admin/_docs/05_security/dependency_scan.md
Oleksandr Bezdieniezhnykh c7b297de83
refactor: remove deploy.cmd and update Dockerfile for health checks
- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-13 08:47:21 +03:00

# Dependency Scan

- Date: 2026-05-13
- Scanner: `dotnet list package --vulnerable --include-transitive` and `dotnet list package --deprecated` (NuGet metadata), plus manual cross-reference of pinned versions against published GitHub Security Advisories (GHSA).
- Sources used: api.nuget.org and three private `pkgs.dev.azure.com/pwc-us-prism/_packaging/*` feeds.

## Scope

| Project | Vulnerable Packages |
|---|---|
| Azaion.AdminApi | none reported |
| Azaion.Common | none reported |
| Azaion.Services | none reported |
| Azaion.Test | none reported |
| e2e/Azaion.E2E | none reported |

`dotnet list package --vulnerable --include-transitive` returned a clean result for every project against the configured feeds. No CVE-ranked findings.

## Deprecated Packages

| Project | Package | Version | Reason | Recommended |
|---|---|---|---|---|
| Azaion.AdminApi | FluentValidation.AspNetCore | 11.3.0 | Legacy (deprecated by maintainer) | Move validators to manual `ServiceCollectionExtensions.AddValidatorsFromAssembly(...)` registration; FluentValidation 11.10.0 (already in use elsewhere) is the supported core. The AspNetCore auto-DI helper is no longer maintained. |
| Azaion.Services | System.IdentityModel.Tokens.Jwt | 7.1.2 | Legacy (Microsoft pushes consumers to Microsoft.IdentityModel.JsonWebTokens) | Migrate to Microsoft.IdentityModel.JsonWebTokens (the modern token-handler stack already shipped via Microsoft.AspNetCore.Authentication.JwtBearer 10.0.3). |
| Azaion.Test | xunit | 2.9.2 | Legacy (xunit.v3 is the new line) | Plan a migration to xunit.v3 once it leaves prerelease. Not urgent — xunit 2.x still receives security backports. |

Deprecated ≠ vulnerable. None of the three packages above carry an open CVE. They are flagged so we have a paper trail before they reach end-of-life.

## Manual Advisory Cross-Reference

The pinned top-level package list (output of `dotnet list package`) was cross-checked against GitHub Security Advisories for known issues NOT yet surfaced by NuGet metadata:

| Package | Pinned | Advisory | Severity | Fix Version | Notes |
|---|---|---|---|---|---|
| Newtonsoft.Json | 13.0.1 | GHSA-5crp-9r3c-p9vr (Improper Handling of Exceptional Conditions — DoS via deeply nested JSON) | High | 13.0.2 or higher | Used transitively + directly across Azaion.Common, Azaion.Services. Untrusted JSON enters via LoginRequest, RegisterUserRequest, GetUpdateRequest, etc. — all of which deserialize via the ASP.NET Core minimal API stack. Even though minimal API uses System.Text.Json by default, the Newtonsoft.Json reference is reachable from logging payload formatting and from ResourceColumnEncryption-adjacent code paths. Bump to 13.0.3 or later. |
| LazyCache.AspNetCore | 2.4.0 | none open | | | Last release 2022; in maintenance mode. No advisory. |
| Microsoft.AspNetCore.Authentication.JwtBearer | 10.0.3 | none open | | | Latest .NET 10 line. |
| Npgsql | 10.0.1 | none open | | | Current. |
| linq2db | 5.4.1 | none open | | | Current. |
| Swashbuckle.AspNetCore | 10.1.4 | none open | | | Current. |
| Serilog family (4.1.0 / sinks 6.0.0 / 8.0.0) | varies | none open | | | Current. |
| FluentAssertions | 6.12.2 | n/a (test-only) | | | License changed in 8.0; staying on 6.x is fine. |

## Findings

### D-1: Newtonsoft.Json 13.0.1 is below the patched line for GHSA-5crp-9r3c-p9vr (High) — RESOLVED in cycle 1

- Severity: High (now closed)
- CVE/Advisory: GHSA-5crp-9r3c-p9vr (DoS via uncontrolled recursion when deserializing deeply nested JSON)
- Location at time of finding: top-level reference in `Azaion.Common.csproj`, `Azaion.Services.csproj`
- Resolution (2026-05-13): bumped to 13.0.4 (current stable, released 2025-09-17) in both csproj files. `dotnet restore` + `dotnet build` succeeded. Full test suite re-ran clean: 48 e2e (Docker) + 2 unit. The 13.0.1 → 13.0.4 jump is patch-level on the same major; the `JsonConvert.SerializeObject` / `DeserializeObject` API surface is unchanged at the call sites (AzaionDbSchemaHolder, BusinessExceptionHandler, SecurityTest).
- Notes: NuGet's `--vulnerable` did not flag this on the configured feeds — likely because the GHSA → NuGet vulnerability index sync depends on advisory enrichment that hasn't propagated to all mirrors. Manual upgrade was warranted.
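The manual cross-reference step described above, and the gap noted in D-1 (the feed's vulnerability index lagging behind GHSA), can be scripted so the next cycle repeats it mechanically. This is an added example and not part of the scan document or the Azaion repository: it parses a constructed sample of the SDK's `dotnet list package --vulnerable --include-transitive --format json` report (field names as I know them from the SDK's JSON output, values made up here) and checks every resolved version against a hand-maintained advisory table seeded with the one entry recorded in this scan.

```python
import json
import re

# Constructed sample of a `dotnet list package --vulnerable --include-transitive --format json`
# report. Field names follow the SDK's JSON report as I know it; the values are made up here.
SAMPLE_REPORT = """{
  "version": 1,
  "projects": [
    {"path": "Azaion.Common/Azaion.Common.csproj",
     "frameworks": [{"framework": "net10.0",
       "topLevelPackages": [
         {"id": "Newtonsoft.Json", "requestedVersion": "13.0.1", "resolvedVersion": "13.0.1"}],
       "transitivePackages": [
         {"id": "Npgsql", "resolvedVersion": "10.0.1"}]}]}
  ]
}"""

# Hand-maintained advisory table for the manual GHSA cross-reference step. The one entry
# is the advisory and fix version recorded in the scan document; extend it each cycle.
ADVISORIES = {
    "newtonsoft.json": [("GHSA-5crp-9r3c-p9vr", "High", "13.0.2")],
}

def parse_version(v):
    """Numeric NuGet version tuple; a -prerelease or +build suffix is ignored for ordering."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def cross_reference(report_text, advisories=ADVISORIES):
    """Return (project, package, resolved, advisory, severity, fix) tuples for every
    top-level or transitive package NuGet flagged or that sits below a curated fix version."""
    report = json.loads(report_text)
    hits = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                resolved = pkg["resolvedVersion"]
                # Findings the SDK already surfaced from NuGet vulnerability metadata
                for vuln in pkg.get("vulnerabilities", []):
                    hits.append((project["path"], pkg["id"], resolved,
                                 vuln.get("advisoryurl", "?"), vuln.get("severity", "?"), "see advisory"))
                # Manual cross-reference: catches advisories the feed index has not synced yet
                for ghsa, severity, fix in advisories.get(pkg["id"].lower(), []):
                    if parse_version(resolved) < parse_version(fix):
                        hits.append((project["path"], pkg["id"], resolved, ghsa, severity, fix))
    return hits
```

Feed the real report in with `dotnet list package --vulnerable --include-transitive --format json > report.json` and pass the file contents to `cross_reference`; a non-empty result is what should fail the CI step.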

## Self-verification

- All package manifests scanned (5 csproj: 4 production + 1 e2e)
- Each finding has a CVE/advisory reference
- Upgrade paths identified for High findings