
Commit 23b179a

Blockchain Security (#434)

* Blockchain Security
  P1 - Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key
  Varies - Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure
  Varies - Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation
  Varies - Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack
  Varies - Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation
  Varies - Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error
  Varies - Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance
  P1 - Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover
  P1 - Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer
  P1 - Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation
  P2 - Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer
  P2 - Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation
  P3 - Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass
  Varies - Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals
  Varies - Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic
  Varies - Decentralized Application Misconfiguration - Marketplace Security - Denial of Service
  P1 - Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service
  P2 - Protocol Specific Misconfiguration - Frontrunning-Enabled Attack
  P2 - Protocol Specific Misconfiguration - Sandwich-Enabled Attack
  Varies - Protocol Specific Misconfiguration - Misconfigured Staking Logic
  Varies - Protocol Specific Misconfiguration - Improper Validation and Finalization Logic
  P1 - Smart Contract Misconfiguration - Reentrancy Attack
  P1 - Smart Contract Misconfiguration - Smart Contract Owner Takeover
  P1 - Smart Contract Misconfiguration - Uninitialized Variables
  P1 - Smart Contract Misconfiguration - Unauthorized Transfer of Funds
  P2 - Smart Contract Misconfiguration - Integer Overflow / Underflow
  P2 - Smart Contract Misconfiguration - Unauthorized Smart Contract Approval
  P3 - Smart Contract Misconfiguration - Irreversible Function Call
  P3 - Smart Contract Misconfiguration - Function-level Denial of Service
  P3 - Smart Contract Misconfiguration - Malicious Superuser Risk
  P3 - Smart Contract Misconfiguration - Improper Fee Implementation
  P4 - Smart Contract Misconfiguration - Improper Use of Modifier
  P4 - Smart Contract Misconfiguration - Improper Decimals Implementation
  Varies - Smart Contract Misconfiguration - Inaccurate Rounding Calculation
  Varies - Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks
  Varies - Zero Knowledge Security Misconfiguration - Missing Constraint
  Varies - Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths
  Varies - Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup
  Varies - Zero Knowledge Security Misconfiguration - Missing Range Check
  P1 - Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic
  P1 - Zero Knowledge Security Misconfiguration - Deanonymization of Data
  Varies - Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic
* Fixing syntax errors
* Update vulnerability-rating-taxonomy.json
* Fixing errors
* Fixing errors
* Fixing errors
* SAML Replay - P5
  Adding: P5 - Broken Authentication and Session Management - SAML Replay
* Revert "SAML Replay - P5"
  This reverts commit 04c8503.
* Update vulnerability-rating-taxonomy.json
* Sorted JSONs + Helper Script (#436)
* Additional Files

---------

Co-authored-by: Abhinav Nain <[email protected]>
1 parent 5c0a021 commit 23b179a

7 files changed: +5427 / -4622 lines changed

lib/utils/utils.py (+32 -3)
@@ -1,5 +1,4 @@
1-
import json
2-
import git
1+
import json, git, os
32

43
VRT_FILENAME = 'vulnerability-rating-taxonomy.json'
54
DEPRECATED_MAPPING_FILENAME = 'deprecated-node-mapping.json'
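Review bot: `import json, git, os` folds three imports onto one line, which PEP 8 discourages, and it makes this hunk rewrite the two existing import lines for no functional reason; keep `import json` and `import git` as they were and add `import os` on its own line, so later changes to the import list produce minimal diffs.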
@@ -9,7 +8,9 @@
98
SCW_FILENAME = 'secure-code-warrior-links.json'
109
SCW_DIR = 'remediation_training'
1110
THIRD_PARTY_MAPPING_DIR = 'third-party-mappings'
12-
11+
CVSS_FILE = "cvss_v3/cvss_v3.json"
12+
CWE_FILE = "cwe/cwe.json"
13+
REMEDIATION_ADVICE_FILE = "remediation_advice/remediation_advice.json"
1314

1415
def get_json(filename):
1516
with open(filename) as f:
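Review bot: the three new constants (`CVSS_FILE`, `CWE_FILE`, `REMEDIATION_ADVICE_FILE`) are relative paths, but nothing here says which directory they are resolved against, while the neighbouring `THIRD_PARTY_MAPPING_DIR` is a bare directory name; a one-line comment stating the base directory would help, since the later hunk joins them with `MAPPING_DIR`, which is not visible in this hunk. Also, the added lines use double quotes where every existing constant in this file uses single quotes; match the file's quoting style.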
@@ -130,3 +131,31 @@ def _all_id_lists(sub_vrt, prefix):
130131
print(sub_vrt)
131132
raise Exception('unexpected entry found')
132133
return _all_id_lists(vrt['content'], [])
134+
135+
def sort_jsons():
136+
'''
137+
Sort all corresponding JSONs for this project for better readability and
138+
maintaining properly formatted JSON files.
139+
'''
140+
def sort_json(json_data):
141+
def sort_json_blocks(block_data):
142+
sorted_blocks = list(sorted(block_data, key = lambda a: a['id']))
143+
for idx, block in enumerate(sorted_blocks):
144+
if 'children' in block and block['children']!=[]:
145+
sorted_children = sort_json_blocks(block['children'])
146+
sorted_blocks[idx]['children'] = sorted_children
147+
return sorted_blocks
148+
json_data['content'] = sort_json_blocks(json_data['content'])
149+
return json_data
150+
151+
for json_path in [
152+
VRT_FILENAME,
153+
os.path.join(MAPPING_DIR, CVSS_FILE),
154+
os.path.join(MAPPING_DIR, CWE_FILE),
155+
os.path.join(MAPPING_DIR, REMEDIATION_ADVICE_FILE)
156+
]:
157+
data = sort_json(get_json(json_path))
158+
print("`{}` JSON data sorted!".format(json_path))
159+
output = json.dumps(data, indent=2)
160+
open(json_path, "w").write(output)
161+
print("- Writing {} bytes.\n".format(len(output)))
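Review bot: `open(json_path, "w").write(output)` leaves the file handle to be closed by the garbage collector with no explicit flush, and `get_json` just above already uses the `with open(filename) as f:` pattern; write the file as `with open(json_path, "w") as f: f.write(output)` instead. Two smaller points in the same function: `json.dumps(data, indent=2)` produces no trailing newline, so every rewritten JSON file will end without one, and the `JSON data sorted!` message is printed before the write happens, so a failed write is reported as success; append `"\n"` to `output` and move that print after the write.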
