potiuk opened a new pull request, #127: URL: https://github.com/apache/db-jdo/pull/127
## What Adds a **threat model** for Apache JDO, drafted at the JDO PMC's request, plus the discoverability files that let an automated security reviewer mechanically find it: - **`THREAT_MODEL.md`** — the model, following Michael Scovetta's threat-model rubric ([public mirror](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)). - **`SECURITY.md`** — disclosure pointer (ASF security process) + threat-model reference. - **`AGENTS.md`** — routes a vulnerability-research agent through `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`. ## The model in one paragraph `jdo-api` is an **API-definition jar**: it defines the JDO interfaces and bootstraps an implementation, but does not itself execute queries, manage connections, or persist data. So the model scopes **query (JDOQL/SQL) execution, connection handling, credential management, and persistence to the implementation** (DataNucleus and others) — out of scope here. `jdo-api`'s own surface is narrow: trusted, operator-supplied bootstrap configuration; XXE-hardened `jdoconfig.xml` parsing (`disallow-doctype-decl=true`); reflection confined to configured class names; and the contract / identity / exception types. The TCK and `exectck` are test/build artifacts, also out of scope. ## This is a DRAFT for your review — you own and merge it Most claims are grounded in the source and tagged *(documented)*; a few trust assumptions are *(inferred)* and need your confirmation, collected as **open questions in §14** (3 short waves). The key ones: - **Q1** — confirm `jdo-api` is an in-process, trusted library with no untrusted-input adversary of its own (config + classpath trusted). - **Q5** — the SecurityManager / `JDOPermission` / `doPrivileged` machinery is effectively inert on JEP 411 JDKs; do you still claim any SecurityManager-enforced property for older deployments? - **Q6** — confirm the disclosure channel `SECURITY.md` should name ([email protected] / `[email protected]`). Please edit freely — the tags and §14 are there to make review a quick confirm/correct rather than a rewrite. ## Context This is the threat-model step of the GLASSWING / Mythos security-scan pre-flight for `apache/db-jdo`. Once a model is merged and discoverable (the `AGENTS.md -> SECURITY.md` chain), pre-flight passes and we can queue the scan — the program window closes **30 June 2026**, so the sooner this lands the more comfortably it fits. Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
