Merge pull request #729 from protofire/feat-no-immutable-before-declaration

Feat:  new rule ==> no immutable before declaration

Author: dbale-altoros

conf/rulesets/solhint-all.js

@@ -120,6 +120,7 @@ module.exports = Object.freeze({
     ],
     'multiple-sends': 'warn',
     'no-complex-fallback': 'warn',
+    'no-immutable-before-declaration': 'warn',
     'no-inline-assembly': 'warn',
     'not-rely-on-block-hash': 'warn',
     'not-rely-on-time': 'warn',

conf/rulesets/solhint-recommended.js

@@ -97,6 +97,7 @@ module.exports = Object.freeze({
     ],
     'multiple-sends': 'warn',
     'no-complex-fallback': 'warn',
+    'no-immutable-before-declaration': 'warn',
     'no-inline-assembly': 'warn',
     'not-rely-on-block-hash': 'warn',
     reentrancy: 'warn',

docs/rules.md

@@ -80,24 +80,25 @@ title:       "Rule Index of Solhint"
 
 ## Security Rules
 
-| Rule Id                                                              | Error                                                                    | Recommended  | Deprecated |
-| -------------------------------------------------------------------- | ------------------------------------------------------------------------ | ------------ | ---------- |
-| [avoid-call-value](./rules/security/avoid-call-value.md)             | Avoid to use ".call.value()()".                                          | $~~~~~~~~$✔️ |            |
-| [avoid-low-level-calls](./rules/security/avoid-low-level-calls.md)   | Avoid to use low level calls.                                            | $~~~~~~~~$✔️ |            |
-| [avoid-sha3](./rules/security/avoid-sha3.md)                         | Use "keccak256" instead of deprecated "sha3".                            | $~~~~~~~~$✔️ |            |
-| [avoid-suicide](./rules/security/avoid-suicide.md)                   | Use "selfdestruct" instead of deprecated "suicide".                      | $~~~~~~~~$✔️ |            |
-| [avoid-throw](./rules/security/avoid-throw.md)                       | "throw" is deprecated, avoid to use it.                                  | $~~~~~~~~$✔️ |            |
-| [avoid-tx-origin](./rules/security/avoid-tx-origin.md)               | Avoid to use tx.origin.                                                  | $~~~~~~~~$✔️ |            |
-| [check-send-result](./rules/security/check-send-result.md)           | Check result of "send" call.                                             | $~~~~~~~~$✔️ |            |
-| [compiler-version](./rules/security/compiler-version.md)             | Compiler version must satisfy a semver requirement at least ^0.8.24.     | $~~~~~~~~$✔️ |            |
-| [func-visibility](./rules/security/func-visibility.md)               | Explicitly mark visibility in function.                                  | $~~~~~~~~$✔️ |            |
-| [multiple-sends](./rules/security/multiple-sends.md)                 | Avoid multiple calls of "send" method in single transaction.             | $~~~~~~~~$✔️ |            |
-| [no-complex-fallback](./rules/security/no-complex-fallback.md)       | Fallback function must be simple.                                        | $~~~~~~~~$✔️ |            |
-| [no-inline-assembly](./rules/security/no-inline-assembly.md)         | Avoid to use inline assembly. It is acceptable only in rare cases.       | $~~~~~~~~$✔️ |            |
-| [not-rely-on-block-hash](./rules/security/not-rely-on-block-hash.md) | Do not rely on "block.blockhash". Miners can influence its value.        | $~~~~~~~~$✔️ |            |
-| [not-rely-on-time](./rules/security/not-rely-on-time.md)             | Avoid making time-based decisions in your business logic.                |              |            |
-| [reentrancy](./rules/security/reentrancy.md)                         | Possible reentrancy vulnerabilities. Avoid state changes after transfer. | $~~~~~~~~$✔️ |            |
-| [state-visibility](./rules/security/state-visibility.md)             | Explicitly mark visibility of state.                                     | $~~~~~~~~$✔️ |            |
+| Rule Id                                                                                | Error                                                                                           | Recommended  | Deprecated |
+| -------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ------------ | ---------- |
+| [avoid-call-value](./rules/security/avoid-call-value.md)                               | Avoid to use ".call.value()()".                                                                 | $~~~~~~~~$✔️ |            |
+| [avoid-low-level-calls](./rules/security/avoid-low-level-calls.md)                     | Avoid to use low level calls.                                                                   | $~~~~~~~~$✔️ |            |
+| [avoid-sha3](./rules/security/avoid-sha3.md)                                           | Use "keccak256" instead of deprecated "sha3".                                                   | $~~~~~~~~$✔️ |            |
+| [avoid-suicide](./rules/security/avoid-suicide.md)                                     | Use "selfdestruct" instead of deprecated "suicide".                                             | $~~~~~~~~$✔️ |            |
+| [avoid-throw](./rules/security/avoid-throw.md)                                         | "throw" is deprecated, avoid to use it.                                                         | $~~~~~~~~$✔️ |            |
+| [avoid-tx-origin](./rules/security/avoid-tx-origin.md)                                 | Avoid to use tx.origin.                                                                         | $~~~~~~~~$✔️ |            |
+| [check-send-result](./rules/security/check-send-result.md)                             | Check result of "send" call.                                                                    | $~~~~~~~~$✔️ |            |
+| [compiler-version](./rules/security/compiler-version.md)                               | Compiler version must satisfy a semver requirement at least ^0.8.24.                            | $~~~~~~~~$✔️ |            |
+| [func-visibility](./rules/security/func-visibility.md)                                 | Explicitly mark visibility in function.                                                         | $~~~~~~~~$✔️ |            |
+| [multiple-sends](./rules/security/multiple-sends.md)                                   | Avoid multiple calls of "send" method in single transaction.                                    | $~~~~~~~~$✔️ |            |
+| [no-complex-fallback](./rules/security/no-complex-fallback.md)                         | Fallback function must be simple.                                                               | $~~~~~~~~$✔️ |            |
+| [no-immutable-before-declaration](./rules/security/no-immutable-before-declaration.md) | Immutable variables should not be used in state variable initializers before they are declared. | $~~~~~~~~$✔️ |            |
+| [no-inline-assembly](./rules/security/no-inline-assembly.md)                           | Avoid to use inline assembly. It is acceptable only in rare cases.                              | $~~~~~~~~$✔️ |            |
+| [not-rely-on-block-hash](./rules/security/not-rely-on-block-hash.md)                   | Do not rely on "block.blockhash". Miners can influence its value.                               | $~~~~~~~~$✔️ |            |
+| [not-rely-on-time](./rules/security/not-rely-on-time.md)                               | Avoid making time-based decisions in your business logic.                                       |              |            |
+| [reentrancy](./rules/security/reentrancy.md)                                           | Possible reentrancy vulnerabilities. Avoid state changes after transfer.                        | $~~~~~~~~$✔️ |            |
+| [state-visibility](./rules/security/state-visibility.md)                               | Explicitly mark visibility of state.                                                            | $~~~~~~~~$✔️ |            |
         
