asf-tooling opened a new issue, #979:
URL: https://github.com/apache/tooling-trusted-releases/issues/979
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
ASVS 15.1.3 explicitly requires documentation that identifies time-consuming
or resource-demanding functionality, describes how to prevent availability
loss, and explains how to avoid response timeout issues. The application has
strong runtime controls but lacks a consolidated inventory of
resource-intensive operations with their limits, timeout chains, and
availability defenses. Without this documentation, operations cannot plan
capacity, developers may introduce issues, and security reviews cannot verify
completeness. This is fundamentally a documentation gap rather than a technical
deficiency.
### Details
**Affected Files and Lines:**
- `atr/docs/resource-management.md` - MISSING DOCUMENT
The application implements comprehensive resource controls but lacks
centralized documentation of these controls and the operations they protect.
### Recommended Remediation
Create `atr/docs/resource-management.md` documenting:
1. **Resource-intensive operations inventory** with time profiles and limits:
- Archive extraction
- SBOM generation
- Signature verification
- Rsync transfers
- Git clone operations
- SVN operations
- Database pagination
- etc.
2. **Timeout chain architecture** showing HTTP→Task Queue→Worker→Subprocess
relationships
3. **Per-user and per-application limits**:
- Rate limiting
- Upload sizes
- Worker resources
4. **Monitoring and alerting guidance**
5. **Capacity planning recommendations**
Include all 15+ identified resource-intensive operations with their defenses
and consumer timeout handling patterns. Total effort: ~1-2 days.
### Acceptance Criteria
- [ ] Resource management document created
- [ ] All resource-intensive operations documented
- [ ] Timeout chains documented
- [ ] Limits and thresholds documented
- [ ] Monitoring guidance provided
- [ ] Capacity planning guidance provided
### References
- Source reports: L2:15.1.3.md
- Related findings: FINDING-050, FINDING-053, FINDING-193, FINDING-194,
FINDING-195, FINDING-196, FINDING-197
- ASVS sections: 15.1.3
### Priority
High
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
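The "timeout chain architecture" item above (HTTP -> Task Queue -> Worker -> Subprocess) is the part of this finding that is a design rule rather than a paragraph of prose: each layer must hand the layer beneath it a strictly shorter budget, so that the innermost consumer (the subprocess doing extraction, SBOM generation, or a clone) is the first thing to time out and be killed. If the chain is inverted, the HTTP or queue timeout fires while the subprocess keeps running for a caller that has already gone away, which is exactly the availability loss 15.1.3 asks to be documented. The following is an added example written for this note, not code from the ATR project; the layer names, the 0.2 s margins, the sleep-based stand-in job and the `check_chain` helper for validating a documented chain are all illustrative assumptions.

```python
"""Timeout-chain demonstration: HTTP -> task queue -> worker -> subprocess.

Added example, not ATR project code. Each layer derives a strictly shorter
deadline for the layer beneath it, so the subprocess always times out, and is
killed, before any outer layer gives up. Layer names, margins and the
sleep-based job are illustrative assumptions.
"""
from __future__ import annotations

import asyncio
import subprocess
import sys
import time
from dataclasses import dataclass

LAYERS = ("http", "task_queue", "worker", "subprocess")


def check_chain(timeouts: dict[str, float], margin: float = 0.0) -> list[str]:
    """Validate a documented timeout chain: every inner layer must be shorter
    than its outer layer by at least `margin` seconds. Returns the violations,
    so an empty list means the chain is consistent."""
    problems = []
    for outer, inner in zip(LAYERS, LAYERS[1:]):
        if timeouts[inner] > timeouts[outer] - margin:
            problems.append(f"{inner} ({timeouts[inner]}s) must be at least "
                            f"{margin}s shorter than {outer} ({timeouts[outer]}s)")
    return problems


@dataclass(frozen=True)
class Deadline:
    """An absolute deadline (monotonic clock) passed down the chain."""
    expires_at: float

    def remaining(self) -> float:
        return max(0.0, self.expires_at - time.monotonic())

    def child(self, margin: float) -> "Deadline":
        """Deadline for the next layer down, `margin` seconds earlier than ours,
        leaving us time to observe the inner failure and report it."""
        return Deadline(self.expires_at - margin)


class ChainTimeout(Exception):
    def __init__(self, layer: str, budget: float) -> None:
        super().__init__(f"timed out at {layer} layer (budget {budget:.2f}s)")
        self.layer = layer
        self.budget = budget


def run_subprocess(cmd: list[str], deadline: Deadline) -> str:
    """Innermost layer: subprocess.run kills the child when its timeout expires,
    so a runaway tool cannot outlive the request that spawned it."""
    budget = deadline.remaining()
    if budget <= 0:
        raise ChainTimeout("subprocess", budget)
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=budget, check=True)
    except subprocess.TimeoutExpired:
        raise ChainTimeout("subprocess", budget) from None
    return done.stdout


def worker_job(seconds: float, deadline: Deadline) -> str:
    """Worker layer: stands in for archive extraction, SBOM generation, etc.
    The job is a constructed stand-in that just sleeps for `seconds`."""
    cmd = [sys.executable, "-c",
           f"import time; time.sleep({seconds}); print('done')"]
    return run_subprocess(cmd, deadline.child(0.2))


async def enqueue_and_wait(seconds: float, deadline: Deadline) -> str:
    """Task-queue layer: waits for the worker with its own, shorter budget."""
    budget = deadline.remaining()
    try:
        return await asyncio.wait_for(
            asyncio.to_thread(worker_job, seconds, deadline.child(0.2)),
            timeout=budget)
    except asyncio.TimeoutError:
        raise ChainTimeout("task_queue", budget) from None


async def http_handler(seconds: float, http_timeout: float) -> tuple[int, str]:
    """Outermost layer: the HTTP budget every inner deadline is derived from."""
    deadline = Deadline(time.monotonic() + http_timeout)
    try:
        out = await asyncio.wait_for(
            enqueue_and_wait(seconds, deadline.child(0.2)), timeout=http_timeout)
        return 200, out.strip()
    except ChainTimeout as exc:
        return 504, str(exc)          # inner layer fired first: child already killed
    except asyncio.TimeoutError:
        return 504, "timed out at http layer (inner layers failed to fire first)"


def handle(seconds: float, http_timeout: float) -> tuple[int, str]:
    """Synchronous entry point for the demo."""
    return asyncio.run(http_handler(seconds, http_timeout))


if __name__ == "__main__":
    print(handle(0.05, 5.0))   # fast job completes: (200, 'done')
    print(handle(10, 1.5))     # slow job: reported as a subprocess-layer timeout
    print(check_chain({"http": 30, "task_queue": 30, "worker": 20,
                       "subprocess": 15}, 5))
```

`check_chain` is the kind of check that belongs next to the documented limits table: feed it the numbers from the resource-management document and it reports any layer whose timeout is not shorter than its parent's. In the live chain, the second `handle` call shows the desired failure mode, the error names the subprocess layer and the child has already been killed by `subprocess.run`; the `http` branch of the handler is the leak that an inverted chain produces, because `asyncio.wait_for` can cancel the coroutine but not the thread or the process underneath it.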