-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
4e235ba
commit 7c0ab9c
Showing
1 changed file
with
42 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,25 +1,56 @@ | ||
| # Soroban version | ||
|
|
||
| ### What it does | ||
| ## Description | ||
|
|
||
| Warns you if you are using an old version of Soroban in the `Cargo.toml`. | ||
| - Category: `Best practices` | ||
| - Severity: `Enhacement` | ||
| - Detector: [`soroban-version`](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/soroban-version) | ||
| - Test Cases: [`soroban-version-1`](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1) | ||
|
|
||
| Using an outdated version of Soroban can lead to issues in our contract. It's a good practice to use the latest version. | ||
|
|
||
| ### Why is this bad? | ||
| ## Why is this bad? | ||
|
|
||
| Using an old version of Soroban can be dangerous, as it may have bugs or security issues. | ||
|
|
||
| ### Example | ||
| ## Issue example | ||
|
|
||
|
|
||
| Consider the following `Cargo.toml`: | ||
|
|
||
| ```toml | ||
| [dependencies] | ||
| soroban-sdk = { version = "=19.0.0" } | ||
|
|
||
| [dev_dependencies] | ||
| soroban-sdk = { version = "=19.0.0", features = ["testutils"] } | ||
| ``` | ||
|
|
||
| Problems can arise if the version is not updated to the latest available. | ||
|
|
||
| The code example can be found [here](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1/vulnerable-example). | ||
|
|
||
|
|
||
| ## Remediated example | ||
|
|
||
| ```toml | ||
| [dependencies] | ||
| soroban-sdk = { version = "=21.4.0" } | ||
| [dependencies] | ||
| // Use the latest version available. | ||
| soroban-sdk = { workspace = true } | ||
|
|
||
| [dev-dependencies] | ||
| soroban-sdk = { version = "=20.0.0", features = ["testutils"] } | ||
| [dev_dependencies] | ||
| soroban-sdk = { workspace = true, features = ["testutils"] } | ||
| ``` | ||
|
|
||
| Instead, use the latest available version in the `Cargo.toml`. | ||
| The remediated code example can be found [here](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1/remediated-example) | ||
|
|
||
| ## How is it detected? | ||
|
|
||
| Warns you if you are using an old version of Soroban in the `Cargo.toml`. | ||
|
|
||
| ## References | ||
|
|
||
| ### Implementation | ||
| - [Floating Pragma](https://swcregistry.io/docs/SWC-103/) | ||
| - [outdated Compiler Version](https://swcregistry.io/docs/SWC-102/) | ||
|
|
||
| The detector's implementation can be found at [this link](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/soroban-version). | ||