elharo commented on code in PR #12421:
URL: https://github.com/apache/maven/pull/12421#discussion_r3523848878


##########
THREAT_MODEL.md:
##########
@@ -0,0 +1,311 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Apache Maven — Umbrella Threat Model (v0 DRAFT)
+
+## §1 Header
+
+- **Project family:** Apache Maven (build tool core, runtime, resolver, and 
the maintained plugin set). This is an **umbrella** threat model covering ~26 
repositories across ~34 branch-targets — see §2. Individual repos/branches 
inherit this model except where a §2 row narrows it.
+- **Modeled against:** the current `master`/maintenance branches of the 
in-scope repositories as of the date below. Because Maven is mid-transition 
from the 3.x to the 4.x runtime line, this model carries a **3.x-vs-4.x axis** 
as a first-class distinction rather than describing a single profile (see §2, 
§4, §5a, §6).
+- **Date:** 2026-07-04
+- **Author:** ASF Security team, drafted via the threat-model-producer 
(Scovetta) rubric at the Maven PMC's request (path 3 — Security team drafts, 
Maven PMC reviews).
+- **Status:** **v0 DRAFT — for Maven PMC review.** Not yet ratified. Most 
claims are *(inferred)* and each carries a matching open question in §14.
+- **Version binding:** the threat model is versioned alongside the projects. A 
report against a released Maven core / plugin version *N* is triaged against 
the model as it stood at *N*, not at `master` HEAD. Each branch-target (§2) 
binds to the releases cut from that branch. See §14 Q20.
+- **Reporting cross-reference:** findings that fall under §8 (claimed 
properties) should be reported privately per the ASF process at 
<https://maven.apache.org/security.html> / <https://www.apache.org/security/>. 
Findings that fall under §3 (out of scope) or §9 (properties not provided) — 
including "a plugin executed code", "the published POM differs from the source 
POM", or "checksums do not authenticate the publisher" — will be closed citing 
this document.
+- **Provenance legend:** every non-trivial claim carries exactly one tag:
+  - *(documented)* — stated in Maven's own docs/site; cited inline.
+  - *(maintainer)* — stated by a Maven PMC member in response to this process. 
(None yet — v0.)
+  - *(inferred)* — reasoned from Maven's architecture, domain knowledge, or 
the absence of a feature; **not yet confirmed.** Each *(inferred)* tag names 
the §14 question that must ratify it, e.g. *(inferred, Q5)*.
+- **Draft confidence:** ~26 documented / 0 maintainer / ~59 inferred. This is 
a react-to-me draft, not a ratified model — the heavy *(inferred)* weighting is 
expected for a v0 the PMC has not yet reviewed.
+
+**What Maven is.** Apache Maven is a build-automation and 
dependency-management tool for JVM projects. Given a project description in 
`pom.xml` (the Project Object Model), Maven resolves declared dependencies and 
build **plugins** from configured **repositories** into a local repository 
(`~/.m2/repository`), then executes a lifecycle of plugin goals — compiling, 
testing, packaging, signing, and deploying code. Plugins and build 
**extensions** are ordinary JVM artifacts that Maven downloads and executes 
**as arbitrary code in the build JVM**. Maven is invoked from the CLI (`mvn`, 
or the `mvnd` daemon, or a project-local `mvnw` wrapper) by a developer or a CI 
runner. Its security model is therefore fundamentally a **supply-chain and 
arbitrary-code-execution** model, and — by explicit design — Maven does not 
sandbox the code it is asked to build or the plugins it is asked to run.
+
+---
+
+## §2 Scope and intended use
+
+**Primary intended use.** Building, testing, packaging, and publishing JVM 
software from a trusted `pom.xml` in a developer or CI environment, resolving 
dependencies and plugins from repositories the operator has chosen to configure 
and trust. *(documented — security.html: "the Maven security model assumes you 
trust the `pom.xml` and the code, dependencies and repositories that are used 
in your build".)*
+
+**Caller roles.** Unlike a network service, Maven has no anonymous client. The 
roles are:
+- **Build author / operator** — writes or vendors the `pom.xml`, 
`settings.xml`, and `.mvn/` config; chooses repositories; runs `mvn`. 
**Trusted** — this actor has already chosen what code to execute. *(inferred, 
Q10)*
+- **Dependency / plugin / extension author** — a third party whose artifact is 
resolved into the build and executed. **Semi-trusted adversary in scope** for 
supply-chain threats (see §7). *(inferred, Q10)*
+- **Repository / mirror operator** — serves artifacts and metadata. 
**Semi-trusted adversary in scope** (compromise, poisoning, MITM on plaintext 
transport). *(inferred, Q10)*
+
+**The 3.x-vs-4.x axis (carried on this table).** Maven is mid-transition. Most 
plugin `master` branches still compile and run against the **Maven 3.9.x** API; 
seven "split" plugins have moved `master` to the **Maven 4** API and keep a 
`*-3.x` maintenance branch on the 3.9.x API. The runtime line changes the trust 
surface (consumer-POM transform, `mvnenc`, resolver 2.x, `mvnup` — all 
Maven-4-only; see §6/§9). Each branch-target is therefore tagged with the 
**Maven API line** it targets, and a finding is triaged against **that** line's 
surface.
+
+| # | Repository / component | Branch-target(s) | Maven API line | Touches 
outside process | In model? |
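
Review bot: In the §2 caller roles, the "Repository / mirror operator" entry lists "MITM on plaintext transport" among that actor's threats, but an on-path network attacker is a different party from whoever serves the artifacts and metadata. Consider a separate role entry for the network attacker so that repository compromise and transport interception can be triaged separately. The 3.x-vs-4.x paragraph just below it also states that seven "split" plugins have moved `master` to the Maven 4 API without a provenance tag, although the §1 legend says every non-trivial claim carries exactly one.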

Review Comment:
   Looks like quite a few are missing from this table including:
   
   * maven-war-plugin
   * maven-ear-plugin
   
   Probably others. Are non-plugins in scope here? If so, then also 
maven-filtering, maven-shared-utils, and maven-archiver. And I don't recall the 
current repos, but all the Doxia stuff



##########
THREAT_MODEL.md:
##########
@@ -0,0 +1,311 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Apache Maven — Umbrella Threat Model (v0 DRAFT)
+
+## §1 Header
+
+- **Project family:** Apache Maven (build tool core, runtime, resolver, and 
the maintained plugin set). This is an **umbrella** threat model covering ~26 
repositories across ~34 branch-targets — see §2. Individual repos/branches 
inherit this model except where a §2 row narrows it.
+- **Modeled against:** the current `master`/maintenance branches of the 
in-scope repositories as of the date below. Because Maven is mid-transition 
from the 3.x to the 4.x runtime line, this model carries a **3.x-vs-4.x axis** 
as a first-class distinction rather than describing a single profile (see §2, 
§4, §5a, §6).
+- **Date:** 2026-07-04
+- **Author:** ASF Security team, drafted via the threat-model-producer 
(Scovetta) rubric at the Maven PMC's request (path 3 — Security team drafts, 
Maven PMC reviews).
+- **Status:** **v0 DRAFT — for Maven PMC review.** Not yet ratified. Most 
claims are *(inferred)* and each carries a matching open question in §14.
+- **Version binding:** the threat model is versioned alongside the projects. A 
report against a released Maven core / plugin version *N* is triaged against 
the model as it stood at *N*, not at `master` HEAD. Each branch-target (§2) 
binds to the releases cut from that branch. See §14 Q20.
+- **Reporting cross-reference:** findings that fall under §8 (claimed 
properties) should be reported privately per the ASF process at 
<https://maven.apache.org/security.html> / <https://www.apache.org/security/>. 
Findings that fall under §3 (out of scope) or §9 (properties not provided) — 
including "a plugin executed code", "the published POM differs from the source 
POM", or "checksums do not authenticate the publisher" — will be closed citing 
this document.
+- **Provenance legend:** every non-trivial claim carries exactly one tag:
+  - *(documented)* — stated in Maven's own docs/site; cited inline.
+  - *(maintainer)* — stated by a Maven PMC member in response to this process. 
(None yet — v0.)
+  - *(inferred)* — reasoned from Maven's architecture, domain knowledge, or 
the absence of a feature; **not yet confirmed.** Each *(inferred)* tag names 
the §14 question that must ratify it, e.g. *(inferred, Q5)*.
+- **Draft confidence:** ~26 documented / 0 maintainer / ~59 inferred. This is 
a react-to-me draft, not a ratified model — the heavy *(inferred)* weighting is 
expected for a v0 the PMC has not yet reviewed.
+
+**What Maven is.** Apache Maven is a build-automation and 
dependency-management tool for JVM projects. Given a project description in 
`pom.xml` (the Project Object Model), Maven resolves declared dependencies and 
build **plugins** from configured **repositories** into a local repository 
(`~/.m2/repository`), then executes a lifecycle of plugin goals — compiling, 
testing, packaging, signing, and deploying code. Plugins and build 
**extensions** are ordinary JVM artifacts that Maven downloads and executes 
**as arbitrary code in the build JVM**. Maven is invoked from the CLI (`mvn`, 
or the `mvnd` daemon, or a project-local `mvnw` wrapper) by a developer or a CI 
runner. Its security model is therefore fundamentally a **supply-chain and 
arbitrary-code-execution** model, and — by explicit design — Maven does not 
sandbox the code it is asked to build or the plugins it is asked to run.
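
Review bot: The "What Maven is" paragraph asserts that plugins and extensions run as arbitrary code in the build JVM and that Maven, "by explicit design", does not sandbox them, yet it carries none of the tags the provenance legend requires for every non-trivial claim. The paragraph derives the whole security model from this statement, so tag it *(documented)* with a citation or *(inferred)* with its matching §14 question. Separately, the reporting cross-reference says findings under §3 or §9 "will be closed citing this document" while the status line says the draft is not yet ratified; making that sentence conditional on ratification would remove the conflict.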

Review Comment:
   This is true, though thinking about it now I wonder if we should do better 
than that? 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
