gps-denied-onboard/_docs/05_security/security_report.md
Oleksandr Bezdieniezhnykh ee6606a9c2 [AZ-243] Record security audit
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-07 03:40:36 +03:00

Security Audit Report

Date: 2026-05-07
Scope: GPS-denied onboard runtime and replay infrastructure
Verdict: PASS_WITH_WARNINGS

Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 1 |

No Critical or High issues were found. The audit can proceed through the autodev gate, with hardening work recommended before production deployment.

OWASP Top 10 Assessment

| Category | Status | Findings |
|----------|--------|----------|
| A01: Broken Access Control | PASS | |
| A02: Cryptographic Failures | PASS_WITH_WARNINGS | Deployment key handling remains a release concern |
| A03: Injection | PASS | |
| A04: Insecure Design | PASS_WITH_WARNINGS | S1 |
| A05: Security Misconfiguration | PASS_WITH_WARNINGS | S2 / I1 |
| A06: Vulnerable and Outdated Components | PASS | |
| A07: Identification and Authentication Failures | NOT_APPLICABLE | No auth/session surface in current package |
| A08: Software and Data Integrity Failures | PASS_WITH_WARNINGS | I2 |
| A09: Security Logging and Monitoring Failures | PASS | |
| A10: Server-Side Request Forgery | NOT_APPLICABLE | No URL-fetching runtime surface |

Findings

| # | Severity | Category | Location | Title |
|---|----------|----------|----------|-------|
| 1 | Medium | Resource / Input Validation | src/satellite_service/types.py:67 | VPR index JSON is read fully without size limits |
| 2 | Medium | Security Misconfiguration | docker-compose.yml:7, docker-compose.yml:9, .env.example:5 | Default DB credentials and exposed port need dev/prod separation |
| 3 | Low | CI/CD Hardening | .github/workflows/ci.yml | CI lacks dependency audit / secret scan / SAST gates |

Finding Details

F1: VPR index JSON is read fully without size limits

Severity: Medium
Category: Resource / Input Validation
Location: src/satellite_service/types.py:67

LocalVprIndexPackage.from_json_file() reads an entire local descriptor package into memory before validation. Descriptor packages are part of the local cache trust boundary and can become large.

Impact: A malformed or unexpectedly large package could exhaust memory or stall startup/readiness on Jetson.

Remediation: Add a maximum file-size check before reading, cap descriptor record count and descriptor length, and require callers to load only manifest-validated package paths.
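
An added example (not the project's code) of the size and count caps recommended for F1. The function name `load_bounded_package`, the limit values, and the `records` / `descriptor` field names are assumptions, since the real package schema is not shown in this report; manifest validation of the path is left to the caller.

```python
import json
import os

# Assumed limits and field names; tune them to the real package format.
MAX_PACKAGE_BYTES = 8 * 1024 * 1024
MAX_RECORDS = 50_000
MAX_DESCRIPTOR_LEN = 4096


class PackageLimitError(ValueError):
    """Raised when a descriptor package is malformed or exceeds a bound."""


def load_bounded_package(path, max_bytes=MAX_PACKAGE_BYTES,
                         max_records=MAX_RECORDS,
                         max_descriptor_len=MAX_DESCRIPTOR_LEN):
    """Load a JSON descriptor package, enforcing size and count caps."""
    with open(path, "rb") as fh:
        # fstat on the open handle avoids a stat-then-open race on the path.
        size = os.fstat(fh.fileno()).st_size
        if size > max_bytes:
            raise PackageLimitError(f"package is {size} bytes, limit {max_bytes}")
        # Read one byte past the cap so a file that grows after fstat is caught.
        raw = fh.read(max_bytes + 1)
    if len(raw) > max_bytes:
        raise PackageLimitError("package grew past the size limit while reading")
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # bad JSON, bad UTF-8, deep nesting
        raise PackageLimitError(f"package is not valid JSON: {exc}") from exc
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise PackageLimitError("package has no 'records' list")
    if len(records) > max_records:
        raise PackageLimitError(f"{len(records)} records, limit {max_records}")
    for i, rec in enumerate(records):
        desc = rec.get("descriptor") if isinstance(rec, dict) else None
        if not isinstance(desc, list) or len(desc) > max_descriptor_len:
            raise PackageLimitError(f"record {i}: descriptor missing or too long")
    return doc


if __name__ == "__main__":
    import tempfile
    # Constructed sample package, not real project data.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump({"records": [{"descriptor": [0.1, 0.2, 0.3]}]}, tmp)
    print(len(load_bounded_package(tmp.name)["records"]), "record(s) accepted")
    os.unlink(tmp.name)
```

The byte cap bounds the memory used by the read itself; the record and descriptor caps bound what later stages allocate from the parsed document.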

F2: Default DB credentials and exposed port need dev/prod separation

Severity: Medium
Category: Security Misconfiguration
Location: docker-compose.yml:7, docker-compose.yml:9, .env.example:5

The default compose file uses POSTGRES_PASSWORD=gpsd, publishes Postgres on 5432:5432, and the example database URL embeds gpsd:gpsd.

Impact: Safe enough as a local fixture convention, but risky if reused in staging, Jetson, or field deployment.

Remediation: Move credentials to ignored local .env files, document the default compose as development-only, bind Postgres to loopback for local runs, and require secret-manager sourced credentials for production/Jetson deploys.

F3: CI lacks dependency audit / secret scan / SAST gates

Severity: Low
Category: CI/CD Hardening
Location: .github/workflows/ci.yml

CI runs format, lint, unit tests, and compose config validation, but not dependency audit, secret scanning, or SAST.

Impact: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits.

Remediation: Add pip-audit, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules.

Dependency Vulnerabilities

| Package | CVE / Advisory | Severity | Fix Version |
|---------|----------------|----------|-------------|
| None | | | |

Positive Controls

  • pip-audit reported no known vulnerabilities for the declared Python dependency set.
  • No SQL construction, shell execution, dynamic code execution, Pickle/marshal use, weak crypto, hardcoded production secrets, or HTTP URL-fetching runtime surface was found in source.
  • Runtime and replay Dockerfiles run as non-root gpsd.
  • Cache manifest/hash validation, no in-flight satellite-provider access, MAVLink spoofing/source rejection, and FDR-visible security events are represented in code, docs, and tests.

Recommendations

Immediate

  • None required for Critical/High severity because no Critical/High findings were found.

Short-Term

  • Add size/count limits to VPR descriptor package loading.
  • Split local-development database credentials from production/Jetson deploy configuration and restrict local Postgres host binding.

Long-Term

  • Add dependency audit, secret scanning, and SAST to CI.
  • Re-run security audit after the deploy step creates final production deployment artifacts.