admin/_docs/05_security/dependency_scan_cycle2.md
Oleksandr Bezdieniezhnykh 1bdbe8c96d [AZ-529] [AZ-530] Cycle-2 security audit reports
Step 14 (Security Audit) output for cycle 2. Verdict: FAIL — 2 Critical
(F-INFRA-1, F-INFRA-2) + 4 High (F-INFRA-3, F-INFRA-4, F-AUTH-1,
F-AUTH-2) block deploy. 13 cycle-2 findings total; cycle-1 closures
confirmed for F-6, F-7, F-8, F-13, A09.

Files:
- security_report_cycle2.md (delta on cycle-1 report; FAIL verdict,
  tracker follow-ups filed as AZ-552..AZ-557 + 9 deferred Medium/Low)
- owasp_review_cycle2.md (A01..A09 delta; 2 FAIL / 2 PASS_W_W / 5 PASS)
- static_analysis_cycle2.md (F-AUTH-1..9 with locations + remediation)
- infrastructure_review_cycle2.md (F-INFRA-1..6 with locations
  + remediation)
- dependency_scan_cycle2.md (no new CVEs; cycle-1 deprecations re-flagged)

Cycle-1 reports remain authoritative for non-cycle-2 surface.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 09:23:02 +03:00

# Dependency Scan — Cycle 2 (Auth Modernization, AZ-531..AZ-538)

**Date**: 2026-05-14

**Scope**: delta from cycle 1's `dependency_scan.md` — focuses on packages added or version-bumped during cycle 2.

**Tooling**: `dotnet list package --vulnerable --include-transitive`, `dotnet list package --deprecated --include-transitive`.

## Vulnerability scan result (all csprojs)

```
Project Azaion.AdminApi : no vulnerable packages
Project Azaion.Common : no vulnerable packages
Project Azaion.Services : no vulnerable packages
```

**Verdict**: 0 known CVEs across direct + transitive packages on the resolved sources (nuget.org + 3 internal feeds).

## Packages added in cycle 2

| Package | Version | Project | Purpose | Security review |
|---------|---------|---------|---------|-----------------|
| `Konscious.Security.Cryptography.Argon2` | 1.3.1 | Azaion.Services | Argon2id password hashing (AZ-536) | No reported CVEs. Author Keef Aragon; widely used in the .NET community. Implements the Argon2 1.3 spec. Ensure `time/memory/parallelism` parameters in `AuthConfig.PasswordHashing` are tuned for the production host (current defaults: t=3, m=64 MiB, p=2). |
| `Otp.NET` | 1.4.1 | Azaion.Services | TOTP / HOTP (AZ-534) | No reported CVEs. Implements RFC 6238 and RFC 4226. MIT-licensed. Last updated 2024. |
| `QRCoder` | 1.8.0 | Azaion.Services | QR PNG generation for MFA enrollment (AZ-534) | No reported CVEs in 1.8.0. Note: an older version 1.3.7 had a Critical vulnerability — verify our pinned 1.8.0 stays past that boundary on every refresh. |
| `Microsoft.AspNetCore.DataProtection` | 10.0 (framework) | Azaion.AdminApi | Encrypt MFA secrets at rest (AZ-534) | Built-in to ASP.NET Core; CVE risk is folded into the framework version. |
| `Microsoft.AspNetCore.RateLimiting` | 10.0 (framework) | Azaion.AdminApi | Per-IP rate limit (AZ-537) | Built-in. |

> No package was bumped to a new version during cycle 2 (cycle 1 already brought `Newtonsoft.Json` to 13.0.4 to close audit finding D-1).

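The table's note on `Konscious.Security.Cryptography.Argon2` asks that the `t/m/p` parameters be tuned for the production host. The following is an added example (not Azaion project code) showing how those three values map onto the library's properties, including the MiB-to-KiB conversion the library expects, and how to store the parameters beside the hash so that a later re-tune can be detected at login and trigger a rehash. The `PasswordHashingOptions` record and the `$argon2id$...` storage format are assumptions, not the project's `AuthConfig.PasswordHashing` shape.

```csharp
// Added example, not the project's own hasher. Demonstrates Konscious Argon2id with the
// report's quoted defaults (t=3, m=64 MiB, p=2) and a self-describing hash string so the
// parameters can be raised later without breaking existing rows.
using System;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

// Assumed options shape; the project's real AuthConfig.PasswordHashing may differ.
public sealed record PasswordHashingOptions(int TimeCost = 3, int MemoryMiB = 64, int Parallelism = 2);

public static class PasswordHasher
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // Returns "$argon2id$t=3,m=65536,p=2$<salt b64>$<hash b64>" (constructed format).
    public static string Hash(string password, PasswordHashingOptions opts)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        int memoryKiB = checked(opts.MemoryMiB * 1024); // library takes KiB, report quotes MiB
        byte[] hash = Derive(password, salt, opts.TimeCost, memoryKiB, opts.Parallelism);
        return $"$argon2id$t={opts.TimeCost},m={memoryKiB},p={opts.Parallelism}" +
               $"${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Verifies the password and reports whether the stored row was hashed with parameters
    // below the current configuration (caller should rehash on a successful login).
    public static (bool Ok, bool NeedsRehash) Verify(string password, string stored, PasswordHashingOptions current)
    {
        string[] parts = stored.Split('$', StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 4 || parts[0] != "argon2id") return (false, false);

        var (t, m, p) = ParseParams(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Derive(password, salt, t, m, p);

        // Fixed-time comparison avoids leaking how many leading bytes matched.
        bool ok = CryptographicOperations.FixedTimeEquals(actual, expected);
        bool belowCurrent = t < current.TimeCost || m < current.MemoryMiB * 1024 || p != current.Parallelism;
        return (ok, ok && belowCurrent);
    }

    private static byte[] Derive(string password, byte[] salt, int t, int mKiB, int p)
    {
        using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
        {
            Salt = salt,
            Iterations = t,           // "t" in the report
            MemorySize = mKiB,        // "m", in KiB: 64 MiB -> 65536
            DegreeOfParallelism = p,  // "p"
        };
        return argon2.GetBytes(HashBytes);
    }

    private static (int t, int m, int p) ParseParams(string s)
    {
        int t = 0, m = 0, p = 0;
        foreach (string kv in s.Split(','))
        {
            string[] pair = kv.Split('=');
            int v = int.Parse(pair[1]);
            switch (pair[0]) { case "t": t = v; break; case "m": m = v; break; case "p": p = v; break; }
        }
        return (t, m, p);
    }
}
```

Tuning note: because the parameters travel with each stored hash, raising `t` or `m` for a stronger production host only requires changing the options; `Verify` keeps accepting old rows and signals `NeedsRehash` so they are upgraded on the next successful login rather than in a bulk migration.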
## Deprecated (Legacy) packages — unchanged from cycle 1
```
Azaion.AdminApi:
> FluentValidation.AspNetCore 11.3.0 Legacy
Azaion.Services:
> System.IdentityModel.Tokens.Jwt 7.1.2 Legacy
Transitive:
> Microsoft.IdentityModel.Abstractions 7.1.2 Legacy
> Microsoft.IdentityModel.JsonWebTokens 7.1.2 Legacy
> Microsoft.IdentityModel.Logging 7.1.2 Legacy
> Microsoft.IdentityModel.Tokens 7.1.2 Legacy
```

**Status**: deprecated ≠ vulnerable. Cycle-1 audit already flagged these (D-2, D-3, D-4). Cycle 2 brings these packages much more squarely into the security path because they now also handle ES256 signing + JWKS construction. **Recommendation upgraded** vs. cycle 1: schedule an upgrade window in cycle 3 to bump `Microsoft.IdentityModel.*` to a non-Legacy line.

## DataProtection key store — operational note (NOT a CVE)

`Azaion.AdminApi.Program.cs` lines 152-160 register DataProtection. If `DataProtection:KeysFolder` is unset in production, ASP.NET Core defaults to per-machine, ephemeral keys — restarts will silently invalidate every encrypted MFA secret in the database. This is **not** a code vulnerability but is a deployment-time misconfiguration risk; surfaced as a finding in `infrastructure_review_cycle2.md` (F-2026Q2-INFRA-1).

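One way to close the misconfiguration window described above at startup rather than at first restart, as an added example that is not the project's `Program.cs`: persist the key ring to the configured folder and refuse to start in production when `DataProtection:KeysFolder` is missing. The config key is the one named in this report; the application name string and the messages are assumptions.

```csharp
// Added example, not Azaion's Program.cs. Registers DataProtection with a persisted key
// ring and fails fast in production when DataProtection:KeysFolder is unset, instead of
// silently falling back to ephemeral keys that stop decrypting stored MFA secrets after a restart.
using System;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Config key named in the report; may be supplied via appsettings or DataProtection__KeysFolder env var.
string? keysFolder = builder.Configuration["DataProtection:KeysFolder"];

var dp = builder.Services.AddDataProtection()
    // Fixed application name (assumed value): isolates this app's key ring and keeps payloads
    // decryptable if the content root path changes between deployments.
    .SetApplicationName("Azaion.AdminApi");

if (!string.IsNullOrWhiteSpace(keysFolder))
{
    // Persisted key ring: secrets protected before a restart remain readable after it.
    Directory.CreateDirectory(keysFolder);
    dp.PersistKeysToFileSystem(new DirectoryInfo(keysFolder));
}
else if (builder.Environment.IsProduction())
{
    // Fail fast: a non-persisted key ring in production is the F-2026Q2-INFRA-1 condition.
    throw new InvalidOperationException(
        "DataProtection:KeysFolder must be set in production; without it the key ring is " +
        "ephemeral and every protected MFA secret becomes unreadable after a restart.");
}

var app = builder.Build();

if (string.IsNullOrWhiteSpace(keysFolder))
{
    // Non-production only: make the ephemeral behaviour visible in logs rather than silent.
    app.Logger.LogWarning("DataProtection keys are not persisted; protected payloads will not survive a restart.");
}

app.Run();
```

The folder should be writable only by the service account and backed up with the database, since a restored database without the matching key ring is exactly the "silently invalidated" state the note describes.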
## Recommendations (Phase 1 only)
1. (Open from cycle 1, severity-elevated for cycle 2) Bump the `Microsoft.IdentityModel.*` family from `7.1.2` (Legacy) to the current LTS line. The cycle-2 ES256 signing path runs through these packages.
2. (Open from cycle 1) Bump `FluentValidation.AspNetCore` from `11.3.0` (Legacy) to current.
3. (New) Pin a CI gate that re-runs `dotnet list package --vulnerable` weekly and fails the pipeline on any non-zero result. The cycle-1 audit recommended this; cycle 2 surface (Argon2id, OtpNet, QRCoder, JWT signing) makes it more important, not less.