
4naly3er's Introduction

     .---. ,--.  ,--   ,----.   ,--.  ,--.   ,-. .----. ,------.,------,
    / .  | |   \ |  | |  ._. \  |  |  `\ . '.' /\_.-,  ||  .---'|   /`. '
   / /|  | |  . '|  | |  |_|  | |  |    \     /   |_  <(|  '--. |  |_.' |
  / '-'  |||  |\    | |  .-.  |(|  '_    /   /) .-. \  ||  .--' |  .   .'
  `---|  |'|  | \   | |  | |  | |     | /   /`  \ `-'  /|  `---.|  |\  \
      `--' `--'  `--' `--' `--' `-----' `--'     `---'' `------'`--' '--'

Usage

yarn analyze <BASE_PATH> <SCOPE_FILE> <GITHUB_URL>

# Example
yarn analyze contracts scope.example.txt

  • BASE_PATH is a relative path to the folder containing the smart contracts.
  • SCOPE_FILE is an optional file containing a specific smart contracts scope (see scope.example.txt).
  • GITHUB_URL is an optional URL used to generate links to GitHub in the report.
  • For remappings, add remappings.txt to BASE_PATH.
  • The output will be saved in a report.md file.

Example Reports

Repository Report
Holograph Report
3xcalibur Report
Inverse Finance Report
Paladin Report
zkSync Report

Installation

You'll need Node.js and Yarn. Then clone the repo and run:

yarn

You're all set!

Contributing

You're more than welcome to contribute! For help, you can check CONTRIBUTING.md

4naly3er's People

Contributors

0kn0t, 0xunforgiven, 3docsec, c3phas, eperezok, eugenioclrc, gallodasballo, izcoser, jksgfsdfd, justdravee, picodes, rajatbeladiya, vielite, zarifpour, zaskoh

4naly3er's Issues

`upgradeableMissingGap` rule may create a lot of FPs

Hi, thanks for great work.

I noticed that the current implementation of upgradeableMissingGap just uses /Upgradeable/gi to match.

This could produce a lot of false catches.

  1. _gap may already be in the contract
  2. OZ 5.0 uses storage layout.

Recommendation:

  1. change the regex to exclude _gap.
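As an added illustration (not 4naly3er's own detector code), this is a refined form of the heuristic the issue above describes: keep the name-based `Upgradeable` trigger, but do not report a contract that already declares a gap array and, going one step beyond the issue, skip contracts using ERC-7201 namespaced storage as OpenZeppelin 5.x does. The regexes and the sample contracts are assumptions constructed for the example.

```typescript
// Added example, not 4naly3er's detector: a refined upgradeableMissingGap
// heuristic that avoids the false positives described in the issue.
// Assumed input: the raw Solidity source text of one file.

const UPGRADEABLE_RE = /Upgradeable/i;
// Matches declarations such as `uint256[50] private __gap;` (also `_gap`).
const GAP_DECL_RE = /\buint256\s*\[\s*\d+\s*\]\s+(?:(?:private|internal)\s+)?__?gap\b/;
// Matches the NatSpec tag that marks an ERC-7201 namespaced storage struct.
const ERC7201_RE = /@custom:storage-location\s+erc7201:/;

function upgradeableMissingGap(source: string): boolean {
  if (!UPGRADEABLE_RE.test(source)) return false; // not an upgradeable-style name
  if (GAP_DECL_RE.test(source)) return false;     // gap already reserved: not a finding
  if (ERC7201_RE.test(source)) return false;      // namespaced storage: no gap needed
  return true;                                    // upgradeable-looking and no gap
}

// Constructed sample sources (not taken from any real project).
const NO_GAP = `
contract VaultUpgradeable is Initializable {
    uint256 public totalAssets;
}`;
const WITH_GAP = `
contract VaultUpgradeable is Initializable {
    uint256 public totalAssets;
    uint256[49] private __gap;
}`;
const NAMESPACED = `
contract VaultUpgradeable is Initializable {
    /// @custom:storage-location erc7201:example.vault
    struct VaultStorage { uint256 totalAssets; }
}`;
const NOT_UPGRADEABLE = `
contract Vault {
    uint256 public totalAssets;
}`;
```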

getting this error while running the 4nalyzer

command

yarn analyze 2023-02-ethos scope.txt

scope.txt

Ethos-Core/contracts/CollateralConfig.sol
Ethos-Core/contracts/BorrowerOperations.sol
Ethos-Core/contracts/TroveManager.sol
Ethos-Core/contracts/ActivePool.sol
Ethos-Core/contracts/StabilityPool.sol
Ethos-Core/contracts/LQTY/CommunityIssuance.sol
Ethos-Core/contracts/LQTY/LQTYStaking.sol
Ethos-Core/contracts/LUSDToken.sol
Ethos-Vault/contracts/ReaperVaultV2.sol
Ethos-Vault/contracts/ReaperVaultERC4626.sol
Ethos-Vault/contracts/abstract/ReaperBaseStrategyV4.sol
Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol

/mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/soljson.js:925
getWasmTableEntry(index)(a1, a2, a3, a4);
^
TypeError: Cannot read properties of undefined (reading 'contents')
at /mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/wrapper.js:106:31
at wasm://wasm/04f5a63e:wasm-function[34043]:0xe75c3a
at invoke_viiii (/mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/soljson.js:925:29)
at wasm://wasm/04f5a63e:wasm-function[25253]:0x9bbaec
at invoke_viii (/mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/soljson.js:853:29)
at wasm://wasm/04f5a63e:wasm-function[11985]:0x38c779
at wasm://wasm/04f5a63e:wasm-function[25244]:0x9ba3b3
at invoke_iii (/mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/soljson.js:907:36)
at wasm://wasm/04f5a63e:wasm-function[24956]:0x9679e5
at invoke_viii (/mnt/e/web3/tools/4naly3er/node_modules/solc-0.8.17/soljson.js:853:29)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Consider Adding "hacktoberfest" Topic to Repository for Increased Visibility

Hacktoberfest is a month-long celebration of open source projects where contributors can help out and earn rewards for their participation. It's a fantastic time for maintainers to gain visibility and contributions.

I propose adding the "hacktoberfest" topic to your repository. This label will help your repository stand out to those participating in the event, potentially bringing more contributors to your project.

Benefits:

  • Increased project visibility during Hacktoberfest
  • Attracts new contributors
  • Encourages community engagement
  • Helps with the completion of pending issues or feature requests
  • Expands the project's reach within the open source community

I believe this small change could lead to significant growth and development for the project.

Reference:
https://hacktoberfest.com/participation/#maintainers

TypeError: Cannot read property 'contents' of undefined, TypeError: Cannot read property 'includes' of undefined

When I run 4naly3er in 2023-01-astaria and 2023-01-ondo, I get the following errors.

2023-01-astaria

    getWasmTableEntry(index)(a1, a2, a3, a4);
                            ^
TypeError: Cannot read property 'contents' of undefined

    at /4naly3er/node_modules/solc-0.8.17/wrapper.js:106:31
    at <anonymous>:wasm-function[34043]:0xe75c3a
    at invoke_viiii (/4naly3er/node_modules/solc-0.8.17/soljson.js:925:29)
    at <anonymous>:wasm-function[25253]:0x9bbaec
    at invoke_viii (/4naly3er/node_modules/solc-0.8.17/soljson.js:853:29)
    at <anonymous>:wasm-function[11985]:0x38c779
    at <anonymous>:wasm-function[25244]:0x9ba3b3
    at invoke_iii (/4naly3er/node_modules/solc-0.8.17/soljson.js:907:36)
    at <anonymous>:wasm-function[24956]:0x9679e5
    at invoke_viii (/4naly3er/node_modules/solc-0.8.17/soljson.js:853:29)
error Command failed with exit code 1.

2023-01-ondo

    contract.linearizedBaseContracts.includes(contractId) &&
                                           ^
TypeError: Cannot read property 'includes' of undefined
    at topLevelFiles (/4naly3er/src/utils.ts:59:44)
    at Object.detector (/4naly3er/src/issues/GAS/uselessInternal.ts:35:57)
    at analyze (/4naly3er/src/analyze.ts:39:25)
    at main (/4naly3er/src/index.ts:64:22)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
error Command failed with exit code 1.

TypeError: Cannot read properties of undefined (reading 'nodeType')

I cloned the repository and navigated to the project folder. Upon installation of the package using yarn, I attempted to use a script using the command yarn analyze contracts scope.example.txt. However, I consistently encounter the following error:

Cannot compile AST for contracts/example/Test.sol
/github/xxx/node_modules/solidity-ast/utils/find-all.js:19
  const push = node => queue.push({ node, props: getNextProps(nodeType, node.nodeType ?? '$other', cache) });
                                                                             ^
TypeError: Cannot read properties of undefined (reading 'nodeType')
    at push (/github/xxx/node_modules/solidity-ast/utils/find-all.js:19:78)
    at findAll (/github/xxx/node_modules/solidity-ast/utils/find-all.js:21:3)
    at findAll.next (<anonymous>)
    at Object.detector (/github/xxx/src/issues/NC/uselessOverride.ts:15:18)
    at analyze (/github/xxx/src/analyze.ts:43:25)
    at main (/github/xxx/src/main.ts:69:22)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Of course, for the purpose of anonymity I changed my true path to /github/xxx/.

What should I do to use the script? I use a MacBook and Visual Studio Code.

`cacheVariable` sometimes is triggered for immutable variables

For example:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract ImmutableCached {
    uint256 public immutable one = 1; // immutable: read from bytecode, not storage
    function two() public returns (uint256 result) {
        result = one + one; // flagged by cacheVariable although no storage read happens
    }
}

yields:

### <a name="GAS-1"></a>[GAS-1] State variables should be cached in stack variables rather than re-reading them from storage
The instances below point to the second+ access of a state variable within a function. Caching of a state variable replaces each Gwarmaccess (100 gas) with a much cheaper stack read. Other less obvious fixes/optimizations include having local memory caches of state variable structs, or having local caches of state variable contracts/addresses.

*Saves 100 gas per instance*

*Instances (1)*:
```solidity
File: lol.sol

7:         result = one + one;

```

This is a weird issue, because depending on how code is expressed it may not trigger, e.g. changing

result = one + one;

into

return one + one;

fixes the warning.

`calldataViewFunctions` may encourage gas inefficiency

The calldataViewFunctions detector flags all memory parameters as gas inefficient if they aren't modified. This isn't always the case: memory arguments are often cheaper than calldata. This is because calldata is not trusted by Solidity and each access does many sanity checks, while memory arguments are sanity checked only once, when loading. I've seen a gas usage drop after switching from calldata to memory in the contracts I've been working on, and there is even an issue in the Solidity repo which doesn't seem to ever get solved due to calldata arguments needing the sanity checks: ethereum/solidity#12103.

Is it possible to specify remappings?

I'm getting remapping related errors such as:

solmate/src/tokens/ERC721.sol import not found.

when the file in question is at

lib/solmate/src/tokens/ERC721.sol.

Does this application support remappings?
If not, do you suggest something?

Cannot read file with 0 in the file name.

The tool cannot read files with 0 in the file name, such as contracts/lending/tokens/cErc20ModifiedDelegator.sol and contracts/lending/tokens/cToken/CErc20.sol.

In src/index.ts#L32:

    for (const word of [...content.matchAll(/[a-zA-Z\/\.\-\_1-9]+/g)].map(r => r[0])) {

Suggestion:

    for (const word of [...content.matchAll(/[a-zA-Z\/\.\-\_0-9]+/g)].map(r => r[0])) {
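As an added example (not 4naly3er's own code), this shows why the character class quoted above silently breaks any scope path containing a 0, and what the suggested 0-9 fix changes. It assumes a simplified model of src/index.ts: tokens are pulled from the scope file with the regex and every token ending in `.sol` is looked up against the project's files; the sample scope file and file list are constructed for the example (two paths are taken from the issue).

```typescript
// Added example, not 4naly3er's code: effect of the missing "0" in the
// scope-file tokenizer regex, and of the suggested fix.

const ORIGINAL_RE = /[a-zA-Z\/\.\-\_1-9]+/g; // as quoted from src/index.ts#L32: no "0"
const FIXED_RE = /[a-zA-Z\/\.\-\_0-9]+/g;    // the suggested fix: full digit range

// Every token the regex extracts from the scope file contents.
// String.match with a /g regex yields all full matches, like matchAll's r[0].
function scopeTokens(content: string, re: RegExp): string[] {
  return content.match(re) ?? [];
}

// Scope paths that actually exist in the project. A path the tokenizer split
// in two never equals a real file name, so it is silently dropped from scope.
function resolveScope(content: string, re: RegExp, projectFiles: string[]): string[] {
  const wanted = scopeTokens(content, re).filter((t) => t.endsWith('.sol'));
  return projectFiles.filter((f) => wanted.includes(f));
}

// Constructed sample scope file: first two paths from the issue, third made up.
const SAMPLE_SCOPE =
  'contracts/lending/tokens/cErc20ModifiedDelegator.sol\n' +
  'contracts/lending/tokens/cToken/CErc20.sol\n' +
  'contracts/lending/Comptroller.sol\n';

// Constructed project listing matching the scope file exactly.
const SAMPLE_FILES = [
  'contracts/lending/tokens/cErc20ModifiedDelegator.sol',
  'contracts/lending/tokens/cToken/CErc20.sol',
  'contracts/lending/Comptroller.sol',
];
```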

Tool integration support (for napalm maybe 🔥)

Hello I just published https://github.com/ConsenSysDiligence/napalm the other week.

I think it'd be cool to integrate 4naly3er in napalm, however I believe some small things are missing that are needed to make this possible.

  1. computer friendly output: parsing a markdown file is possible ofc, but very painful. Having JSON would make things much easier! I recommend checking out SARIF, which is increasingly gaining adoption for static analysis issue reports.
  2. plugability: if I understand it correctly people currently clone this project and drop in their own detectors, it'd be very nice if there was some way of packaging detectors separate from the main code base.

I understand that both of these features might not be high priority, but if you do decide to add them I'd be a happy dev and add 4naly3er support to napalm immediately!

Feature request: detect unused libraries

Sometimes you add using SafeERC20 for IERC20; but then forget to use safeTransferFrom, or whatever.

It would be nice to have a detector for unused libraries.

Help needed

In picodes' repo there is a specific "Test.sol" file in which he is testing the issues, so let's say I want to run the bot on a whole smart contract repo; what should I put in the contract file of the analyser? I'm having a hard time doing it.
