYNC_SYSTEM_ADDRESSES = new Set([
+    '0x0000000000000000000000000000000000008003',
+    '0x0000000000000000000000000000000000008006',
+    '0x000000000000000000000000000000000000800b',
+]);
+const ASSIGNMENT_OPERATORS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+class ZkSyncSimulationDriftDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    findings = [];
+    contractStack = [];
+    currentFunction = '';
+    currentFunctionNode = null;
+    emittedInFunction = new Set();
+    nonceCheckNode = null;
+    nonceMutationNode = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contractStack = [];
+        this.resetFunction();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        const name = node?.name || '';
+        this.contractStack.push({
+            name,
+            hasZkSyncContext: ZKSYNC_TYPES.has(name),
+            node,
+        });
+    }
+    ContractDefinition_post(node) {
+        const top = this.contractStack[this.contractStack.length - 1];
+        if (!top)
+            return;
+        if (!node || top.node === node) {
+            this.contractStack.pop();
+            return;
+        }
+        const index = this.contractStack.findIndex(contract => contract.node === node);
+        if (index !== -1) {
+            this.contractStack.splice(index, 1);
+        }
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    UserDefinedTypeName(node) {
+        const name = lastNamePart(node?.namePath || node?.name);
+        if (ZKSYNC_TYPES.has(name))
+            this.markZkSyncContext();
+    }
+    Identifier(node) {
+        if (ZKSYNC_TYPES.has(node?.name))
+            this.markZkSyncContext();
+    }
+    NumberLiteral(node) {
+        if (typeof node?.number === 'string' && ZKSYNC_SYSTEM_ADDRESSES.has(node.number.toLowerCase())) {
+            this.markZkSyncContext();
+        }
+    }
+    FunctionDefinition(node) {
+        this.resetFunction();
+        if (!node?.body)
+            return;
+        this.currentFunctionNode = node;
+        this.currentFunction = node.isConstructor ? '<constructor>' : (node.name || '<anonymous>');
+    }
+    FunctionDefinition_post(node) {
+        if (node && this.currentFunctionNode && this.currentFunctionNode !== node)
+            return;
+        if (this.currentFunction && this.isZkSyncContext() && this.nonceCheckNode && this.nonceMutationNode) {
+            this.emitOnce(NONCE_PATTERN, this.nonceMutationNode, 'Local AA nonce state can drift from zkSync Era NonceHolder semantics during simulation.');
+        }
+        this.resetFunction();
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    BinaryOperation(node) {
+        if (!this.currentFunction || !this.isZkSyncContext())
+            return;
+        const isNonceCheck = isNonceComparison(node);
+        if ((node.operator === '==' || node.operator === '!=') && containsMsgSender(node) && !isNonceCheck) {
+            this.emitOnce(MSG_SENDER_PATTERN, node, 'msg.sender authorization or accounting can drift when zkSync Era system contracts mediate eth_call simulation.');
+        }
+        if (isNonceCheck) {
+            this.nonceCheckNode = this.nonceCheckNode || node;
+            if (this.nonceMutationNode) {
+                this.emitOnce(NONCE_PATTERN, this.nonceMutationNode, 'Local AA nonce state can drift from zkSync Era NonceHolder semantics during simulation.');
+            }
+        }
+        if (ASSIGNMENT_OPERATORS.has(node.operator || '') && isNonceStorageAccess(node.left)) {
+            this.nonceMutationNode = this.nonceMutationNode || node;
+            if (this.nonceCheckNode) {
+                this.emitOnce(NONCE_PATTERN, node, 'Local AA nonce state can drift from zkSync Era NonceHolder semantics during simulation.');
+            }
+        }
+    }
+    UnaryOperation(node) {
+        if (!this.currentFunction || !this.isZkSyncContext())
+            return;
+        if ((node.operator === '++' || node.operator === '--') && isNonceStorageAccess(node.subExpression)) {
+            this.nonceMutationNode = this.nonceMutationNode || node;
+            if (this.nonceCheckNode) {
+                this.emitOnce(NONCE_PATTERN, node, 'Local AA nonce state can drift from zkSync Era NonceHolder semantics during simulation.');
+            }
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction || !this.isZkSyncContext())
+            return;
+        if (isEvmCreateAddressHash(node)) {
+            this.emitOnce(DEPLOY_PATTERN, node, 'EVM CREATE/CREATE2 address precomputation can diverge from zkSync Era ContractDeployer semantics.');
+        }
+    }
+    NameValueExpression(node) {
+        if (!this.currentFunction || !this.isZkSyncContext())
+            return;
+        if (isSaltedNewExpression(node)) {
+            this.emitOnce(DEPLOY_PATTERN, node, 'Salted Solidity new deployment can diverge from zkSync Era ContractDeployer address semantics.');
+        }
+    }
+    FunctionCallOptions(node) {
+        if (!this.currentFunction || !this.isZkSyncContext())
+            return;
+        if (isSaltedNewExpression(node)) {
+            this.emitOnce(DEPLOY_PATTERN, node, 'Salted Solidity new deployment can diverge from zkSync Era ContractDeployer address semantics.');
+        }
+    }
+    emitOnce(pattern, node, message) {
+        if (this.emittedInFunction.has(pattern))
+            return;
+        this.emittedInFunction.add(pattern);
