# [DEPRECATED. UPDATED VERSION COMING SOON]

![](https://i.imgur.com/akU3TOz.png)

# SpearBit reports

1) This is the Spearbit [Template repository](https://github.com/spearbit-audits/audit-template) for security reviews.
2) This one is the [Report template](https://github.com/spearbit-audits/report-template) for writing audit reports.
3) Create GitHub issues with the [Finding template](https://github.com/spearbit-audits/audit-template/blob/main/.github/ISSUE_TEMPLATE/finding.md) and use the appropriate severity labels (see below).

## Requirements needed to get started with the report template

1) [Pandoc, a universal document converter](https://pandoc.org/getting-started.html) `install from their site: https://pandoc.org/installing.html`
2) [Pandocfilters, an interface to write programs which act on pandoc's AST (Abstract Syntax Tree)](https://github.com/jgm/pandocfilters) `pip install pandocfilters`
3) [Full install of LaTeX, a document preparation system](https://www.latex-project.org/get/) `install from their site: https://www.latex-project.org/get/`
4) [Pygments, a generic syntax highlighter](https://pygments.org/) `pip install pygments`
5) [Bash (Linux)](https://en.wikipedia.org/wiki/Bash_(Unix_shell))

- Manually change `title.tex` and `summary.tex`.
- Generate the report either via bash with `./generate.sh` or via the GitHub client:

![](https://i.imgur.com/3BG6i3Q.png)
![](https://i.imgur.com/Lbogoi4.png)
![](https://i.imgur.com/DQJFSiQ.png)

## Workflow

1) Leave initial comments / findings on the GitHub pull requests. This can be used to collaboratively discuss among the security review team and the client asynchronously.
2) Once a finding from a pull request review is finalized, it can be converted into a GitHub issue with one of these tags:
   - Severity: Critical Risk (for issues with high impact and high likelihood)
   - Severity: High Risk
   - Severity: Medium Risk
   - Severity: Low Risk
   - Severity: Gas Optimization
   - Severity: Informational
![](https://i.imgur.com/hm4eInU.jpg)

3) These issues can then be written well, polished, properly typeset, etc. This task is mainly aimed at the non-lead security researchers and apprentices in the project. Please follow the style guidelines.
   - Use the script to collect issues from the repository into a markdown file. This allows the GitHub issues to be the single source of truth, so all edits can be made directly in the issue.
   - The above markdown file is semi-automatically compiled into a PDF report. See the report template; you would need to start with the `report.md` file.
   - Use the script to collect review comments from a specified PR into a markdown file.

## "The Script": compiling issues from a repository

When researchers conduct audits they leave GitHub issues based on their findings. This allows the issues to become a single source of truth. [The script written by Hari](https://github.com/spearbit-audits/compile-issues.git) collects all issues from the repository into a `Markdown` file.

### How does "the script" work?

- First, **install `pygithub`**:

  ```bash
  pip install --user pygithub
  ```

- Then, you need to generate a personal **access token** to **access** the **private repository**. You can follow this official GitHub tutorial: [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). In essence, what we are doing is the following...

  ![](https://i.imgur.com/c1fcqWX.png)![](https://i.imgur.com/yywUBZR.png)![](https://i.imgur.com/Fg0ukxK.png)

  ... and proceed to generate your token. When you get to the **scopes or permissions**, select the **repo** option and click **Generate token**:

  ![](https://i.imgur.com/aL6tgNp.png)
  ![](https://i.imgur.com/xrp8bAZ.png)

- Now we have an access token!
(*image taken from GitHub tutorial*):

![](https://i.imgur.com/201M5Tm.png)

:::danger
**Be advised!** :warning: Tokens are like passwords and must be kept secret! :warning:
:::

And now that we have the token...

- **Clone the repo** uncle Hari made available for us: `git clone 'https://github.com/spearbit-audits/compile-issues.git'`
- **Update the `config.py` file locally with the token and a reference** to the GitHub repo:

  ![](https://i.imgur.com/2rD2Ve4.png)

- **Run** to generate `report.md`: `python3 compile.py`

### Example:

I have created a private repo and labeled some made-up issues:

![](https://i.imgur.com/jJU7YhU.png)

When running **`python compile.py`** I get the following output:

![](https://i.imgur.com/lSSUuFH.png)

## "The other script": compiling comments from a repository

GitHub often has performance issues when the number of review comments grows large. This script collects review comments from a pull request using the GitHub API and compiles them into a markdown file. The repository and the pull request number can be [configured](https://github.com/spearbit-audits/compile-review-comments#configuration).
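To make concrete what the two scripts above do, here is an added, self-contained example that is not Spearbit's `compile-issues` or `compile-review-comments` code. It fetches issues (or a pull request's review comments) through the GitHub REST API with only the standard library, groups issues by the severity labels listed in the Workflow section, and renders markdown. It assumes the token is supplied through the `GITHUB_TOKEN` environment variable rather than a file that could end up committed, the repository name `owner/repo` is a placeholder, and the sample issues and comments at the bottom are constructed so the formatters can be run offline.

```python
"""Compile GitHub issues and PR review comments into markdown (added example)."""
import json
import os
import urllib.request

API = "https://api.github.com"

# Report order for the severity labels listed in the Workflow section.
SEVERITY_ORDER = [
    "Severity: Critical Risk",
    "Severity: High Risk",
    "Severity: Medium Risk",
    "Severity: Low Risk",
    "Severity: Gas Optimization",
    "Severity: Informational",
]


def github_get(path, token):
    """GET one page (max 100 items) of a GitHub REST resource; network call."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_issues(repo, token):
    """Issues of 'owner/repo'; GitHub lists PRs under /issues too, so drop those."""
    items = github_get(f"/repos/{repo}/issues?state=all&per_page=100", token)
    return [i for i in items if "pull_request" not in i]


def fetch_review_comments(repo, pr_number, token):
    """Inline review comments on one pull request."""
    return github_get(f"/repos/{repo}/pulls/{pr_number}/comments?per_page=100", token)


def severity_of(issue):
    """First severity label found on the issue, or None if it has none."""
    names = {lbl["name"] for lbl in issue.get("labels", [])}
    return next((sev for sev in SEVERITY_ORDER if sev in names), None)


def issues_to_markdown(issues):
    """Group issues by severity in report order; unlabeled ones are flagged at the end."""
    groups = {sev: [] for sev in SEVERITY_ORDER}
    unlabeled = []
    for issue in issues:
        sev = severity_of(issue)
        (groups[sev] if sev else unlabeled).append(issue)
    out = []
    for sev in SEVERITY_ORDER:
        if not groups[sev]:
            continue
        out.append(f"## {sev[len('Severity: '):]}\n")
        for n, issue in enumerate(sorted(groups[sev], key=lambda i: i["number"]), 1):
            out.append(f"### {n}. {issue['title']} (#{issue['number']})\n")
            out.append((issue.get("body") or "_No description._").strip() + "\n")
    if unlabeled:
        out.append("## Unlabeled (add a severity label before the report is final)\n")
        out.extend(f"- #{i['number']} {i['title']}" for i in unlabeled)
    return "\n".join(out) + "\n"


def review_comments_to_markdown(comments):
    """Group review comments by file, ordered by line, so the PR reads top-down."""
    by_file = {}
    for c in comments:
        by_file.setdefault(c["path"], []).append(c)

    def pos(c):  # 'line' is null for outdated comments; fall back to original_line
        return (c.get("line") or c.get("original_line") or 0, c["id"])

    out = []
    for path in sorted(by_file):
        out.append(f"## `{path}`\n")
        for c in sorted(by_file[path], key=pos):
            out.append(f"- **L{pos(c)[0]}** ({c['user']['login']}): {c['body'].strip()}")
        out.append("")
    return "\n".join(out)


# Constructed sample data (not from any real repository) so the formatters run offline.
SAMPLE_ISSUES = [
    {"number": 3, "title": "Missing input validation in setOwner",
     "labels": [{"name": "Severity: Low Risk"}], "body": "Constructed example body."},
    {"number": 1, "title": "Unchecked return value in transfer",
     "labels": [{"name": "bug"}, {"name": "Severity: Critical Risk"}], "body": "Constructed."},
    {"number": 2, "title": "Cache array length in loop",
     "labels": [{"name": "Severity: Gas Optimization"}], "body": None},
    {"number": 4, "title": "Typo in NatSpec", "labels": [], "body": ""},
]
SAMPLE_COMMENTS = [
    {"id": 11, "path": "src/Vault.sol", "line": 42, "user": {"login": "reviewer-a"},
     "body": "Validate the amount before the external call."},
    {"id": 12, "path": "src/Vault.sol", "line": 10, "user": {"login": "reviewer-b"},
     "body": "Pin the pragma version."},
    {"id": 13, "path": "README.md", "line": None, "original_line": 3,
     "user": {"login": "reviewer-a"}, "body": "Outdated: this line no longer exists."},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # never hard-code or commit the token
    issues = fetch_issues("owner/repo", token) if token else SAMPLE_ISSUES  # placeholder repo
    with open("report.md", "w", encoding="utf-8") as f:
        f.write(issues_to_markdown(issues))
```

Two details matter when doing this for real: the `/issues` endpoint also returns pull requests, which are filtered out by the `pull_request` key, and each call here reads a single page of at most 100 items, so a large audit repo needs pagination via the `Link` response header, which this example leaves out. Unlabeled issues are listed separately so a missing severity label is caught before the PDF is generated.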
- The steps to use **this script are similar to the previous one** we just discussed, with one caveat: **we need to specify the number of the pull request** to compile.

![](https://i.imgur.com/ZKAU3Wk.png)

## Pandoc

Download the public release from [github.com/jgm/pandoc](https://github.com/jgm/pandoc/releases/tag/2.17.1.1):

`sudo dpkg -i pandoc-2.17.1.1-1-amd64.deb`

![](https://i.imgur.com/4nN7p1J.png)

## LaTeX (Linux)

`sudo apt-get install texlive-full`

OR

- Download the `.zip` file from the [website](https://tug.org/texlive/acquire-netinstall.html)
- Unzip the folder

  ![](https://i.imgur.com/2AkhZ2o.png)

- Install with `perl`

  ![](https://i.imgur.com/0saBVAu.png)

## pandocfilters

`pip install pandocfilters`

![](https://i.imgur.com/cf1TU5C.png)

## pygments

`pip install pygments`

![](https://i.imgur.com/GTEPDIx.png)

<hr>

Reach me via Discord or [@Twitter](https://twitter.com/P_Misirov)