azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 14:31:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8e15e537820d0196e3251ee409fc315b023296eb
satellite-provider/_docs/05_security/dependency_scan.md
T
Oleksandr Bezdieniezhnykh 51b572108a
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details
[AZ-484] Cycle 1 Steps 12-16: docs, security, perf, deploy report 
Captures the post-implementation autodev gates for AZ-484 multi-source
tile storage:

- Step 12 (Test-Spec Sync): added 7 AC rows (AZ-484 AC-1..AC-7) and a
  PT-07 NFR row to traceability-matrix.md; added PT-07 scenario to
  performance-tests.md.
- Step 13 (Update Docs): refreshed data_model.md (tiles columns +
  indexes + selection rule + UPSERT contract + migrations 012/013),
  module-layout.md (Common/Enums section with L-001 guidance,
  DataAccess imports-from now lists 6 sites), 6 module / component
  docs to reflect the new repo signatures, source/captured_at fields,
  and Dapper enum bypass workaround. ripple_log_cycle1.md records
  zero out-of-scope ripple.
- Step 14 (Security Audit): PASS_WITH_WARNINGS - 0 Critical, 0 High,
  5 Medium, 5 Low. AZ-484 itself added zero new findings. Hardening
  items (Postgres default creds, .env in build context, GMaps key
  rotation, ASP.NET Core 8.0.21 -> 8.0.25, rate limiter) recorded
  for separate tickets.
- Step 15 (Performance Test): all PT-01..PT-07 scenarios Unverified
  (non-blocking); PT-07 baseline-comparison harness deferred to a
  leftover for next cycle.
- Step 16 (Deploy): cycle deploy report covering migration safety,
  rollback path, post-deploy verification, security caveats.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 10:03:05 +03:00

4.5 KiB
Raw Blame History

Phase 1 — Dependency Scan

Date: 2026-05-11 Method: Manual inventory from *.csproj + targeted advisory search (WebSearch against GHSA / NVD / NuGet ReversingLabs). Reason for manual mode: dotnet list package --vulnerable is on the project's "do not run from agent" list (AGENTS.md — these commands hang in this environment).

Inventory

Project Package Version Notes
Api Microsoft.AspNetCore.OpenApi 8.0.21 ASP.NET Core 8 LTS patch (one behind 8.0.25)
Api Newtonsoft.Json 13.0.4 Latest 13.x
Api Serilog.AspNetCore 8.0.3
Api Serilog.Sinks.File 6.0.0
Api SixLabors.ImageSharp 3.1.11
Api Swashbuckle.AspNetCore 6.6.2
Common SixLabors.ImageSharp 3.1.11
DataAccess Dapper 2.1.35
DataAccess Npgsql 9.0.2
DataAccess dbup-postgresql 6.0.3
DataAccess Microsoft.Extensions.Configuration.Abstractions 9.0.10
DataAccess Microsoft.Extensions.Logging.Abstractions 9.0.10
TileDownloader Microsoft.Extensions.Caching.Memory 9.0.10
TileDownloader Microsoft.Extensions.Http 9.0.10
TileDownloader Microsoft.Extensions.Logging.Abstractions 9.0.10
TileDownloader Microsoft.Extensions.Options.ConfigurationExtensions 9.0.10
TileDownloader Newtonsoft.Json 13.0.4
Tests coverlet.collector 6.0.0
Tests FluentAssertions 8.8.0
Tests Microsoft.Extensions.* 9.0.10 (multiple)
Tests Microsoft.NET.Test.Sdk 17.8.0 NuGet.Frameworks transitive CVE flag — see findings
Tests Moq 4.20.72
Tests xunit 2.5.3
Tests xunit.runner.visualstudio 2.5.3

Findings

# Severity Package Version Advisory Disposition
D1 Medium (production-risk: Low, exposure: not reachable) Microsoft.AspNetCore.OpenApi → ASP.NET Core 8 runtime 8.0.21 CVE-2026-26130 — SignalR DoS via unbounded buffer Not exploitable in this app: codebase grep for SignalR|MapHub|UseSignalR|HubConnection returns zero hits. Runtime patch still recommended. Upgrade Microsoft.AspNetCore.OpenApi to 8.0.25 (or current 8.0.x patch) and redeploy on a runtime ≥ 8.0.25 to remove the vulnerable code paths from the deployed image.
D2 Low (test-only) Microsoft.NET.Test.Sdk 17.8.0 CVE-2022-30184 via transitive NuGet.Frameworks <6.2.1 — information disclosure (CVSS 5.5) Not exploitable in production: package is IsTestProject=true only; never shipped. Upgrade to Microsoft.NET.Test.Sdk ≥ 17.9.0 (which dropped the NuGet.Frameworks dependency entirely) the next time the test project's deps are touched.

Cross-version sanity (per coderule.mdc: keep dependency versions consistent)

  • Microsoft.Extensions.* is uniformly 9.0.10 across DataAccess, TileDownloader, Tests, RegionProcessing, RouteManagement — consistent. ✓
  • Newtonsoft.Json is 13.0.4 in both Api and TileDownloader — consistent. ✓
  • SixLabors.ImageSharp is 3.1.11 in both Api and Common — consistent. ✓
  • ASP.NET Core meta-package level is at 8.0.21 while extensions are at 9.0.10. The 9.x extensions ship a forward-compatible netstandard2.0 surface and load fine on the .NET 8 runtime — no functional issue, but worth flagging as a minor consistency drift for whoever next bumps the framework.

Items checked clean

  • SixLabors.ImageSharp 3.1.11 — newer than the patched 3.1.7 / 3.1.5 lines (CVE-2024-41131, CVE-2025-27598). No outstanding GHSA against 3.1.11 itself.
  • Newtonsoft.Json 13.0.4 — past CVE-2024-21907 fix line (13.0.1).
  • Npgsql 9.0.2 — outside the 4.x / 5.x / 6.x / 7.x / 8.x ranges affected by CVE-2024-32655 (SQL injection via protocol message size overflow). 9.0.x line was never affected.
  • Dapper 2.1.35 — only "advisory" hit was a dependency-check false positive for SQLite CVE-2017-10989; not a Dapper issue.
  • Swashbuckle.AspNetCore 6.6.2 — no published GHSA / CVE.
  • Serilog.AspNetCore 8.0.3 — no published GHSA / CVE.
  • dbup-postgresql 6.0.3 — no published GHSA / CVE.

Self-verification

  • All package manifests scanned (8 csproj files)
  • Each finding has a CVE ID or advisory reference
  • Upgrade paths identified for every Medium/Low finding
  • No Critical or High finding remains open after exploitability triage
Reference in New Issue View Git Blame Copy Permalink