Add draft project security threat-model document#352
Conversation
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0bed1ee to
b13371b
Compare
|
Heads-up on the red SonarQube Analysis: this PR is documentation-only — it adds a draft threat-model document and touches no code — so the Sonar quality-gate / coverage result is unrelated to the change. Flagging so the red check isn't read as a defect in the PR. |
|
Note for reviewers: the failing Maven Build is a surefire test failure in |
|
Quick note on CI: the red "Maven Build" isn't introduced by this change — it's a docs-only PR (the threat-model doc already carries the ASF license header), and the failure is in the full integration-testing build, unrelated to the added file. It shouldn't block review/merge. Happy to rebase for a clean run if useful. |
|
@potiuk - Jackrabbit has removed RMI support in the current stable branch two years go (https://issues.apache.org/jira/browse/JCR-5042); it's only present in a maintenance branch (2.20.x) which we want to EOL in ca 6 months. Does it make sense to keep this in the document? |
|
Feel free to skip it. |
|
So: remove & PR against your branch? Or create a branch in Jackrabbit first and merge your PR? |
|
Thanks Julian — no need for you to do either. It's our branch, so I'll trim the RMI material from the doc myself (it's touched in a handful of sections, so cleaner in one pass) and push the update here. Since RMI is only in the 2.20.x maintenance line you're planning to EOL, I'll drop it from the in-scope model rather than caveat it. Once that's pushed it's ready for a PMC member to review and merge — I'll ping this thread when it's up. |
|
yes, I'll review again, but getting out the RMI noise will make it shorter (somewhat) |
Per PR review by @reschke: RMI support was removed from the current codebase (JCR-5042, ~2 years ago) and remains only in the 2.20.x maintenance branch slated for EOL, so it is out of scope for this model. Removes the jackrabbit-jcr-rmi module, its trust-boundary / entry-point / asset rows, finding P8 (RMI deserialisation), section 9.5, and the RMI residual-risk / FAQ / non-goal bullets and two RMI-specific open questions; renumbers findings, subsections, trust boundaries, and open questions sequentially with cross-references fixed.
|
Pushed — the RMI content is out: dropped |
|
Still SonarQube "red" can't be fixed by me :) |
Summary
This PR adds an initial draft of a project-level security
threat-model document (
draft-THREAT-MODEL.md) so that automatedsecurity scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.
The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:
the project website), cited inline.
knowledge; the PMC has not confirmed.
to this draft. (Zero in this initial draft.)
Draft stats:
§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.
Why "draft-" prefix?
The file is named
draft-THREAT-MODEL.mdrather thanSECURITY-THREAT-MODEL.mdbecause this is a proposal for thePMC to review — please correct, reject, or discuss as needed.
Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (
AGENTS.md→SECURITY.md→ the model) added soscanners can mechanically follow the chain.
What this is, and what it is not
This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a Jackrabbit vulnerability or
about caller misuse / operator misconfiguration / an out-of-scope
concern.
The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.
How to review
replaces the inferred claim with the correct one.
dispositions) — those govern how a vulnerability report would
be triaged.
Reply edits / corrections inline on the PR, or to the original
security@apache.orgthread, whichever fits the PMC's workflow.🤖 Generated with Claude Code