# Dependency Scan (Cycle 5)

**Date**: 2026-05-12
**Mode**: Delta scan
**Scope**: Cycle-5 delta over the cycle-4 dependency scan (`_docs/05_security/dependency_scan_cycle4.md`)
**Trigger**: AZ-503-foundation + AZ-504; both Step-15-gated by the same audit infrastructure as cycle 4

## Cycle-5 Package Manifest Diff

| csproj | Cycle 4 baseline (post-AZ-500) | Cycle 5 change | Net effect on supply chain |
|--------|--------------------------------|----------------|----------------------------|
| `SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj` | references Api, TestSupport | **+1 ProjectReference**: `SatelliteProvider.Common` (AZ-503 — so test seeders can call `Uuidv5.Create`) | None — ProjectReference inside the workspace; no new NuGet packages, no new transitive graph nodes |
| `SatelliteProvider.Common/SatelliteProvider.Common.csproj` | unchanged from cycle 4 | **+0 PackageReferences** — `Uuidv5.cs` is pure BCL (`System.Security.Cryptography.SHA1`, `System.Buffers.Binary.BinaryPrimitives`, `System.Buffers.ArrayPool`) | None — no new NuGet packages |
| `SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Api/SatelliteProvider.Api.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` | unchanged from cycle 4 | **+0 PackageReferences** — `Uuidv5Tests` is pure BCL | None |

**Net cycle-5 dependency change**: zero new NuGet packages, zero version bumps, zero removed packages. The only manifest edit is one intra-workspace `ProjectReference` line (`IntegrationTests → Common`).

## Cycle-5 New PostgreSQL Extensions

Migration `014_AddTileIdentityColumns.sql` issues `CREATE EXTENSION IF NOT EXISTS pgcrypto`. This is a new runtime database dependency.

| Extension | Used for | Where it executes | Postures |
|-----------|----------|-------------------|----------|
| `pgcrypto` | The migration's `pg_temp.uuidv5` PL/pgSQL helper calls `digest(..., 'sha1')` to backfill `location_hash` over every pre-existing `tiles` row | Inside the migration transaction only; **runtime application code does NOT call `pgcrypto`** (UUIDv5 in production paths is computed in C# via `SatelliteProvider.Common.Utils.Uuidv5`) | Standard, bundled-with-Postgres extension. No external download. Known historical CVEs (e.g. CVE-2024-10977 in the `crypt()` Blowfish path, CVE-2025-1094 in `quote_literal`) do NOT touch the `digest()` SHA-1 surface AZ-503 uses. |

The `pg_temp.uuidv5` helper is a `pg_temp.*` function — automatically scoped to the migration's session and discarded at COMMIT. It is not callable by runtime application code.

## Cycle-5 Findings

None. No new CVEs to surface, no version bumps to audit, no transitive graph changes.

The cycle-4 carry-over (D2-cy4 — `Microsoft.NET.Test.Sdk 17.8.0` transitive `NuGet.Frameworks` Medium-severity finding, test-runtime exposure only) is **unchanged in cycle 5**: AZ-503 did not bump `Microsoft.NET.Test.Sdk` and did not introduce a new test-runtime package. The finding continues to live in `dependency_scan_cycle4.md` and is owned by a still-unscheduled follow-up task (slated for the next Test SDK refresh cycle).

## Verdict

**PASS** (cycle-5 delta) — zero new supply-chain findings.

Cumulative verdict (carrying forward cycle 4): **PASS_WITH_WARNINGS** (1 cycle-3 Medium carry-over via D2-cy4; no Critical/High; AZ-503/AZ-504 add nothing).