
More robust triage mode

Open mds1 opened this issue 2 years ago • 4 comments

Describe the desired feature

There are two ways to triage an issue:

  1. Using // slither-disable comments
  2. Using triage mode to save findings to a database

I prefer (2) because (1) can get noisy and result in many source code comments.

In https://github.com/crytic/slither-action/issues/70#issuecomment-1933104976 @elopez helped me notice that the triage database isn't robust to unrelated source code changes. In that example, a contract had 8 incorrect-return findings ignored via triage, and after removing 2 unused error declarations in that contract, those resurfaced.

It seems this happens because the ID of the finding changed. I'm not sure how IDs are determined, but my guess is they are a function of line number.

I'm not sure of the best way to implement this feature, but it would be very helpful if the database findings were more robust to source code changes.

mds1 avatar Feb 08 '24 13:02 mds1
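As an added illustration of the robustness the issue above asks for (this is example code written for this page, not Slither's own implementation, and the details of how Slither actually derives finding IDs are not confirmed here): a finding ID that embeds the start line moves whenever unrelated code above it is deleted, while one derived from the detector name, file, contract, function and the normalized flagged snippet stays put. The `Finding` fields, the `src/Vault.sol` path and the `Vault.withdraw` snippet are constructed sample values.

```python
"""Finding fingerprints that do and do not survive unrelated edits.

Added example, not Slither's code. The line-based scheme is a hypothetical
stand-in for whatever makes triaged findings resurface; the content-based
scheme is one way to make the triage database robust to such edits.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str          # detector name, e.g. "incorrect-return"
    path: str           # source file the finding points at
    contract: str
    function: str
    start_line: int     # 1-based line where the flagged code starts
    snippet: str        # the flagged source text


def line_based_id(f: Finding) -> str:
    """ID that embeds the line number: changes when code above it moves."""
    key = f"{f.check}|{f.path}#{f.start_line}|{f.contract}.{f.function}"
    return hashlib.sha256(key.encode()).hexdigest()


_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
_WS = re.compile(r"\s+")


def normalize(source: str) -> str:
    """Drop comments and collapse whitespace so formatting churn is ignored."""
    return _WS.sub(" ", _COMMENT.sub("", source)).strip()


def content_based_id(f: Finding) -> str:
    """ID derived from what was flagged, not from where in the file it sits."""
    key = f"{f.check}|{f.path}|{f.contract}.{f.function}|{normalize(f.snippet)}"
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample: the same flagged function before and after two unused
# error declarations above it were deleted, so it moved up by two lines.
SNIPPET = """function withdraw() internal returns (bool) {
    // constructed example body
    _doTransfer();
}"""
BEFORE = Finding("incorrect-return", "src/Vault.sol", "Vault", "withdraw", 42, SNIPPET)
AFTER = Finding("incorrect-return", "src/Vault.sol", "Vault", "withdraw", 40, SNIPPET)


def survives_shift(before: Finding, after: Finding):
    """Return (line_id_stable, content_id_stable) for the two snapshots."""
    return (
        line_based_id(before) == line_based_id(after),
        content_based_id(before) == content_based_id(after),
    )


if __name__ == "__main__":
    print(survives_shift(BEFORE, AFTER))  # (False, True)
```

The content-based fingerprint still changes when the flagged code itself is edited or the function is renamed, which is what you want: a triaged result should be re-reviewed once the code it describes has changed. Two identical snippets in the same function would collide under this scheme, so a real implementation would add an occurrence index or similar disambiguator.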

This doesn't really address the issue but would it be helpful to only show results from the current diff so that the CI and local results match up (https://github.com/crytic/slither/issues/1954)?

0xalpharush avatar Feb 08 '24 15:02 0xalpharush

Oh yes that would be very helpful! One of the issues with code scanning integration is that the local DB doesn't sync with what's been triaged in github, so running slither . locally stays noisy. Being able to run slither . --diff {baseBranchName} and have CI behavior match that would be great.

I think that would be sufficient for me to not need this issue's feature anytime soon.

mds1 avatar Feb 08 '24 16:02 mds1