potiuk commented on PR #22431: URL: https://github.com/apache/kafka/pull/22431#issuecomment-4627208566
Thanks @mimaison, @showuon (and @clolov) — genuinely helpful, and the readability point is fair. Since the PMC already has its own draft in #22398 that you find easier to work with, the right move is to defer to that one — it's PMC-authored and PMC-owned, which is exactly where a threat model should live. Rather than keep two competing PRs open, I'll **close this one (#22431) in favor of #22398**.

Two pieces from here might be worth grafting across, since they're the bits most directly useful when triaging scan output (and easy to under-include in a first pass):

- **§11a "known non-findings"** — the recurring false-positive suppression list; highest-leverage section for keeping scan noise down.
- **§13 triage dispositions** — the closed set of outcomes (`VALID` / `BY-DESIGN` / `OUT-OF-MODEL` / …) so every finding routes somewhere.

I'm happy to open a small follow-up against #22398 porting just those two (trimmed to your format) — or leave it entirely to you.

And @showuon, on how it's used: the model is the reference you classify each scan finding against (in-scope / out-of-scope / known-non-finding), and it's meant to be iterated as real results arrive — so "run with it and refine" is exactly right.

Closing this in favor of #22398; just say the word if you'd like the §11a/§13 graft.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
