Skip to content

Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md)#127

Merged
mboapache merged 2 commits into
apache:mainfrom
potiuk:asf-security/threat-model-2026-06-09
Jun 13, 2026
Merged

Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md)#127
mboapache merged 2 commits into
apache:mainfrom
potiuk:asf-security/threat-model-2026-06-09

Conversation

@potiuk

@potiuk potiuk commented Jun 9, 2026

Copy link
Copy Markdown
Member

What

Adds a threat model for Apache JDO, drafted at the JDO PMC's request, plus the discoverability files that let an automated security reviewer mechanically find it:

  • THREAT_MODEL.md — the model, following Michael Scovetta's threat-model rubric (public mirror).
  • SECURITY.md — disclosure pointer (ASF security process) + threat-model reference.
  • AGENTS.md — routes a vulnerability-research agent through AGENTS.md -> SECURITY.md -> THREAT_MODEL.md.

The model in one paragraph

jdo-api is an API-definition jar: it defines the JDO interfaces and bootstraps an implementation, but does not itself execute queries, manage connections, or persist data. So the model scopes query (JDOQL/SQL) execution, connection handling, credential management, and persistence to the implementation (DataNucleus and others) — out of scope here. jdo-api's own surface is narrow: trusted, operator-supplied bootstrap configuration; XXE-hardened jdoconfig.xml parsing (disallow-doctype-decl=true); reflection confined to configured class names; and the contract / identity / exception types. The TCK and exectck are test/build artifacts, also out of scope.

This is a DRAFT for your review — you own and merge it

Most claims are grounded in the source and tagged (documented); a few trust assumptions are (inferred) and need your confirmation, collected as open questions in §14 (3 short waves). The key ones:

  • Q1 — confirm jdo-api is an in-process, trusted library with no untrusted-input adversary of its own (config + classpath trusted).
  • Q5 — the SecurityManager / JDOPermission / doPrivileged machinery is effectively inert on JEP 411 JDKs; do you still claim any SecurityManager-enforced property for older deployments?
  • Q6 — confirm the disclosure channel SECURITY.md should name (security@apache.org / private@db.apache.org).

Please edit freely — the tags and §14 are there to make review a quick confirm/correct rather than a rewrite.

Context

This is the threat-model step of the GLASSWING / Mythos security-scan pre-flight for apache/db-jdo. Once a model is merged and discoverable (the AGENTS.md -> SECURITY.md chain), pre-flight passes and we can queue the scan — the program window closes 30 June 2026, so the sooner this lands the more comfortably it fits.

Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.

potiuk and others added 2 commits June 9, 2026 11:46
…md chain

Adds a threat model for Apache JDO (the jdo-api jar), drafted at the JDO PMC's
request following the Apache Security team's threat-model rubric, plus a
SECURITY.md disclosure pointer and an AGENTS.md that routes vulnerability-
research agents through the model (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md).

The model scopes jdo-api as an API-definition library: query (JDOQL/SQL)
execution, connection handling, and persistence are the implementation's (e.g.
DataNucleus) responsibility and out of scope; jdo-api's own surface is trusted
bootstrap configuration (XXE-hardened jdoconfig.xml parsing via
disallow-doctype-decl, reflection confined to configured class names) plus the
contract / identity / exception types. The TCK and exectck are out of scope.

DRAFT for PMC review: section 14 carries open questions for the maintainers to
confirm the inferred trust assumptions.

Generated-by: Claude Opus 4.8 (1M context)
Update status to APPROVED.
Resolve questions in section 14.
@sonarqubecloud

Copy link
Copy Markdown

@clr-apache clr-apache left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated with change of status to APPROVED.
Third approver should squash and merge to main.

@potiuk

potiuk commented Jun 12, 2026

Copy link
Copy Markdown
Member Author

Friendly nudge — this threat-model / discoverability PR is approved and green, so it's ready to merge whenever the PMC has a moment. Merging completes the pre-flight discoverability step (AGENTS.md → SECURITY.md → THREAT_MODEL.md) so an automated security-scan agent can mechanically find the model. No rush — thanks!

@mboapache
mboapache merged commit 8673ab0 into apache:main Jun 13, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants