Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<!-- SPDX-License-Identifier: Apache-2.0 -->
# AGENTS.md

## Security

You are helping a security researcher find and report vulnerabilities in
Apache JDO. Before drafting any report or reaching any conclusion, complete
these reading steps — skipping them leads to duplicate and out-of-scope
reports.

### Step 1 — Read the threat model

Read **[THREAT_MODEL.md](THREAT_MODEL.md)** first: the trust boundaries, the
in-scope / out-of-scope declarations, the properties the project does and does
not provide, and the known non-findings.

### Step 2 — Read the security policy

Read **[SECURITY.md](SECURITY.md)** for how (and where) to report.

### Key scoping facts (see THREAT_MODEL.md)

- `jdo-api` defines the JDO API and **bootstraps an implementation**; it does
not execute queries or manage datastore connections. Those belong to the JDO
implementation (DataNucleus and others) and are **out of scope** (§3) — route
such findings there.
- Bootstrap reflection (`Class.forName` / `Method.invoke`) and `jdoconfig.xml`
parsing operate on **trusted, operator-supplied configuration** (§6); a finding
that requires attacker-controlled config or classpath is out of model.
- The `jdoconfig.xml` parser disallows DOCTYPE declarations and is therefore
XXE-safe (§8).
- JDO is **not** an authorization boundary; JDOQL/SQL injection, credential
storage, and safe deserialization of JDO objects are downstream
responsibilities (§9 / §10).
- The TCK (`tck/`) and `exectck/` are test / build artifacts, out of scope (§3).

### Then assess

Route the finding to exactly one disposition in **THREAT_MODEL.md §13**, citing
the section that licenses the call. If it cannot be routed cleanly, it is a
`MODEL-GAP` (§12) — surface it rather than forcing a disposition.
48 changes: 48 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

# Security Policy

## Reporting a Vulnerability

Apache JDO follows the Apache Software Foundation security process. Report
suspected vulnerabilities **privately** to the ASF Security Team at
[security@apache.org](mailto:security@apache.org) (the JDO PMC is reachable via
`private@db.apache.org`). Please do **not** open public GitHub issues or pull
requests for security reports. See <https://www.apache.org/security/> for the
foundation-wide process and disclosure policy.

## Threat Model

Before reporting — and before triaging a tool, fuzzer, or AI-generated finding
— read the project threat model: **[THREAT_MODEL.md](THREAT_MODEL.md)**. It
describes the trust boundaries Apache JDO assumes, what it does and does not
treat as a security issue, what is in and out of scope, and the recurring
non-findings. In particular:

- The published `jdo-api` jar is an **API-definition library**. Query (JDOQL/SQL)
execution, connection handling, credential management, and persistence are the
responsibility of the JDO **implementation** (e.g. DataNucleus), **not** this
project — see THREAT_MODEL.md §3.
- JDO is **not** an authorization boundary. Injection safety, credential storage,
and safe deserialization of JDO objects are downstream responsibilities — see
THREAT_MODEL.md §9 and §10.
- Bootstrap configuration (the implementation class, `jdoconfig.xml`, connection
properties, classpath) is **trusted, operator-supplied** input — see §6.

Findings that fall outside the model (§3 / §9 / §11a) will be closed citing the
relevant section.
Loading
Loading