Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md)#127
Merged
mboapache merged 2 commits intoJun 13, 2026
Merged
Conversation
…md chain Adds a threat model for Apache JDO (the jdo-api jar), drafted at the JDO PMC's request following the Apache Security team's threat-model rubric, plus a SECURITY.md disclosure pointer and an AGENTS.md that routes vulnerability- research agents through the model (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md). The model scopes jdo-api as an API-definition library: query (JDOQL/SQL) execution, connection handling, and persistence are the implementation's (e.g. DataNucleus) responsibility and out of scope; jdo-api's own surface is trusted bootstrap configuration (XXE-hardened jdoconfig.xml parsing via disallow-doctype-decl, reflection confined to configured class names) plus the contract / identity / exception types. The TCK and exectck are out of scope. DRAFT for PMC review: section 14 carries open questions for the maintainers to confirm the inferred trust assumptions. Generated-by: Claude Opus 4.8 (1M context)
Update status to APPROVED. Resolve questions in section 14.
|
clr-apache
approved these changes
Jun 11, 2026
clr-apache
left a comment
Contributor
There was a problem hiding this comment.
Updated with change of status to APPROVED.
Third approver should squash and merge to main.
Member
Author
|
Friendly nudge — this threat-model / discoverability PR is approved and green, so it's ready to merge whenever the PMC has a moment. Merging completes the pre-flight discoverability step (AGENTS.md → SECURITY.md → THREAT_MODEL.md) so an automated security-scan agent can mechanically find the model. No rush — thanks! |
tobous
approved these changes
Jun 12, 2026
mboapache
approved these changes
Jun 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
Adds a threat model for Apache JDO, drafted at the JDO PMC's request, plus the discoverability files that let an automated security reviewer mechanically find it:
THREAT_MODEL.md— the model, following Michael Scovetta's threat-model rubric (public mirror).SECURITY.md— disclosure pointer (ASF security process) + threat-model reference.AGENTS.md— routes a vulnerability-research agent throughAGENTS.md -> SECURITY.md -> THREAT_MODEL.md.The model in one paragraph
jdo-apiis an API-definition jar: it defines the JDO interfaces and bootstraps an implementation, but does not itself execute queries, manage connections, or persist data. So the model scopes query (JDOQL/SQL) execution, connection handling, credential management, and persistence to the implementation (DataNucleus and others) — out of scope here.jdo-api's own surface is narrow: trusted, operator-supplied bootstrap configuration; XXE-hardenedjdoconfig.xmlparsing (disallow-doctype-decl=true); reflection confined to configured class names; and the contract / identity / exception types. The TCK andexectckare test/build artifacts, also out of scope.This is a DRAFT for your review — you own and merge it
Most claims are grounded in the source and tagged (documented); a few trust assumptions are (inferred) and need your confirmation, collected as open questions in §14 (3 short waves). The key ones:
jdo-apiis an in-process, trusted library with no untrusted-input adversary of its own (config + classpath trusted).JDOPermission/doPrivilegedmachinery is effectively inert on JEP 411 JDKs; do you still claim any SecurityManager-enforced property for older deployments?SECURITY.mdshould name (security@apache.org /private@db.apache.org).Please edit freely — the tags and §14 are there to make review a quick confirm/correct rather than a rewrite.
Context
This is the threat-model step of the GLASSWING / Mythos security-scan pre-flight for
apache/db-jdo. Once a model is merged and discoverable (theAGENTS.md -> SECURITY.mdchain), pre-flight passes and we can queue the scan — the program window closes 30 June 2026, so the sooner this lands the more comfortably it fits.Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.