leszek-vechain
commented
2 days ago So I was looking into the repository today and couple of things come to my mind:
- review eslint config for start, to see if we have everything in place
- include additional checks e.g.:
- perform DAST (dynamic AST analysis)
- perform taint analysis: https://deepsource.com/glossary/taint-analysis, not sure if Sonar is doing it already or not
- review crucial data:
- any PII like data from user and how we handle them (private keys etc)
- how we use external variables (process etc)
- possible injections (console, SQL etc)
- possible API calls with body / headers scan and injections
- any contract calls or Solidity files analysis (if we use it)
I suppose based on this we can try to identify code which is more susceptible to abuse
freemanzMrojo
Context As the VeChain-SDK is a public good, the code is open for anyone to review. VeChain Foundation wants also to get the codebase reviewed by a recognised third-party professional auditor.
Description Since the SDK is vast, giving the auditor the whole repo can be dispersive and can take a lot of time. The ask is to go through the packages and tag the portions with a risk level.
Acceptance criteria Produce a spreadsheet where each raw represent a part of the sdk, define for each entry a risk level (LOWEST, LOW, MEDIUM, HIGH, HIGHEST) to later define prioritise the code to audit.