Add security threat model (THREAT_MODEL.md + SECURITY.md pointer + AGENTS.md) #613
Open
potiuk wants to merge 1 commit into
…md chain

Adds a threat model for Apache XML Security for Java, drafted at the Santuario PMC's request following the Apache Security team's threat-model rubric, plus an AGENTS.md that routes vulnerability-research agents through the model. The existing SECURITY.md is preserved and gains a Threat Model pointer.

The model centres on the defining trust split (the XML submitted for verification/decryption is attacker-controlled) and the load-bearing role of secure validation mode; it makes explicit that key trust and signature-coverage (XML-Signature-Wrapping) checks are the caller's responsibility, and lists the recurring non-findings.

DRAFT for PMC review: section 14 carries open questions (notably the secure-validation defaults per entry point/version).

Generated-by: Claude Opus 4.8 (1M context)
What
Adds a threat model for Apache XML Security for Java, drafted at the Santuario PMC's request (the GLASSWING / Mythos scan pre-flight needs a discoverable threat model), plus the discoverability chain:
- THREAT_MODEL.md — the model, following Michael Scovetta's rubric (public mirror).
- SECURITY.md — your existing policy, preserved, with a new Threat Model pointer appended.
- AGENTS.md — routes a vulnerability-research agent through AGENTS.md -> SECURITY.md -> THREAT_MODEL.md.

The model in brief
The defining trust split: the application is trusted, but the XML submitted for verification/decryption is fully attacker-controlled. The model is built around that, with secure validation mode as the load-bearing knob, and it makes explicit the two things the library deliberately leaves to the caller — key trust and signature-coverage (XML-Signature-Wrapping) checks — so scanner/AI reports against those route to "by design / caller's responsibility" rather than churning.
DRAFT — you own and merge it
Most claims are grounded in the source / your SECURITY.md (tagged (documented)); the trust assumptions I marked (inferred) are gathered as open questions in section 14. The pivotal one is Q6 — secure-validation defaults: for each entry point (native org.apache.xml.security vs JSR-105, DOM vs StAX, by version), is secure validation on by default or opt-in? That single answer decides whether "secure-validation-off" findings are valid or out-of-model. Please edit freely.

Context
This is the threat-model step of the GLASSWING pre-flight for apache/santuario-xml-security-java. Once it's merged and discoverable, pre-flight passes and we can queue the scan.

Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.
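As an added illustration of the caller-side duties named in "The model in brief" (this is not code from the pull request or from the project), the sketch below verifies through the JSR-105 entry point with a key pinned by the application, requests secure validation explicitly, and then checks that the one signed reference is the element the application will consume. The class name, the `Id` attribute convention and the transform allow-list are assumptions of the example.

```java
import java.security.PublicKey;
import java.util.List;
import java.util.Set;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class CallerSideChecks { // hypothetical class name
    // Transforms this hypothetical application accepts; anything else is rejected.
    private static final Set<String> ALLOWED_TRANSFORMS =
            Set.of(Transform.ENVELOPED, CanonicalizationMethod.EXCLUSIVE);

    /** Throws unless payload (the element the application will consume) is signed by trustedKey. */
    public static void requireSigned(Element payload, PublicKey trustedKey) throws Exception {
        String id = payload.getAttributeNS(null, "Id"); // assumed ID attribute convention
        NodeList sigs = payload.getOwnerDocument()
                .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (id.isEmpty() || sigs.getLength() != 1) {
            throw new SecurityException("expected an Id on the payload and exactly one Signature");
        }
        // Key trust: the key is pinned by the application, never taken from KeyInfo in the message.
        DOMValidateContext ctx =
                new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        // Ask for secure validation explicitly instead of relying on a default.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);        // JDK provider
        ctx.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE); // Santuario provider
        // Only the element we will consume is resolvable by ID.
        ctx.setIdAttributeNS(payload, null, "Id");

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            throw new SecurityException("signature did not validate");
        }
        // Signature coverage: exactly one Reference, and it names the consumed element.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + id).equals(((Reference) refs.get(0)).getURI())) {
            throw new SecurityException("signature does not cover the consumed element");
        }
        for (Object t : ((Reference) refs.get(0)).getTransforms()) {
            if (!ALLOWED_TRANSFORMS.contains(((Transform) t).getAlgorithm())) {
                throw new SecurityException("unexpected transform: " + ((Transform) t).getAlgorithm());
            }
        }
    }
}
```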