Oleksandr Bezdieniezhnykh bc04ba7f99 [AZ-794] [AZ-795] [AZ-796] Cycle 7 Steps 12-15 sync (test-spec / docs / security / perf)
Step 12 (Test-Spec Sync): adds BT-27 for the AZ-796 9-rule
validation surface and 12 cycle-7 AC rows + Coverage Summary
update to traceability-matrix.md.

Step 13 (Update Docs): module-layout + module docs for the new
SatelliteProvider.Api/Validators namespace + GlobalExceptionHandler
+ updated TileInventory DTO; tests_unit + tests_integration
document the new InventoryRequestValidatorTests (16 unit tests
covering all 9 rules) + TileInventoryValidationTests (16
integration tests) + ProblemDetailsAssertions support;
glossary entries for Validation Problem Details / FluentValidation
/ Unmapped Member Handling; system-flows F8 (Tile Inventory Bulk
Lookup) expanded with deserializer + validator gates and a 13-row
Validation Surface table; data_parameters § Tile Inventory
documents the v2 input schema + constraints; ripple_log_cycle7
captures the doc-side ripple decisions.

Step 14 (Security Audit): 5-phase audit ran; verdict
PASS_WITH_WARNINGS (3 Low findings — D-AZ795-1 FluentValidation
12.0.0 -> 12.1.1 recommended bump, F-AZ795-1 JsonException.Message
leak in 400 detail, F-AZ795-2 BadHttpRequestException.Message leak).
No Critical / High; auth runs before validation (confirmed in
Program.cs); two NuGet additions (FluentValidation 12.0.0 +
.DependencyInjectionExtensions 12.0.0) both CVE-clean. Per-phase
reports plus consolidated security_report_cycle7.md.

Step 15 (Performance Test): docker compose stack used for perf
run, scripts/run-performance-tests.sh exited 0 with 8/8 scenarios
PASS (second consecutive clean exit-0); added PT-09 cycle-7 smoke
probe (v2 z/x/y schema, 2500-tile all-miss batch) measuring
min=27ms median=44ms p95=73ms max=86ms (13.7x under AZ-505 AC-4
1000ms budget). PT-07/08 improvements traced to the cycle-6 TLS
handshake-overhead identification, not application-side change.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-22 11:24:27 +03:00

Dependency Scan (Cycle 7)

Date: 2026-05-22
Mode: Delta scan
Scope: Cycle-7 delta over the cycle-5 dependency scan (_docs/05_security/dependency_scan_cycle5.md); cycle 6 did not produce a dependency scan, so the last scanned baseline is cycle 5
Trigger: AZ-794 (wire-format rename — no manifest changes) + AZ-795 (strict-validation epic — adds FluentValidation 12.0.0 + FluentValidation.DependencyInjectionExtensions 12.0.0) + AZ-796 (per-endpoint validator — no manifest changes beyond what AZ-795 added)
Method: Manifest diff + WebSearch CVE lookup against GitHub Security Advisories + NVD + ReversingLabs Spectra Assure. dotnet list package --vulnerable is intentionally not run (the AGENTS.md operational note in this workspace says it hangs the agent shell); the manifest diff + advisory lookup is the deterministic substitute.

Cycle-7 Package Manifest Diff

| csproj | Cycle 5 baseline (post-AZ-503) | Cycle 7 change | Net effect on supply chain |
|---|---|---|---|
| SatelliteProvider.Api/SatelliteProvider.Api.csproj | references Microsoft.AspNetCore.OpenApi 10.0.7, Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7, Newtonsoft.Json 13.0.4, Serilog.AspNetCore 8.0.3, Serilog.Sinks.File 6.0.0, SixLabors.ImageSharp 3.1.11, Swashbuckle.AspNetCore 10.1.7 | +2 PackageReferences: FluentValidation 12.0.0 and FluentValidation.DependencyInjectionExtensions 12.0.0 (both new at AZ-795). | New supply-chain node. Both packages are MIT/Apache-2.0; no transitive Microsoft.* version bumps. |
| SatelliteProvider.Common/SatelliteProvider.Common.csproj | unchanged from cycle 5 | +0 PackageReferences — the cycle-7 DTO changes ([JsonRequired] on TileCoord.Z/X/Y) are BCL-only. | None. |
| SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.RegionProcessing/SatelliteProvider.Services.RegionProcessing.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.RouteManagement/SatelliteProvider.Services.RouteManagement.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Tests/SatelliteProvider.Tests.csproj | unchanged from cycle 5 | +0 PackageReferences. FluentValidation.TestHelper is the namespace inside the main FluentValidation package consumed transitively via ProjectReference to SatelliteProvider.Api. | None at the manifest level; one new transitive runtime node at test execution (FluentValidation main assembly). |
| SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj | unchanged from cycle 5 | +0 PackageReferences — the new ProblemDetailsAssertions.cs + TileInventoryValidationTests.cs use only BCL + the existing Xunit + Microsoft.AspNetCore ProjectReference. | None. |
| SatelliteProvider.TestSupport/SatelliteProvider.TestSupport.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |

Net cycle-7 dependency change: two new PackageReference lines (FluentValidation 12.0.0 + FluentValidation.DependencyInjectionExtensions 12.0.0). All other csprojs are byte-identical at the manifest level (verified by git diff cycle5_tip..HEAD -- '*.csproj' in the implementation phase).
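
The manifest diff above can be reproduced mechanically. The following is an added example, not part of this repository's scan tooling: it compares the PackageReference entries of two csproj revisions and reports added, removed and version-changed packages. The sample XML is constructed from the package names in the table, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests, trimmed to two baseline references; package
# names and versions are taken from the Api.csproj row of the table above.
BASELINE = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
  <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
</ItemGroup></Project>"""

CURRENT = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
  <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
  <PackageReference Include="FluentValidation" Version="12.0.0" />
  <PackageReference Include="FluentValidation.DependencyInjectionExtensions">
    <Version>12.0.0</Version>
  </PackageReference>
</ItemGroup></Project>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an xmlns prefix if present


def package_refs(csproj_xml):
    """Map lower-cased package id (NuGet ids are case-insensitive) to version."""
    refs = {}
    for el in ET.fromstring(csproj_xml).iter():
        name = el.get("Include") or el.get("Update")
        if _local(el.tag) != "PackageReference" or not name:
            continue
        # Version is an attribute or a child element; None means it is set
        # elsewhere (for example central package management).
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = ((child.text or "").strip() or None) if child is not None else None
        refs[name.lower()] = version
    return refs


def manifest_delta(old_xml, new_xml):
    """Added, removed and version-changed PackageReferences between two manifests."""
    old, new = package_refs(old_xml), package_refs(new_xml)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }
```

Feeding it the output of git show for each revision of a csproj gives the per-file delta; an empty result for every other project corresponds to the "+0 PackageReferences" rows.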

Cycle-7 Dependency CVE Lookup

FluentValidation 12.0.0

| Source | Result |
|---|---|
| GitHub Security Advisories (https://github.com/FluentValidation/FluentValidation/security/advisories) | No published advisories. |
| NVD CVE database (search: FluentValidation) | No CVEs against this .NET library. (One historical record matched on the substring "FluentForms" — a WordPress plugin unrelated to FluentValidation; explicitly excluded.) |
| ReversingLabs Spectra Assure Community (https://secure.software/nuget/packages/fluentvalidation/12.0.0) | "No known vulnerabilities detected" for the package. One "Hardening" note (1 outdated toolchain detected) — not a CVE. |
| Historical Regex DoS (Issue #120 — EmailAddressValidator) | Pre-2017, resolved in commit ebe3720. v12.0.0 ships with the fixed implementation. Cycle 7 does not use EmailAddressValidator (no Matches/EmailAddress rules — all rules are integer ranges and collection-count predicates). |
| Latest published version | 12.1.1 (5 months ago at time of audit). v12.0.0 → v12.1.1 is a hardening release (no security advisories between the two); the bump is recommended but not security-mandatory. |

FluentValidation.DependencyInjectionExtensions 12.0.0

| Source | Result |
|---|---|
| GitHub Security Advisories | No published advisories. |
| NVD CVE database | No CVEs. |
| ReversingLabs Spectra Assure Community (https://secure.software/nuget/packages/fluentvalidation.dependencyinjectionextensions/vulnerabilities) | "No known vulnerabilities detected". |
| Latest published version | 12.1.1. Same posture as the main package. |

Cycle-5 carry-overs unchanged

  • D2-cy4 (Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks Medium — test-runtime exposure only) — unchanged. AZ-795 did not bump Microsoft.NET.Test.Sdk; it remains the same package at the same version with the same exposure surface. Still owned by a follow-up task at the next Test SDK refresh cycle.

Cycle-7 New Source Code Runtime Surface

The two new NuGet packages introduce the following runtime surface in the API process:

| Surface | Risk class | Notes |
|---|---|---|
| IValidator<T> registration via AddValidatorsFromAssemblyContaining<Program>() | Reflection-based DI scan | Bounded to the API assembly only (SatelliteProvider.Api.dll). Cannot pick up validators from upstream test assemblies or runtime-loaded DLLs. |
| ValidatorOptions.Global.PropertyNameResolver (set by GlobalValidatorConfig.ApplyOnce) | Process-wide static state | Idempotent under a lock guard. Only affects how error-map keys are rendered. Cannot affect parsing or business logic. |
| IValidator<T>.ValidateAsync(arg, CancellationToken) invocation in ValidationEndpointFilter<T> | User-controlled DTO entering managed code | DTOs are already deserialized by System.Text.Json (with UnmappedMemberHandling.Disallow); the validator receives strongly-typed properties only — no string injection surface. Rules in cycle 7 are integer-only (no regex, no string contains). |

Cycle-7 Findings

F-DEPS-AZ795-1 (Low / Hardening): FluentValidation 12.0.0 → 12.1.1 minor refresh available

  • Severity: Low (no CVE; hardening release only)
  • Impact: 12.1.1 includes minor lifecycle fixes published in the upstream changelog; none are flagged as security advisories.
  • Remediation: Bump FluentValidation and FluentValidation.DependencyInjectionExtensions to 12.1.1 in a follow-up cycle alongside other minor dependency rolls. Not blocking for cycle-7 release.

No Critical / High / Medium findings.

Verdict

PASS (cycle-7 delta) — zero new CVEs, zero new supply-chain blockers. One Low/hardening recommendation (minor version bump to 12.1.1).

Cumulative verdict (carrying forward earlier cycles): PASS_WITH_WARNINGS — D2-cy4 (cycle 4 Medium, test-runtime only) still in effect; cycle 7 adds one Low.