# Dependency Scan (Cycle 9)

**Date**: 2026-06-25
**Mode**: Delta scan
**Scope**: Cycle-9 delta over cycle-8 (`dependency_scan_cycle8.md`). Surface = AZ-1074/AZ-1075 gRPC RouteTileDelivery + `SatelliteProvider.GrpcContracts`.
**Method**: `dotnet list SatelliteProvider.sln package --vulnerable --include-transitive` via Docker SDK 10.0 image + manifest diff on new/changed csproj files.

## Cycle-9 Package Manifest Diff

| csproj | Cycle 8 baseline | Cycle 9 change |
|--------|------------------|----------------|
| `SatelliteProvider.Api/SatelliteProvider.Api.csproj` | unchanged | **+1** `Grpc.AspNetCore` 2.71.0 |
| `SatelliteProvider.GrpcContracts/SatelliteProvider.GrpcContracts.csproj` | **NEW** | `Google.Protobuf` 3.31.1, `Grpc.AspNetCore` 2.71.0, `Grpc.Tools` 2.71.0 (PrivateAssets) |
| All other csproj | unchanged | **+0** |

## Vulnerable Package Scan (2026-06-25)

| Project | Finding | Severity | Notes |
|---------|---------|----------|-------|
| `SatelliteProvider.Api` | none | — | Includes new `Grpc.AspNetCore` 2.71.0 — clean |
| `SatelliteProvider.GrpcContracts` | none | — | New project — clean |
| `SatelliteProvider.IntegrationTests` | transitive `Microsoft.IdentityModel.JsonWebTokens` 7.0.3, `System.IdentityModel.Tokens.Jwt` 7.0.3 | Moderate | GHSA-59j7-ghrg-fj52 — **test-runtime only** (pre-existing; unchanged by cycle 9) |
| `SatelliteProvider.TestSupport` | same JWT packages 7.0.3 | Moderate | test-runtime only — pre-existing |

## Cycle-9 Findings

**No new dependency CVEs** from the gRPC package additions. Grpc.AspNetCore 2.71.0 / Google.Protobuf 3.31.1 report clean against NuGet advisory feed at scan time.

## Carry-overs

- **D-AZ795-1** (Low): FluentValidation 12.0.0 → 12.1.1 hardening — still open
- **D2-cy4** (Medium, test-runtime): `Microsoft.NET.Test.Sdk` transitive — still open

## Verdict

**PASS** (cycle-9 delta) — zero new CVEs in production/runtime packages.

Cumulative: **PASS_WITH_WARNINGS** — D2-cy4 + D-AZ795-1 carry-overs unchanged.