azaion/gps-denied-onboard
1
0
Fork 0
mirror of https://github.com/azaion/gps-denied-onboard.git synced 2026-06-22 16:41:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-243] Record security audit

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-07 03:40:36 +03:00
parent a8e7199f30
commit ee6606a9c2
6 changed files with 262 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/security_report.md
+106
View File
@@ -0,0 +1,106 @@
# Security Audit Report
**Date**: 2026-05-07
**Scope**: GPS-denied onboard runtime and replay infrastructure
**Verdict**: PASS_WITH_WARNINGS
## Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 1 |
No Critical or High issues were found. The audit can proceed through the autodev gate, with hardening work recommended before production deployment.
## OWASP Top 10 Assessment
| Category | Status | Findings |
|----------|--------|----------|
| A01: Broken Access Control | PASS | — |
| A02: Cryptographic Failures | PASS_WITH_WARNINGS | Deployment key handling remains a release concern |
| A03: Injection | PASS | — |
| A04: Insecure Design | PASS_WITH_WARNINGS | S1 |
| A05: Security Misconfiguration | PASS_WITH_WARNINGS | S2 / I1 |
| A06: Vulnerable and Outdated Components | PASS | — |
| A07: Identification and Authentication Failures | NOT_APPLICABLE | No auth/session surface in current package |
| A08: Software and Data Integrity Failures | PASS_WITH_WARNINGS | I2 |
| A09: Security Logging and Monitoring Failures | PASS | — |
| A10: Server-Side Request Forgery | NOT_APPLICABLE | No URL-fetching runtime surface |
## Findings
| # | Severity | Category | Location | Title |
|---|----------|----------|----------|-------|
| 1 | Medium | Resource / Input Validation | `src/satellite_service/types.py:67` | VPR index JSON is read fully without size limits |
| 2 | Medium | Security Misconfiguration | `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5` | Default DB credentials and exposed port need dev/prod separation |
| 3 | Low | CI/CD Hardening | `.github/workflows/ci.yml` | CI lacks dependency audit / secret scan / SAST gates |
## Finding Details
### F1: VPR index JSON is read fully without size limits
**Severity**: Medium
**Category**: Resource / Input Validation
**Location**: `src/satellite_service/types.py:67`
`LocalVprIndexPackage.from_json_file()` reads an entire local descriptor package into memory before validation. Descriptor packages are part of the local cache trust boundary and can become large.
**Impact**: A malformed or unexpectedly large package could exhaust memory or stall startup/readiness on Jetson.
**Remediation**: Add a maximum file-size check before reading, cap descriptor record count and descriptor length, and require callers to load only manifest-validated package paths.
### F2: Default DB credentials and exposed port need dev/prod separation
**Severity**: Medium
**Category**: Security Misconfiguration
**Location**: `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5`
The default compose file uses `POSTGRES_PASSWORD=gpsd`, publishes Postgres on `5432:5432`, and the example database URL embeds `gpsd:gpsd`.
**Impact**: Safe enough as a local fixture convention, but risky if reused in staging, Jetson, or field deployment.
**Remediation**: Move credentials to ignored local `.env` files, document the default compose as development-only, bind Postgres to loopback for local runs, and require secret-manager sourced credentials for production/Jetson deploys.
### F3: CI lacks dependency audit / secret scan / SAST gates
**Severity**: Low
**Category**: CI/CD Hardening
**Location**: `.github/workflows/ci.yml`
CI runs format, lint, unit tests, and compose config validation, but not dependency audit, secret scanning, or SAST.
**Impact**: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits.
**Remediation**: Add `pip-audit`, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules.
## Dependency Vulnerabilities
| Package | CVE / Advisory | Severity | Fix Version |
|---------|----------------|----------|-------------|
| None | — | — | — |
## Positive Controls
- `pip-audit` reported no known vulnerabilities for the declared Python dependency set.
- No SQL construction, shell execution, dynamic code execution, Pickle/marshal use, weak crypto, hardcoded production secrets, or HTTP URL-fetching runtime surface was found in source.
- Runtime and replay Dockerfiles run as non-root `gpsd`.
- Cache manifest/hash validation, no in-flight satellite-provider access, MAVLink spoofing/source rejection, and FDR-visible security events are represented in code, docs, and tests.
## Recommendations
### Immediate
- None required for Critical/High severity because no Critical/High findings were found.
### Short-Term
- Add size/count limits to VPR descriptor package loading.
- Split local-development database credentials from production/Jetson deploy configuration and restrict local Postgres host binding.
### Long-Term
- Add dependency audit, secret scanning, and SAST to CI.
- Re-run security audit after the deploy step creates final production deployment artifacts.