+        const loc = (0, ast_1.tryLoc)(node, this.currentFunctionNode) || { line: 1, column: 0, endLine: 1 };
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContractName(),
+            'function': this.currentFunction,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'high',
+            category: 'vulnerability',
+            message,
+            rationale: 'zkSync Era routes selected account-abstraction, nonce, and deployment behavior through system contracts; local EVM-style assumptions can produce simulation/state-transition drift.',
+            suggestedFix: 'Delegate nonce and deployment semantics to the relevant zkSync Era system contract and avoid treating eth_call msg.sender behavior as equivalent to ordinary EVM execution.',
+            contractName: this.currentContractName(),
+            functionName: this.currentFunction,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    markZkSyncContext() {
+        const current = this.contractStack[this.contractStack.length - 1];
+        if (current)
+            current.hasZkSyncContext = true;
+    }
+    isZkSyncContext() {
+        return this.contractStack.some(contract => contract.hasZkSyncContext);
+    }
+    currentContractName() {
+        return this.contractStack[this.contractStack.length - 1]?.name || '';
+    }
+    resetFunction() {
+        this.currentFunction = '';
+        this.currentFunctionNode = null;
+        this.emittedInFunction.clear();
+        this.nonceCheckNode = null;
+        this.nonceMutationNode = null;
+    }
+}
+exports.ZkSyncSimulationDriftDetector = ZkSyncSimulationDriftDetector;
+function lastNamePart(name) {
+    return String(name || '').split('.').pop() || '';
+}
+function containsMsgSender(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'MemberAccess') && node.memberName === 'sender' && (0, ast_1.isNode)(node.expression, 'Identifier') && node.expression.name === 'msg') {
+        return true;
+    }
+    return childNodes(node).some(containsMsgSender);
+}
+function isNonceComparison(node) {
+    if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+        return false;
+    if (node.operator !== '==' && node.operator !== '!=')
+        return false;
+    return (isNonceStorageAccess(node.left) && expressionContainsNonceIdentifier(node.right)) ||
+        (isNonceStorageAccess(node.right) && expressionContainsNonceIdentifier(node.left));
+}
+function isNonceStorageAccess(node) {
+    if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+        return false;
+    return /nonce/i.test(expressionName(node.base));
+}
+function expressionContainsNonceIdentifier(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'Identifier') && /nonce/i.test(node.name || ''))
+        return true;
+    return childNodes(node).some(expressionContainsNonceIdentifier);
+}
+function isEvmCreateAddressHash(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    if (callName(node.expression) !== 'keccak256')
+        return false;
+    const packed = (node.arguments || []).find(isAbiEncodePackedCall);
+    if (!packed)
+        return false;
+    const args = packed.arguments || [];
+    return args.some(isCreate2Prefix) || hasCreatePrefixPair(args);
+}
+function isAbiEncodePackedCall(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall') && callName(node.expression) === 'abi.encodePacked';
+}
+function isCreate2Prefix(node) {
+    return numericLiteralValue(unwrapSingleArgumentCast(node)) === '0xff';
+}
+function hasCreatePrefixPair(args) {
+    let hasD6 = false;
+    let has94 = false;
+    for (const arg of args) {
+        const value = numericLiteralValue(unwrapSingleArgumentCast(arg));
+        if (value === '0xd6')
+            hasD6 = true;
+        if (value === '0x94')
+            has94 = true;
+    }
+    return hasD6 && has94;
+}
+function unwrapSingleArgumentCast(node) {
+    let current = node;
+    while ((0, ast_1.isNode)(current, 'FunctionCall') && (current.arguments || []).length === 1 && isTypeExpression(current.expression)) {
+        current = current.arguments[0];
+    }
+    return current;
+}
+function isTypeExpression(node) {
+    return (0, ast_1.isNode)(node, 'ElementaryTypeName') || ((0, ast_1.isNode)(node, 'Identifier') && /^(?:bytes\d*|uint\d*|int\d*|address)$/.test(node.name || ''));
+}
+function numericLiteralValue(node) {
+    if (!(0, ast_1.isNode)(node, 'NumberLiteral'))
+        return '';
+    return String(node.number || '').toLowerCase();
+}
+function isSaltedNewExpression(node) {
+    if (!(0, ast_1.isNode)(node.expression, 'NewExpression'))
+        return false;
+    const names = node.arguments?.names || node.names || [];
+    return names.some((name) => String(name).toLowerCase() === 'salt');
+}
+function callName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'ElementaryTypeName'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        const base = callName(node.expression);
+        return base ? `${base}.${node.memberName || ''}` : (node.memberName || '');
+    }
+    return '';
+}
+function expressionName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return node.memberName || expressionName(node.expression);
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return expressionName(node.base);
+    return '';
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+//# sourceMappingURL=zksync-simulation-drift.js.map

