mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 17:51:13 +00:00
61612044fb
Wrap up cycle 5 verification + documentation:
- Steps 10/11 wrap-up reports (implementation_completeness + implementation_report) for the AZ-503-foundation + AZ-504 batch.
- Step 12 test-spec sync: AZ-503-foundation/AZ-504 ACs appended; AZ-505 deferred ACs recorded.
- Step 13 update-docs: architecture, data-model, glossary, module-layout, uav-tile-upload contract (v1.1.0), DataAccess + Services + Tests module docs synced; new common_uuidv5.md module doc.
- Step 14 security audit: PASS_WITH_WARNINGS; 0 new Critical/High; 2 new Low informational (F1 flightId provenance, F2 pgcrypto deploy gap).
- Step 15 performance test: PASS_WITH_INFRA_WARNINGS; PT-08 passed twice (AZ-504 fix verified); PT-01/02 failed due to recurring local Docker/colima DNS cold-start (not an app regression). Cycle-3 perf-harness leftover stays OPEN with replay #5 documented.
- Autodev state moved to Step 16 (Deploy).
Co-authored-by: Cursor <cursoragent@cursor.com>
42 lines
3.6 KiB
Markdown
# Dependency Scan (Cycle 5)
**Date**: 2026-05-12
**Mode**: Delta scan
**Scope**: Cycle-5 delta over the cycle-4 dependency scan (`_docs/05_security/dependency_scan_cycle4.md`)
**Trigger**: AZ-503-foundation + AZ-504; both Step-15-gated by the same audit infrastructure as cycle 4
## Cycle-5 Package Manifest Diff
| csproj | Cycle 4 baseline (post-AZ-500) | Cycle 5 change | Net effect on supply chain |
|--------|--------------------------------|----------------|----------------------------|
| `SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj` | references Api, TestSupport | **+1 ProjectReference**: `SatelliteProvider.Common` (AZ-503 — so test seeders can call `Uuidv5.Create`) | None — ProjectReference inside the workspace; no new NuGet packages, no new transitive graph nodes |
| `SatelliteProvider.Common/SatelliteProvider.Common.csproj` | unchanged from cycle 4 | **+0 PackageReferences** — `Uuidv5.cs` is pure BCL (`System.Security.Cryptography.SHA1`, `System.Buffers.Binary.BinaryPrimitives`, `System.Buffers.ArrayPool`) | None — no new NuGet packages |
| `SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Api/SatelliteProvider.Api.csproj` | unchanged from cycle 4 | **+0 PackageReferences** | None |
| `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` | unchanged from cycle 4 | **+0 PackageReferences** — `Uuidv5Tests` is pure BCL | None |
**Net cycle-5 dependency change**: zero new NuGet packages, zero version bumps, zero removed packages. The only manifest edit is one intra-workspace `ProjectReference` line (`IntegrationTests → Common`).
## Cycle-5 New PostgreSQL Extensions
Migration `014_AddTileIdentityColumns.sql` issues `CREATE EXTENSION IF NOT EXISTS pgcrypto`. This is a new runtime database dependency.
| Extension | Used for | Where it executes | Posture |
|-----------|----------|-------------------|---------|
| `pgcrypto` | The migration's `pg_temp.uuidv5` PL/pgSQL helper calls `digest(..., 'sha1')` to backfill `location_hash` over every pre-existing `tiles` row | Inside the migration transaction only; **runtime application code does NOT call `pgcrypto`** (UUIDv5 in production paths is computed in C# via `SatelliteProvider.Common.Utils.Uuidv5`) | Standard, bundled-with-Postgres extension. No external download. Known historical CVEs (e.g. CVE-2024-10977 in the `crypt()` Blowfish path, CVE-2025-1094 in `quote_literal`) do NOT touch the `digest()` SHA-1 surface AZ-503 uses. |
The `pg_temp.uuidv5` helper is a `pg_temp.*` function — automatically scoped to the migration's session and discarded at COMMIT. It is not callable by runtime application code.
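The scan above notes that the same UUIDv5 value is produced by two independent paths: the migration's SQL helper over `pgcrypto`'s `digest(..., 'sha1')`, and the runtime C# code built on `SHA1` and `BinaryPrimitives`. The following added example (not the project's `Uuidv5` class; the class and method names are assumptions) shows the RFC 4122 construction both paths must agree on, including the `Guid` field-order detail that can make them disagree, and checks it against a published test vector.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Added example (not SatelliteProvider.Common.Utils.Uuidv5): RFC 4122 name-based
// UUIDv5 from the same BCL pieces the scan lists, SHA1 + BinaryPrimitives.
public static class Uuidv5Example
{
    // Well-known DNS namespace from RFC 4122 Appendix C.
    public static readonly Guid NamespaceDns = new("6ba7b810-9dad-11d1-80b4-00c04fd430c8");

    public static Guid Create(Guid ns, string name)
    {
        // Hash input = namespace UUID in RFC (big-endian) byte order + UTF-8 name.
        // Guid.ToByteArray() stores the first three fields little-endian, so hashing
        // it unswapped would not match a SQL backfill that hashes the RFC byte order.
        byte[] nameBytes = Encoding.UTF8.GetBytes(name);
        byte[] input = new byte[16 + nameBytes.Length];
        SwapFieldOrder(ns.ToByteArray(), input);
        nameBytes.CopyTo(input, 16);

        byte[] hash = SHA1.HashData(input);          // 20 bytes; only the first 16 are kept
        hash[6] = (byte)((hash[6] & 0x0F) | 0x50);   // version nibble = 5
        hash[8] = (byte)((hash[8] & 0x3F) | 0x80);   // RFC 4122 variant bits = 10xx

        // Convert back from RFC byte order to Guid's in-memory layout.
        Span<byte> guidBytes = stackalloc byte[16];
        SwapFieldOrder(hash, guidBytes);
        return new Guid(guidBytes);
    }

    // Reverses the 4-, 2- and 2-byte leading fields and copies the rest; the swap is
    // its own inverse, so it converts RFC order -> Guid order and back.
    private static void SwapFieldOrder(ReadOnlySpan<byte> src, Span<byte> dst)
    {
        BinaryPrimitives.WriteUInt32BigEndian(dst, BinaryPrimitives.ReadUInt32LittleEndian(src));
        BinaryPrimitives.WriteUInt16BigEndian(dst[4..], BinaryPrimitives.ReadUInt16LittleEndian(src[4..]));
        BinaryPrimitives.WriteUInt16BigEndian(dst[6..], BinaryPrimitives.ReadUInt16LittleEndian(src[6..]));
        src.Slice(8, 8).CopyTo(dst[8..]);
    }

    public static void Main()
    {
        // Published vector (Python uuid docs): uuid5(NAMESPACE_DNS, "python.org").
        Guid expected = new("886313e1-3b8a-5372-9b90-0c9aee199e5d");
        Guid actual = Create(NamespaceDns, "python.org");
        Console.WriteLine(actual == expected ? $"OK {actual}" : $"MISMATCH {actual}");
    }
}
```

Feeding the same namespace/name pair to the migration's `pg_temp.uuidv5` helper should yield an identical value; a mismatch would mean the backfilled `location_hash` rows and the runtime-computed ones have diverged.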
## Cycle-5 Findings
None. No new CVEs to surface, no version bumps to audit, no transitive graph changes.
The cycle-4 carry-over (D2-cy4 — `Microsoft.NET.Test.Sdk 17.8.0` transitive `NuGet.Frameworks` Medium-severity finding, test-runtime exposure only) is **unchanged in cycle 5**: AZ-503 did not bump `Microsoft.NET.Test.Sdk` and did not introduce a new test-runtime package. The finding continues to live in `dependency_scan_cycle4.md` and is owned by a still-unscheduled follow-up task (slated for the next Test SDK refresh cycle).
## Verdict
**PASS** (cycle-5 delta) — zero new supply-chain findings.
Cumulative verdict (carrying forward cycle 4): **PASS_WITH_WARNINGS** (1 cycle-3 Medium carry-over via D2-cy4; no Critical/High; AZ-503/AZ-504 add nothing).