potiuk commented on code in PR #6709:
URL: https://github.com/apache/jmeter/pull/6709#discussion_r3360051130


##########
THREAT_MODEL.md:
##########
@@ -0,0 +1,174 @@
+# Apache JMeter — Threat Model (v1 draft)
+
+> Built on Apache JMeter's existing security policy at
+> <https://jmeter.apache.org/security.html>. That page's "Security Model"
+> statements are lifted here verbatim as the *(documented)* core; this
+> document adds the threat-model structure around them (adversary model,
+> in/out scope, properties, known non-findings, triage dispositions).
+
+## §1 Header
+
+- **Project:** Apache JMeter (`apache/jmeter`), `master`, against which this 
draft was written.
+- **Date:** 2026-06-02 (v0); **revised 2026-06-03** incorporating JMeter PMC 
review (vlsi, milamberspace). **Status:** draft v1 — Wave-1/2 questions 
ratified by the PMC; remaining items flagged below. **Author:** ASF Security 
team (drafted via the Scovetta threat-model rubric, building on JMeter's 
`security.html`), for PMC ratification.
+- **Version binding:** versioned with the project; a report against version 
*N* is triaged against the model as it stood at *N*.
+- **Reporting cross-reference:** §8-property violations → report privately per 
ASF process (`[email protected]` → `[email protected]`); §3/§9 
findings are closed citing this document and `security.html`.
+- **Provenance legend:** *(documented)* = JMeter's own 
docs/`security.html`/repo; *(maintainer)* = confirmed by a JMeter PMC member 
through this process; *(inferred)* = reasoned from architecture, not yet 
confirmed — each has a matching §14 open question.
+- **Coexistence:** this model is a strict superset of `security.html`; nothing 
there is weakened. `security.html` stays the canonical reporting/policy page 
and should link here for the expanded model.
+- **Draft confidence:** ~10 documented / ~12 maintainer / ~14 inferred 
(RMI-SSL posture, the open-vs-run line, Security-Manager status, and the SUT 
scope were confirmed from JMeter source by the PMC on 2026-06-03).
+- **What JMeter is:** Apache JMeter is a Java load-/performance-testing tool. 
A user builds a **test plan** (a `.jmx` file) in the GUI or by hand, then runs 
it — in the GUI, in non-GUI/CLI mode, or distributed across a controller and 
remote engines — to drive load at a *system under test* and collect results. 
Test plans may contain scripting (JSR223/Groovy/BeanShell) and therefore 
arbitrary code. *(documented — README, security.html)*
+
+## §2 Scope and intended use
+
+- **Primary use:** a **user-run tool** — the person running JMeter authors (or 
obtains) the `.jmx`, points it at a target they are authorised to test, and 
runs it locally or across machines they control. *(documented — security.html)*
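Review bot: The "Provenance legend" bullet says every *(inferred)* item has a matching §14 open question, but the "Draft confidence" bullet in the same section says four of those items (RMI-SSL posture, the open-vs-run line, Security-Manager status, SUT scope) were confirmed from JMeter source by the PMC on 2026-06-03; those should now carry the *(maintainer)* tag with their §14 questions closed, and the "~10 documented / ~12 maintainer / ~14 inferred" counts should state whether they describe the v0 or the revised v1 state, otherwise a triager cannot tell which label governs a report. While touching that bullet, the "Author" line cites the "Scovetta threat-model rubric" without a reference; a link would let readers check the method the dispositions in §3/§9 rest on.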

Review Comment:
   Folded — §2 now lists authorized penetration testing as a recognized 
dual-use (operator-trust model unchanged); unauthorized use stays a §11 misuse. 
Thanks!



##########
AGENTS.md:
##########
@@ -0,0 +1,11 @@
+# Agent Guide for jmeter
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+threat model it links before reporting issues.
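Review bot: The reference chain is indirect: the `Security model:` line links only `SECURITY.md`, and the closing sentence assumes that file in turn links the threat model, but this PR adds `THREAT_MODEL.md` and nothing in the hunk shows that `SECURITY.md` exists in the repository or carries that link; please confirm it does, or point at `THREAT_MODEL.md` directly so scanners and assistants are not sent through a dangling hop. A bare pointer is also the right shape for a file that the first paragraph says AI assistants read as guidance: the less free-form instruction it carries, the less it can be used to steer what those agents report.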

Review Comment:
   Applied — trimmed AGENTS.md to the bare `Security model: 
[SECURITY.md](./SECURITY.md)` pointer (commit 4ea3c42). Thanks 
@vlsi/@milamberspace!



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.