chore: WIP pre-implement cycle 14 baseline

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 11:21:14 +00:00 · 2026-06-26 16:13:37 +03:00
parent 50d4a76be3
commit 80ef5608f1
33 changed files with 619 additions and 47 deletions
@@ -0,0 +1,28 @@
+# OWASP Top 10 Review (Cycle 13)
+
+**Date**: 2026-06-26
+**Framework**: OWASP Top 10:2021
+**Mode**: Delta review — AZ-1126 over cycle-10 baseline.
+
+| Category | Cycle-10 status | Cycle-13 delta |
+|----------|-----------------|----------------|
+| A01 — Broken Access Control | PASS | No change |
+| A02 — Cryptographic Failures | PASS | No change |
+| A03 — Injection | PASS | No change |
+| A04 — Insecure Design | PASS | No change |
+| A05 — Security Misconfiguration | PASS | No change |
+| A06 — Vulnerable Components | PASS_WITH_WARNINGS | No new packages; D-AZ795-1 + D2-cy4 carry-overs unchanged |
+| A07 — Auth Failures | PASS | No change |
+| A08 — Data Integrity Failures | PASS | Improved time-handling integrity on UAV upload metadata |
+| A09 — Logging / Monitoring Failures | PASS_WITH_WARNINGS → **improved** | F-AZ810-2 **resolved**; F-AZ795-1/2 + F-AZ810-1 remain resolved |
+| A10 — SSRF | N/A | No URL-fetch changes |
+
+## A08 / A09 detail
+
+AZ-1126 eliminates ambiguous `DateTimeKind.Unspecified` handling on the UAV upload metadata input path. Offset-less client timestamps now fail fast with HTTP 400 instead of being interpreted against host local timezone in dev environments.
+
+## Verdict
+
+**PASS** (cycle-13 delta).
+
+Cumulative: **PASS_WITH_WARNINGS** — dependency carry-overs only (D-AZ795-1, D2-cy4).