potiuk opened a new pull request, #12421:
URL: https://github.com/apache/maven/pull/12421

   **This is a proposal for the Maven PMC to review — please correct, reject, 
or discuss as needed.** The PMC owns the document; nothing here is a 
requirement.
   
   This adds a draft **umbrella** `THREAT_MODEL.md` for the Apache Maven 
family, a `SECURITY.md` (apache/maven doesn't currently have one — the model 
has lived only on maven.apache.org/security.html), and an `AGENTS.md` wiring 
`AGENTS.md -> SECURITY.md -> THREAT_MODEL.md` so an automated scanner can 
mechanically discover it. Path 3 as agreed on the list (we draft the v0, the 
PMC reviews).
   
   Generated from Maven's public artefacts (`security.html`, the Maven 4 docs, 
the repos) via the 
[`threat-model-producer`](https://gist.github.com/scovetta/2dc9a0695c7cbcc32e23799e00d2ced3)
 rubric. Provenance-tagged throughout; every *(inferred)* claim routes to a 
numbered §14 question (20 of them).
   
   Per the two asks from the list it carries:
   
   - a **3.x-vs-4.x** axis on the trust boundaries (the §2 component-family 
table + a "Line" dimension in §5a/§6), not a single profile;
   - explicit coverage of the **Maven-4-new** surface: the consumer / build-POM 
transform (published POM != source POM), `mvnup`, the reworked `mvnenc` 
encryption, and the resolver changes.
   
   The load-bearing call the model makes (please confirm): §9 states that **no 
build/plugin sandbox exists — arbitrary code execution during a build is BY 
DESIGN**, and §11a lists that (plus "deployed POM != source POM", dependabot 
alerts on test-scope deps, etc.) as known non-findings, so a scan doesn't 
report Maven's core behaviour as vulnerabilities.
   
   What's most useful from the PMC: walk the §14 questions and confirm / 
correct / strike each in-thread — a one-line each is enough. We fold the 
answers in, then open the per-repo `AGENTS.md -> SECURITY.md` pointer PRs 
across the rest of the scope once the model shape is agreed.
   
   Context: the ASF Security team is preparing projects for an automated 
agentic security scan we're piloting; discoverability is the one hard 
prerequisite. This PR only adds files — it edits no existing content.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to