Add draft project security threat-model document#496
Open
potiuk wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a draft security threat model document for Apache JSPWiki to define scope, trust boundaries, security properties, non-goals, and triage dispositions for vulnerability reports.
Changes:
- Introduces a comprehensive threat model draft, including deployment postures, trust boundaries, and adversary model.
- Documents explicit “out of scope” areas and “known non-findings” to help triage/automation.
- Captures maintainer open questions and a back-map to existing security artefacts.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
potiuk
force-pushed
the
asf-security/draft-threat-model-2026-05-30
branch
from
540d733 to
a599070
Compare
Comment on lines
+38
to
+41
| - **Reporting**: vulnerabilities that fall under §8 (claimed properties) | ||
| should be reported per the Apache Security Team disclosure channel | ||
| (<security@jspwiki.apache.org>); reports that fall under §3 (out of | ||
| scope), §9 (properties not provided), or §11a (known non-findings) |
| | `ChangeLog.md` (recurring XSS entries lines 373–375, 750, 937–938, 984, 1525, 1781, 1794, 1875, 1902, 1961, 1970, 1996) | recurring class of XSS findings, all fixed case-by-case | §9 well-known attack classes, §14 Q37 | | ||
| | `ChangeLog.md` line 163 (`JSPWIKI-1245`) | "run security validation checks at start up and log it" | §8 P10 | | ||
| | `ChangeLog.md` line 213 (`JSPWIKI-1229`) | "cookie security flags. new jspwiki properties added" | §8 P8 | | ||
| | `jspwiki-wiki.apache.org/Wiki.jsp?page=Security` | hardening recommendations: enable TLS, remove `Install.jsp` after install, vet third-party plugins, restrict file uploads with size limits + AV scanning, secure file permissions, vet container/JDK versions; **explicit note that CSS can be inserted into wiki pages but JavaScript injection is prevented by default settings**; advises private security mailing list at `security@apache.org` for disclosure | §10 hardening, §11a (CSS-injection-permitted-by-default false-friend) | |
Comment on lines
+319
to
+320
| transport for the whole webapp ("this block will require TLS across | ||
| all the board" — `web.xml`) *(documented)*. |
| | `jspwiki.aclManager` | `DefaultAclManager` *(documented: line 665)* | the documented default | swapping changes the ACL syntax | | ||
| | `jspwiki.userdatabase` | `XMLUserDatabase` *(documented: line 626)* | the documented default for P2 | passwords SHA-1 hashed per docs (lines 628–630) — **see §14 Q17** | | ||
| | `jspwiki.groupdatabase` | `XMLGroupDatabase` *(documented: line 606)* | the documented default | as above | | ||
| | `jspwiki.credentials.length.min` / `minUpper` / `minLower` / `minDigits` / `minSymbols` / `repeatingCharacters` / `minChanged` / `reuseCount` | 8 / 1 / 1 / 1 / 1 / 1 / 1 / -1 *(documented: lines 1117–1151)* | "8 is the default. 15 or more is recommended for high security systems"; reuseCount default `-1` (disabled) | password-complexity defaults; do not apply in P3 (container) or external IdP postures | |
Comment on lines
+774
to
+776
| 11. **Configure password policy** above the very-defensive defaults | ||
| (`jspwiki.credentials.length.min ≥ 15`, `reuseCount ≥ 5`) for any | ||
| P2-posture wiki with real user accounts. |
| under the License. | ||
| --> | ||
|
|
||
| # Apache JSPWiki Security Threat Model (draft) |
Comment on lines
+1178
to
+1180
| **Q34.** Where should this document live? Proposed: | ||
| `docs/threat-model.md` in `apache/jspwiki`, with the wiki Security | ||
| page linking to it. *(meta)* |
Comment on lines
+27
to
+29
| - **Repository scope**: `apache/jspwiki` only. `jspwiki-site` and | ||
| `jspwiki-asf-docs` are dormant and **out of scope** (confirmed by PMC chair | ||
| Juan Pablo Santos, 2026-05-30). |
Comment on lines
+44
to
+45
| `https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE` *(maintainer-published | ||
| artefact — not mined into this draft, see §14 Q1)*. |
Comment on lines
+963
to
+965
| ### Wave 1 — meta and external-artefact reconciliation | ||
|
|
||
| **Q1.** The JSPWiki PMC publishes two canonical security artefacts **on |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds an initial draft of a project-level security
threat-model document (
draft-THREAT-MODEL.md) so that automatedsecurity scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.
The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:
the project website, the JSPWiki Security and CVE wiki pages),
cited inline.
knowledge; the PMC has not confirmed.
to this draft. (1 in this initial draft — Juan Pablo's Path-3 +
scope confirmation from the GLASSWING thread.)
Draft stats:
folded into the appendix back-map after the initial draft)
(meta + external-artefact reconciliation / SecurityManager /
XSS + markup parser / auth + attachments / environment +
side-effects / meta finalization)
§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.
Why "draft-" prefix?
The file is named
draft-THREAT-MODEL.mdrather thanSECURITY-THREAT-MODEL.mdbecause this is a proposal for thePMC to review — please correct, reject, or discuss as needed.
Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (
AGENTS.md→SECURITY.md→ the model) added soscanners can mechanically follow the chain.
What this is, and what it is not
This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a JSPWiki vulnerability or
about operator misconfiguration / an out-of-scope concern.
JSPWiki's wiki-engine domain (untrusted user-supplied markup
rendering, optional plugin execution, attachment handling, JAAS
container-managed auth) makes §3 / §9 / §11a especially load-
bearing — the model carefully calls out which classes of findings
the PMC has historically ruled non-issues vs. valid.
The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.
How to review
Q9 (the SecurityManager-not-supported question — single
highest-impact open ruling), and Q37 (§11a population from
historical XSS-class CVE clusters) are the three most
load-bearing.
dispositions) — those govern how a vulnerability report would
be triaged.
Reply edits / corrections inline on the PR, or to the original
security@apache.orgthread, whichever fits the PMC's workflow.🤖 Generated with Claude Code