admin/_docs/05_security/dependency_scan_cycle2.md
Oleksandr Bezdieniezhnykh 1bdbe8c96d [AZ-529] [AZ-530] Cycle-2 security audit reports
Step 14 (Security Audit) output for cycle 2. Verdict: FAIL — 2 Critical
(F-INFRA-1, F-INFRA-2) + 4 High (F-INFRA-3, F-INFRA-4, F-AUTH-1,
F-AUTH-2) block deploy. 13 cycle-2 findings total; cycle-1 closures
confirmed for F-6, F-7, F-8, F-13, A09.

Files:
- security_report_cycle2.md (delta on cycle-1 report; FAIL verdict,
  tracker follow-ups filed as AZ-552..AZ-557 + 9 deferred Medium/Low)
- owasp_review_cycle2.md (A01..A09 delta; 2 FAIL / 2 PASS_W_W / 5 PASS)
- static_analysis_cycle2.md (F-AUTH-1..9 with locations + remediation)
- infrastructure_review_cycle2.md (F-INFRA-1..6 with locations
  + remediation)
- dependency_scan_cycle2.md (no new CVEs; cycle-1 deprecations re-flagged)

Cycle-1 reports remain authoritative for non-cycle-2 surface.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 09:23:02 +03:00


Dependency Scan — Cycle 2 (Auth Modernization, AZ-531..AZ-538)

Date: 2026-05-14
Scope: delta from cycle 1's dependency_scan.md; focuses on packages added or version-bumped during cycle 2.
Tooling: dotnet list package --vulnerable --include-transitive, dotnet list package --deprecated --include-transitive.

Vulnerability scan result (all csprojs)

Project Azaion.AdminApi : no vulnerable packages
Project Azaion.Common   : no vulnerable packages
Project Azaion.Services : no vulnerable packages

Verdict: 0 known CVEs across direct + transitive packages on the resolved sources (nuget.org + 3 internal feeds).

Packages added in cycle 2

| Package | Version | Project | Purpose | Security review |
|---|---|---|---|---|
| Konscious.Security.Cryptography.Argon2 | 1.3.1 | Azaion.Services | Argon2id password hashing (AZ-536) | No reported CVEs. Author Keef Aragon; widely used in the .NET community. Implements the Argon2 1.3 spec. Ensure the time/memory/parallelism parameters in AuthConfig.PasswordHashing are tuned for the production host (current defaults: t=3, m=64 MiB, p=2). |
| Otp.NET | 1.4.1 | Azaion.Services | TOTP / HOTP (AZ-534) | No reported CVEs. Implements RFC 6238 and RFC 4226. MIT-licensed. Last updated 2024. |
| QRCoder | 1.8.0 | Azaion.Services | QR PNG generation for MFA enrollment (AZ-534) | No reported CVEs in 1.8.0. Note: an older version, 1.3.7, had a Critical vulnerability; verify that our pinned 1.8.0 stays past that boundary on every refresh. |
| Microsoft.AspNetCore.DataProtection | 10.0 (framework) | Azaion.AdminApi | Encrypt MFA secrets at rest (AZ-534) | Built into ASP.NET Core; CVE risk is folded into the framework version. |
| Microsoft.AspNetCore.RateLimiting | 10.0 (framework) | Azaion.AdminApi | Per-IP rate limit (AZ-537) | Built into ASP.NET Core. |

No package was bumped to a new version during cycle 2 (cycle 1 already brought Newtonsoft.Json to 13.0.4 to close audit finding D-1).

Deprecated (Legacy) packages — unchanged from cycle 1

Azaion.AdminApi:
  > FluentValidation.AspNetCore  11.3.0  Legacy

Azaion.Services:
  > System.IdentityModel.Tokens.Jwt  7.1.2  Legacy
  Transitive:
    > Microsoft.IdentityModel.Abstractions  7.1.2  Legacy
    > Microsoft.IdentityModel.JsonWebTokens 7.1.2  Legacy
    > Microsoft.IdentityModel.Logging       7.1.2  Legacy
    > Microsoft.IdentityModel.Tokens        7.1.2  Legacy

Status: deprecated ≠ vulnerable. Cycle-1 audit already flagged these (D-2, D-3, D-4). Cycle 2 brings these packages much more squarely into the security path because they now also handle ES256 signing + JWKS construction. Recommendation upgraded vs. cycle 1: schedule an upgrade window in cycle 3 to bump Microsoft.IdentityModel.* to a non-Legacy line.

DataProtection key store — operational note (NOT a CVE)

Azaion.AdminApi.Program.cs lines 152-160 register DataProtection. If DataProtection:KeysFolder is unset in production, ASP.NET Core defaults to per-machine, ephemeral keys, so restarts will silently invalidate every encrypted MFA secret in the database. This is not a code vulnerability but a deployment-time misconfiguration risk; it is surfaced as a finding in infrastructure_review_cycle2.md (F-2026Q2-INFRA-1).
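One way to catch this before the service starts is a deploy-step preflight that refuses to proceed unless the key folder is configured, exists, is writable by the service account and is not readable by other users (the key ring XML files hold the key material unless an at-rest protector is configured). The script below is an added example for this report, not Azaion project code; it assumes the production host passes the setting as the environment variable DataProtection__KeysFolder, which is how ASP.NET Core maps the DataProtection:KeysFolder configuration key, and that the key ring files follow the framework's key-*.xml naming.

```shell
#!/bin/sh
# Deployment preflight for the DataProtection key ring.
# Added example for this report; not part of the Azaion repository.
# Assumption: the setting arrives as the env var DataProtection__KeysFolder
# (ASP.NET Core's env-var form of DataProtection:KeysFolder).

# check_keys_folder [folder]
# Uses the argument if given, otherwise DataProtection__KeysFolder.
# Returns 0 when the folder is usable for a persistent key ring, 1 otherwise.
check_keys_folder() {
    dir="${1:-${DataProtection__KeysFolder:-}}"

    if [ -z "$dir" ]; then
        echo "FAIL: DataProtection:KeysFolder is unset; keys would be ephemeral and encrypted MFA secrets unreadable after a restart" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: key folder '$dir' does not exist; create it before first start so the key ring persists" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "FAIL: key folder '$dir' is not writable by the service account; key rotation would fail" >&2
        return 1
    fi
    # Key ring XML files contain the key material unless ProtectKeysWith* is
    # configured, so refuse a folder that other users can read.
    if [ -n "$(find "$dir" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo "FAIL: key folder '$dir' is world-readable" >&2
        return 1
    fi
    # Informational: how many key ring files are already present
    # (zero is fine on first deploy; the framework creates one at startup).
    n=$(ls "$dir"/key-*.xml 2>/dev/null | wc -l | tr -d ' ')
    echo "OK: key folder '$dir' is persistent; $n key ring file(s) present" >&2
    return 0
}

# Run as a deploy step with `sh preflight.sh --run`; the functions above can
# also be sourced and called directly.
if [ "${1:-}" = "--run" ]; then
    check_keys_folder
fi
```

Wire it into the deploy job before the service is started; a non-zero exit stops the rollout instead of letting the first restart discover the ephemeral key ring.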

Recommendations (Phase 1 only)

  1. (Open from cycle 1, severity-elevated for cycle 2) Bump Microsoft.IdentityModel.* family from 7.1.2 (Legacy) to the current LTS line. Cycle-2 ES256 signing path runs through these packages.
  2. (Open from cycle 1) Bump FluentValidation.AspNetCore from 11.3.0 (Legacy) to current.
  3. (New) Pin a CI gate that re-runs dotnet list package --vulnerable weekly and fails the pipeline on any non-zero result. The cycle-1 audit recommended this; the cycle-2 surface (Argon2id, Otp.NET, QRCoder, JWT signing) makes it more important, not less.
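A concrete shape for recommendation 3, written for this report as an added example rather than existing Azaion tooling: a POSIX shell gate that runs dotnet list package --vulnerable --include-transitive, counts the package rows in the SDK's text output and fails the job when any are present. It parses the output rather than relying on the command's exit status, on the assumption that the exit code does not reflect findings; the row layout (a leading ">", package name, version columns, severity, advisory URL) is the SDK's text format as I know it, and the sample output embedded for testing is constructed, with placeholder package names and advisory URLs.

```shell
#!/bin/sh
# CI gate for `dotnet list package --vulnerable --include-transitive`.
# Added example for this report; not part of the Azaion repository.
# Assumption: the command's exit code is not a reliable signal, so findings
# are detected by parsing its text output.

# Count vulnerable package rows on stdin. Rows look like
#   > PackageName   1.2.3   1.2.3   High       https://...   (top-level)
#   > PackageName   1.2.3   High    https://...              (transitive)
# In both layouts the severity is the next-to-last column, so we key on
# that rather than on the ">" alone to avoid counting stray lines.
count_vulnerable() {
    awk '
        /^[ \t]*>[ \t]/ {
            sev = $(NF-1)
            if (sev ~ /^(Low|Moderate|High|Critical)$/) n++
        }
        END { print n + 0 }
    '
}

# Highest severity on stdin, for the job log; prints an empty line when clean.
highest_severity() {
    awk '
        BEGIN { rank["Low"]=1; rank["Moderate"]=2; rank["High"]=3; rank["Critical"]=4; best=0 }
        /^[ \t]*>[ \t]/ {
            sev = $(NF-1)
            if (sev in rank && rank[sev] > best) { best = rank[sev]; name = sev }
        }
        END { print name }
    '
}

# Evaluate captured scan output in a file: return 1 on any finding, 0 if clean.
gate_file() {
    n=$(count_vulnerable < "$1")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n vulnerable package(s) reported, highest severity $(highest_severity < "$1")" >&2
        return 1
    fi
    echo "OK: no vulnerable packages reported" >&2
    return 0
}

# Real CI entry point: run the scan across the solution and gate on it.
# --include-transitive matters here; the Microsoft.IdentityModel.* packages
# in the report are transitive and would be missed without it.
run_gate() {
    out=$(mktemp)
    dotnet list package --vulnerable --include-transitive > "$out"
    gate_file "$out"
    rc=$?
    rm -f "$out"
    return $rc
}

# Constructed sample in the SDK's text layout (not real Azaion output);
# package names and advisory URLs are placeholders.
SAMPLE_FINDINGS='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Example.Api` has the following vulnerable packages
   [net10.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Package      1.0.0       1.0.0      High       https://example.invalid/advisory/1

   Transitive Package     Resolved   Severity   Advisory URL
   > Example.Transitive   2.0.0      Critical   https://example.invalid/advisory/2
'

SAMPLE_CLEAN='Project `Example.Api` has no vulnerable packages given the current sources.
'

# Invoke as `sh vuln_gate.sh --run` from the pipeline; the functions are
# defined without side effects so they can be exercised on sample output.
if [ "${1:-}" = "--run" ]; then
    run_gate
fi
```

Schedule it on a weekly timer in addition to the per-commit run, since a package that was clean at merge time can acquire an advisory later; the gate fails on any row, which matches the "non-zero result" wording of the recommendation. The deprecated scan from the section above is deliberately not wired into this gate, because deprecated is not the same as vulnerable; report it, but do not fail on it.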