elharo commented on code in PR #12421:
URL: https://github.com/apache/maven/pull/12421#discussion_r3524724380


##########
THREAT_MODEL.md:
##########
@@ -0,0 +1,317 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Apache Maven — Umbrella Threat Model (v0 DRAFT)
+
+## §1 Header
+
+- **Project family:** Apache Maven (build tool core, runtime, resolver, and 
the maintained plugin set). This is an **umbrella** threat model covering ~26 
repositories across ~34 branch-targets — see §2. Individual repos/branches 
inherit this model except where a §2 row narrows it.
+- **Modeled against:** the current `master`/maintenance branches of the 
in-scope repositories as of the date below. Because Maven is mid-transition 
from the 3.x to the 4.x runtime line, this model carries a **3.x-vs-4.x axis** 
as a first-class distinction rather than describing a single profile (see §2, 
§4, §5a, §6).
+- **Date:** 2026-07-04
+- **Author:** ASF Security team, drafted via the threat-model-producer 
(Scovetta) rubric at the Maven PMC's request (path 3 — Security team drafts, 
Maven PMC reviews).
+- **Status:** **v0 DRAFT — for Maven PMC review.** Not yet ratified. Most 
claims are *(inferred)* and each carries a matching open question in §14.
+- **Version binding:** the threat model is versioned alongside the projects. A 
report against a released Maven core / plugin version *N* is triaged against 
the model as it stood at *N*, not at `master` HEAD. Each branch-target (§2) 
binds to the releases cut from that branch. See §14 Q20.
+- **Reporting cross-reference:** findings that fall under §8 (claimed 
properties) should be reported privately per the ASF process at 
<https://maven.apache.org/security.html> / <https://www.apache.org/security/>. 
Findings that fall under §3 (out of scope) or §9 (properties not provided) — 
including "a plugin executed code", "the published POM differs from the source 
POM", or "checksums do not authenticate the publisher" — will be closed citing 
this document.
+- **Provenance legend:** every non-trivial claim carries exactly one tag:
+  - *(documented)* — stated in Maven's own docs/site; cited inline.
+  - *(maintainer)* — stated by a Maven PMC member in response to this process. 
(None yet — v0.)
+  - *(inferred)* — reasoned from Maven's architecture, domain knowledge, or 
the absence of a feature; **not yet confirmed.** Each *(inferred)* tag names 
the §14 question that must ratify it, e.g. *(inferred, Q5)*.
+- **Draft confidence:** ~26 documented / 0 maintainer / ~59 inferred. This is 
a react-to-me draft, not a ratified model — the heavy *(inferred)* weighting is 
expected for a v0 the PMC has not yet reviewed.
+
+**What Maven is.** Apache Maven is a build-automation and 
dependency-management tool for JVM projects. Given a project description in 
`pom.xml` (the Project Object Model), Maven resolves declared dependencies and 
build **plugins** from configured **repositories** into a local repository 
(`~/.m2/repository`), then executes a lifecycle of plugin goals — compiling, 
testing, packaging, signing, and deploying code. Plugins and build 
**extensions** are ordinary JVM artifacts that Maven downloads and executes 
**as arbitrary code in the build JVM**. Maven is invoked from the CLI (`mvn`, 
or the `mvnd` daemon, or a project-local `mvnw` wrapper) by a developer or a CI 
runner. Its security model is therefore fundamentally a **supply-chain and 
arbitrary-code-execution** model, and — by explicit design — Maven does not 
sandbox the code it is asked to build or the plugins it is asked to run.
+
+---
+
+## §2 Scope and intended use
+
+**Primary intended use.** Building, testing, packaging, and publishing JVM 
software from a trusted `pom.xml` in a developer or CI environment, resolving 
dependencies and plugins from repositories the operator has chosen to configure 
and trust. *(documented — security.html: "the Maven security model assumes you 
trust the `pom.xml` and the code, dependencies and repositories that are used 
in your build".)*
+
+**Caller roles.** Unlike a network service, Maven has no anonymous client. The 
roles are:
+- **Build author / operator** — writes or vendors the `pom.xml`, 
`settings.xml`, and `.mvn/` config; chooses repositories; runs `mvn`. 
**Trusted** — this actor has already chosen what code to execute. *(inferred, 
Q10)*
+- **Dependency / plugin / extension author** — a third party whose artifact is 
