azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-27 09:51:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: WIP pre-implement cycle 14 baseline

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-06-26 16:13:37 +03:00
parent 50d4a76be3
commit 80ef5608f1
33 changed files with 619 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/static_analysis_cycle13.md
+37
View File
@@ -0,0 +1,37 @@
# Static Analysis (Cycle 13)
**Date**: 2026-06-26
**Mode**: Delta scan
**Scope**: AZ-1126 `capturedAt``DateTimeOffset` + `UtcOffsetRequiredDateTimeOffsetConverter`. Cycle-10 baseline remains authoritative elsewhere.
**Files in scope**:
- `SatelliteProvider.Common/DTO/UavTileMetadata.cs`
- `SatelliteProvider.Common/Json/UtcOffsetRequiredDateTimeOffsetConverter.cs`
- `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs`
- `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs`
- `SatelliteProvider.Services.TileDownloader/UavTileQualityGate.cs`
- `SatelliteProvider.Services.TileDownloader/UavTileUploadHandler.cs`
- Unit + integration tests for offset-less rejection
**Method**: Read changed call sites; verify offset-less ISO strings rejected before persistence; confirm no new `ex.Message` echoes; grep for remaining `DateTimeKind` branching on upload path.
## Resolved findings (AZ-1126)
### F-AZ810-2 — `UavTileMetadata.CapturedAt` typed `DateTime` not `DateTimeOffset` (Low / Informational) — **RESOLVED**
- **Location**: `UavTileMetadata.cs`, validators, quality gate, upload handler.
- **Resolution**: `CapturedAt` is `DateTimeOffset` with `UtcOffsetRequiredDateTimeOffsetConverter` rejecting offset-less strings at deserialization. Freshness rules compare via `UtcDateTime`. Integration test `ItemCapturedAtOffsetLess_Returns400` binds the rejection path.
## Pass areas (cycle-13 delta)
| Area | Result |
|------|--------|
| SQL injection | N/A — no SQL changes |
| Hardcoded secrets | None introduced |
| Information disclosure (400 paths) | Unchanged from AZ-1113 — static strings preserved |
| New attack surface | Narrower — ambiguous timestamps rejected earlier |
| Inventory read path | `TileInventoryEntry.CapturedAt` remains `DateTime?` — intentional, out of scope |
## Verdict
**PASS** (cycle-13 delta) — F-AZ810-2 closed; zero new findings.