Oleksandr Bezdieniezhnykh af4219fce6
ci/woodpecker/push/01-test Pipeline was successful
ci/woodpecker/push/02-build-push Pipeline was successful
[AZ-500] Cycle 4 Steps 12-15 sync (test-spec / docs / security / perf)
Step 12 (Test-Spec Sync) - cycle-update mode
  - traceability-matrix: 8 AZ-500 AC rows + .NET 10 runtime
    restriction supersession + Cycle-4 coverage shape note
    (no new tests; ACs verified by re-running existing 78-test
    suite + build pipeline + manifest grep)

Step 13 (Update Docs) - task mode
  - FINAL_report, 00_discovery, architecture, module-layout,
    api_program, tests_unit: .NET 8 -> .NET 10 / C# 12 -> 14 /
    Swashbuckle 6.6.2 -> 10.1.7 + Microsoft.OpenApi 2.x
    refactor note in api_program; Serilog.AspNetCore 8.0.3
    fallback documented inline per AZ-500 Risk #4
  - deployment/{containerization, ci_cd_pipeline}: Docker
    aspnet/sdk:8.0 -> :10.0
  - ripple_log_cycle4: empty import-graph ripple recorded
    (Program.cs is entry point; ParameterDescriptionFilter only
    consumed by Program.cs; csproj/global.json/Dockerfile have
    no import edges)

Step 14 (Security Audit) - resume mode
  - dependency_scan_cycle4: AZ-500 19-package delta scanned;
    cycle-3 D1+D3 (CVE-2026-26130) closed by major-version
    bump; cycle-3 D2 (Test.Sdk 17.8.0 NuGet.Frameworks flag)
    carried over - explicitly out of AZ-500 scope
  - security_report_cycle4: PASS_WITH_WARNINGS (only carry-over
    Medium open; AZ-500 introduced 0 new Critical/High); cycle-3
    static_analysis/owasp_review/infrastructure_review carried
    forward unchanged (AZ-500 made no source-level edits to
    those surfaces)

Step 15 (Performance Test) - perf mode, full default-param run
  - perf_2026-05-12_cycle4: 7 Pass + 1 Unverified (PT-08 hit
    pre-existing scripts/run-performance-tests.sh:417 grep-
    pipefail bug, NOT a .NET 10 regression)
  - PT-07 warm p95 = 301ms (7.7x improvement vs cycle-3 short
    variant - .NET 10 pipeline + N=20 dilution); cold p95 =
    2782ms (-14%); PT-06 90ms (-49%)
  - AZ-500 NFR (Performance) MET for 7/8 scenarios
  - Cycle-3 perf-harness leftover updated with replay #3
    results; STAYS OPEN per AZ-500 Constraint (deletes only on
    fully clean run)

Recommended follow-up PBIs (out of cycle-4 scope, surfaced for
the backlog):
  - 1 SP fix scripts/run-performance-tests.sh:416-417 grep-
    pipefail (replace grep -o ... | wc -l with grep -c ... ||
    true) - unblocks PT-08 + closes the cycle-3 perf leftover
  - 3 SP migrate WithOpenApi(...) callsites to ASP.NET Core 10
    minimal-API metadata extensions (clears 8 ASPDEPR002
    warnings; recorded in batch_01_cycle4_review.md)
  - 1 SP Microsoft.OpenApi 2.x nullable cleanup (CS8604 in
    ParameterDescriptionFilter.cs:25)
  - 1 SP bump Microsoft.NET.Test.Sdk 17.8.0 -> 17.13.0+
    (closes cycle-3 D2 NuGet.Frameworks transitive flag)

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 06:05:29 +03:00


Phase 1 — Dependency Scan (Cycle 4)

  • Date: 2026-05-12
  • Scope: Cycle-4 delta over _docs/05_security/dependency_scan.md (cycle 3, dated 2026-05-11)
  • Trigger: AZ-500 .NET 8 LTS → .NET 10 migration bumped 19+ NuGet references in one coordinated commit; AZ-500 Security NFR requires a fresh dependency-scan pass after the bump.
  • Method: Manual inventory diff against cycle-3 scan + targeted advisory search (WebSearch against GHSA / NVD / NuGet ReversingLabs / Sonatype).
  • Reason for manual mode: dotnet list package --vulnerable is on the project's "do not run from agent" list (AGENTS.md — these commands hang in this environment). Same posture as cycle 3.

Cycle-4 dependency delta (vs. cycle-3 scan)

| Project | Package | Cycle-3 version | Cycle-4 version | Bumped by |
|---|---|---|---|---|
| Api | Microsoft.AspNetCore.Authentication.JwtBearer | 8.0.25 | 10.0.7 | AZ-500 |
| Api | Microsoft.AspNetCore.OpenApi | 8.0.25 | 10.0.7 | AZ-500 |
| Api | Swashbuckle.AspNetCore | 6.6.2 | 10.1.7 | AZ-500 |
| Api | Microsoft.OpenApi (transitive via Swashbuckle 10.1.7) | 1.x (transitive) | 2.3.x (transitive) | AZ-500 (indirect) |
| Api | Serilog.AspNetCore | 8.0.3 | 8.0.3 (unchanged) | — (AZ-500 Risk #4 fallback: no 10.x line published as of cycle 4; restores cleanly on .NET 10 via netstandard 2.0) |
| Tests | Microsoft.AspNetCore.Authentication.JwtBearer | 8.0.25 (transitive) | 10.0.7 (transitive) | AZ-500 |
| Tests | Microsoft.Extensions.Caching.Memory | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.Configuration.Json | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.DependencyInjection | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.Http | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.Logging.Console | 9.0.10 | 10.0.7 | AZ-500 |
| Tests | Microsoft.Extensions.Options | 9.0.10 | 10.0.7 | AZ-500 |
| DataAccess | Microsoft.Extensions.Configuration.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| DataAccess | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| TileDownloader | Microsoft.Extensions.Caching.Memory | 9.0.10 | 10.0.7 | AZ-500 |
| TileDownloader | Microsoft.Extensions.Http | 9.0.10 | 10.0.7 | AZ-500 |
| TileDownloader | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| TileDownloader | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | 10.0.7 | AZ-500 |
| RegionProcessing | Microsoft.Extensions.DependencyInjection.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Hosting.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RegionProcessing | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | 10.0.7 | AZ-500 |
| RouteManagement | Microsoft.Extensions.DependencyInjection.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RouteManagement | Microsoft.Extensions.Hosting.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RouteManagement | Microsoft.Extensions.Logging.Abstractions | 9.0.10 | 10.0.7 | AZ-500 |
| RouteManagement | Microsoft.Extensions.Options.ConfigurationExtensions | 9.0.10 | 10.0.7 | AZ-500 |
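The manual inventory diff the scan describes can be reproduced from the csproj manifests themselves. The script below is an added example, not the project's tooling: it parses PackageReference elements from two csproj snapshots, classifies each change (major bumps are the ones that need a fresh advisory lookup), and checks the "do not silently fold in unrelated package bumps" constraint against a declared bump set. The csproj text is constructed to mirror four rows of the table above, not copied from the repository.

```python
import xml.etree.ElementTree as ET

# Constructed csproj snapshots mirroring four rows of the cycle-4 delta table
# (not the repository's real manifests). Serilog uses the child-element
# Version form so both PackageReference spellings are exercised.
CYCLE3_API_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.25" />
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.25" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
    <PackageReference Include="Serilog.AspNetCore"><Version>8.0.3</Version></PackageReference>
  </ItemGroup>
</Project>"""
CYCLE4_API_CSPROJ = (CYCLE3_API_CSPROJ
                     .replace('Version="8.0.25"', 'Version="10.0.7"')
                     .replace('Version="6.6.2"', 'Version="10.1.7"'))

def package_refs(csproj_xml):
    """Map package id -> version; Version may be an attribute or a child element."""
    refs = {}
    for el in ET.fromstring(csproj_xml).iter("PackageReference"):
        version = el.attrib.get("Version") or el.findtext("Version")
        if "Include" in el.attrib and version:
            refs[el.attrib["Include"]] = version.strip()
    return refs

def major(version):
    return int(version.split(".")[0])

def delta(before, after):
    """One (package, old, new, kind) row per package seen in either snapshot."""
    rows = []
    for pkg in sorted(set(before) | set(after)):
        old, new = before.get(pkg, "-"), after.get(pkg, "-")
        if old == new:
            kind = "unchanged"
        elif old == "-" or new == "-":
            kind = "added" if old == "-" else "removed"
        elif major(old) != major(new):
            kind = "major"        # new major line: advisory history does not carry over
        else:
            kind = "minor/patch"
        rows.append((pkg, old, new, kind))
    return rows

def out_of_scope_bumps(rows, allowed):
    """Changed packages outside the declared bump set: a constraint violation."""
    return [r[0] for r in rows if r[3] != "unchanged" and r[0] not in allowed]

if __name__ == "__main__":
    for row in delta(package_refs(CYCLE3_API_CSPROJ), package_refs(CYCLE4_API_CSPROJ)):
        print("%-48s %-8s -> %-8s %s" % row)
```

Run it against the real before/after csproj files (one pair per project) to regenerate the delta table and to confirm the carried-over inventory really is untouched.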

Runtime image: mcr.microsoft.com/dotnet/aspnet:10.0 (was :8.0 in cycle 3 — bumped by AZ-500 in SatelliteProvider.Api/Dockerfile). Same auto-resolve-to-latest-10.0.x posture cycle-3 noted for the :8.0 floating tag — first build picks up Microsoft's most recent .NET 10 patch automatically.

Unchanged from cycle 3 (carried-over inventory; cycle-3 dispositions still apply): Newtonsoft.Json 13.0.4, SixLabors.ImageSharp 3.1.11, Dapper 2.1.35, Npgsql 9.0.2, dbup-postgresql 6.0.3, Serilog.Sinks.File 6.0.0, Serilog.AspNetCore 8.0.3, Microsoft.IdentityModel.Tokens 7.0.3, System.IdentityModel.Tokens.Jwt 7.0.3, coverlet.collector 6.0.0, FluentAssertions 8.8.0, Microsoft.NET.Test.Sdk 17.8.0, Moq 4.20.72, xunit 2.5.3, xunit.runner.visualstudio 2.5.3. None of these were touched by AZ-500 (Constraint: "do not silently fold in unrelated package bumps"). Microsoft.NET.Test.Sdk 17.8.0 retains the cycle-3 NuGet.Frameworks transitive CVE flag (D2) — disposition unchanged.

Findings

| # | Severity | Package | Version | Advisory | Disposition |
|---|---|---|---|---|---|
| D1-cy4 | Low (informational) | Microsoft.AspNetCore.Authentication.JwtBearer | 10.0.7 | None as of 2026-05-12 (Sonatype + ReversingLabs both report 0 known vulnerabilities for the 10.0.7 line). The cycle-3 D1 finding (CVE-2026-26130 SignalR DoS, 8.0.21 → 8.0.25 patch) is now superseded — the 10.0.7 line incorporates that fix and continues forward; SignalR remains unused in this codebase. | CLOSED by the major-version bump (AZ-500). |
| D2-cy4 | Medium (production-risk: Low, exposure: test-runtime only — same as cycle-3 D2) | Microsoft.NET.Test.Sdk → NuGet.Frameworks | 17.8.0 | Cycle-3 D2 disposition reproduced verbatim: transitive NuGet.Frameworks flagged for moderate severity in some scanners. AZ-500 did not bump Microsoft.NET.Test.Sdk (out of scope per the AZ-500 Constraint "do not silently fold in unrelated package bumps"). | OPEN — carried over from cycle 3. Same disposition: not loaded at runtime in the production container; test-runtime exposure only. Recommend a separate PBI (post cycle 4) to bump Microsoft.NET.Test.Sdk 17.8.0 → 17.13.0+ when the team next touches the test infrastructure. |
| D3-cy4 | Low (informational) | Microsoft.AspNetCore.OpenApi | 10.0.7 | None as of 2026-05-12. The cycle-3 D3 finding (which paired with D1 — same supply-chain CVE-2026-26130 advisory) is now superseded by the major-version bump. | CLOSED by AZ-500. |
| D4-cy4 | Low (informational) | Swashbuckle.AspNetCore | 10.1.7 | None as of 2026-05-12 (ReversingLabs scan of the 10.1.5/10.1.7 line reports 0 known vulnerabilities). The major bump (6.6.2 → 10.1.7) was driven by the Microsoft.OpenApi 2.x compat requirement of ASP.NET Core 10, not by an active CVE. | NEW LINE — clean. Recorded for traceability. |
| D5-cy4 | Low (informational) | Microsoft.OpenApi (transitive) | 2.3.x (latest patch on the 2.3 line at restore time) | None as of 2026-05-12. The major bump from 1.x to 2.x is breaking-API but advisory-clean. The Microsoft/OpenAPI.NET GitHub Security tab shows zero published advisories for the 2.x line. | NEW LINE — clean. Drove the Program.cs Swashbuckle setup refactor (3 internal edits — see _docs/02_document/modules/api_program.md "Microsoft.OpenApi 2.x refactor note"). |
| D6-cy4 | Low (informational) | Microsoft.Extensions.* | 10.0.7 (across 11 distinct package IDs, ~20 csproj references) | None as of 2026-05-12 against the 10.0.7 line. Historical Microsoft.Extensions.Caching.Memory CVE-2024-43483 (DoS via hash flooding) affected ≤ 6.0.1 / ≤ 8.0.0 / ≤ 9.0.0-rc.1 — the cycle-3 9.0.10 baseline was already past that cutoff, and 10.0.7 carries the fix forward. | CLOSED transitively — historical CVE was already not applicable in cycle 3; cycle 4 maintains that posture. |
| D7-cy4 | Low (informational — operational risk noted, not security) | Serilog.AspNetCore | 8.0.3 (unchanged) | None published. AZ-500 Risk #4 fallback: no 10.x line published as of cycle 4; the package targets netstandard 2.0 so it restores cleanly against net10.0. | DEFERRED — re-check at the start of every subsequent cycle. If a 10.x line ships, bump as a single-PBI hygiene task. No security exposure today. |

No Critical or High findings introduced by AZ-500. Cycle-4 verdict (dependency-scan dimension only): PASS_WITH_WARNINGS — the only OPEN item (D2-cy4) is a cycle-3 carry-over that AZ-500 explicitly excluded from scope.

Self-verification

  • All package manifests scanned (9 csproj files, post-AZ-500 state).
  • Each finding has a CVE/advisory reference or an explicit "no published advisory as of [date]" note.
  • Upgrade paths identified for the only OPEN item (D2-cy4 → bump Microsoft.NET.Test.Sdk to 17.13.0+ in a separate PBI).
  • Cross-checked against AZ-500 Risk #1 (JwtBearer behavioral change): the Step 11 full integration suite passed including SEC-05..SEC-09 + AZ-494 AC-1/AC-2 wrong-iss/aud — JWT validation contract preserved exactly.
  • Cross-checked against AZ-500 Risk #2 (OpenApi Swagger UI breakage): post-build manual probe of http://localhost:18980/swagger returned 200; SwaggerDocument_AdvertisesBearerSecurityScheme programmatic test passed in the cycle-4 Step 11 run.
  • Cross-checked against AZ-500 Risk #3 (M.E.* 10.0.x cascade conflicting with Microsoft.IdentityModel.Tokens 7.0.3): no NU1605 / NU1107 conflicts at restore time in the cycle-4 Step 11 build path.

Out of scope for this scan (covered elsewhere)

  • Static analysis (SAST): cycle-3 _docs/05_security/static_analysis.md carries forward unchanged. AZ-500 made no source-level edits to authentication, authorization, input validation, crypto, deserialization, or data-exposure paths. The only C# edits were Program.cs Swashbuckle DI registration (internal wiring, no external surface change) and Swagger/ParameterDescriptionFilter.cs using directive — neither category in the SAST checklist.
  • OWASP Top 10 review: cycle-3 _docs/05_security/owasp_review.md carries forward unchanged. AZ-500 introduced no new endpoints, no new permission policies, no new user-input paths, no new external integrations, no new crypto, and no new data exposure surface — all 10 OWASP categories are unchanged in posture.
  • Infrastructure review: cycle-3 _docs/05_security/infrastructure_review.md carries forward unchanged with one delta: Docker base/build/runtime images and CI image moved from the :8.0 floating tag to :10.0. Microsoft publishes the :10.0 images as multi-arch (amd64 + arm64); the runtime image still uses a non-root user via the cycle-1 USER app directive (verified in SatelliteProvider.Api/Dockerfile); no secrets were added to build args. Net infrastructure security posture: unchanged.