package/dist/exit-codes.d.ts

@@ -0,0 +1,15 @@
+/**
+ * v0.1 CLI exit code contract for CI integration:
+ * 0 - analysis completed with no reportable vulnerabilities
+ * 1 - one or more reportable vulnerabilities were found
+ * 2 - user/input/configuration error
+ * 3 - internal SolAST/tool failure
+ */
+export declare const EXIT_CODES: {
+    readonly OK: 0;
+    readonly VULNERABILITIES_FOUND: 1;
+    readonly USER_ERROR: 2;
+    readonly INTERNAL_FAILURE: 3;
+    readonly FP_THRESHOLD_EXCEEDED: 4;
+};
+export type ExitCode = typeof EXIT_CODES[keyof typeof EXIT_CODES];

package/dist/exit-codes.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EXIT_CODES = void 0;
+/**
+ * v0.1 CLI exit code contract for CI integration:
+ * 0 - analysis completed with no reportable vulnerabilities
+ * 1 - one or more reportable vulnerabilities were found
+ * 2 - user/input/configuration error
+ * 3 - internal SolAST/tool failure
+ */
+exports.EXIT_CODES = {
+    OK: 0,
+    VULNERABILITIES_FOUND: 1,
+    USER_ERROR: 2,
+    INTERNAL_FAILURE: 3,
+    FP_THRESHOLD_EXCEEDED: 4
+};
+//# sourceMappingURL=exit-codes.js.map

package/dist/formatters/github-actions.d.ts

@@ -0,0 +1,2 @@
+import { ScanResult } from '../api';
+export declare function formatGithubActionsAnnotation(finding: ScanResult, level: string, cwd?: string): string;

package/dist/formatters/github-actions.js

@@ -0,0 +1,61 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatGithubActionsAnnotation = formatGithubActionsAnnotation;
+const path = __importStar(require("path"));
+function escapeProperty(str) {
+    return str
+        .replace(/%/g, '%25')
+        .replace(/\r/g, '%0D')
+        .replace(/\n/g, '%0A')
+        .replace(/:/g, '%3A')
+        .replace(/,/g, '%2C');
+}
+function escapeData(str) {
+    return str
+        .replace(/%/g, '%25')
+        .replace(/\r/g, '%0D')
+        .replace(/\n/g, '%0A');
+}
+function formatGithubActionsAnnotation(finding, level, cwd) {
+    const command = level === 'error' ? 'error' : (level === 'warning' ? 'warning' : 'notice');
+    const filePath = cwd ? path.relative(cwd, finding.file) : finding.file;
+    const file = escapeProperty(filePath);
+    const line = finding.line;
+    const title = escapeProperty(finding.ruleId);
+    const message = escapeData(finding.message);
+    return `::${command} file=${file},line=${line},title=${title}::${message}`;
+}
+//# sourceMappingURL=github-actions.js.map

package/dist/formatters/sarif.d.ts

@@ -0,0 +1,24 @@
+import type { ScanResult } from '../index';
+import type { SeverityLabel } from '../severity';
+interface FormatSarifOptions {
+    rootDir?: string;
+    cwd?: string;
+    fpThresholdPct?: number;
+    fpRates?: Record<string, number>;
+    severityOverrides?: Record<string, SeverityLabel>;
+    sarifSeverityTuning?: boolean;
+}
+export declare function sarifLevelForFinding(finding: ScanResult, opts?: Pick<FormatSarifOptions, 'fpThresholdPct' | 'fpRates' | 'severityOverrides' | 'sarifSeverityTuning'>): 'error' | 'warning' | 'note' | 'none';
+interface SarifRuleEntry {
+    id: string;
+    shortDescription: string;
+    helpUri: string;
+    defaultSeverity: SeverityLabel;
+    help?: string;
+}
+/** Exposed for tests: the set of rule IDs with hand-written SARIF metadata. */
+export declare function getCuratedSarifRuleIds(): string[];
+/** Exposed for tests: curated SARIF descriptors, before SARIF object shaping. */
+export declare function getCuratedSarifRules(): SarifRuleEntry[];
+export declare function formatSarif(findings: ScanResult[], opts?: FormatSarifOptions): string;
+export {};