chore: WIP pre-implement cycle 14 baseline

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 09:51:14 +00:00 · 2026-06-26 16:13:37 +03:00
parent 50d4a76be3
commit 80ef5608f1
33 changed files with 619 additions and 47 deletions
@@ -0,0 +1,36 @@
+# Dependency Scan (Cycle 13)
+
+**Date**: 2026-06-26
+**Mode**: Delta scan
+**Scope**: Cycle-13 delta over cycle-10 baseline. Surface = AZ-1126 (`DateTimeOffset` migration — no package manifest changes).
+**Method**: `dotnet list SatelliteProvider.sln package --vulnerable`.
+
+## Cycle-13 Package Manifest Diff
+
+| csproj | Cycle 10 baseline | Cycle 13 change |
+|--------|-------------------|-----------------|
+| All csproj | unchanged | **+0** packages added or bumped |
+
+## Vulnerable Package Scan (2026-06-26)
+
+| Project | Finding | Severity | Notes |
+|---------|---------|----------|-------|
+| `SatelliteProvider.Api` | none | — | Production runtime — clean |
+| `SatelliteProvider.Common` | none | — | `UtcOffsetRequiredDateTimeOffsetConverter` is in-repo code |
+| `SatelliteProvider.IntegrationTests` | transitive JWT 7.0.3 | Moderate | GHSA-59j7-ghrg-fj52 — test-runtime only (pre-existing) |
+| `SatelliteProvider.TestSupport` | `System.IdentityModel.Tokens.Jwt` 7.0.3 | Moderate | test-runtime only — pre-existing |
+
+## Cycle-13 Findings
+
+**No new dependency CVEs.** AZ-1126 is a code-only DTO/converter change.
+
+## Carry-overs
+
+- **D-AZ795-1** (Low): FluentValidation 12.0.0 → 12.1.1 — still open
+- **D2-cy4** (Medium, test-runtime): JWT test packages — still open
+
+## Verdict
+
+**PASS** (cycle-13 delta) — zero new CVEs.
+
+Cumulative: **PASS_WITH_WARNINGS** — D2-cy4 + D-AZ795-1 carry-overs unchanged.
@@ -0,0 +1,13 @@
+# Infrastructure & Configuration Review (Cycle 13)
+
+**Date**: 2026-06-26
+**Mode**: Delta scan
+**Scope**: Cycle-13 infrastructure changes only.
+
+| File | Change | Security relevance |
+|------|--------|-------------------|
+| All Docker / compose / CI / appsettings | **unchanged** | AZ-1126 is application-code + contract doc only |
+
+## Verdict
+
+**PASS** (cycle-13 delta) — no infrastructure surface change.
@@ -0,0 +1,28 @@
+# OWASP Top 10 Review (Cycle 13)
+
+**Date**: 2026-06-26
+**Framework**: OWASP Top 10:2021
+**Mode**: Delta review — AZ-1126 over cycle-10 baseline.
+
+| Category | Cycle-10 status | Cycle-13 delta |
+|----------|-----------------|----------------|
+| A01 — Broken Access Control | PASS | No change |
+| A02 — Cryptographic Failures | PASS | No change |
+| A03 — Injection | PASS | No change |
+| A04 — Insecure Design | PASS | No change |
+| A05 — Security Misconfiguration | PASS | No change |
+| A06 — Vulnerable Components | PASS_WITH_WARNINGS | No new packages; D-AZ795-1 + D2-cy4 carry-overs unchanged |
+| A07 — Auth Failures | PASS | No change |
+| A08 — Data Integrity Failures | PASS | Improved time-handling integrity on UAV upload metadata |
+| A09 — Logging / Monitoring Failures | PASS_WITH_WARNINGS → **improved** | F-AZ810-2 **resolved**; F-AZ795-1/2 + F-AZ810-1 remain resolved |
+| A10 — SSRF | N/A | No URL-fetch changes |
+
+## A08 / A09 detail
+
+AZ-1126 eliminates ambiguous `DateTimeKind.Unspecified` handling on the UAV upload metadata input path. Offset-less client timestamps now fail fast with HTTP 400 instead of being interpreted against host local timezone in dev environments.
+
+## Verdict
+
+**PASS** (cycle-13 delta).
+
+Cumulative: **PASS_WITH_WARNINGS** — dependency carry-overs only (D-AZ795-1, D2-cy4).
