PASS_WITH_WARNINGS. Zero Critical / High.

New cycle-8 findings:
- F-AZ809-1 (Medium / A04 Insecure Design): unbounded geofences.polygons enables an authenticated DoS on POST /api/satellite/route. Cap candidate: 50 or 500.
- F-AZ810-1 (Low / A09): JsonException.Message echoed in UavUploadValidationFilter (new instance of cycle-7 F-AZ795-1 pattern in a second code path).
- F-AZ810-2 (Low / Informational): UavTileMetadata.CapturedAt typed DateTime not DateTimeOffset; freshness window drifts in non-UTC dev environments. Zero impact in UTC-deployed prod.

Carry-overs (cycle 7): F-AZ795-1, F-AZ795-2, D-AZ795-1 still open. Cycle 4 D2-cy4 still open (test-runtime Medium).

Cycle-8 architectural wins recorded: per-endpoint validation reached 100% coverage; three approved validation paths formalised; OSM wire-format normalisation under strict mode (AZ-812); UAV-handler defence-in-depth retained.

Highest-priority cycle-9 follow-up: F-AZ809-1 polygon cap.

Co-authored-by: Cursor <cursoragent@cursor.com>
Dependency Scan (Cycle 8)
Date: 2026-05-23
Mode: Delta scan
Scope: Cycle-8 delta over the cycle-7 dependency scan (_docs/05_security/dependency_scan_cycle7.md). Cycle-8 surface = AZ-808 + AZ-809 + AZ-810 + AZ-811 (strict input validation rolled out across the remaining 4 endpoints) + AZ-812 (region-API wire rename Latitude/Longitude → Lat/Lon).
Method: Manifest diff via git diff --name-only 865dfdb..b763da3 -- '*.csproj' (cycle-7 tip → cycle-8 tip; verified empty). dotnet list package --vulnerable is intentionally not run (per AGENTS.md: that command hangs the agent shell in this workspace). The manifest-diff substitute is deterministic because the result is null.
Cycle-8 Package Manifest Diff
| csproj | Cycle 7 baseline | Cycle 8 change | Net effect on supply chain |
|---|---|---|---|
| SatelliteProvider.Api/SatelliteProvider.Api.csproj | references Microsoft.AspNetCore.OpenApi 10.0.7, Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7, Newtonsoft.Json 13.0.4, Serilog.AspNetCore 8.0.3, Serilog.Sinks.File 6.0.0, SixLabors.ImageSharp 3.1.11, Swashbuckle.AspNetCore 10.1.7, FluentValidation 12.0.0, FluentValidation.DependencyInjectionExtensions 12.0.0 | +0 PackageReferences. Every cycle-8 validator + filter reuses the AZ-795 infrastructure already shipped in cycle 7. | None. |
| SatelliteProvider.Common/SatelliteProvider.Common.csproj | unchanged from cycle 5 | +0 PackageReferences — the cycle-8 DTO changes ([JsonRequired] on RequestRegionRequest, CreateRouteRequest, RoutePoint, GeoPoint, GeofencePolygon.NorthWest/SouthEast, Geofences.Polygons, UavTileMetadata.*) and the AZ-812 rename are BCL + System.Text.Json.Serialization only. | None. |
| SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj | unchanged from cycle 5 | +0 PackageReferences. The cycle-8 validator path lives in the API project; the existing UavTileUploadHandler defence-in-depth path is untouched. | None. |
| SatelliteProvider.Services.RegionProcessing/SatelliteProvider.Services.RegionProcessing.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.RouteManagement/SatelliteProvider.Services.RouteManagement.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Tests/SatelliteProvider.Tests.csproj | unchanged from cycle 5 | +0 PackageReferences — the 8 new validator unit-test files reuse the cycle-7 FluentValidation.TestHelper namespace (transitive via FluentValidation main package, picked up via ProjectReference to the API). | None. |
| SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj | unchanged from cycle 5 | +0 PackageReferences — the 4 new integration test files (CreateRouteValidationTests, GetTileByLatLonValidationTests, RegionFieldRenameTests, RegionRequestValidationTests, UavUploadValidationTests) reuse the cycle-7 ProblemDetailsAssertions helper + the pre-existing Xunit + Microsoft.AspNetCore ProjectReference. | None. |
| SatelliteProvider.TestSupport/SatelliteProvider.TestSupport.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
Net cycle-8 dependency change: zero new PackageReference lines, zero removed lines, zero version bumps. Every *.csproj file in the repo is byte-identical between 865dfdb (cycle-7 tip) and b763da3 (cycle-8 tip).
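The manifest diff described under Method stands in for a vulnerability scan only while its result is empty. As an added example (not the project's own tooling), the Python below compares PackageReference entries between two csproj snapshots so that a non-empty delta names exactly which packages need an advisory re-check; the csproj contents, the Example.Added.Package id and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    # Old-style csproj files carry an MSBuild xmlns; compare local names only.
    return tag.rsplit("}", 1)[-1]


def package_refs(csproj_xml: str) -> dict:
    """Map package id -> version for every PackageReference in a csproj."""
    refs = {}
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update")
        # Version is usually an attribute but may be a child element.
        version = el.get("Version") or next(
            ((c.text or "").strip() for c in el if _local(c.tag) == "Version"), "")
        if name:
            refs[name] = version
    return refs


def manifest_delta(old_xml: str, new_xml: str) -> dict:
    """Classify the package-level differences between two manifests."""
    old, new = package_refs(old_xml), package_refs(new_xml)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "bumped": {k: (old[k], new[k])
                   for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def is_null_delta(delta: dict) -> bool:
    """True only when nothing was added, removed or bumped."""
    return not any(delta.values())


# Constructed sample manifests (package ids and versions taken from the table above).
BASELINE = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="FluentValidation" Version="12.0.0" />
  <PackageReference Include="Newtonsoft.Json"><Version>13.0.4</Version></PackageReference>
</ItemGroup></Project>"""
# Constructed "what if" manifest: one bump plus one hypothetical new package.
CHANGED = BASELINE.replace('"12.0.0"', '"12.1.1"').replace(
    "</ItemGroup>",
    '<PackageReference Include="Example.Added.Package" Version="1.0.0" /></ItemGroup>')

if __name__ == "__main__":
    print(manifest_delta(BASELINE, BASELINE))  # null delta: carry-overs only
    print(manifest_delta(BASELINE, CHANGED))   # non-null: re-run advisory checks
```
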
Cycle-7 Carry-overs
Because cycle 8 added no new packages and bumped none, every cycle-7 dependency finding remains in force unchanged:
D-AZ795-1 (Low / Hardening) — FluentValidation 12.0.0 → 12.1.1
- Filed in dependency_scan_cycle7.md § "FluentValidation 12.0.0" and security_report_cycle7.md § "D-AZ795-1".
- Status at cycle-8 tip: still open. Cycle 8 did not bump either FluentValidation or FluentValidation.DependencyInjectionExtensions from 12.0.0 to 12.1.1. The same hardening-release recommendation carries forward.
- Cycle-8-specific re-check at https://github.com/FluentValidation/FluentValidation/security/advisories (audit date 2026-05-23): no NEW advisories published against 12.x since the cycle-7 audit. The bump remains pure forward-compatibility hardening.
D2-cy4 (Medium / test-runtime only) — Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks
- Filed in dependency_scan_cycle4.md and re-confirmed in cycles 5 and 7.
- Status at cycle-8 tip: still open. Cycle 8 did not bump Microsoft.NET.Test.Sdk. Test-runtime exposure only; not reachable from the API process.
Cycle-8 New Source Code Runtime Surface
Because no new packages were added, the new runtime surface introduced by cycle 8 sits entirely within already-vetted packages:
| New surface | Hosted by | Risk delta |
|---|---|---|
| 4 new AbstractValidator<T> subclasses (RegionRequestValidator, CreateRouteRequestValidator, GetTileByLatLonQueryValidator, UavTileBatchMetadataPayloadValidator) + 4 helper validators (RoutePointValidator, GeofencePolygonValidator, UavTileMetadataValidator, the inner GeoCornerValidator) | FluentValidation 12.0.0 — same package surface assessed in cycle 7. | None — reflection scan path (AddValidatorsFromAssemblyContaining<Program>()) is unchanged from cycle 7; cycle 8 adds more registered types but uses the same registration call. |
| RejectUnknownQueryParamsEndpointFilter + UavUploadValidationFilter — two new IEndpointFilter types | ASP.NET Core 10 — Microsoft.AspNetCore.Http already in the BCL footprint. | None — IEndpointFilter API surface is unchanged; UavUploadValidationFilter is AddTransient<>-registered, so per-request instance isolation matches the existing WithValidation<T>() pattern from cycle 7. |
| [JsonRequired] annotations on 6 modified DTOs (RequestRegionRequest, CreateRouteRequest, RoutePoint, GeoPoint, GeofencePolygon, UavTileMetadata) | System.Text.Json.Serialization — BCL. | None — cycle-7 baseline already used [JsonRequired] on TileCoord; cycle 8 just expands coverage. |
| [JsonPropertyName] annotations added by AZ-812 to RequestRegionRequest.Lat/Lon | System.Text.Json.Serialization — BCL. | None. |
Cycle-8 Findings
No new dependency findings.
The cycle-7 D-AZ795-1 Low/Hardening recommendation (FluentValidation 12.0.0 → 12.1.1) is carried forward unchanged and re-iterated in this cycle's report. Cycle 8 did not regress any prior cycle's posture.
Verdict
PASS (cycle-8 delta) — zero new CVEs, zero new supply-chain blockers, zero new packages.
Cumulative verdict (carrying forward earlier cycles): PASS_WITH_WARNINGS — D2-cy4 (cycle-4 Medium, test-runtime only) + D-AZ795-1 (cycle-7 Low/Hardening) both still in effect. Cycle 8 adds nothing to the cumulative dependency-finding ledger.