satellite-provider/_docs/05_security/dependency_scan_cycle8.md
Oleksandr Bezdieniezhnykh ac40a8b352 [AZ-808] [AZ-809] [AZ-810] [AZ-811] [AZ-812] Cycle 8 security audit
PASS_WITH_WARNINGS. Zero Critical / High.

New cycle-8 findings:
- F-AZ809-1 (Medium / A04 Insecure Design): unbounded
  geofences.polygons enables an authenticated DoS on
  POST /api/satellite/route. Cap candidate: 50 or 500.
- F-AZ810-1 (Low / A09): JsonException.Message echoed in
  UavUploadValidationFilter (new instance of cycle-7 F-AZ795-1
  pattern in a second code path).
- F-AZ810-2 (Low / Informational): UavTileMetadata.CapturedAt
  typed DateTime not DateTimeOffset; freshness window drifts in
  non-UTC dev environments. Zero impact in UTC-deployed prod.

Carry-overs (cycle 7): F-AZ795-1, F-AZ795-2, D-AZ795-1 still
open. Cycle 4 D2-cy4 still open (test-runtime Medium).

Cycle-8 architectural wins recorded: per-endpoint validation
reached 100% coverage; three approved validation paths
formalised; OSM wire-format normalisation under strict mode
(AZ-812); UAV-handler defence-in-depth retained.

Highest-priority cycle-9 follow-up: F-AZ809-1 polygon cap.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:17:31 +03:00

Dependency Scan (Cycle 8)

Date: 2026-05-23

Mode: Delta scan

Scope: Cycle-8 delta over the cycle-7 dependency scan (_docs/05_security/dependency_scan_cycle7.md). Cycle-8 surface = AZ-808 + AZ-809 + AZ-810 + AZ-811 (strict input validation rolled out across the remaining 4 endpoints) + AZ-812 (region-API wire rename Latitude/Longitude → Lat/Lon).

Method: Manifest diff via git diff --name-only 865dfdb..b763da3 -- '*.csproj' (cycle-7 tip → cycle-8 tip; verified empty). dotnet list package --vulnerable is intentionally not run (per AGENTS.md: that command hangs the agent shell in this workspace). The manifest-diff substitute is deterministic because the result is null.

Cycle-8 Package Manifest Diff

| csproj | Cycle 7 baseline | Cycle 8 change | Net effect on supply chain |
|---|---|---|---|
| SatelliteProvider.Api/SatelliteProvider.Api.csproj | references Microsoft.AspNetCore.OpenApi 10.0.7, Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7, Newtonsoft.Json 13.0.4, Serilog.AspNetCore 8.0.3, Serilog.Sinks.File 6.0.0, SixLabors.ImageSharp 3.1.11, Swashbuckle.AspNetCore 10.1.7, FluentValidation 12.0.0, FluentValidation.DependencyInjectionExtensions 12.0.0 | +0 PackageReferences. Every cycle-8 validator + filter reuses the AZ-795 infrastructure already shipped in cycle 7. | None. |
| SatelliteProvider.Common/SatelliteProvider.Common.csproj | unchanged from cycle 5 | +0 PackageReferences — the cycle-8 DTO changes ([JsonRequired] on RequestRegionRequest, CreateRouteRequest, RoutePoint, GeoPoint, GeofencePolygon.NorthWest/SouthEast, Geofences.Polygons, UavTileMetadata.*) and the AZ-812 rename are BCL + System.Text.Json.Serialization only. | None. |
| SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj | unchanged from cycle 5 | +0 PackageReferences. The cycle-8 validator path lives in the API project; the existing UavTileUploadHandler defence-in-depth path is untouched. | None. |
| SatelliteProvider.Services.RegionProcessing/SatelliteProvider.Services.RegionProcessing.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Services.RouteManagement/SatelliteProvider.Services.RouteManagement.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |
| SatelliteProvider.Tests/SatelliteProvider.Tests.csproj | unchanged from cycle 5 | +0 PackageReferences — the 8 new validator unit-test files reuse the cycle-7 FluentValidation.TestHelper namespace (transitive via FluentValidation main package, picked up via ProjectReference to the API). | None. |
| SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj | unchanged from cycle 5 | +0 PackageReferences — the 4 new integration test files (CreateRouteValidationTests, GetTileByLatLonValidationTests, RegionFieldRenameTests, RegionRequestValidationTests, UavUploadValidationTests) reuse the cycle-7 ProblemDetailsAssertions helper + the pre-existing Xunit + Microsoft.AspNetCore ProjectReference. | None. |
| SatelliteProvider.TestSupport/SatelliteProvider.TestSupport.csproj | unchanged from cycle 5 | +0 PackageReferences. | None. |

Net cycle-8 dependency change: zero new PackageReference lines, zero removed lines, zero version bumps. Every *.csproj file in the repo is byte-identical between 865dfdb (cycle-7 tip) and b763da3 (cycle-8 tip).
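
The manifest diff above reports only which csproj files changed. As an added example (not part of this project's tooling), the script below lists what changed inside one manifest so that a non-empty diff can be triaged package by package. The function names pkg_refs, pkg_delta and manifest_gate are hypothetical, the sample manifests are constructed, and it assumes PackageReference entries in attribute form.

```shell
#!/bin/sh
# Added example, not project code: PackageReference delta between two
# revisions of one csproj (e.g. saved with `git show <rev>:<path> > file`).

# Print "Name Version" per PackageReference, sorted. Assumes the attribute
# form <PackageReference Include="X" Version="Y" />; an entry without a
# Version attribute is reported as "unpinned".
pkg_refs() {
  { grep -o '<PackageReference[^>]*>' "$1" || true; } |
  while IFS= read -r tag; do
    name=$(printf '%s\n' "$tag" | sed -n 's/.*Include="\([^"]*\)".*/\1/p')
    ver=$(printf '%s\n' "$tag" | sed -n 's/.*Version="\([^"]*\)".*/\1/p')
    printf '%s %s\n' "$name" "${ver:-unpinned}"
  done | sort
}

# Print ADDED / REMOVED / BUMPED lines; empty output means no manifest change.
pkg_delta() {
  { pkg_refs "$1" | sed 's/^/old /'; pkg_refs "$2" | sed 's/^/cur /'; } |
  awk '
    $1 == "old" { old[$2] = $3 }
    $1 == "cur" { cur[$2] = $3 }
    END {
      for (p in old) {
        if (!(p in cur))           print "REMOVED", p, old[p]
        else if (old[p] != cur[p]) print "BUMPED", p, old[p], "->", cur[p]
      }
      for (p in cur) if (!(p in old)) print "ADDED", p, cur[p]
    }' | sort
}

# Gate: succeed only when the delta is empty (the condition the scan method
# relies on); otherwise list the packages that need a fresh advisory check.
manifest_gate() {
  delta=$(pkg_delta "$1" "$2")
  if [ -z "$delta" ]; then return 0; fi
  printf '%s\n' "$delta" >&2
  return 1
}

# Constructed sample manifests (versions taken from the report's baseline and
# its D-AZ795-1 recommendation; Example.Constructed is a made-up package).
SAMPLES=$(mktemp -d)
ref() { printf '  <PackageReference Include="%s" Version="%s" />\n' "$1" "$2"; }
{ ref FluentValidation 12.0.0; ref Newtonsoft.Json 13.0.4; } > "$SAMPLES/old.csproj"
{ ref FluentValidation 12.1.1; ref Newtonsoft.Json 13.0.4
  ref Example.Constructed 1.0.0; } > "$SAMPLES/new.csproj"
pkg_delta "$SAMPLES/old.csproj" "$SAMPLES/new.csproj"
```
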

Cycle-7 Carry-overs

Because cycle 8 added no new packages and bumped none, every cycle-7 dependency finding remains in force unchanged:

D-AZ795-1 (Low / Hardening) — FluentValidation 12.0.0 → 12.1.1

  • Filed in dependency_scan_cycle7.md § "FluentValidation 12.0.0" and security_report_cycle7.md § "D-AZ795-1".
  • Status at cycle-8 tip: still open. Cycle 8 did not bump either FluentValidation or FluentValidation.DependencyInjectionExtensions from 12.0.0 to 12.1.1. The same hardening-release recommendation carries forward.
  • Cycle-8-specific re-check at https://github.com/FluentValidation/FluentValidation/security/advisories (audit date 2026-05-23): no NEW advisories published against 12.x since the cycle-7 audit. The bump remains pure forward-compatibility hardening.

D2-cy4 (Medium / test-runtime only) — Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks

  • Filed in dependency_scan_cycle4.md and re-confirmed in cycles 5 and 7.
  • Status at cycle-8 tip: still open. Cycle 8 did not bump Microsoft.NET.Test.Sdk. Test-runtime exposure only; not reachable from the API process.

Cycle-8 New Source Code Runtime Surface

Because no new packages were added, the new runtime surface introduced by cycle 8 sits entirely within already-vetted packages:

| New surface | Hosted by | Risk delta |
|---|---|---|
| 4 new AbstractValidator<T> subclasses (RegionRequestValidator, CreateRouteRequestValidator, GetTileByLatLonQueryValidator, UavTileBatchMetadataPayloadValidator) + 4 helper validators (RoutePointValidator, GeofencePolygonValidator, UavTileMetadataValidator, the inner GeoCornerValidator) | FluentValidation 12.0.0 — same package surface assessed in cycle 7. | None — reflection scan path (AddValidatorsFromAssemblyContaining<Program>()) is unchanged from cycle 7; cycle 8 adds more registered types but uses the same registration call. |
| RejectUnknownQueryParamsEndpointFilter + UavUploadValidationFilter — two new IEndpointFilter types | ASP.NET Core 10 — Microsoft.AspNetCore.Http already in the BCL footprint. | None — IEndpointFilter API surface is unchanged; UavUploadValidationFilter is AddTransient<>-registered, so per-request instance isolation matches the existing WithValidation<T>() pattern from cycle 7. |
| [JsonRequired] annotations on 6 modified DTOs (RequestRegionRequest, CreateRouteRequest, RoutePoint, GeoPoint, GeofencePolygon, UavTileMetadata) | System.Text.Json.Serialization — BCL. | None — cycle-7 baseline already used [JsonRequired] on TileCoord; cycle 8 just expands coverage. |
| [JsonPropertyName] annotations added by AZ-812 to RequestRegionRequest.Lat/Lon | System.Text.Json.Serialization — BCL. | None. |

Cycle-8 Findings

No new dependency findings.

The cycle-7 D-AZ795-1 Low/Hardening recommendation (FluentValidation 12.0.0 → 12.1.1) is carried forward unchanged and re-iterated in this cycle's report. Cycle 8 did not regress any prior cycle's posture.

Verdict

PASS (cycle-8 delta) — zero new CVEs, zero new supply-chain blockers, zero new packages.

Cumulative verdict (carrying forward earlier cycles): PASS_WITH_WARNINGS — D2-cy4 (cycle-4 Medium, test-runtime only) + D-AZ795-1 (cycle-7 Low/Hardening) both still in effect. Cycle 8 adds nothing to the cumulative dependency-finding ledger.