# Phase 1 — Dependency Scan (Cycle 4)

- **Date**: 2026-05-12
- **Scope**: Cycle-4 delta over `_docs/05_security/dependency_scan.md` (cycle 3, dated 2026-05-11)
- **Trigger**: The AZ-500 .NET 8 LTS → .NET 10 migration bumped 19+ NuGet references in one coordinated commit; the AZ-500 Security NFR requires a fresh dependency-scan pass after the bump.
- **Method**: Manual inventory diff against the cycle-3 scan + targeted advisory search (WebSearch against GHSA / NVD / NuGet ReversingLabs / Sonatype).
- **Reason for manual mode**: `dotnet list package --vulnerable` is on the project's "do not run from agent" list (AGENTS.md — these commands hang in this environment). Same posture as cycle 3.

## Cycle-4 dependency delta (vs. cycle-3 scan)

| Project | Package | Cycle-3 version | Cycle-4 version | Bumped by |
|---------|---------|-----------------|-----------------|-----------|
| Api | Microsoft.AspNetCore.Authentication.JwtBearer | 8.0.25 | **10.0.7** | AZ-500 |
| Api | Microsoft.AspNetCore.OpenApi | 8.0.25 | **10.0.7** | AZ-500 |
| Api | Swashbuckle.AspNetCore | 6.6.2 | **10.1.7** | AZ-500 |
| Api | Microsoft.OpenApi (transitive via Swashbuckle 10.1.7) | 1.x (transitive) | **2.3.x (transitive)** | AZ-500 (indirect) |
| Api | Serilog.AspNetCore | 8.0.3 | **8.0.3 (unchanged)** | — (AZ-500 Risk #4 fallback: no 10.x line published as of cycle 4; restores cleanly on .NET 10 via netstandard 2.0) |
| Tests | Microsoft.AspNetCore.Authentication.JwtBearer | 8.0.25 (transitive) | **10.0.7 (transitive)** | AZ-500 |
| Tests | Microsoft.Extensions.Caching.Memory | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.Configuration.Json | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.DependencyInjection | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.Http | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.Logging.Console | 9.0.10 | **10.0.7** | AZ-500 |
| Tests | Microsoft.Extensions.Options | 9.0.10 | **10.0.7** | AZ-500 |
| DataAccess | Microsoft.Extensions.Configuration.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| DataAccess | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| TileDownloader | Microsoft.Extensions.Caching.Memory | 9.0.10 | **10.0.7** | AZ-500 |
| TileDownloader | Microsoft.Extensions.Http | 9.0.10 | **10.0.7** | AZ-500 |
| TileDownloader | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| TileDownloader | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | **10.0.7** | AZ-500 |
| RegionProcessing | Microsoft.Extensions.DependencyInjection.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Hosting.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | **10.0.7** | AZ-500 |
| RouteManagement | Microsoft.Extensions.DependencyInjection.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RouteManagement | Microsoft.Extensions.Hosting.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RouteManagement | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | **10.0.7** | AZ-500 |
| RouteManagement | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | **10.0.7** | AZ-500 |

**Runtime image**: `mcr.microsoft.com/dotnet/aspnet:10.0` (was `:8.0` in cycle 3 — bumped by AZ-500 in `SatelliteProvider.Api/Dockerfile`). The floating `:10.0` tag carries the same auto-resolve-to-latest-patch posture cycle 3 noted for `:8.0`: the first build picks up Microsoft's most recent .NET 10 patch automatically.
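The manual inventory diff behind the table above, automated as an added example (not the project's own tooling): it parses `PackageReference` entries from two csproj snapshots, emits every changed reference, and flags major-version bumps, which need a fresh advisory check rather than a carried-over disposition. The two snapshots are constructed inline from versions quoted in this report; a real run would read the committed `.csproj` files of the previous and current cycle.

```python
# Added example (not the project's own tooling): automate the manual inventory
# diff by parsing PackageReference entries from two csproj snapshots.
# The snapshots below are constructed from versions quoted in this report.
import xml.etree.ElementTree as ET

CYCLE3_API = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.25" />
  <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
  <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
</ItemGroup></Project>"""

CYCLE4_API = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.7" />
  <PackageReference Include="Swashbuckle.AspNetCore" Version="10.1.7" />
  <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
</ItemGroup></Project>"""


def package_refs(csproj_xml: str) -> dict[str, str]:
    """Map package id -> pinned version for every PackageReference."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference")
            if el.get("Include") and el.get("Version")}


def major(version: str) -> int:
    """Leading numeric component of a NuGet version ("10.0.7" -> 10)."""
    return int(version.split(".")[0].split("-")[0])


def inventory_delta(old_xml: str, new_xml: str) -> list[dict]:
    """Rows for every added, removed or re-versioned reference. A major-version
    change is flagged: it can alter behaviour and pulls in a new transitive
    graph, so its advisory status must be checked afresh, not carried over."""
    old, new = package_refs(old_xml), package_refs(new_xml)
    rows = []
    for pkg in sorted(old.keys() | new.keys()):
        before, after = old.get(pkg), new.get(pkg)
        if before == after:
            continue  # unchanged: the previous cycle's disposition still applies
        rows.append({"package": pkg, "before": before, "after": after,
                     "major_bump": bool(before and after and major(before) != major(after))})
    return rows


if __name__ == "__main__":
    for row in inventory_delta(CYCLE3_API, CYCLE4_API):
        flag = "  <- major bump, fresh advisory check required" if row["major_bump"] else ""
        print(f"{row['package']}: {row['before']} -> {row['after']}{flag}")
```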
**Unchanged from cycle 3** (carried-over inventory; cycle-3 dispositions still apply): `Newtonsoft.Json 13.0.4`, `SixLabors.ImageSharp 3.1.11`, `Dapper 2.1.35`, `Npgsql 9.0.2`, `dbup-postgresql 6.0.3`, `Serilog.Sinks.File 6.0.0`, `Serilog.AspNetCore 8.0.3`, `Microsoft.IdentityModel.Tokens 7.0.3`, `System.IdentityModel.Tokens.Jwt 7.0.3`, `coverlet.collector 6.0.0`, `FluentAssertions 8.8.0`, `Microsoft.NET.Test.Sdk 17.8.0`, `Moq 4.20.72`, `xunit 2.5.3`, `xunit.runner.visualstudio 2.5.3`. None of these were touched by AZ-500 (Constraint: "do not silently fold in unrelated package bumps"). `Microsoft.NET.Test.Sdk 17.8.0` retains the cycle-3 NuGet.Frameworks transitive CVE flag (D2); its disposition is unchanged.

## Findings

| # | Severity | Package | Version | Advisory | Disposition |
|---|----------|---------|---------|----------|-------------|
| D1-cy4 | Low (informational) | Microsoft.AspNetCore.Authentication.JwtBearer | 10.0.7 | None as of 2026-05-12 (Sonatype + ReversingLabs both report 0 known vulnerabilities for the 10.0.7 line). The cycle-3 D1 finding (CVE-2026-26130 SignalR DoS, 8.0.21 → 8.0.25 patch) is now superseded: the 10.0.7 line incorporates that fix and continues forward; SignalR remains unused in this codebase. | **CLOSED** by the major-version bump (AZ-500). |
| D2-cy4 | **Medium** (production risk: **Low**; exposure: test-runtime only — same as cycle-3 D2) | Microsoft.NET.Test.Sdk → NuGet.Frameworks | 17.8.0 | Cycle-3 D2 disposition reproduced verbatim: transitive `NuGet.Frameworks` is flagged at moderate severity by some scanners. AZ-500 did not bump `Microsoft.NET.Test.Sdk` (out of scope per the AZ-500 Constraint "do not silently fold in unrelated package bumps"). | **OPEN — carried over from cycle 3.** Same disposition: not loaded at runtime in the production container; test-runtime exposure only. Recommend a separate PBI (post cycle 4) to bump `Microsoft.NET.Test.Sdk` 17.8.0 → 17.13.0+ when the team next touches the test infrastructure. |
| D3-cy4 | Low (informational) | Microsoft.AspNetCore.OpenApi | 10.0.7 | None as of 2026-05-12. The cycle-3 D3 finding (paired with D1 — the same supply-chain CVE-2026-26130 advisory) is now superseded by the major-version bump. | **CLOSED** by AZ-500. |
| D4-cy4 | Low (informational) | Swashbuckle.AspNetCore | 10.1.7 | None as of 2026-05-12 (ReversingLabs scan of the 10.1.5/10.1.7 line reports 0 known vulnerabilities). The major bump (6.6.2 → 10.1.7) was driven by the Microsoft.OpenApi 2.x compatibility requirement of ASP.NET Core 10, not by an active CVE. | **NEW LINE — clean.** Recorded for traceability. |
| D5-cy4 | Low (informational) | Microsoft.OpenApi (transitive) | 2.3.x (latest patch on the 2.3 line at restore time) | None as of 2026-05-12. The major bump from 1.x to 2.x is API-breaking but advisory-clean. The `Microsoft/OpenAPI.NET` GitHub Security tab shows zero published advisories for the 2.x line. | **NEW LINE — clean.** Drove the `Program.cs` Swashbuckle setup refactor (3 internal edits — see `_docs/02_document/modules/api_program.md`, "Microsoft.OpenApi 2.x refactor note"). |
| D6-cy4 | Low (informational) | Microsoft.Extensions.* | 10.0.7 (across 11 distinct package IDs, ~20 csproj references) | None as of 2026-05-12 against the 10.0.7 line. The historical `Microsoft.Extensions.Caching.Memory` CVE-2024-43483 (DoS via hash flooding) affected ≤ 6.0.1 / ≤ 8.0.0 / ≤ 9.0.0-rc.1; the cycle-3 9.0.10 baseline was already past that cutoff, and 10.0.7 carries the fix forward. | **CLOSED transitively** — the historical CVE was already not applicable in cycle 3; cycle 4 maintains that posture. |
| D7-cy4 | Low (informational — operational risk noted, not security) | Serilog.AspNetCore | 8.0.3 (unchanged) | None published. AZ-500 Risk #4 fallback: no 10.x line published as of cycle 4; the package targets `netstandard 2.0`, so it restores cleanly against `net10.0`. | **DEFERRED** — re-check at the start of every subsequent cycle. If a 10.x line ships, bump it as a single-PBI hygiene task. No security exposure today. |

**No Critical or High findings introduced by AZ-500.**

Cycle-4 verdict (dependency-scan dimension only): **PASS_WITH_WARNINGS** — the only OPEN item (D2-cy4) is a cycle-3 carry-over that AZ-500 explicitly excluded from scope.

## Self-verification

- [x] All package manifests scanned (9 csproj files, post-AZ-500 state).
- [x] Each finding has a CVE/advisory reference or an explicit "no published advisory as of [date]" note.
- [x] Upgrade path identified for the only OPEN item (D2-cy4 → bump `Microsoft.NET.Test.Sdk` to 17.13.0+ in a separate PBI).
- [x] Cross-checked against AZ-500 Risk #1 (JwtBearer behavioral change): the Step 11 full integration suite passed, including SEC-05..SEC-09 + AZ-494 AC-1/AC-2 wrong-iss/aud — the JWT validation contract is preserved exactly.
- [x] Cross-checked against AZ-500 Risk #2 (OpenApi Swagger UI breakage): a post-build manual probe of `http://localhost:18980/swagger` returned 200; the `SwaggerDocument_AdvertisesBearerSecurityScheme` programmatic test passed in the cycle-4 Step 11 run.
- [x] Cross-checked against AZ-500 Risk #3 (M.E.* 10.0.x cascade conflicting with `Microsoft.IdentityModel.Tokens 7.0.3`): no NU1605 / NU1107 conflicts at restore time in the cycle-4 Step 11 build path.

## Out of scope for this scan (covered elsewhere)

- **Static analysis** (SAST): cycle-3 `_docs/05_security/static_analysis.md` carries forward unchanged. AZ-500 made no source-level edits to authentication, authorization, input validation, crypto, deserialization, or data-exposure paths. The only C# edits were the `Program.cs` Swashbuckle DI registration (internal wiring, no external surface change) and a `using` directive in `Swagger/ParameterDescriptionFilter.cs`; neither falls into a SAST-checklist category.
- **OWASP Top 10 review**: cycle-3 `_docs/05_security/owasp_review.md` carries forward unchanged. AZ-500 introduced no new endpoints, no new permission policies, no new user-input paths, no new external integrations, no new crypto, and no new data-exposure surface; all 10 OWASP categories are unchanged in posture.
- **Infrastructure review**: cycle-3 `_docs/05_security/infrastructure_review.md` carries forward unchanged with one delta: Docker base/build/runtime images and the CI image moved from the `:8.0` floating tag to `:10.0`. Microsoft publishes the `:10.0` images as multi-arch (amd64 + arm64); the runtime image still runs as a non-root user via the cycle-1 `USER app` directive (verified in `SatelliteProvider.Api/Dockerfile`); no secrets were added to build args. **Net infrastructure security posture: unchanged.**