satellite-provider/_docs/05_security/dependency_scan_cycle9.md
Oleksandr Bezdieniezhnykh 7ed780b063
ci/woodpecker/push/01-test Pipeline failed
ci/woodpecker/push/02-build-push unknown status
[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics
Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors).
Standalone integration compose stack, docs, security audit, perf and retro.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-25 17:32:14 +03:00


Dependency Scan (Cycle 9)

Date: 2026-06-25
Mode: Delta scan
Scope: Cycle-9 delta over cycle-8 (dependency_scan_cycle8.md). Surface = AZ-1074/AZ-1075 gRPC RouteTileDelivery + SatelliteProvider.GrpcContracts.
Method: `dotnet list SatelliteProvider.sln package --vulnerable --include-transitive` via Docker SDK 10.0 image + manifest diff on new/changed csproj files.

Cycle-9 Package Manifest Diff

| csproj | Cycle 8 baseline | Cycle 9 change |
|---|---|---|
| SatelliteProvider.Api/SatelliteProvider.Api.csproj | unchanged | +1 Grpc.AspNetCore 2.71.0 |
| SatelliteProvider.GrpcContracts/SatelliteProvider.GrpcContracts.csproj | NEW | Google.Protobuf 3.31.1, Grpc.AspNetCore 2.71.0, Grpc.Tools 2.71.0 (PrivateAssets) |
| All other csproj | unchanged | +0 |

Vulnerable Package Scan (2026-06-25)

| Project | Finding | Severity | Notes |
|---|---|---|---|
| SatelliteProvider.Api | none | | Includes new Grpc.AspNetCore 2.71.0 — clean |
| SatelliteProvider.GrpcContracts | none | | New project — clean |
| SatelliteProvider.IntegrationTests | transitive Microsoft.IdentityModel.JsonWebTokens 7.0.3, System.IdentityModel.Tokens.Jwt 7.0.3 | Moderate | GHSA-59j7-ghrg-fj52 — test-runtime only (pre-existing; unchanged by cycle 9) |
| SatelliteProvider.TestSupport | same JWT packages 7.0.3 | Moderate | test-runtime only — pre-existing |

Cycle-9 Findings

No new dependency CVEs from the gRPC package additions. Grpc.AspNetCore 2.71.0 / Google.Protobuf 3.31.1 report clean against NuGet advisory feed at scan time.

Carry-overs

  • D-AZ795-1 (Low): FluentValidation 12.0.0 → 12.1.1 hardening — still open
  • D2-cy4 (Medium, test-runtime): Microsoft.NET.Test.Sdk transitive — still open

Verdict

PASS (cycle-9 delta) — zero new CVEs in production/runtime packages.

Cumulative: PASS_WITH_WARNINGS — D2-cy4 + D-AZ795-1 carry-overs unchanged.
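The Method line and the two verdicts above describe a delta scan: parse the scanner's output, subtract the previous cycle's findings, and fail only when something new lands in a production/runtime project. The script below is an added example of that logic, not part of this report or the SatelliteProvider code base. The scanner output it parses is constructed to resemble the text format of `dotnet list SatelliteProvider.sln package --vulnerable --include-transitive` (column layout and the "has no vulnerable packages" wording are approximations, the `[net10.0]` target framework is assumed); the set of test-only projects, the cycle-8 baseline and the PASS / PASS_WITH_WARNINGS / FAIL rules are modelled on the report rather than taken from it.

```python
"""Delta dependency-scan verdict over `dotnet list ... package --vulnerable` output.

Added example, not part of the cycle-9 report or the SatelliteProvider code base.
The sample output below is CONSTRUCTED to resemble the dotnet CLI's text format;
the test-only project set, baseline and verdict rules are assumptions."""

import re
from dataclasses import dataclass

# Projects whose findings count as test-runtime only (assumed from the report's notes).
TEST_ONLY_PROJECTS = {"SatelliteProvider.IntegrationTests", "SatelliteProvider.TestSupport"}

PROJECT_RE = re.compile(r"Project `([^`]+)` has the following vulnerable packages")


@dataclass(frozen=True)  # frozen -> hashable, so findings can be set-diffed
class Finding:
    project: str
    package: str
    resolved: str
    severity: str
    advisory: str
    transitive: bool


def parse_scan(text: str) -> list[Finding]:
    """One Finding per `>` row, tagged with the project and table it sits under."""
    findings: list[Finding] = []
    project = None
    transitive = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PROJECT_RE.search(line)
        if m:
            project = m.group(1)
            continue
        if "has no vulnerable packages" in line:  # clean project: skip until next header
            project = None
            continue
        if line.startswith("Top-level Package"):
            transitive = False
            continue
        if line.startswith("Transitive Package"):
            transitive = True
            continue
        if project and line.startswith(">"):
            # Top-level rows carry Requested + Resolved, transitive rows only Resolved,
            # so index the trailing Resolved/Severity/Advisory columns from the right.
            cols = line[1:].split()
            if len(cols) < 4:
                continue
            findings.append(Finding(project, cols[0], cols[-3], cols[-2], cols[-1], transitive))
    return findings


def delta_verdict(current, baseline, test_only=TEST_ONLY_PROJECTS):
    """PASS unless a finding absent from the baseline hits a production/runtime project.
    Returns (verdict, new findings)."""
    seen = set(baseline)
    new = [f for f in current if f not in seen]
    if any(f.project not in test_only for f in new):
        return "FAIL", new
    return "PASS", new


def cumulative_verdict(current, test_only=TEST_ONLY_PROJECTS):
    """Whole-tree verdict: production finding -> FAIL, test-only -> PASS_WITH_WARNINGS."""
    if any(f.project not in test_only for f in current):
        return "FAIL"
    return "PASS_WITH_WARNINGS" if current else "PASS"


# ---- constructed sample scanner output (format approximated, TFM assumed) ----
_JWT_ROWS = """\
   [net10.0]:
   Transitive Package                       Resolved   Severity   Advisory URL
   > Microsoft.IdentityModel.JsonWebTokens  7.0.3      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   > System.IdentityModel.Tokens.Jwt        7.0.3      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
"""
_TEST_SECTION = "".join(
    f"Project `{p}` has the following vulnerable packages\n{_JWT_ROWS}\n"
    for p in sorted(TEST_ONLY_PROJECTS)
)
_CLEAN = "The given project `{}` has no vulnerable packages given the current sources.\n"
CYCLE8_OUTPUT = _CLEAN.format("SatelliteProvider.Api") + _TEST_SECTION
CYCLE9_OUTPUT = (_CLEAN.format("SatelliteProvider.Api")
                 + _CLEAN.format("SatelliteProvider.GrpcContracts") + _TEST_SECTION)

if __name__ == "__main__":
    current = parse_scan(CYCLE9_OUTPUT)
    verdict, new = delta_verdict(current, parse_scan(CYCLE8_OUTPUT))
    print(f"delta: {verdict} ({len(new)} new) / cumulative: {cumulative_verdict(current)}")
```

The baseline is whatever the previous cycle's scan produced (here the same two test projects with the pre-existing JWT advisory), so carry-overs are reported under the cumulative verdict rather than blocking the delta gate.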