resolved into the build and executed. **Semi-trusted adversary in scope** for 
supply-chain threats (see §7). *(inferred, Q10)*
+- **Repository / mirror operator** — serves artifacts and metadata. 
**Semi-trusted adversary in scope** (compromise, poisoning, MITM on plaintext 
transport). *(inferred, Q10)*
+
+**The 3.x-vs-4.x axis (carried on this table).** Maven is mid-transition. Most 
plugin `master` branches still compile and run against the **Maven 3.9.x** API; 
seven "split" plugins have moved `master` to the **Maven 4** API and keep a 
`*-3.x` maintenance branch on the 3.9.x API. The runtime line changes the trust 
surface (consumer-POM transform, `mvnenc`, resolver 2.x, `mvnup` — all 
Maven-4-only; see §6/§9). Each branch-target is therefore tagged with the 
**Maven API line** it targets, and a finding is triaged against **that** line's 
surface.
+
+| # | Repository / component | Branch-target(s) | Maven API line | Touches 
outside process | In model? |
+| --- | --- | --- | --- | --- | --- |
+| **Core & runtime** | | | | | |
+| 1 | `maven` (core) | `master` (4.0.x); `maven-3.9.x`/3.10.x maint. | 
**both** | reads POM/settings/`~/.m2`, spawns plugin code, network resolve | 
**yes** |
+| 2 | `maven-resolver` | `master` (2.x); `1.9.x` maint. | **both** | HTTP(S) 
transport, local-repo I/O | **yes** |
+| 3 | `maven-mvnd` (daemon) | `master` | 4.x-oriented | long-lived JVM, 
sockets, filesystem | **yes** |
+| 4 | `maven-wrapper` | `master` | line-agnostic | downloads + executes a 
Maven distribution | **yes** |
+| 5 | `maven-build-cache-extension` | `master` | 4.x-oriented | reads/writes 
build-output cache | **yes** |
+| **Single-line master plugins (Maven 3.9.x API)** | | | | | |
+| 6 | `maven-surefire` (surefire + failsafe) | `master` | 3.x | forks test 
JVMs, runs test code | **yes** |
+| 7 | `maven-javadoc-plugin` | `master` | 3.x | forks `javadoc`, unpacks 
archives | **yes** |
+| 8 | `maven-dependency-plugin` | `master` | 3.x | resolves + unpacks 
artifacts | **yes** |
+| 9 | `maven-checkstyle-plugin` | `master` | 3.x | reads source, resolves 
rulesets | **yes** |
+| 10 | `maven-release-plugin` | `master` | 3.x | SCM writes, invokes nested 
Maven | **yes** |
+| 11 | `maven-shade-plugin` | `master` | 3.x | rewrites/merges JAR bytecode | 
**yes** |
+| 12 | `maven-assembly-plugin` | `master` | 3.x | reads/writes archives | 
**yes** |
+| 13 | `maven-scm` | `master` | 3.x | invokes SCM clients (git/svn/…) | 
**yes** |
+| 14 | `maven-site-plugin` | `master` | 3.x | renders site, resolves 
skins/reports | **yes** |
+| 15 | `maven-enforcer` | `master` | 3.x | evaluates rules over the build | 
**yes** |
+| 16 | `maven-archetype` | `master` | 3.x | scaffolds projects from templates 
| **yes** |
+| 17 | `maven-resolver-ant-tasks` | `master` | 3.x | Ant-side 
resolution/transport | **yes** |
+| 18 | `maven-indexer` | `master` | 3.x | parses repository index metadata | 
**yes** |
+| 19 | `maven-war-plugin` | `master` | 3.x | assembles WAR archives (overlays, 
resource filtering) | **yes** |
+| 20 | `maven-ear-plugin` | `master` | 3.x | assembles EAR archives from 
module artifacts | **yes** |
+| **Split plugins — master on Maven 4 API + `*-3.x` maintenance** | | | | | |
+| 21 | `maven-compiler-plugin` | `master` (M4); `*-3.x` | **both (two 
targets)** | forks/embeds compiler, reads source | **yes** |
+| 22 | `maven-jar-plugin` | `master` (M4); `*-3.x` | **both** | writes JARs | 
**yes** |
+| 23 | `maven-clean-plugin` | `master` (M4); `*-3.x` | **both** | deletes 
filesystem paths | **yes** |
+| 24 | `maven-deploy-plugin` | `master` (M4); `*-3.x` | **both** | uploads 
artifacts to remote repo | **yes** |
+| 25 | `maven-install-plugin` | `master` (M4); `*-3.x` | **both** | writes to 
local repo | **yes** |
+| 26 | `maven-resources-plugin` | `master` (M4); `*-3.x` | **both** | 
copies/filters resource files | **yes** |
+| 27 | `maven-source-plugin` | `master` (M4); `*-3.x` | **both** | packages 
source JARs | **yes** |
+| **Shared libraries (build/release path; no standalone CLI)** | | | | | |
+| 28 | `maven-filtering` | `master` | line-agnostic | interpolates `${...}` 
into resource files (used by resources/war plugins) | **yes** |
+| 29 | `maven-shared-utils` | `master` | line-agnostic | shared IO / 
process-exec / CLI helpers used across plugins | **yes** |
+| 30 | `maven-archiver` | `master` | line-agnostic | shared archive + JAR/WAR 
manifest assembly used by packaging plugins | **yes** |

