Contributing to SolAST

Thanks for your interest in improving SolAST! This project is an experimental, AST-based vulnerability scanner for Solidity, and contributions — new detectors, bug fixes, false-positive reductions, and docs — are all welcome.

Getting started

git clone https://github.com/Snovon/SolAST.git
cd SolAST
npm install
npm run build      # tsc -> dist/, plus copies fp-rates.json
npm run lint       # tsc --noEmit (type-check only)

Run the CLI locally against the bundled examples to confirm your build works:

node dist/cli.js scan examples/

Requires Node.js ≥ 18.

Project layout

  • src/cli.ts — CLI entrypoint (thin wrapper over the library API)
  • src/index.ts / src/api.ts — public API (scan, ScanResult, ScanOptions)
  • src/scan.ts, src/registry.ts — scan orchestration and the default detector registry
  • src/detectors/ — the detector corpus (one file per rule)
  • src/detectors/_common/ — shared detector helpers (dataflow, AST utilities, etc.)
  • src/ast/, src/semantic/ — AST walking and the lightweight semantic model
  • src/formatters/ — text / NDJSON / SARIF output
  • examples/ — small vulnerable contracts used in the README and for manual testing

Adding or changing a detector

  1. Add a src/detectors/<rule-id>.ts modeled on an existing detector, and register it so it is picked up by createDefaultDetectorRegistry().
  2. Use a stable, descriptive kebab-case ruleId (it appears in output and in --rule / --ignore-pattern).
  3. Add a minimal vulnerable contract to examples/ (or your own fixture) and confirm the detector fires on it and does not fire on a safe variant.
  4. Keep severity honest. SolAST favors recall, but avoid adding noise that has no path to being a real issue — prefer to make existing detectors more precise over piling on near-duplicates.
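A fixture pair of the kind step 3 asks for, added here as an illustration rather than taken from the project's examples/ directory: a vault whose withdraw writes state only after the external call (the classic reentrancy shape) beside a variant that follows checks-effects-interactions. The ruleId named in the comment is hypothetical; a detector for this pattern should fire once on the first contract and not at all on the second.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.20;

// Constructed fixture: a detector for "state written after an external call"
// (hypothetical ruleId `reentrancy-state-after-call`) should report
// VulnerableVault.withdraw and stay silent on SafeVault.withdraw.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Interaction before effect: the caller's balance is still non-zero
    // while control is handed to msg.sender, so a re-entering call
    // passes the require a second time.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // state update after the external call
    }
}

contract SafeVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is zeroed before the
    // external call, so a re-entrant call fails the require.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Place both contracts in a fixture directory, run node dist/cli.js scan on it with --rule restricted to your ruleId, and check that the only finding points at VulnerableVault.withdraw.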

Pull requests

  • Keep PRs focused; describe the vulnerability class and include a before/after on a sample contract.
  • Make sure npm run build and npm run lint both pass.
  • Match the style and structure of the surrounding code.
  • By contributing, you agree your contributions are licensed under the project's Apache-2.0 License.

Reporting issues

  • Bugs / false positives / false negatives in scanning: open a GitHub issue with a minimal Solidity snippet and the command you ran.
  • A security vulnerability in SolAST itself: do not open a public issue — follow SECURITY.md.