potiuk opened a new pull request, #769: URL: https://github.com/apache/unomi/pull/769
## What this is

A **draft threat model** for Apache Unomi, proposed by the ASF Security team for the Unomi PMC to review, correct, or reject. It is a starting point for discussion, not a finished document — drafted by the Security team's threat-model tooling from Unomi's public docs, repository, and published CVE advisories, following the [ASF Security threat-model rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573).

This PR:

- adds `THREAT_MODEL.md` — the draft model;
- adds `SECURITY.md` — a short security policy that links the threat model;
- adds `AGENTS.md` with a `## Security` section, so the chain `AGENTS.md → SECURITY.md → THREAT_MODEL.md` is mechanically discoverable by automated security scanners.

## How to read it

Every claim is provenance-tagged: *(documented)* (from Unomi's docs/repo/CVE advisories), *(inferred)* (reasoned from architecture/history, **not yet confirmed**), *(maintainer)* (confirmed by the PMC). This v0 is ~16 documented / ~30 inferred. The **§14 Open questions** section collects every inferred claim into waves for the PMC to confirm or correct — that is where review time is best spent.

The model is built around Unomi's documented threat history (the OGNL/MVEL expression-evaluation CVEs) and treats the **public context endpoint** as the primary boundary, with JSON-Schema event validation and the post-CVE expression restrictions as the defenses.

The highest-impact open questions:

- the public-context-endpoint vs. authenticated-admin-API trust split and its defaults (wave 1);
- whether JSON-Schema validation + the expression allow-list are the on-by-default public-boundary defenses (wave 2);
- that OGNL/MVEL expression power is by-design for trusted admin-authored conditions, so a finding is only `VALID` when *public* input reaches it (wave 3).

Nothing here is a requirement — the model is for the PMC to own. Comment inline, edit the branch, or reply on the email thread.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
