-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #314 from CoinFabrik/migrate-soroban-version-docum…
…entation New soroban-version documentation
- Loading branch information
Showing
1 changed file
with
42 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,25 +1,56 @@ | ||
| # Soroban version | ||
|
|
||
| ### What it does | ||
| ## Description | ||
|
|
||
| Warns you if you are using an old version of Soroban in the `Cargo.toml`. | ||
| - Category: `Best practices` | ||
| - Severity: `Enhacement` | ||
| - Detector: [`soroban-version`](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/soroban-version) | ||
| - Test Cases: [`soroban-version-1`](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1) | ||
|
|
||
| Using an outdated version of Soroban can lead to issues in our contract. It's a good practice to use the latest version. | ||
|
|
||
| ### Why is this bad? | ||
| ## Why is this bad? | ||
|
|
||
| Using an old version of Soroban can be dangerous, as it may have bugs or security issues. | ||
|
|
||
| ### Example | ||
| ## Issue example | ||
|
|
||
|
|
||
| Consider the following `Cargo.toml`: | ||
|
|
||
| ```toml | ||
| [dependencies] | ||
| soroban-sdk = { version = "=19.0.0" } | ||
|
|
||
| [dev_dependencies] | ||
| soroban-sdk = { version = "=19.0.0", features = ["testutils"] } | ||
| ``` | ||
|
|
||
| Problems can arise if the version is not updated to the latest available. | ||
|
|
||
| The code example can be found [here](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1/vulnerable-example). | ||
|
|
||
|
|
||
| ## Remediated example | ||
|
|
||
| ```toml | ||
| [dependencies] | ||
| soroban-sdk = { version = "=21.4.0" } | ||
| [dependencies] | ||
| // Use the latest version available. | ||
| soroban-sdk = { workspace = true } | ||
|
|
||
| [dev-dependencies] | ||
| soroban-sdk = { version = "=20.0.0", features = ["testutils"] } | ||
| [dev_dependencies] | ||
| soroban-sdk = { workspace = true, features = ["testutils"] } | ||
| ``` | ||
|
|
||
| Instead, use the latest available version in the `Cargo.toml`. | ||
| The remediated code example can be found [here](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/soroban-version/soroban-version-1/remediated-example) | ||
|
|
||
| ## How is it detected? | ||
|
|
||
| Warns you if you are using an old version of Soroban in the `Cargo.toml`. | ||
|
|
||
| ## References | ||
|
|
||
| ### Implementation | ||
| - [Floating Pragma](https://swcregistry.io/docs/SWC-103/) | ||
| - [outdated Compiler Version](https://swcregistry.io/docs/SWC-102/) | ||
|
|
||
| The detector's implementation can be found at [this link](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/soroban-version). | ||