# Dependency Scan (Cycle 7)

**Date**: 2026-05-22
**Mode**: Delta scan
**Scope**: Cycle-7 delta over the cycle-5 dependency scan (`_docs/05_security/dependency_scan_cycle5.md`); cycle 6 did not produce a dependency scan, so the last scanned baseline is cycle 5
**Trigger**: AZ-794 (wire-format rename — no manifest changes) + AZ-795 (strict-validation epic — adds FluentValidation 12.0.0 + FluentValidation.DependencyInjectionExtensions 12.0.0) + AZ-796 (per-endpoint validator — no manifest changes beyond what AZ-795 added)
**Method**: Manifest diff + WebSearch CVE lookup against GitHub Security Advisories + NVD + ReversingLabs Spectra Assure. `dotnet list package --vulnerable` is intentionally not run (the AGENTS.md operational note in this workspace says it hangs the agent shell); the manifest diff + advisory lookup is the deterministic substitute. The manifest diff sees direct `PackageReference` entries only; transitive changes are covered by the observation that no existing direct reference changed version, so only the two new packages contribute new transitive nodes.

## Cycle-7 Package Manifest Diff

| csproj | Cycle 5 baseline (post-AZ-503) | Cycle 7 change | Net effect on supply chain |
|--------|--------------------------------|----------------|----------------------------|
| `SatelliteProvider.Api/SatelliteProvider.Api.csproj` | references `Microsoft.AspNetCore.OpenApi 10.0.7`, `Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7`, `Newtonsoft.Json 13.0.4`, `Serilog.AspNetCore 8.0.3`, `Serilog.Sinks.File 6.0.0`, `SixLabors.ImageSharp 3.1.11`, `Swashbuckle.AspNetCore 10.1.7` | **+2 PackageReferences**: `FluentValidation 12.0.0` and `FluentValidation.DependencyInjectionExtensions 12.0.0` (both new at AZ-795). | New supply-chain node. Both packages are MIT/Apache-2.0; no transitive Microsoft.* version bumps. |
| `SatelliteProvider.Common/SatelliteProvider.Common.csproj` | unchanged from cycle 5 | **+0 PackageReferences** — the cycle-7 DTO changes (`[JsonRequired]` on `TileCoord.Z/X/Y`) are BCL-only. | None. |
| `SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj` | unchanged from cycle 5 | **+0 PackageReferences**. | None. |
| `SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj` | unchanged from cycle 5 | **+0 PackageReferences**. | None. |
| `SatelliteProvider.Services.RegionProcessing/SatelliteProvider.Services.RegionProcessing.csproj` | unchanged from cycle 5 | **+0 PackageReferences**. | None. |
| `SatelliteProvider.Services.RouteManagement/SatelliteProvider.Services.RouteManagement.csproj` | unchanged from cycle 5 | **+0 PackageReferences**. | None. |
| `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` | unchanged from cycle 5 | **+0 PackageReferences** — `FluentValidation.TestHelper` is a namespace inside the main `FluentValidation` package, consumed transitively via the `ProjectReference` to `SatelliteProvider.Api`. | None at the manifest level; one new transitive runtime node at test execution (the FluentValidation main assembly). |
| `SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj` | unchanged from cycle 5 | **+0 PackageReferences** — the new `ProblemDetailsAssertions.cs` + `TileInventoryValidationTests.cs` use only BCL + the existing `Xunit` + `Microsoft.AspNetCore` ProjectReference. | None. |
| `SatelliteProvider.TestSupport/SatelliteProvider.TestSupport.csproj` | unchanged from cycle 5 | **+0 PackageReferences**. | None. |

**Net cycle-7 dependency change**: two new `PackageReference` lines (FluentValidation 12.0.0 + FluentValidation.DependencyInjectionExtensions 12.0.0). All other csprojs are byte-identical at the manifest level (verified by `git diff cycle5_tip..HEAD -- '*.csproj'` in the implementation phase).

## Cycle-7 Dependency CVE Lookup

### FluentValidation 12.0.0

| Source | Result |
|--------|--------|
| GitHub Security Advisories (https://github.com/FluentValidation/FluentValidation/security/advisories) | No published advisories. |
| NVD CVE database (search: `FluentValidation`) | No CVEs against this .NET library. (One historical record surfaced on the keyword search for FluentForms, a WordPress plugin unrelated to FluentValidation; explicitly excluded as a name-prefix false positive.) |
| ReversingLabs Spectra Assure Community (https://secure.software/nuget/packages/fluentvalidation/12.0.0) | "No known vulnerabilities detected" for the package. One "Hardening" note (`1 outdated toolchain detected`) — not a CVE. |
| Historical Regex DoS (Issue #120 — `EmailAddressValidator`) | Pre-2017, resolved in commit `ebe3720`. v12.0.0 ships with the fixed implementation. Cycle 7 does not use `EmailAddressValidator` (no `Matches`/`EmailAddress` rules — all rules are integer ranges and collection-count predicates). |
| Latest published version | 12.1.1 (5 months ago at time of audit). v12.0.0 → v12.1.1 is a hardening release (no security advisories between the two); the bump is recommended but not security-mandatory. |

### FluentValidation.DependencyInjectionExtensions 12.0.0

| Source | Result |
|--------|--------|
| GitHub Security Advisories | No published advisories. |
| NVD CVE database | No CVEs. |
| ReversingLabs Spectra Assure Community (https://secure.software/nuget/packages/fluentvalidation.dependencyinjectionextensions/vulnerabilities) | "No known vulnerabilities detected". |
| Latest published version | 12.1.1. Same posture as the main package. |

### Cycle-5 carry-overs unchanged

- **D2-cy4** (`Microsoft.NET.Test.Sdk 17.8.0` transitive `NuGet.Frameworks` Medium — test-runtime exposure only) — unchanged. AZ-795 did not bump `Microsoft.NET.Test.Sdk`; it remains the same package at the same version with the same exposure surface. Still owned by a follow-up task at the next Test SDK refresh cycle.
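As a worked form of the Method line above (manifest diff plus advisory lookup as the deterministic substitute for `dotnet list package --vulnerable`), the following is an added Python example; it is not tooling from the SatelliteProvider repository and was not used to produce this scan. It extracts the direct `PackageReference` set from two csproj snapshots, classifies the delta as added/removed/bumped, and matches only the new or bumped references against an advisory list by exact NuGet package id, which is the check that drops keyword-search noise of the FluentForms kind. The two csproj snippets reuse the versions from the manifest table; the advisory entries and their ids are constructed placeholders, not real advisories.

```python
"""
Deterministic manifest-diff substitute for `dotnet list package --vulnerable`.

Added example for this scan report, not tooling from the SatelliteProvider
repository. The csproj snapshots and the advisory list below are constructed
for the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace so old-style csproj files (with xmlns) parse too."""
    return tag.rsplit("}", 1)[-1]


def package_refs(csproj_xml: str) -> dict[str, str]:
    """Return {package id: version} for every direct <PackageReference>.

    Handles both the Version="..." attribute and a <Version> child element.
    Central package management (Directory.Packages.props / <PackageVersion>)
    is deliberately not handled: such references carry no version here and
    are skipped rather than guessed.
    """
    refs: dict[str, str] = {}
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include")
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if pkg and version:
            refs[pkg] = version
    return refs


def diff_refs(baseline: dict[str, str], current: dict[str, str]) -> dict[str, dict]:
    """Classify each direct reference as added, removed or version-bumped."""
    shared = baseline.keys() & current.keys()
    return {
        "added": {p: v for p, v in current.items() if p not in baseline},
        "removed": {p: v for p, v in baseline.items() if p not in current},
        "bumped": {p: (baseline[p], current[p]) for p in shared if baseline[p] != current[p]},
    }


def match_advisories(refs: dict[str, str], advisories: list[dict]) -> list[tuple[str, str, str]]:
    """Exact, case-insensitive NuGet package-id match; returns (package, version, advisory id).

    Substring/keyword hits (a 'FluentForms' record for a 'FluentValidation' query)
    cannot match because ids are compared whole. Every advisory for a matching id
    is reported; vulnerable-range checking is left to the human advisory read.
    """
    by_id: dict[str, list[str]] = {}
    for adv in advisories:
        if adv["ecosystem"].lower() == "nuget":
            by_id.setdefault(adv["package"].lower(), []).append(adv["id"])
    return [(p, v, aid) for p, v in refs.items() for aid in by_id.get(p.lower(), [])]


def scan_delta(baseline_xml: str, current_xml: str, advisories: list[dict]) -> dict:
    """Diff two snapshots, then advisory-match only the new or bumped references."""
    delta = diff_refs(package_refs(baseline_xml), package_refs(current_xml))
    new_or_bumped = {**delta["added"], **{p: v[1] for p, v in delta["bumped"].items()}}
    delta["advisory_hits"] = match_advisories(new_or_bumped, advisories)
    return delta


# Constructed snapshots of SatelliteProvider.Api.csproj (baseline = cycle 5,
# current = cycle 7) using the versions in the manifest diff table above.
CYCLE5_API_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.7" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
    <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.11" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="10.1.7" />
  </ItemGroup>
</Project>
"""

# The second new reference uses the <Version> child form to exercise that path.
CYCLE7_API_CSPROJ = CYCLE5_API_CSPROJ.replace(
    "  </ItemGroup>",
    '    <PackageReference Include="FluentValidation" Version="12.0.0" />\n'
    '    <PackageReference Include="FluentValidation.DependencyInjectionExtensions">\n'
    "      <Version>12.0.0</Version>\n"
    "    </PackageReference>\n"
    "  </ItemGroup>",
)

# Constructed advisory list: placeholder ids, not real advisories. The WordPress
# entry stands in for the keyword false positive the lookup above excluded.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "WordPress", "package": "fluent-forms"},
    {"id": "EXAMPLE-0002", "ecosystem": "NuGet", "package": "Some.Other.Package"},
]

if __name__ == "__main__":
    result = scan_delta(CYCLE5_API_CSPROJ, CYCLE7_API_CSPROJ, SAMPLE_ADVISORIES)
    for kind in ("added", "removed", "bumped"):
        for pkg, ver in sorted(result[kind].items()):
            print(f"{kind:8} {pkg} {ver}")
    print("advisory hits:", result["advisory_hits"] or "none")
```

To run this against the repository instead of the constructed snippets, feed `git show cycle5_tip:SatelliteProvider.Api/SatelliteProvider.Api.csproj` as the baseline and the working-tree file as the current snapshot, once per csproj. Like the report's own method it sees direct references only; if a per-package view of the transitive graph is wanted, the artifact to diff is a committed `packages.lock.json` (produced with `RestorePackagesWithLockFile=true`), not the csproj.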
## Cycle-7 New Source Code Runtime Surface

The two new NuGet packages introduce the following runtime surface in the API process:

| Surface | Risk class | Notes |
|---------|------------|-------|
| `IValidator` registration via `AddValidatorsFromAssemblyContaining()` | Reflection-based DI scan | Bounded to the API assembly only (`SatelliteProvider.Api.dll`). Cannot pick up validators from upstream test assemblies or runtime-loaded DLLs. |
| `ValidatorOptions.Global.PropertyNameResolver` (set by `GlobalValidatorConfig.ApplyOnce`) | Process-wide static state | Idempotent under a `lock` guard. Only affects how error-map keys are rendered. Cannot affect parsing or business logic. |
| `IValidator.ValidateAsync(arg, CancellationToken)` invocation in `ValidationEndpointFilter` | User-controlled DTO entering managed code | DTOs are already deserialized by System.Text.Json (with `UnmappedMemberHandling.Disallow`); the validator receives strongly-typed properties only — no string injection surface. Rules in cycle 7 are integer-only (no regex, no string contains). |

## Cycle-7 Findings

**F-DEPS-AZ795-1 (Low / Hardening)** — `FluentValidation` 12.0.0 → 12.1.1 minor refresh available

- Severity: Low (no CVE; hardening release only)
- Impact: 12.1.1 includes minor lifecycle fixes published in the upstream changelog; none are flagged as security advisories.
- Remediation: Bump `FluentValidation` and `FluentValidation.DependencyInjectionExtensions` to 12.1.1 in a follow-up cycle alongside other minor dependency rolls. Not blocking for cycle-7 release.

No Critical / High / Medium findings.

## Verdict

**PASS** (cycle-7 delta) — zero new CVEs, zero new supply-chain blockers. One Low/hardening recommendation (minor version bump to 12.1.1).

Cumulative verdict (carrying forward earlier cycles): **PASS_WITH_WARNINGS** — D2-cy4 (cycle 4 Medium, test-runtime only) still in effect; cycle 7 adds one Low.