potiuk opened a new pull request, #3158: URL: https://github.com/apache/cxf/pull/3158
**This is a draft proposal for the CXF PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainers are the decision-makers, and this describes CXF *as the PMC says it is*. This PR adds an umbrella **`THREAT_MODEL.md`** for the CXF framework, an **`AGENTS.md`**, and a **Threat Model** section linking it from the existing **`SECURITY.md`** — so a scan agent can follow `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`. A framing note the model leads with: **CXF is a framework, not an app.** It provides mechanisms (WS-Security, TLS conduits, authorization interceptors, XML limits); *which* are active and *how* is the integrator's choice. So many properties are conditional, and the integrator-responsibilities and known-non-findings sections carry a lot of weight. Draft-first, mostly inferred (~14 documented / 0 maintainer / ~55 inferred); every `*(inferred)*` claim routes to a numbered **§14** question. The **wave-1** rulings are what decide `VALID`-vs-misconfiguration: - Are CXF's **XML secure-processing limits** (DTD/external-entity off, entity-expansion/depth/size caps) **on by default** for inbound SOAP and JAX-RS XML, so an XXE/XML-bomb report against defaults is `VALID`? - Is **remote WSDL/schema/MTOM resolution** disabled/allow-listed by default (SSRF)? - Are the shipped **JAX-RS providers'** unsafe deserialization modes off by default? Scope note: this umbrella covers `apache/cxf`. `apache/cxf-fediz` (WS-Federation SSO) has a distinct trust surface and gets its own model; `apache/cxf-xjc-utils` and `apache/cxf-build-utils` are build-time tooling (out of the runtime model) and will carry only a discoverability pointer. Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting. Drafted via the [threat-model-producer](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. If you'd rather author it yourselves, close this PR and we'll regroup. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