@@ -0,0 +1,49 @@
+# Security Audit Report (Cycle 13)
+
+**Date**: 2026-06-26
+**Scope**: Cycle-13 delta — AZ-1126 (`capturedAt` DateTimeOffset / F-AZ810-2 closure).
+**Trigger**: `/autodev` Step 14 — user chose **A) Run security audit**.
+**Verdict (cycle-13 delta)**: **PASS** — F-AZ810-2 resolved; 0 new Critical/High/Medium.
+**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — D-AZ795-1, D2-cy4 remain open.
+
+## Summary
+
+| Severity | Cycle 13 at audit | Cumulative open |
+|----------|-------------------|-----------------|
+| Critical | 0 | 0 |
+| High | 0 | 0 |
+| Medium | 0 | 1 (D2-cy4 test-runtime) |
+| Low | 0 new | 1 (D-AZ795-1) |
+
+## OWASP Top 10:2021 (cycle-13 delta)
+
+See `owasp_review_cycle13.md` — A08/A09 improved; all other categories unchanged PASS/N/A.
+
+## Findings
+
+| # | Severity | Category | Location | Title | Status |
+|---|----------|----------|----------|-------|--------|
+| F-AZ810-2 | Low | Time-handling (A08/A09) | `UavTileMetadata.CapturedAt` | `DateTime` vs `DateTimeOffset` | **RESOLVED** (AZ-1126) |
+
+## Carry-overs (still open)
+
+- **D-AZ795-1** — FluentValidation 12.0.0 → 12.1.1
+- **D2-cy4** — test SDK transitive JWT advisory (Moderate, test-runtime only)
+
+## Recommendations
+
+### Immediate
+- None blocking cycle 13 ship.
+
+### Short-term
+- D-AZ795-1: bump FluentValidation when a coordinated package bump task lands.
+
+### Long-term
+- D2-cy4: pin JWT test packages when upstream resolves GHSA-59j7-ghrg-fj52 for 7.0.3 line.
+
+## Artifacts
+
+- `dependency_scan_cycle13.md`
+- `static_analysis_cycle13.md`
+- `owasp_review_cycle13.md`
+- `infrastructure_review_cycle13.md`
@@ -0,0 +1,37 @@
+# Static Analysis (Cycle 13)
+
+**Date**: 2026-06-26
+**Mode**: Delta scan
+**Scope**: AZ-1126 `capturedAt` → `DateTimeOffset` + `UtcOffsetRequiredDateTimeOffsetConverter`. Cycle-10 baseline remains authoritative elsewhere.
+
+**Files in scope**:
+- `SatelliteProvider.Common/DTO/UavTileMetadata.cs`
+- `SatelliteProvider.Common/Json/UtcOffsetRequiredDateTimeOffsetConverter.cs`
+- `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs`
+- `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs`
+- `SatelliteProvider.Services.TileDownloader/UavTileQualityGate.cs`
+- `SatelliteProvider.Services.TileDownloader/UavTileUploadHandler.cs`
+- Unit + integration tests for offset-less rejection
+
+**Method**: Read changed call sites; verify offset-less ISO strings rejected before persistence; confirm no new `ex.Message` echoes; grep for remaining `DateTimeKind` branching on upload path.
+
+## Resolved findings (AZ-1126)
+
+### F-AZ810-2 — `UavTileMetadata.CapturedAt` typed `DateTime` not `DateTimeOffset` (Low / Informational) — **RESOLVED**
+
+- **Location**: `UavTileMetadata.cs`, validators, quality gate, upload handler.
+- **Resolution**: `CapturedAt` is `DateTimeOffset` with `UtcOffsetRequiredDateTimeOffsetConverter` rejecting offset-less strings at deserialization. Freshness rules compare via `UtcDateTime`. Integration test `ItemCapturedAtOffsetLess_Returns400` binds the rejection path.
+
+## Pass areas (cycle-13 delta)
+
+| Area | Result |
+|------|--------|
+| SQL injection | N/A — no SQL changes |
+| Hardcoded secrets | None introduced |
+| Information disclosure (400 paths) | Unchanged from AZ-1113 — static strings preserved |
+| New attack surface | Narrower — ambiguous timestamps rejected earlier |
+| Inventory read path | `TileInventoryEntry.CapturedAt` remains `DateTime?` — intentional, out of scope |
+
+## Verdict
+
+**PASS** (cycle-13 delta) — F-AZ810-2 closed; zero new findings.