Review Comment:
   add  maven-dependency-analyzer
   
   maven-shared-io should probably be defunct but likely isn't
   
   It would be convenient if maven had its own top-level project instead of 40 
separate repos inside apache/ but that ship might have sailed. For now this is 
close to a  complete list. Not al lof these are active:
   
   gh repo list apache --limit 2000 --json name,url --jq '.[] | select(.name | 
startswith("maven")) | .url'~$ gh repo list apache --limit 2000 --json name,url 
--jqtartswith("maven")) | .url'
   https://github.com/apache/maven-resources-plugin
   https://github.com/apache/maven-compiler-plugin
   https://github.com/apache/maven-jlink-plugin
   https://github.com/apache/maven-plugin-tools
   https://github.com/apache/maven-deploy-plugin
   https://github.com/apache/maven-resolver
   https://github.com/apache/maven-jdeprscan-plugin
   https://github.com/apache/maven
   https://github.com/apache/maven-archiver
   https://github.com/apache/maven-mvnd
   https://github.com/apache/maven-jar-plugin
   https://github.com/apache/maven-shared-utils
   https://github.com/apache/maven-help-plugin
   https://github.com/apache/maven-surefire
   https://github.com/apache/maven-filtering
   https://github.com/apache/maven-executor
   https://github.com/apache/maven-gpg-plugin
   https://github.com/apache/maven-gh-actions-shared
   https://github.com/apache/maven-dependency-plugin
   https://github.com/apache/maven-dependency-tree
   https://github.com/apache/maven-doxia-sitetools
   https://github.com/apache/maven-reporting-api
   https://github.com/apache/maven-site
   https://github.com/apache/maven-toolchains-plugin
   https://github.com/apache/maven-artifact-plugin
   https://github.com/apache/maven-parent
   https://github.com/apache/maven-scm-publish-plugin
   https://github.com/apache/maven-archetype
   https://github.com/apache/maven-site-plugin
   https://github.com/apache/maven-javadoc-plugin
   https://github.com/apache/maven-archetypes
   https://github.com/apache/maven-fluido-skin
   https://github.com/apache/maven-jdeps-plugin
   https://github.com/apache/maven-shared-resources
   https://github.com/apache/maven-checkstyle-plugin
   https://github.com/apache/maven-jarsigner-plugin
   https://github.com/apache/maven-reporting-impl
   https://github.com/apache/maven-wrapper
   https://github.com/apache/maven-source-plugin
   https://github.com/apache/maven-shared-io
   https://github.com/apache/maven-shared-incremental
   https://github.com/apache/maven-scm
   https://github.com/apache/maven-mapping
   https://github.com/apache/maven-enforcer
   https://github.com/apache/maven-common-artifact-filters
   https://github.com/apache/maven-file-management
   https://github.com/apache/maven-doxia-site
   https://github.com/apache/maven-doxia
   https://github.com/apache/maven-dist-tool
   https://github.com/apache/maven-dependency-analyzer
   https://github.com/apache/maven-assembly-plugin
   https://github.com/apache/maven-apache-resources
   https://github.com/apache/maven-antrun-plugin
   https://github.com/apache/maven-war-plugin
   https://github.com/apache/maven-wagon
   https://github.com/apache/maven-verifier-plugin
   https://github.com/apache/maven-verifier
   https://github.com/apache/maven-stage-plugin
   https://github.com/apache/maven-shared-jar
   https://github.com/apache/maven-shade-plugin
   https://github.com/apache/maven-scripting-plugin
   https://github.com/apache/maven-script-interpreter
   https://github.com/apache/maven-resolver-ant-tasks
   https://github.com/apache/maven-reporting-exec
   https://github.com/apache/maven-remote-resources-plugin
   https://github.com/apache/maven-release
   https://github.com/apache/maven-rar-plugin
   https://github.com/apache/maven-project-info-reports-plugin
   https://github.com/apache/maven-pmd-plugin
   https://github.com/apache/maven-plugin-testing
   https://github.com/apache/maven-jxr
   https://github.com/apache/maven-jmod-plugin
   https://github.com/apache/maven-jarsigner
   https://github.com/apache/maven-invoker
   https://github.com/apache/maven-indexer
   https://github.com/apache/maven-invoker-plugin
   https://github.com/apache/maven-install-plugin
   https://github.com/apache/maven-ejb-plugin
   https://github.com/apache/maven-ear-plugin
   https://github.com/apache/maven-doap-plugin
   https://github.com/apache/maven-clean-plugin
   https://github.com/apache/maven-changes-plugin
   https://github.com/apache/maven-changelog-plugin
   https://github.com/apache/maven-build-cache-extension
   https://github.com/apache/maven-acr-plugin
   https://github.com/apache/maven-apache-parent
   https://github.com/apache/maven-integration-testing
   https://github.com/apache/maven-sources
   https://github.com/apache/maven-jenkins-lib
   https://github.com/apache/maven-xinclude-extension
   https://github.com/apache/maven-doxia-converter
   https://github.com/apache/maven-doxia-book-maven-plugin
   https://github.com/apache/maven-studies
   https://github.com/apache/maven-build-helper-plugin
   https://github.com/apache/maven-skins
   https://github.com/apache/maven-jenkins-env
   https://github.com/apache/maven-hocon-extension
   https://github.com/apache/maven-blog
   https://github.com/apache/maven-ant-tasks
   https://github.com/apache/maven-2
   
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to