satellite-provider/_docs/05_security/security_report_cycle10.md
2026-06-26 10:55:59 +03:00

Security Audit Report (Cycle 10)

Date: 2026-06-25
Scope: Cycle-10 delta — AZ-1113 (REST 400 error message sanitization).
Trigger: /autodev Step 14 — user chose A) Run security audit.
Verdict (cycle-10 delta): PASS — 3 REST information-disclosure carry-overs resolved; 0 new Critical/High/Medium.
Verdict (cumulative): PASS_WITH_WARNINGS — F-AZ810-2, D-AZ795-1, D2-cy4 remain open.

Summary

| Severity | Cycle 10 at audit | Cumulative open |
|---|---|---|
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 0 | 1 (D2-cy4, test-runtime only) |
| Low | 0 new | 2 (F-AZ810-2, D-AZ795-1) |

OWASP Top 10:2021 (cycle-10 delta)

See owasp_review_cycle10.md — A09 improved; all other categories unchanged PASS/N/A.

Findings

| # | Severity | Category | Location | Title | Status |
|---|---|---|---|---|---|
| F-AZ795-1 | Low | Information Disclosure (A09) | GlobalExceptionHandler | JsonException.Message echoed in 400 errors[] | RESOLVED (AZ-1113) |
| F-AZ795-2 | Low | Information Disclosure (A09) | GlobalExceptionHandler | BadHttpRequestException.Message echoed in detail | RESOLVED (AZ-1113) |
| F-AZ810-1 | Low | Information Disclosure (A09) | UavUploadValidationFilter + UavTileUploadHandler | Metadata parse ex.Message echoed to client | RESOLVED (AZ-1113) |
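The three resolved findings share one root cause: an exception's Message property was copied into the HTTP response body. The handler below is an added illustration for this report, not the project's GlobalExceptionHandler (whose code is not on this page). It assumes ASP.NET Core on .NET 8 or later (IExceptionHandler), and the class name, client-facing wording and status mapping are assumptions. It shows the leaky pattern next to a sanitized replacement that keeps the full exception server-side and returns only a fixed sentence plus a trace id.

```csharp
using System;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical handler written for this report; not the project's GlobalExceptionHandler.
// Wire-up (Program.cs): builder.Services.AddExceptionHandler<SanitizingExceptionHandler>();
//                       builder.Services.AddProblemDetails();  app.UseExceptionHandler();
public sealed class SanitizingExceptionHandler : IExceptionHandler
{
    private readonly ILogger<SanitizingExceptionHandler> _logger;

    public SanitizingExceptionHandler(ILogger<SanitizingExceptionHandler> logger) => _logger = logger;

    // BEFORE (the pattern behind F-AZ795-1/-2): the exception text is the response.
    // JsonException.Message names CLR types ("could not be converted to System.DateTime ...");
    // BadHttpRequestException.Message is Kestrel's internal wording. Both reach the caller.
    public static ProblemDetails LeakyProblem(Exception ex) =>
        new ProblemDetails { Status = StatusCodes.Status400BadRequest, Detail = ex.Message };

    // AFTER: one fixed, client-facing sentence per exception type. The only input-derived
    // value echoed is JsonException.Path, which points into the caller's own document,
    // not into server internals.
    public static ProblemDetails SanitizedProblem(Exception ex, string traceId)
    {
        var (status, detail) = ex switch
        {
            JsonException je => (StatusCodes.Status400BadRequest,
                je.Path is null ? "Request body is not valid JSON."
                                : $"Request body is not valid JSON at {je.Path}."),
            BadHttpRequestException bre => (bre.StatusCode, bre.StatusCode switch
            {
                StatusCodes.Status413PayloadTooLarge     => "Request body exceeds the allowed size.",
                StatusCodes.Status415UnsupportedMediaType => "Unsupported content type.",
                _                                         => "The request could not be processed."
            }),
            _ => (StatusCodes.Status500InternalServerError, "An unexpected error occurred.")
        };

        var problem = new ProblemDetails
        {
            Status = status,
            Title  = status == StatusCodes.Status500InternalServerError ? "Server error" : "Bad request",
            Detail = detail
        };
        // Lets support correlate the client's report with the server-side log entry.
        problem.Extensions["traceId"] = traceId;
        return problem;
    }

    public async ValueTask<bool> TryHandleAsync(HttpContext ctx, Exception ex, CancellationToken ct)
    {
        // Full message and stack trace stay in the log, keyed by the same trace id.
        _logger.LogWarning(ex, "Request {TraceId} failed with {ExceptionType}",
            ctx.TraceIdentifier, ex.GetType().Name);

        var problem = SanitizedProblem(ex, ctx.TraceIdentifier);
        ctx.Response.StatusCode = problem.Status!.Value;
        await ctx.Response.WriteAsJsonAsync(problem, (JsonSerializerOptions?)null,
            "application/problem+json", ct);
        return true; // handled; nothing falls through to the default error page
    }
}
```

Whether a body-parsing JsonException reaches this handler depends on the pipeline (MVC input formatters normally convert it to a 400 before the exception middleware runs; minimal APIs and custom filters may not), so the same allow-list of messages should also cover the validation filter path named in F-AZ810-1.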

Carry-overs (still open)

  • F-AZ810-2 — DateTime vs DateTimeOffset on UavTileMetadata.CapturedAt (Low / informational)
  • D-AZ795-1 — FluentValidation 12.0.0 → 12.1.1
  • D2-cy4 — test SDK transitive JWT advisory (Moderate, test-runtime only)

Recommendations

Immediate

  • None blocking cycle 10 ship.

Short-term

  • F-AZ810-2: reject CapturedAt values with DateTimeKind.Unspecified at the validation boundary, or migrate the field to DateTimeOffset (separate task).
  • D-AZ795-1: bump FluentValidation when a coordinated package bump task lands.
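For the first short-term item, an added example (not project code; the real shape of UavTileMetadata and its validator are not on this page, so the record types, property names and rule wording are assumptions). It shows what System.Text.Json does with each form of an ISO-8601 timestamp when the target is DateTime, how a FluentValidation rule rejects the DateTimeKind.Unspecified case, and what changes once the field becomes DateTimeOffset.

```csharp
using System;
using System.Text.Json;
using FluentValidation;

// Hypothetical types for this report; the project's UavTileMetadata is not shown here.
public sealed record UavTileMetadata(string TileId, DateTime CapturedAt);
public sealed record UavTileMetadataV2(string TileId, DateTimeOffset CapturedAt);

// Interim rule for F-AZ810-2: System.Text.Json maps a timestamp without "Z" or an offset
// to DateTimeKind.Unspecified. Any later ToUniversalTime() would then silently treat it
// as server-local time, so refuse it where the rest of the metadata is validated.
public sealed class UavTileMetadataValidator : AbstractValidator<UavTileMetadata>
{
    public UavTileMetadataValidator()
    {
        RuleFor(m => m.CapturedAt)
            .Must(d => d.Kind != DateTimeKind.Unspecified)
            .WithMessage("capturedAt must carry an explicit 'Z' or UTC offset.");
    }
}

public static class CapturedAtDemo
{
    // Constructed sample bodies for this example, not captured upload traffic.
    const string Utc      = "{\"tileId\":\"t1\",\"capturedAt\":\"2026-06-25T07:00:00Z\"}";
    const string Offset   = "{\"tileId\":\"t1\",\"capturedAt\":\"2026-06-25T10:00:00+03:00\"}";
    const string NoOffset = "{\"tileId\":\"t1\",\"capturedAt\":\"2026-06-25T10:00:00\"}";

    // Web defaults: camelCase / case-insensitive property matching.
    static readonly JsonSerializerOptions Opts = new(JsonSerializerDefaults.Web);

    public static void Main()
    {
        var validator = new UavTileMetadataValidator();
        foreach (var body in new[] { Utc, Offset, NoOffset })
        {
            var m = JsonSerializer.Deserialize<UavTileMetadata>(body, Opts)!;
            var result = validator.Validate(m);
            // DateTime target: "Z" -> Kind=Utc; "+03:00" -> Kind=Local, converted to the
            // server's zone with the original offset discarded; no offset -> Unspecified,
            // which the rule above rejects.
            Console.WriteLine($"DateTime       kind={m.CapturedAt.Kind,-11} valid={result.IsValid}");
            foreach (var err in result.Errors)
                Console.WriteLine($"  {err.PropertyName}: {err.ErrorMessage}");

            var m2 = JsonSerializer.Deserialize<UavTileMetadataV2>(body, Opts)!;
            // DateTimeOffset target: the caller's offset is preserved (+03:00 stays +03:00)
            // and UtcDateTime is unambiguous. An offset-less string is still accepted with
            // the server's local offset assumed, so the explicit-offset requirement has to
            // be enforced after migration as well (e.g. by a converter that rejects it).
            Console.WriteLine($"DateTimeOffset offset={m2.CapturedAt.Offset} utc={m2.CapturedAt.UtcDateTime:o}");
        }
    }
}
```

The rule is only a stopgap: it catches the offset-less input but cannot restore the offset that the DateTime path already threw away for the "+03:00" case, which is why the migration to DateTimeOffset is the longer-term fix.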

Long-term

  • D2-cy4: pin JWT test packages when upstream resolves GHSA-59j7-ghrg-fj52 for 7.0.3 line.

Artifacts

  • dependency_scan_cycle10.md
  • static_analysis_cycle10.md
  • owasp_review_cycle10.md
  • infrastructure_review_cycle10.md