azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-27 13:51:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-1113] Cycle 10 closeout: docs, perf harness, security

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-06-26 10:55:59 +03:00
parent 01d7e7d584
commit c79998bfa7
24 changed files with 600 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/05_security/security_report_cycle10.md
+53
View File
@@ -0,0 +1,53 @@
# Security Audit Report (Cycle 10)
**Date**: 2026-06-25
**Scope**: Cycle-10 delta — AZ-1113 (REST 400 error message sanitization).
**Trigger**: `/autodev` Step 14 — user chose **A) Run security audit**.
**Verdict (cycle-10 delta)**: **PASS** — 3 REST information-disclosure carry-overs resolved; 0 new Critical/High/Medium.
**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — F-AZ810-2, D-AZ795-1, D2-cy4 remain open.
## Summary
| Severity | Cycle 10 at audit | Cumulative open |
|----------|-------------------|-----------------|
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 0 | 1 (D2-cy4 test-runtime) |
| Low | 0 new | 2 (F-AZ810-2, D-AZ795-1) |
## OWASP Top 10:2021 (cycle-10 delta)
See `owasp_review_cycle10.md` — A09 improved; all other categories unchanged PASS/N/A.
## Findings
| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| F-AZ795-1 | Low | Information Disclosure (A09) | `GlobalExceptionHandler` | `JsonException.Message` in 400 `errors[]` | **RESOLVED** (AZ-1113) |
| F-AZ795-2 | Low | Information Disclosure (A09) | `GlobalExceptionHandler` | `BadHttpRequestException.Message` in `detail` | **RESOLVED** (AZ-1113) |
| F-AZ810-1 | Low | Information Disclosure (A09) | `UavUploadValidationFilter` + `UavTileUploadHandler` | Metadata parse `ex.Message` echo | **RESOLVED** (AZ-1113) |
## Carry-overs (still open)
- **F-AZ810-2** — `DateTime` vs `DateTimeOffset` on `UavTileMetadata.CapturedAt` (Low / informational)
- **D-AZ795-1** — FluentValidation 12.0.0 → 12.1.1
- **D2-cy4** — test SDK transitive JWT advisory (Moderate, test-runtime only)
## Recommendations
### Immediate
- None blocking cycle 10 ship.
### Short-term
- F-AZ810-2: add `DateTimeKind.Unspecified` rejection or migrate to `DateTimeOffset` (separate task).
- D-AZ795-1: bump FluentValidation when a coordinated package bump task lands.
### Long-term
- D2-cy4: pin JWT test packages when upstream resolves GHSA-59j7-ghrg-fj52 for 7.0.3 line.
## Artifacts
- `dependency_scan_cycle10.md`
- `static_analysis_cycle10.md`
- `owasp_review_cycle10.md`
- `infrastructure_review_cycle10.md`