[Audit] Identify the scope

[victhorbi]

Context
As the VeChain-SDK is a public good, the code is open for anyone to review. VeChain Foundation wants also to get the codebase reviewed by a recognised third-party professional auditor.

Description
Since the SDK is vast, giving the auditor the whole repo can be dispersive and can take a lot of time. The ask is to go through the packages and tag the portions with a risk level.

Acceptance criteria
Produce a spreadsheet where each raw represent a part of the sdk, define for each entry a risk level (LOWEST, LOW, MEDIUM, HIGH, HIGHEST) to later define prioritise the code to audit.

[leszek-vechain]

So I was looking into the repository today and couple of things come to my mind:

• review eslint config for start, to see if we have everything in place
• include additional checks e.g.:
  • https://www.npmjs.com/package/eslint-plugin-sonarjs
  • https://www.npmjs.com/package/eslint-plugin-security
• perform DAST (dynamic AST analysis)
• perform taint analysis: https://deepsource.com/glossary/taint-analysis, not sure if Sonar is doing it already or not
• review crucial data:
  • any PII like data from user and how we handle them (private keys etc)
  • how we use external variables (process etc)
  • possible injections (console, SQL etc)
  • possible API calls with body / headers scan and injections
  • any contract calls or Solidity files analysis (if we use it)

I suppose based on this we can try to identify code which is more susceptible to abuse

[freemanzMrojo]

Hi guys, after discussing with @lucanicoladebiasi , we thought that by refactoring the network package we could:

1. Fix any security issues for that package since the code will become different
2. Make it better and remove circular dependencies

To better define the scope of this refactor, we have decided to start "small" by refactoring the ThorClient so we can have a better idea of the follow-up steps in this regard. With that in mind I have created this ticket #1450.

Any comments/questions just let us know, thanks.