Skip to content

Add security-model discoverability pointer to the project-wide CloudStack threat model#149

Open
potiuk wants to merge 4 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30
Open

Add security-model discoverability pointer to the project-wide CloudStack threat model#149
potiuk wants to merge 4 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30

Conversation

@potiuk

@potiuk potiuk commented May 30, 2026

Copy link
Copy Markdown
Member

Summary

Apache CloudStack's security model is project-wide, not per-repository. This PR replaces the earlier standalone draft-THREAT-MODEL.md in this repo with the standard discoverability chain so automated scanners find the one canonical model:

  • AGENTS.mdSECURITY.md → the project-wide model at
    https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md

The model lives in apache/cloudstack (see apache/cloudstack#13293); this repo inherits it via the pointer above rather than duplicating it — per the PMC's direction on #13293 to converge on the parent model first. The link resolves once that model lands on main. A thin repo-specific addendum can be added here later if this component needs one.

AGENTS.md carries a one-line SPDX header (it is read by agents on every session); SECURITY.md carries the full ASF header.

@potiuk potiuk force-pushed the asf-security/draft-threat-model-2026-05-30 branch from 0f8d4ea to b6579f6 Compare May 30, 2026 18:47
@yadvr yadvr requested review from DaanHoogland and vishesh92 June 1, 2026 07:17
@yadvr

yadvr commented Jun 1, 2026

Copy link
Copy Markdown
Member

There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work.

@DaanHoogland

Copy link
Copy Markdown
Contributor

Thanks @yadvr, I think we should start with this one and work from there. I’ll look at the fields we need today cc @vishesh92 @potiuk

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
@DaanHoogland

Copy link
Copy Markdown
Contributor

Thanks @yadvr, I think we should start with this one and work from there. I’ll look at the fields we need today cc @vishesh92 @potiuk

Given that this “inherits” from cloudstack, i think (on second thought) we should start there.

@potiuk

potiuk commented Jun 2, 2026

Copy link
Copy Markdown
Member Author

Agreed @DaanHoogland — let's converge on the parent apache/cloudstack model (#13293) first; cloudstack-go then inherits via a discoverability pointer + a thin Go-SDK addendum rather than a full copy. I'll re-point this PR once the parent's shape is settled. Continuing on #13293.

@potiuk potiuk changed the title Add draft project security threat-model document Add security-model discoverability pointer to the project-wide CloudStack threat model Jun 2, 2026
@potiuk

potiuk commented Jun 2, 2026

Copy link
Copy Markdown
Member Author

Note on the failing Apache RAT Check — it's the workflow's RAT-download step, not this PR. The job fetches apache-rat-0.17-bin.tar.gz from downloads.apache.org/creadur/…, which now returns a ~196-byte error page instead of the tarball (RAT 0.17 has rolled off the live mirror to archive.apache.org), so tar -xzf fails with gzip: stdin: not in gzip format before RAT ever runs. This PR only adds AGENTS.md + SECURITY.md (both carry license headers), so there's nothing RAT-relevant in the change itself. The same step is failing on the other cloudstack-* satellite PRs. Pointing the download at archive.apache.org/dist/creadur/… (or bumping to a version still on the live mirror) restores it — happy to open that workflow fix separately if useful.

@potiuk

potiuk commented Jun 4, 2026

Copy link
Copy Markdown
Member Author

Note for reviewers: the failing Apache RAT Check isn't related to this PR's content. The workflow downloads apache-rat-0.17 from downloads.apache.org, but 0.17 has aged off that mirror, so the download returns an error page instead of the tarball (gzip: stdin: not in gzip format). #150 fixes it by repointing the download to archive.apache.org; once that merges, this check greens. This PR only adds discoverability pointer files.

@potiuk

potiuk commented Jun 5, 2026

Copy link
Copy Markdown
Member Author

Thanks @DaanHoogland. This PR was re-pointed to the project-wide CloudStack model (apache/cloudstack#13293) — the per-repo draft-THREAT-MODEL.md your comments were on is replaced by AGENTS.md + SECURITY.md pointers to that canonical model, so these threads are now outdated. Your scope points (the SDK is a CloudStack concern only insofar as it's the Apache-delivered SDK against a targeted-version response; the out-of-scope items) are captured in #13293. Resolving here; the substantive review lives on #13293. (The CI red is the apache-rat download infra, fixed by #150.) Thanks!

potiuk and others added 3 commits June 16, 2026 22:29
Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
These scaffold files carry an SPDX license header, but this repo's Apache RAT
check doesn't scan headers embedded in Markdown, so list them in .rat-excludes.

Generated-by: Claude Code
@potiuk potiuk force-pushed the asf-security/draft-threat-model-2026-05-30 branch from c8db4b0 to 2c92488 Compare June 17, 2026 02:29
@potiuk

potiuk commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Update: rebased onto current main to pick up #139 (Apache RAT 0.17 -> 0.18). The earlier "Apache RAT Check" failure was just the old workflow downloading RAT 0.17, which has aged off downloads.apache.org — RAT and the builds are green now. Ready for review whenever convenient.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds repository-level security discoverability documents so automated tools can find CloudStack’s canonical, project-wide threat model via a pointer chain (AGENTS.mdSECURITY.mdapache/cloudstack’s THREAT_MODEL.md).

Changes:

  • Adds SECURITY.md describing vulnerability reporting guidance and linking to the project-wide threat model.
  • Adds AGENTS.md as an agent-facing entry point pointing scanners/tools to SECURITY.md.
  • Updates .rat-excludes to exempt the new Markdown files from Apache RAT checks.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
SECURITY.md Introduces security policy + threat model pointer (with license header).
AGENTS.md Adds an agent-readable entry point directing tools to SECURITY.md.
.rat-excludes Exempts the new Markdown policy files from RAT scanning.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread SECURITY.md
Comment on lines +1 to +15
<!--
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
Comment thread SECURITY.md Outdated
Comment thread .rat-excludes
Comment on lines +6 to +10

# Security-model scaffold (carries an SPDX header; exempted
# from RAT for setups that don't scan Markdown headers).
AGENTS.md
SECURITY.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 13, 2026 06:09

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

Comment thread SECURITY.md
Comment on lines +1 to +15
<!--
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
Comment thread SECURITY.md
Comment on lines +33 to +35
(That link resolves once the project-wide model lands on `apache/cloudstack`'s
`main` branch — see apache/cloudstack#13293. A thin `cloudstack-go`-specific
addendum can be added here later if this component needs one.)
Comment thread AGENTS.md
Comment on lines +1 to +2
<!-- SPDX-License-Identifier: Apache-2.0 -->

Comment thread .rat-excludes
Comment on lines +6 to +10

# Security-model scaffold (carries an SPDX header; exempted
# from RAT for setups that don't scan Markdown headers).
AGENTS.md
SECURITY.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants