andrewmusselman opened a new issue, #681: URL: https://github.com/apache/tooling-trusted-releases/issues/681
**Source:** V10.4.1, V10.4.2, V10.4.3, V10.4.4, V10.4.5 audits — all recommend this

### Description

All five ASVS V10.4.x audits found that ATR is an OAuth Client, not an Authorization Server. The ASVS V10.4 requirements (redirect URI validation, authorization code single-use, code lifetime, grant restrictions, refresh token replay mitigation) apply to the external `oauth.apache.org` service, not to ATR.

This architectural decision is not currently documented. Explicit documentation would:

- Clarify security responsibilities for future developers and auditors
- Prevent redundant audit work on inapplicable requirements
- Make it clear which ASVS sections apply to ATR (V10.2.x Client, V10.3.x Resource Server) vs. the external AS (V10.4.x)

### Recommendation

Add a section to the project documentation (`SECURITY.md`) that:

1. Identifies ATR's OAuth roles: Client, OIDC Relying Party, Resource Server
2. States that ATR does **not** implement an OAuth Authorization Server
3. Notes that ASVS V10.4.x compliance responsibility lies with `oauth.apache.org`
4. Lists the ASVS sections that **are** applicable to ATR (V10.2.x, V10.3.x)

### Severity

Informational / documentation improvement.
