Code Vulnerability Analysis of Blockchain Projects in the Open Source Community
Abstract:
As research and exploration in the blockchain field have deepened in recent years, applications built on blockchain technology, such as digital currency and commodity traceability, have entered our daily lives. At the same time, vulnerabilities in blockchain networks keep being discovered. Even if blockchain technology is secure in theory, most applications are software systems that developers design on top of it, and it is hard to guarantee that developers will not introduce third-party components when designing that software; vulnerabilities originating in third-party components are one of the main causes of software problems. This article focuses on the vulnerability situation of blockchain projects related to transaction scenarios in the open source community, scanning and analyzing the projects' vulnerabilities with Scantist SCA. First, to obtain projects that match the topic, the article searches the GitHub community for blockchain projects with a web crawler, builds a screening model along five dimensions, and finally determines the projects to be scanned. Then it analyzes the metrics produced by Scantist SCA, to understand what capabilities SCA tools have in vulnerability detection and which metrics the tool uses to help analyze vulnerabilities. With that understanding of how SCA supports vulnerability analysis, it assesses the current state of third-party component vulnerabilities in blockchain projects for transaction scenarios in three aspects: the average number of CVE security vulnerabilities per project in the community under this topic, the distribution of security levels, and the situation of common vulnerabilities, and from these derives the general situation under this topic. Next, having analyzed the vulnerabilities, the article attempts to fix them according to the remediation methods given by Scantist SCA in order to remove their impact, and after the fixes discusses the projects' security and the compatibility problems the fixes raise. Finally, based on the above analysis, the article discusses the existing vulnerability problems, gives a detection scheme for code whose development is already complete, and proposes a shift-left security protection strategy for projects in the early or middle stages of development.
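The three-part assessment the abstract describes (average CVE count per project, severity distribution, vulnerabilities common to several projects) and the follow-up remediation step can be carried out over any dependency-scan output. The Python below is an added example, not code from the paper or from Scantist: the finding layout is a constructed simplification rather than Scantist SCA's real report format, the project names and `CVE-0000-xxxx` ids are placeholders, and "common vulnerabilities" is read here as CVEs shared by more than one scanned project. The `upgrade_plan` function computes, per component, the lowest version that clears every fixable finding and flags major-version bumps, which is where the compatibility problems the abstract mentions usually come from.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    """One vulnerable-component finding from a dependency scan.

    Constructed, simplified layout for this example; it is not Scantist SCA's
    real report format."""
    project: str
    component: str
    version: str
    cve: str
    severity: str
    fixed_in: Optional[str]  # first version that clears the finding, if one is known


# Constructed sample scan results: placeholder project names and placeholder
# CVE ids (CVE-0000-xxxx). ledger-d was scanned and produced no findings.
SAMPLE_PROJECTS = ["wallet-a", "exchange-b", "tracer-c", "ledger-d"]
SAMPLE_FINDINGS = [
    Finding("wallet-a", "lodash", "4.17.15", "CVE-0000-0001", "high", "4.17.21"),
    Finding("wallet-a", "lodash", "4.17.15", "CVE-0000-0002", "medium", "4.17.19"),
    Finding("wallet-a", "axios", "0.19.0", "CVE-0000-0003", "medium", "0.21.1"),
    Finding("exchange-b", "lodash", "4.17.15", "CVE-0000-0001", "high", "4.17.21"),
    Finding("exchange-b", "ws", "5.2.0", "CVE-0000-0004", "critical", "7.4.6"),
    Finding("tracer-c", "lodash", "4.17.11", "CVE-0000-0001", "high", "4.17.21"),
    Finding("tracer-c", "minimist", "1.2.0", "CVE-0000-0005", "low", None),
]


def average_cves_per_project(findings: Iterable[Finding], projects: List[str]) -> float:
    """Mean number of distinct CVEs per scanned project.

    Projects with zero findings stay in the denominator, so a clean project
    lowers the average instead of disappearing from it."""
    per_project: Dict[str, set] = defaultdict(set)
    for f in findings:
        per_project[f.project].add(f.cve)
    if not projects:
        return 0.0
    return sum(len(per_project[p]) for p in projects) / len(projects)


def severity_distribution(findings: Iterable[Finding]) -> Dict[str, int]:
    """Number of (project, CVE) pairs at each severity level.

    The same CVE reported twice for one project (e.g. via two dependency
    paths) counts once; the same CVE in two projects counts twice."""
    seen = {(f.project, f.cve): f.severity for f in findings}
    counts = Counter(seen.values())
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def shared_vulnerabilities(findings: Iterable[Finding], min_projects: int = 2) -> List[Tuple[str, str, int]]:
    """CVEs present in at least `min_projects` projects, most widespread first.

    Returns (cve, component, number_of_projects) tuples."""
    projects_by_cve: Dict[Tuple[str, str], set] = defaultdict(set)
    for f in findings:
        projects_by_cve[(f.cve, f.component)].add(f.project)
    hits = [(cve, comp, len(ps)) for (cve, comp), ps in projects_by_cve.items() if len(ps) >= min_projects]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: plain dotted numeric versions (no pre-release or build tags).
    return tuple(int(part) for part in v.split("."))


def upgrade_plan(findings: Iterable[Finding], project: str) -> Dict[str, dict]:
    """For one project, the lowest version of each component that clears every
    finding with a known fix. Flags major-version bumps, the usual source of the
    compatibility problems a remediation can introduce, and lists CVEs that
    have no fixed version so they can be tracked separately."""
    plan: Dict[str, dict] = {}
    for f in findings:
        if f.project != project:
            continue
        entry = plan.setdefault(f.component, {"from": f.version, "to": None, "unfixed": []})
        if f.fixed_in is None:
            entry["unfixed"].append(f.cve)
        elif entry["to"] is None or parse_version(f.fixed_in) > parse_version(entry["to"]):
            entry["to"] = f.fixed_in
    for entry in plan.values():
        entry["major_bump"] = (
            entry["to"] is not None
            and parse_version(entry["to"])[0] != parse_version(entry["from"])[0]
        )
    return plan


if __name__ == "__main__":
    print("average CVEs per project:", average_cves_per_project(SAMPLE_FINDINGS, SAMPLE_PROJECTS))
    print("severity distribution:", severity_distribution(SAMPLE_FINDINGS))
    print("shared across projects:", shared_vulnerabilities(SAMPLE_FINDINGS))
    for p in SAMPLE_PROJECTS:
        print(p, upgrade_plan(SAMPLE_FINDINGS, p))
```

On the constructed sample the average is 1.75 CVEs per project, one CVE is shared by three of the four projects, and the plan for `exchange-b` shows why remediation is not always a drop-in change: clearing the critical finding on `ws` requires moving from a 5.x to a 7.x release, which the major-bump flag surfaces for compatibility review before the upgrade is applied.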