satellite-provider/_docs/05_security/security_report_cycle4.md

Security Audit Report (Cycle 4)

Date: 2026-05-12 Scope: Cycle-4 delta over the cycle-3 audit (_docs/05_security/security_report.md) Trigger: AZ-500 .NET 8 LTS → .NET 10 migration; AZ-500 Security NFR requires a fresh dependency-scan pass after the bump Mode: Resume (per user choice at the prerequisite gate) — only Phase 1 (dependency scan) was re-executed; Phases 2–4 carried forward from cycle 3 because AZ-500 made no source-level edits to the surfaces those phases cover (auth/authorization, input validation, crypto, deserialization, data exposure, infrastructure beyond the image-tag bump) Verdict: PASS_WITH_WARNINGS

Summary

Severity	Count (cycle 4 delta)	Count (cumulative — incl. cycle-3 carry-overs)
Critical	0	0
High	0	0
Medium	0 NEW	1 (D2-cy4 — Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks flag, carried over from cycle 3, test-runtime exposure only, AZ-500 explicitly out-of-scope)
Low	5 NEW (informational only — all are "no published advisory" confirmations on the bumped lines)	5 NEW + cycle-3 carry-overs

OWASP Top 10 Assessment

Carried forward unchanged from cycle 3 (_docs/05_security/owasp_review.md). AZ-500 introduced no new endpoints, no new permission policies, no new user-input paths, no new external integrations, no new crypto, and no new data-exposure surface — all 10 OWASP categories retain their cycle-3 posture. Cycle-3 status table is the authoritative reference.

Cycle-4 NEW Findings

#	Severity	Category	Location	Title
F1-cy4	Low (informational)	Vulnerable Components	SatelliteProvider.Api/SatelliteProvider.Api.csproj (Microsoft.AspNetCore.Authentication.JwtBearer 10.0.7)	No published advisories — bump closes cycle-3 D1 (CVE-2026-26130)
F2-cy4	Low (informational)	Vulnerable Components	SatelliteProvider.Api/SatelliteProvider.Api.csproj (Microsoft.AspNetCore.OpenApi 10.0.7)	No published advisories — bump closes cycle-3 D3
F3-cy4	Low (informational)	Vulnerable Components	SatelliteProvider.Api/SatelliteProvider.Api.csproj (Swashbuckle.AspNetCore 10.1.7)	New major-line; clean per ReversingLabs scan
F4-cy4	Low (informational)	Vulnerable Components	Transitive via Swashbuckle (Microsoft.OpenApi 2.3.x)	New major-line; clean per Microsoft/OpenAPI.NET GitHub Security tab (zero published advisories)
F5-cy4	Low (informational)	Vulnerable Components	All 11 Microsoft.Extensions.* package IDs across 6 csproj files (10.0.7)	No published advisories — historical CVE-2024-43483 was already not applicable in cycle 3 (9.0.10 baseline post-rc.1 cutoff); 10.0.7 carries the fix forward

Finding Details

F1-cy4: Microsoft.AspNetCore.Authentication.JwtBearer bumped to 10.0.7 — no known vulnerabilities (Low / Vulnerable Components)

• Location: SatelliteProvider.Api/SatelliteProvider.Api.csproj (and SatelliteProvider.Tests/SatelliteProvider.Tests.csproj transitively)
• Description: AZ-500 bumped this package from 8.0.25 → 10.0.7 as part of the .NET 10 migration. The 10.0.7 line is reported as having 0 known vulnerabilities by Sonatype Guide and ReversingLabs Spectra Assure as of 2026-05-12.
• Impact: None — this is an informational confirmation. The bump SUPERSEDES the cycle-3 D1 finding (CVE-2026-26130 SignalR DoS) because the 10.x line incorporates that fix and continues forward; SignalR is still unused in this codebase.
• Remediation: None required. AZ-500 NFR (Security) is satisfied for this package.
• Verification cross-reference: AZ-487/AZ-494 integration tests (SEC-05..SEC-09 + AZ-494 AC-1/AC-2) — all green in the cycle-4 Step 11 full run, confirming JWT validation contract preservation across the major bump.

F2-cy4: Microsoft.AspNetCore.OpenApi bumped to 10.0.7 — no known vulnerabilities (Low / Vulnerable Components)

• Location: SatelliteProvider.Api/SatelliteProvider.Api.csproj
• Description: AZ-500 bumped this package from 8.0.25 → 10.0.7. Same supply-chain advisory family as F1; bump supersedes cycle-3 D3.
• Impact: None.
• Remediation: None required.

F3-cy4: Swashbuckle.AspNetCore bumped to 10.1.7 — no known vulnerabilities (Low / Vulnerable Components)

• Location: SatelliteProvider.Api/SatelliteProvider.Api.csproj
• Description: AZ-500 bumped this package from 6.6.2 → 10.1.7 specifically to land Microsoft.OpenApi 2.x compat (required by ASP.NET Core 10's Microsoft.AspNetCore.OpenApi 10.x). ReversingLabs scan of the 10.1.x line reports 0 known vulnerabilities.
• Impact: None — bump was driven by compat, not by an active CVE. Note that the major bump introduced a breaking-API change (Microsoft.OpenApi 1.x → 2.x), which drove three internal Program.cs setup edits (using-directive, AddSecurityRequirement → Func<OpenApiDocument, OpenApiSecurityRequirement> + OpenApiSecuritySchemeReference("Bearer"), MapType<UavTileBatchUploadRequest> → JsonSchemaType + IDictionary<string, IOpenApiSchema>). The Swagger document shape (paths, Bearer Authorize button, multipart-batch upload schema) is preserved exactly; SwaggerDocument_AdvertisesBearerSecurityScheme programmatic test passed.
• Remediation: None required for security. Eight ASPDEPR002 WithOpenApi(...) deprecation warnings remain in Program.cs — recorded as a follow-up PBI in _docs/03_implementation/reviews/batch_01_cycle4_review.md.

