integritee-network / worker

Integritee off-chain worker and sidechain validateer
Apache License 2.0

define scope for code audit #270

Open brenzi opened 3 years ago

brenzi commented 3 years ago

Please define source code files that must undergo a security audit

Quantification: we need to know lines of code (LOC) of

pure lines, no comments or whitespace

murerfel commented 3 years ago

Using SCC to count lines of code against the current master branch of https://github.com/scs/substraTEE-worker:

Worker

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Rust                        17      2544      272       329     1943        141
TOML                         2       101       21         1       79          0
YAML                         1       119        3         4      112          0
───────────────────────────────────────────────────────────────────────────────
Total                       20      2764      296       334     2134        141
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $59,875
Estimated Schedule Effort (organic) 4.718119 months
Estimated People Required (organic) 1.127448
───────────────────────────────────────────────────────────────────────────────
Processed 91750 bytes, 0.092 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 1943 lines of code

Enclave

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Rust                        38     12106     1459      1726     8921        476
TOML                         3       272       52         6      214          0
XML                          2        24        0         2       22          0
JSON                         1        31        0         0       31          0
LD Script                    1         9        0         0        9          0
Makefile                     1        52        5        27       20          0
───────────────────────────────────────────────────────────────────────────────
Total                       46     12494     1516      1761     9217        476
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $278,236
Estimated Schedule Effort (organic) 8.458464 months
Estimated People Required (organic) 2.922394
───────────────────────────────────────────────────────────────────────────────
Processed 421695 bytes, 0.422 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 8921 lines of code

Client

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Shell                        3       327       46        64      217         12
Markdown                     1        20        2         0       18          0
Rust                         1       883       45        44      794         31
TOML                         1        85       17         2       66          0
───────────────────────────────────────────────────────────────────────────────
Total                        6      1315      110       110     1095         43
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $29,715
Estimated Schedule Effort (organic) 3.615318 months
Estimated People Required (organic) 0.730213
───────────────────────────────────────────────────────────────────────────────
Processed 48607 bytes, 0.049 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 794 lines of code
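To reproduce the quantification asked for above (pure lines, no comments or whitespace) without the scc binary, the following is an added example counter written for this thread; it is not part of the integritee worker code base or of scc. It applies the same classification rule scc uses for its "Code" column to Rust sources: a line is blank, comment-only, or code, and a line with code plus a trailing comment still counts as code. The sample source, the `classify_rust`/`count_dir` names and the `LocStats` type are constructed for the illustration; the figures it produces will not match scc exactly on edge cases the two tools treat differently (for instance string literals spanning lines).

```python
"""Count 'pure' lines of code (no blanks, no comments) in Rust sources.

Added example for the audit-scope discussion; not project code. It reproduces
an scc-style Lines/Blanks/Comments/Code breakdown for Rust files so that an
auditor can re-derive the scope figures from a checkout. Sample input below is
constructed.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class LocStats:
    lines: int = 0
    blanks: int = 0
    comments: int = 0
    code: int = 0

    def add(self, other: "LocStats") -> None:
        self.lines += other.lines
        self.blanks += other.blanks
        self.comments += other.comments
        self.code += other.code


def classify_rust(source: str) -> LocStats:
    """Classify every line of one Rust file as blank, comment-only or code.

    Block comments (/* */) may span lines and nest, as Rust allows. String
    literals are tracked so that '//' or '/*' inside a string is not taken for
    a comment. Limitation (assumption of this example): string literals that
    span lines and char literals such as '"' are not handled.
    """
    stats = LocStats()
    block_depth = 0  # nesting depth of /* */ carried across lines
    for raw in source.splitlines():
        stats.lines += 1
        line = raw.strip()
        if not line:
            stats.blanks += 1
            continue
        has_code = False
        in_string = False
        i = 0
        while i < len(line):
            two = line[i:i + 2]
            if block_depth:
                if two == "/*":
                    block_depth += 1
                    i += 2
                elif two == "*/":
                    block_depth -= 1
                    i += 2
                else:
                    i += 1
                continue
            if in_string:
                if line[i] == "\\":  # skip the escaped character
                    i += 2
                    continue
                if line[i] == '"':
                    in_string = False
                i += 1
                continue
            if two == "//":
                break  # the rest of the line is a line comment
            if two == "/*":
                block_depth = 1
                i += 2
                continue
            if line[i] == '"':
                in_string = True
            if not line[i].isspace():
                has_code = True
            i += 1
        if has_code:
            stats.code += 1
        else:
            stats.comments += 1
    return stats


def count_dir(root: Path, suffix: str = ".rs") -> LocStats:
    """Sum the per-file statistics for every *.rs file below root."""
    total = LocStats()
    for path in sorted(root.rglob(f"*{suffix}")):
        total.add(classify_rust(path.read_text(encoding="utf-8", errors="replace")))
    return total


# Constructed sample: 10 lines -> 1 blank, 4 comment-only, 5 code.
SAMPLE_RS = """\
//! Crate docs (comment)
use std::fmt;

/* block
   comment */
fn hello() -> &'static str {
    let s = "not // a comment"; // trailing comment, line still counts as code
    /* nested /* block */ still comment */
    s
}
"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    result = count_dir(target) if target else classify_rust(SAMPLE_RS)
    print(result)
```

Run it as `python loc.py path/to/enclave` to get the breakdown for a directory; with no argument it classifies the embedded sample. The `comments` figure counts comment-only lines, matching what scc reports, so scc's Code column is what an audit quote should be based on.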

murerfel commented 3 years ago

Parity Substrate Security Review

Found a report from 2018, where Parity had parts of their code base audited: https://www.parity.io/blog/parity-completes-trail-of-bits-security-review/ , with a PDF report: https://www.trailofbits.com/reports/parity.pdf

Polkadot Security Audit

Security audit of Polkadot -> https://medium.com/web3foundation/polkadot-security-audits-atredis-ba14246aa7c5 and the detailed report is here: https://assets.polkadot.network/security-audits/Atredis_Partners-Web3-Polkadot-PlatformSecurityAssessment.pdf

murerfel commented 3 years ago

Parts to exclude

Parts to include

Issues to resolve before audit