 
 ## References

docs/rules/security/no-immutable-before-declaration.md

@@ -0,0 +1,74 @@
+---
+warning:     "This is a dynamically generated file. Do not edit manually."
+layout:      "default"
+title:       "no-immutable-before-declaration | Solhint"
+---
+
+# no-immutable-before-declaration
+![Recommended Badge](https://img.shields.io/badge/-Recommended-brightgreen)
+![Category Badge](https://img.shields.io/badge/-Security%20Rules-informational)
+![Default Severity Badge warn](https://img.shields.io/badge/Default%20Severity-warn-yellow)
+> The {"extends": "solhint:recommended"} property in a configuration file enables this rule.
+
+
+## Description
+Immutable variables should not be used in state variable initializers before they are declared.
+
+## Options
+This rule accepts a string option for rule severity. Must be one of "error", "warn", "off". Defaults to warn.
+
+### Example Config
+```json
+{
+  "rules": {
+    "no-immutable-before-declaration": "warn"
+  }
+}
+```
+
+
+## Examples
+### 👍 Examples of **correct** code for this rule
+
+#### Immutable declared before being used in another initializer
+
+```solidity
+
+            contract Immutables {
+                uint256 internal immutable immB = 25;
+                uint256 public immA = immB + 100; // OK, immB is already declared
+            }
+          
+```
+
+#### Constants can be referenced before declaration
+
+```solidity
+
+            contract Immutables {
+                uint256 public constA = constB + 100; // OK, constants are compile-time
+                uint256 internal constant constB = 50;
+            }
+          
+```
+
+### 👎 Examples of **incorrect** code for this rule
+
+#### Immutable used before declaration in state variable initializer
+
+```solidity
+
+            contract Immutables {
+                uint256 public immA = immB + 100; // BAD: immB declared later
+                uint256 internal immutable immB = 25;
+            }
+          
+```
+
+## Version
+This rule was introduced in the latest version.
+
+## Resources
+- [Rule source](https://github.com/protofire/solhint/blob/master/lib/rules/security/no-immutable-before-declaration.js)
+- [Document source](https://github.com/protofire/solhint/blob/master/docs/rules/security/no-immutable-before-declaration.md)
+- [Test cases](https://github.com/protofire/solhint/blob/master/test/rules/security/no-immutable-before-declaration.js)

lib/rules/security/index.js

@@ -14,6 +14,7 @@ const NotRelyOnBlockHashChecker = require('./not-rely-on-block-hash')
 const NotRelyOnTimeChecker = require('./not-rely-on-time')
 const ReentrancyChecker = require('./reentrancy')
 const StateVisibilityChecker = require('./state-visibility')
+const ImmutableB4DeclarationChecker = require('./no-immutable-before-declaration')
 
 module.exports = function security(reporter, config, inputSrc) {
   return [
@@ -33,5 +34,6 @@ module.exports = function security(reporter, config, inputSrc) {
     new NotRelyOnTimeChecker(reporter),
     new ReentrancyChecker(reporter, inputSrc),
     new StateVisibilityChecker(reporter),
+    new ImmutableB4DeclarationChecker(reporter),
   ]
 }