potiuk opened a new pull request, #12421: URL: https://github.com/apache/maven/pull/12421
**This is a proposal for the Maven PMC to review — please correct, reject, or discuss as needed.** The PMC owns the document; nothing here is a requirement.

This adds a draft **umbrella** `THREAT_MODEL.md` for the Apache Maven family, a `SECURITY.md` (apache/maven doesn't currently have one — the model has lived only on maven.apache.org/security.html), and an `AGENTS.md` wiring `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md` so an automated scanner can mechanically discover it. Path 3 as agreed on the list (we draft the v0, the PMC reviews).

Generated from Maven's public artefacts (`security.html`, the Maven 4 docs, the repos) via the [`threat-model-producer`](https://gist.github.com/scovetta/2dc9a0695c7cbcc32e23799e00d2ced3) rubric. Provenance-tagged throughout; every *(inferred)* claim routes to a numbered §14 question (20 of them).

Per the two asks from the list it carries:

- a **3.x-vs-4.x** axis on the trust boundaries (the §2 component-family table + a "Line" dimension in §5a/§6), not a single profile;
- explicit coverage of the **Maven-4-new** surface: the consumer / build-POM transform (published POM != source POM), `mvnup`, the reworked `mvnenc` encryption, and the resolver changes.

The load-bearing call the model makes (please confirm): §9 states that **no build/plugin sandbox exists — arbitrary code execution during a build is BY DESIGN**, and §11a lists that (plus "deployed POM != source POM", dependabot alerts on test-scope deps, etc.) as known non-findings, so a scan doesn't report Maven's core behaviour as vulnerabilities.

What's most useful from the PMC: walk the §14 questions and confirm / correct / strike each in-thread — one line each is enough. We fold the answers in, then open the per-repo `AGENTS.md -> SECURITY.md` pointer PRs across the rest of the scope once the model shape is agreed.

Context: the ASF Security team is preparing projects for an automated agentic security scan we're piloting; discoverability is the one hard prerequisite.

This PR only adds files — it edits no existing content.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
