azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-27 09:51:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-1132] Bump FluentValidation 12.0.0 to 12.1.1
ci/woodpecker/push/02-build-push/2 Pipeline is pending
Details
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push/1 unknown status
Details

Browse Source 
Closes D-AZ795-1 production dependency carry-over.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-06-26 16:35:47 +03:00
parent 6a948321d3
commit b3e5a66799
11 changed files with 271 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/dependency_scan_cycle15.md
+39
View File
@@ -0,0 +1,39 @@
# Dependency Scan (Cycle 15)
**Date**: 2026-06-26
**Mode**: Delta scan
**Scope**: Cycle-15 delta — AZ-1132 (FluentValidation 12.0.0 → 12.1.1).
**Method**: `dotnet list SatelliteProvider.sln package --vulnerable`.
## Cycle-15 Package Manifest Diff
| csproj | Cycle 13 baseline | Cycle 15 change |
|--------|-------------------|-----------------|
| `SatelliteProvider.Api` | FluentValidation 12.0.0, FluentValidation.DependencyInjectionExtensions 12.0.0 | **12.1.1** (both) |
## Vulnerable Package Scan (2026-06-26)
| Project | Finding | Severity | Notes |
|---------|---------|----------|-------|
| `SatelliteProvider.Api` | none | — | Production runtime — clean |
| `SatelliteProvider.Common` | none | — | — |
| `SatelliteProvider.IntegrationTests` | transitive JWT 7.0.3 | Moderate | GHSA-59j7-ghrg-fj52 — test-runtime only (pre-existing) |
| `SatelliteProvider.TestSupport` | `System.IdentityModel.Tokens.Jwt` 7.0.3 | Moderate | test-runtime only — pre-existing |
## Cycle-15 Findings
**No new dependency CVEs.** Patch bump only.
## Resolved carry-overs
- **D-AZ795-1** (Low): FluentValidation 12.0.0 → 12.1.1 — **RESOLVED** (AZ-1132)
## Remaining carry-overs
- **D2-cy4** (Medium, test-runtime): JWT test packages — still open
## Verdict
**PASS** (cycle-15 delta) — D-AZ795-1 closed; zero new CVEs.
Cumulative: **PASS_WITH_WARNINGS** — D2-cy4 only.
_docs/05_security/security_report_cycle15.md
+38
View File
@@ -0,0 +1,38 @@
# Security Audit Report (Cycle 15)
**Date**: 2026-06-26
**Scope**: Cycle-15 delta — AZ-1132 (FluentValidation bump / D-AZ795-1 closure).
**Trigger**: Implement batch — dependency hardening (Step 14 audit pending).
**Verdict (cycle-15 delta)**: **PASS** — D-AZ795-1 resolved; 0 new Critical/High/Medium.
**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — D2-cy4 remains open.
## Summary
| Severity | Cycle 15 at audit | Cumulative open |
|----------|-------------------|-----------------|
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 0 | 1 (D2-cy4 test-runtime) |
| Low | 0 (D-AZ795-1 resolved) | 0 |
## Findings
| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| D-AZ795-1 | Low | Dependency | `SatelliteProvider.Api` FluentValidation packages | Pin at 12.0.0 | **RESOLVED** (AZ-1132 → 12.1.1) |
## Carry-overs (still open)
- **D2-cy4** — test SDK transitive JWT advisory (Moderate, test-runtime only)
## Recommendations
### Immediate
- None blocking cycle 15 ship.
### Short-term
- D2-cy4: pin JWT test packages when upstream resolves GHSA-59j7-ghrg-fj52 for 7.0.3 line.
## Artifacts
- `dependency_scan_cycle15.md`