# Security Audit Report (Cycle 4)

- **Date**: 2026-05-12
- **Scope**: Cycle-4 delta over the cycle-3 audit (`_docs/05_security/security_report.md`)
- **Trigger**: AZ-500 .NET 8 LTS → .NET 10 migration; AZ-500 Security NFR requires a fresh dependency-scan pass after the bump
- **Mode**: Resume (per user choice at the prerequisite gate) — only Phase 1 (dependency scan) was re-executed; Phases 2–4 carried forward from cycle 3 because AZ-500 made no source-level edits to the surfaces those phases cover (auth/authorization, input validation, crypto, deserialization, data exposure, infrastructure beyond the image-tag bump)
- **Verdict**: **PASS_WITH_WARNINGS**

## Summary

| Severity | Count (cycle 4 delta) | Count (cumulative — incl. cycle-3 carry-overs) |
|----------|-----------------------|------------------------------------------------|
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 0 NEW | 1 (D2-cy4 — `Microsoft.NET.Test.Sdk 17.8.0` transitive `NuGet.Frameworks` flag, **carried over from cycle 3**, test-runtime exposure only, AZ-500 explicitly out-of-scope) |
| Low | 5 NEW (informational only — all are "no published advisory" confirmations on the bumped lines) | 5 NEW + cycle-3 carry-overs |

## OWASP Top 10 Assessment

**Carried forward unchanged from cycle 3** (`_docs/05_security/owasp_review.md`). AZ-500 introduced no new endpoints, no new permission policies, no new user-input paths, no new external integrations, no new crypto, and no new data-exposure surface — all 10 OWASP categories retain their cycle-3 posture. The cycle-3 status table is the authoritative reference.

## Cycle-4 NEW Findings

| # | Severity | Category | Location | Title |
|---|----------|----------|----------|-------|
| F1-cy4 | Low (informational) | Vulnerable Components | `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7) | No published advisories — bump closes cycle-3 D1 (CVE-2026-26130) |
| F2-cy4 | Low (informational) | Vulnerable Components | `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (Microsoft.AspNetCore.OpenApi 10.0.7) | No published advisories — bump closes cycle-3 D3 |
| F3-cy4 | Low (informational) | Vulnerable Components | `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (Swashbuckle.AspNetCore 10.1.7) | New major line; clean per ReversingLabs scan |
| F4-cy4 | Low (informational) | Vulnerable Components | Transitive via Swashbuckle (Microsoft.OpenApi 2.3.x) | New major line; clean per Microsoft/OpenAPI.NET GitHub Security tab (zero published advisories) |
| F5-cy4 | Low (informational) | Vulnerable Components | All 11 `Microsoft.Extensions.*` package IDs across 6 csproj files (10.0.7) | No published advisories — historical CVE-2024-43483 was already not applicable in cycle 3 (9.0.10 baseline post-rc.1 cutoff); 10.0.7 carries the fix forward |

### Finding Details

**F1-cy4: Microsoft.AspNetCore.Authentication.JwtBearer bumped to 10.0.7 — no known vulnerabilities** (Low / Vulnerable Components)

- Location: `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (and `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` transitively)
- Description: AZ-500 bumped this package from 8.0.25 → 10.0.7 as part of the .NET 10 migration. The 10.0.7 line is reported as having 0 known vulnerabilities by Sonatype Guide and ReversingLabs Spectra Assure as of 2026-05-12.
- Impact: None — this is an informational confirmation. The bump SUPERSEDES the cycle-3 D1 finding (CVE-2026-26130 SignalR DoS) because the 10.x line incorporates that fix and continues forward; SignalR is still unused in this codebase.
- Remediation: None required. AZ-500 NFR (Security) is satisfied for this package.
- Verification cross-reference: AZ-487/AZ-494 integration tests (SEC-05..SEC-09 + AZ-494 AC-1/AC-2) — all green in the cycle-4 Step 11 full run, confirming JWT validation contract preservation across the major bump.

**F2-cy4: Microsoft.AspNetCore.OpenApi bumped to 10.0.7 — no known vulnerabilities** (Low / Vulnerable Components)

- Location: `SatelliteProvider.Api/SatelliteProvider.Api.csproj`
- Description: AZ-500 bumped this package from 8.0.25 → 10.0.7. Same supply-chain advisory family as F1; bump supersedes cycle-3 D3.
- Impact: None.
- Remediation: None required.

**F3-cy4: Swashbuckle.AspNetCore bumped to 10.1.7 — no known vulnerabilities** (Low / Vulnerable Components)

- Location: `SatelliteProvider.Api/SatelliteProvider.Api.csproj`
- Description: AZ-500 bumped this package from 6.6.2 → 10.1.7 specifically to land Microsoft.OpenApi 2.x compat (required by ASP.NET Core 10's `Microsoft.AspNetCore.OpenApi 10.x`). ReversingLabs scan of the 10.1.x line reports 0 known vulnerabilities.
- Impact: None — bump was driven by compat, not by an active CVE. Note that the major bump introduced a breaking-API change (Microsoft.OpenApi 1.x → 2.x), which drove three internal `Program.cs` setup edits (using-directive, `AddSecurityRequirement` → `Func` + `OpenApiSecuritySchemeReference("Bearer")`, `MapType` → `JsonSchemaType` + `IDictionary`). The Swagger document shape (paths, Bearer Authorize button, multipart-batch upload schema) is preserved exactly; the `SwaggerDocument_AdvertisesBearerSecurityScheme` programmatic test passed.
- Remediation: None required for security. Eight `ASPDEPR002` `WithOpenApi(...)` deprecation warnings remain in `Program.cs` — recorded as a follow-up PBI in `_docs/03_implementation/reviews/batch_01_cycle4_review.md`.

**F4-cy4: Microsoft.OpenApi 2.3.x (transitive) — no known vulnerabilities** (Low / Vulnerable Components)

- Location: Transitive dependency of `Swashbuckle.AspNetCore 10.1.7` and `Microsoft.AspNetCore.OpenApi 10.0.7`
- Description: AZ-500's Swashbuckle bump pulled in Microsoft.OpenApi 2.x as a transitive replacement for the 1.x previously in scope. The microsoft/OpenAPI.NET GitHub Security tab shows zero published advisories for the 2.x line.
- Impact: None for security. Code impact handled in F3 (the API rewrite was small and contained).
- Remediation: None required.

**F5-cy4: Microsoft.Extensions.* coordinated bump to 10.0.7 — no known vulnerabilities** (Low / Vulnerable Components)

- Location: 6 csproj files: `SatelliteProvider.Api`, `SatelliteProvider.Tests`, `SatelliteProvider.DataAccess`, `SatelliteProvider.Services.TileDownloader`, `SatelliteProvider.Services.RegionProcessing`, `SatelliteProvider.Services.RouteManagement`. ~20 PackageReference rows across 11 distinct package IDs (Caching.Memory, Configuration.Abstractions, Configuration.Json, DependencyInjection, DependencyInjection.Abstractions, Hosting.Abstractions, Http, Logging.Abstractions, Logging.Console, Options, Options.ConfigurationExtensions).
- Description: AZ-500 bumped all M.E.* references from 9.0.10 → 10.0.7 as a coordinated cycle-4 move (per AZ-500 Constraint: "TFM, SDK pin, Docker images, CI images, and M.E.* package versions ALL move in the same commit"). Historical `Microsoft.Extensions.Caching.Memory` CVE-2024-43483 (DoS via hash flooding) affected only 6.x ≤ 6.0.1 / 8.x ≤ 8.0.0 / 9.x ≤ 9.0.0-rc.1 — the cycle-3 9.0.10 baseline was already past that cutoff; 10.0.7 carries the fix forward.
- Impact: None.
- Remediation: None required.
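The "already past the cutoff" reasoning in F5 depends on prerelease ordering (9.0.0-rc.1 sorts below 9.0.0), which is easy to get wrong when checking csproj pins by hand. The following is an added example, not part of this report or the project's tooling: it encodes the CVE-2024-43483 ranges exactly as stated above and applies them to a constructed csproj fragment (the package versions in the sample are illustrative).

```python
import xml.etree.ElementTree as ET

# Affected ranges for CVE-2024-43483 as stated in F5, keyed by package ID:
# (major line, highest affected version) -> 6.x <= 6.0.1, 8.x <= 8.0.0, 9.x <= 9.0.0-rc.1
AFFECTED_RANGES = {
    "Microsoft.Extensions.Caching.Memory": [(6, "6.0.1"), (8, "8.0.0"), (9, "9.0.0-rc.1")],
}

# Constructed csproj fragment standing in for one of the six project files.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="10.0.7" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
  </ItemGroup>
</Project>"""


def parse_version(version):
    """Sort key for a NuGet/SemVer version: numeric core first, then a prerelease
    key that ranks 9.0.0-rc.1 below 9.0.0 (the cutoff F5 relies on). Build
    metadata after '+' is ignored, as SemVer precedence rules require."""
    core, _, prerelease = version.split("+", 1)[0].partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * (3 - len(numbers))  # pad "9.0" to (9, 0, 0)
    if not prerelease:
        return numbers, (1,)  # a release outranks any prerelease of the same core
    segments = tuple((0, int(s)) if s.isdigit() else (1, s) for s in prerelease.split("."))
    return numbers, (0,) + segments

def is_affected(package_id, version):
    """True when this version of package_id falls inside a stated affected range."""
    key = parse_version(version)
    return any(
        key[0][0] == major and key <= parse_version(last_affected)
        for major, last_affected in AFFECTED_RANGES.get(package_id, [])
    )

def scan_csproj(csproj_xml):
    """Return (package_id, version, affected) for every PackageReference in the file."""
    root = ET.fromstring(csproj_xml)
    return [
        (ref.get("Include"), ref.get("Version"), is_affected(ref.get("Include"), ref.get("Version")))
        for ref in root.iter("PackageReference")
        if ref.get("Include") and ref.get("Version")
    ]

if __name__ == "__main__":
    for package_id, version, affected in scan_csproj(SAMPLE_CSPROJ):
        print(f"{package_id} {version}: {'AFFECTED' if affected else 'clean'}")
```

Pointing `scan_csproj` at each of the six real csproj files gives a repeatable check for the coordinated M.E.* bump, and the same table can carry any later advisory's ranges.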
The `Microsoft.IdentityModel.Tokens 7.0.3` / `System.IdentityModel.Tokens.Jwt 7.0.3` packages remain pinned (AZ-500 Constraint kept them out of scope); restore against `net10.0` succeeded with no NU1605/NU1107 conflicts (Risk #3 verified clean in the cycle-4 Step 11 build path).

## Cycle-3 carry-overs (still OPEN)

| # | Severity | Title | Why still OPEN | Cycle-4 disposition |
|---|----------|-------|----------------|---------------------|
| D2 (cycle 3) | Medium (production-risk: Low, exposure: test-runtime only) | `Microsoft.NET.Test.Sdk 17.8.0` transitive `NuGet.Frameworks` advisory flag | AZ-500 explicitly excluded `Microsoft.NET.Test.Sdk` from scope (Constraint: "do not silently fold in unrelated package bumps") | **Continue to defer.** Recommend a separate PBI (post-cycle-4) to bump 17.8.0 → 17.13.0+ when the team next touches test infrastructure. Test-runtime-only exposure; not loaded in the production container. |

All cycle-3 SAST findings (`_docs/05_security/static_analysis.md`), OWASP findings (`_docs/05_security/owasp_review.md`), and infrastructure findings (`_docs/05_security/infrastructure_review.md`) carry forward at their cycle-3 dispositions. AZ-500 made no source-level changes that would alter any of those.

## Recommendations

### Immediate (Critical / High)

- **None.** No Critical or High findings introduced by AZ-500.

### Short-term (Medium)

- (Carried over from cycle 3) PBI: bump `Microsoft.NET.Test.Sdk` 17.8.0 → 17.13.0+ to close D2-cy4 / D2 (cycle 3). Estimated 1 SP. Test-only impact.

### Long-term (Low / Hardening)

- Re-check `Serilog.AspNetCore` at the start of every subsequent cycle. If a 10.x line ships, bump as a single-PBI hygiene task to remove the AZ-500 Risk #4 fallback note from `AGENTS.md` / `_docs/02_document/00_discovery.md` / `_docs/02_document/modules/api_program.md`.
- (From cycle-4 review) Migrate the 8 `WithOpenApi(...)` callsites in `Program.cs` to the ASP.NET Core 10 minimal-API metadata extensions to clear the `ASPDEPR002` deprecation warnings (3 SP, recommended PBI from `_docs/03_implementation/reviews/batch_01_cycle4_review.md`). Not a security item — quality/maintainability — but worth tracking alongside the AZ-500 follow-ups.

## Verdict justification

- **PASS** would require zero findings of any severity. Cycle-3 D2 carry-over (Medium) prevents PASS.
- **PASS_WITH_WARNINGS** is the correct verdict because the only OPEN item is a Medium with mitigations in place (test-runtime-only exposure, not loaded in production container) and AZ-500 explicitly scoped it out per its Constraints. AZ-500 itself introduced zero new findings above Low.
- **FAIL** would require Critical or High. AZ-500 introduced none.

## Self-verification

- [x] All findings from the executed phase (Phase 1 — `dependency_scan_cycle4.md`) included.
- [x] No duplicate findings.
- [x] Every finding has remediation guidance ("None required" is acceptable for informational confirmations on clean lines).
- [x] Verdict matches severity logic (PASS_WITH_WARNINGS — only Medium open is a cycle-3 carry-over with documented mitigations).
- [x] Cycle-3 phases that were intentionally not re-executed (Phases 2/3/4) are explicitly cited as "carried forward" with the rationale recorded.
- [x] AZ-500's three named risks (Risk #1 JwtBearer behavioral change, Risk #2 OpenApi Swagger UI breakage, Risk #3 M.E.* cascade conflict) are each cross-referenced against an in-cycle verification.