satellite-provider/_docs/05_security/dependency_scan_cycle5.md
Oleksandr Bezdieniezhnykh 61612044fb [AZ-503] [AZ-504] Cycle 5 Steps 11-15 sync
Wrap up cycle 5 verification + documentation:
- Steps 10/11 wrap-up reports (implementation_completeness +
  implementation_report) for the AZ-503-foundation + AZ-504 batch.
- Step 12 test-spec sync: AZ-503-foundation/AZ-504 ACs appended;
  AZ-505 deferred ACs recorded.
- Step 13 update-docs: architecture, data-model, glossary, module-
  layout, uav-tile-upload contract (v1.1.0), DataAccess + Services
  + Tests module docs synced; new common_uuidv5.md module doc.
- Step 14 security audit: PASS_WITH_WARNINGS; 0 new Critical/High;
  2 new Low informational (F1 flightId provenance, F2 pgcrypto
  deploy gap).
- Step 15 performance test: PASS_WITH_INFRA_WARNINGS; PT-08
  passed twice (AZ-504 fix verified); PT-01/02 failed due to
  recurring local Docker/colima DNS cold-start (not an app
  regression). Cycle-3 perf-harness leftover stays OPEN with
  replay #5 documented.
- Autodev state moved to Step 16 (Deploy).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 18:01:27 +03:00

# Dependency Scan (Cycle 5)

- Date: 2026-05-12
- Mode: Delta scan
- Scope: Cycle-5 delta over the cycle-4 dependency scan (_docs/05_security/dependency_scan_cycle4.md)
- Trigger: AZ-503-foundation + AZ-504; both Step-15-gated by the same audit infrastructure as cycle 4

## Cycle-5 Package Manifest Diff

| csproj | Cycle 4 baseline (post-AZ-500) | Cycle 5 change | Net effect on supply chain |
|---|---|---|---|
| SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj | references Api, TestSupport | +1 ProjectReference: SatelliteProvider.Common (AZ-503 — so test seeders can call Uuidv5.Create) | None — ProjectReference inside the workspace; no new NuGet packages, no new transitive graph nodes |
| SatelliteProvider.Common/SatelliteProvider.Common.csproj | unchanged from cycle 4 | +0 PackageReferences; Uuidv5.cs is pure BCL (System.Security.Cryptography.SHA1, System.Buffers.Binary.BinaryPrimitives, System.Buffers.ArrayPool) | None — no new NuGet packages |
| SatelliteProvider.DataAccess/SatelliteProvider.DataAccess.csproj | unchanged from cycle 4 | +0 PackageReferences | None |
| SatelliteProvider.Services.TileDownloader/SatelliteProvider.Services.TileDownloader.csproj | unchanged from cycle 4 | +0 PackageReferences | None |
| SatelliteProvider.Api/SatelliteProvider.Api.csproj | unchanged from cycle 4 | +0 PackageReferences | None |
| SatelliteProvider.Tests/SatelliteProvider.Tests.csproj | unchanged from cycle 4 | +0 PackageReferences; Uuidv5Tests is pure BCL | None |

Net cycle-5 dependency change: zero new NuGet packages, zero version bumps, zero removed packages. The only manifest edit is one intra-workspace ProjectReference line (IntegrationTests → Common).

## Cycle-5 New PostgreSQL Extensions

Migration 014_AddTileIdentityColumns.sql issues CREATE EXTENSION IF NOT EXISTS pgcrypto. This is a new runtime database dependency.

| Extension | Used for | Where it executes | Posture |
|---|---|---|---|
| pgcrypto | The migration's pg_temp.uuidv5 PL/pgSQL helper calls digest(..., 'sha1') to backfill location_hash over every pre-existing tiles row | Inside the migration transaction only; runtime application code does NOT call pgcrypto (UUIDv5 in production paths is computed in C# via SatelliteProvider.Common.Utils.Uuidv5) | Standard, bundled-with-Postgres extension. No external download. Known historical CVEs (e.g. CVE-2024-10977 in the crypt() Blowfish path, CVE-2025-1094 in quote_literal) do NOT touch the digest() SHA-1 surface AZ-503 uses. |

The pg_temp.uuidv5 helper is a pg_temp.* function — automatically scoped to the migration's session and discarded at COMMIT. It is not callable by runtime application code.
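Because the backfill (pgcrypto digest over SHA-1) and the runtime path (C# Uuidv5) are two independent implementations of the same RFC 4122 version-5 construction, the check a reviewer wants is that they agree byte for byte. The block below is an added example, not the project's Uuidv5.Create or the migration helper: it builds a v5 UUID from raw SHA-1 output exactly as a digest()-based helper must (hash namespace bytes followed by the UTF-8 name bytes, keep 16 bytes, overwrite the version nibble and variant bits) and compares it with the stdlib reference; the namespace UUID and tile names are constructed sample values.

```python
import hashlib
import uuid

# Constructed sample inputs (NOT the project's real namespace or key format);
# the RFC 4122 URL namespace is used only because it is a well-known constant.
SAMPLE_NAMESPACE = uuid.UUID("6ba7b811-9dad-11d1-80b4-00c04fd430c8")
SAMPLE_NAMES = ["z=12/x=2048/y=1365", "", "tile/\u00e9"]  # incl. empty and non-ASCII


def uuidv5_from_sha1(namespace: uuid.UUID, name: str) -> uuid.UUID:
    """Build a version-5 UUID from raw SHA-1 bytes.

    This is the work a SQL helper built on digest(..., 'sha1') has to do:
    SHA-1 over namespace.bytes || name (as UTF-8), take the first 16 bytes,
    then force version 5 into byte 6 and the RFC 4122 variant into byte 8.
    """
    digest = hashlib.sha1(namespace.bytes + name.encode("utf-8")).digest()
    raw = bytearray(digest[:16])
    raw[6] = (raw[6] & 0x0F) | 0x50  # high nibble of byte 6 := 0101 (version 5)
    raw[8] = (raw[8] & 0x3F) | 0x80  # top two bits of byte 8 := 10 (RFC 4122 variant)
    return uuid.UUID(bytes=bytes(raw))


def parity_mismatches(namespace: uuid.UUID, names) -> list:
    """Names for which the hand-rolled construction differs from uuid.uuid5.

    An empty list means a backfilled row and a runtime-computed value would
    carry the same location_hash for these inputs. The usual divergence
    point is name encoding (a helper that hashes bytes in a non-UTF-8
    server encoding would show up here on the non-ASCII sample).
    """
    return [n for n in names
            if uuidv5_from_sha1(namespace, n) != uuid.uuid5(namespace, n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), uuidv5_from_sha1(SAMPLE_NAMESPACE, n))
    print("mismatches:", parity_mismatches(SAMPLE_NAMESPACE, SAMPLE_NAMES))
```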

## Cycle-5 Findings

None. No new CVEs to surface, no version bumps to audit, no transitive graph changes.

The cycle-4 carry-over (D2-cy4 — Microsoft.NET.Test.Sdk 17.8.0 transitive NuGet.Frameworks Medium-severity finding, test-runtime exposure only) is unchanged in cycle 5: AZ-503 did not bump Microsoft.NET.Test.Sdk and did not introduce a new test-runtime package. The finding continues to live in dependency_scan_cycle4.md and is owned by a still-unscheduled follow-up task (slated for the next Test SDK refresh cycle).

## Verdict

PASS (cycle-5 delta) — zero new supply-chain findings.

Cumulative verdict (carrying forward cycle 4): PASS_WITH_WARNINGS (1 cycle-3 Medium carry-over via D2-cy4; no Critical/High; AZ-503/AZ-504 add nothing).