Analyzing Cairo Code Using Amarna by Trail of Bits
Cairo with Amarna
After the recent completion of the RockPaperScissors game implementation in cairo programming language, I decided to further review the code with the help of Amarna. Amarna is a static-analyzer and linter for the Cairo programming language. It has 14 supported rules and in this review we will go through installation and the usage of the tool against the Cairo_RockPaperScissors game found here
Getting Started
To get started, you need to install Amarna. From their github page amarna. Installation can be done via pip install amarna
You can run amarna -h to check the installation is successful.
Amarna provides different usages but you have the ability to output the results in a file format. The current supported output format is SARIF.
You can analyze a single file and output the results to an output file as amarna file.cairo -o file.sarif where the cairo code is file.cairo and the output file is specified as file.sarif
Results
The game, RockPaperScissors has only a single file rockpaperscissors.cairo therefore running the analysis on the game can be done as amarna rockpaperscissors.cairo -o rockpaperscissors.sarif
This will create a sarif file rockapaperscissors.sarif. The results are quite interesting an opening the sarif file opens the results window on the side for visualization.
The tool successfully ran 5 rules from its ruleset which is shown as
I particularly like the fact that the tool pinpoints to specific areas where the issue are raised based on the ruleset as shown below:
You can also use the location tab to get specific areas in the code where the issues are raised. Most importantly, the issues are highlighted on the code which is amazing.
Other Use Cases
Amarna as well provides the ability of providing summary of results in the terminal via the -s flag. In my case, I ran amarna rockpaperscissors.cairo -s and the output looks like :
You can as well print the output as a png file via the png flag.
Well for a new language like cairo, Amarna is a really great tool which offers a lot. The output in sarif together with the visualization and the fact that the tool pinpoints to specific code areas where the issues are raised is really interesting.
You can check the tool out.