F4-cy4: Microsoft.OpenApi 2.3.x (transitive) — no known vulnerabilities (Low / Vulnerable Components)

• Location: Transitive dependency of Swashbuckle.AspNetCore 10.1.7 and Microsoft.AspNetCore.OpenApi 10.0.7
• Description: AZ-500's Swashbuckle bump pulled in Microsoft.OpenApi 2.x as a transitive replacement for the 1.x previously in scope. The microsoft/OpenAPI.NET GitHub Security tab shows zero published advisories for the 2.x line.
• Impact: None for security. Code-impact handled in F3 (the API rewrite was small and contained).
• Remediation: None required.

F5-cy4: Microsoft.Extensions. coordinated bump to 10.0.7 — no known vulnerabilities* (Low / Vulnerable Components)

• Location: 6 csproj files: SatelliteProvider.Api, SatelliteProvider.Tests, SatelliteProvider.DataAccess, SatelliteProvider.Services.TileDownloader, SatelliteProvider.Services.RegionProcessing, SatelliteProvider.Services.RouteManagement. ~20 PackageReference rows across 11 distinct package IDs (Caching.Memory, Configuration.Abstractions, Configuration.Json, DependencyInjection, DependencyInjection.Abstractions, Hosting.Abstractions, Http, Logging.Abstractions, Logging.Console, Options, Options.ConfigurationExtensions).
• Description: AZ-500 bumped all M.E.* references from 9.0.10 → 10.0.7 as a coordinated cycle-4 move (per AZ-500 Constraint: "TFM, SDK pin, Docker images, CI images, and M.E.* package versions ALL move in the same commit"). Historical Microsoft.Extensions.Caching.Memory CVE-2024-43483 (DoS via hash flooding) affected only 6.x ≤ 6.0.1 / 8.x ≤ 8.0.0 / 9.x ≤ 9.0.0-rc.1 — the cycle-3 9.0.10 baseline was already past that cutoff; 10.0.7 carries the fix forward.
• Impact: None.
• Remediation: None required. The Microsoft.IdentityModel.Tokens 7.0.3 / System.IdentityModel.Tokens.Jwt 7.0.3 packages remain pinned (AZ-500 Constraint kept them out of scope); restore against net10.0 succeeded with no NU1605/NU1107 conflicts (Risk #3 verified clean in the cycle-4 Step 11 build path).

Cycle-3 carry-overs (still OPEN)

#	Severity	Title	Why still OPEN	Cycle-4 disposition
D2 (cycle 3)	Medium (production-risk: Low, exposure: test-runtime only)	Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks advisory flag	AZ-500 explicitly excluded Microsoft.NET.Test.Sdk from scope (Constraint: "do not silently fold in unrelated package bumps")	Continue to defer. Recommend a separate PBI (post-cycle-4) to bump 17.8.0 → 17.13.0+ when the team next touches test infrastructure. Test-runtime-only exposure; not loaded in the production container.

All cycle-3 SAST findings (_docs/05_security/static_analysis.md), OWASP findings (_docs/05_security/owasp_review.md), and infrastructure findings (_docs/05_security/infrastructure_review.md) carry forward at their cycle-3 dispositions. AZ-500 made no source-level changes that would alter any of those.

Recommendations

Immediate (Critical / High)

• None. No Critical or High findings introduced by AZ-500.

Short-term (Medium)

• (Carried over from cycle 3) PBI: bump Microsoft.NET.Test.Sdk 17.8.0 → 17.13.0+ to close D2-cy4 / D2 (cycle 3). Estimated 1 SP. Test-only impact.

Long-term (Low / Hardening)

• Re-check Serilog.AspNetCore at the start of every subsequent cycle. If a 10.x line ships, bump as a single-PBI hygiene task to remove the AZ-500 Risk #4 fallback note from AGENTS.md / _docs/02_document/00_discovery.md / _docs/02_document/modules/api_program.md.
• (From cycle-4 review) Migrate the 8 WithOpenApi(...) callsites in Program.cs to the ASP.NET Core 10 minimal-API metadata extensions to clear the ASPDEPR002 deprecation warnings (3 SP, recommended PBI from _docs/03_implementation/reviews/batch_01_cycle4_review.md). Not a security item — quality/maintainability — but worth tracking alongside the AZ-500 follow-ups.

Verdict justification

• PASS would require zero findings of any severity. Cycle-3 D2 carry-over (Medium) prevents PASS.
• PASS_WITH_WARNINGS is the correct verdict because the only OPEN item is a Medium with mitigations in place (test-runtime-only exposure, not loaded in production container) and AZ-500 explicitly scoped it out per its Constraints. AZ-500 itself introduced zero new findings above Low.
• FAIL would require Critical or High. AZ-500 introduced none.

Self-verification

• All findings from the executed phase (Phase 1 — dependency_scan_cycle4.md) included.
• No duplicate findings.
• Every finding has remediation guidance ("None required" is acceptable for informational confirmations on clean lines).
• Verdict matches severity logic (PASS_WITH_WARNINGS — only Medium open is a cycle-3 carry-over with documented mitigations).
• Cycle-3 phases that were intentionally not re-executed (Phases 2/3/4) are explicitly cited as "carried forward" with the rationale recorded.
• AZ-500's three named risks (Risk #1 JwtBearer behavioral change, Risk #2 OpenApi Swagger UI breakage, Risk #3 M.E.* cascade conflict) are each cross-referenced against an in-cycle verification.