potiuk opened a new pull request, #496:
URL: https://github.com/apache/jspwiki/pull/496
## Summary
This PR adds an initial draft of a project-level security
threat-model document (`draft-THREAT-MODEL.md`) so that automated
security scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.
The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:
- *(documented)* — paraphrased from public artefacts (this repo,
the project website, the JSPWiki Security and CVE wiki pages),
cited inline.
- *(inferred)* — synthesised from code structure or domain
knowledge; the PMC has not confirmed.
- *(maintainer)* — confirmed by a JSPWiki PMC member in response
to this draft. (1 in this initial draft — Juan Pablo's Path-3 +
scope confirmation from the GLASSWING thread.)
Draft stats:
- ~40 documented claims (incl. the wiki Security + CVE pages,
folded into the appendix back-map after the initial draft)
- ~27 inferred claims (each maps to a §14 question)
- 37 open questions for maintainers in §14, grouped in 6 waves
(meta + external-artefact reconciliation / SecurityManager /
XSS + markup parser / auth + attachments / environment +
side-effects / meta finalization)
§14 is the highest-leverage section: answering each question
either promotes one *(inferred)* tag to *(maintainer)* or corrects
the underlying claim.
## Why "draft-" prefix?
The file is named `draft-THREAT-MODEL.md` rather than
`SECURITY-THREAT-MODEL.md` because **this is a proposal for the
PMC to review — please correct, reject, or discuss as needed.**
Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (`AGENTS.md` → `SECURITY.md` → the model) added so
scanners can mechanically follow the chain.
## What this is, and what it is not
This is **not** a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a JSPWiki vulnerability or
about operator misconfiguration / an out-of-scope concern.
JSPWiki's wiki-engine domain (untrusted user-supplied markup
rendering, optional plugin execution, attachment handling, JAAS
container-managed auth) makes §3 / §9 / §11a especially
load-bearing — the model carefully calls out which classes of findings
the PMC has historically ruled non-issues vs. valid.
The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.
## How to review
1. **§14 first.** Q1 (back-map of the wiki Security + CVE pages),
Q9 (the SecurityManager-not-supported question — single
highest-impact open ruling), and Q37 (§11a population from
historical XSS-class CVE clusters) are the three most
load-bearing.
2. After that, please skim §3 (out-of-scope) and §13 (triage
dispositions) — those govern how a vulnerability report would
be triaged.
Reply edits / corrections inline on the PR, or to the original
`[email protected]` thread, whichever fits the PMC's workflow.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.