Scope

The following scope was defined during the project intake:

Repository Name: bloopAI
Repository Path: https://github.com/BloopAI/
Commit Hash: 1409b73e5e1a51596c51084e79d4f035238e6bca
Date: 2023.03.30
Person Days: 4

The total time spent on auditing was 4 person days.

The component audit focused on the Tauri-specific parts of the application stack. The Tauri configuration (tauri.conf.json), the commands (#[tauri::command]) and the general interaction between the frontend and backend of the application in /apps/desktop were in scope. The /server and /client components were out of scope for manual checks due to time restrictions.

Threat Model

The main adversary assumed was the Input Control Adversary, as untrusted data is parsed when repositories are searched. Other possible adversaries were not explicitly excluded but considered a lower priority for this engagement.

The most impactful types of business risks were identified as:

  • Loss of Integrity
  • Loss of Confidentiality