elharo commented on code in PR #12421: URL: https://github.com/apache/maven/pull/12421#discussion_r3524724380
########## THREAT_MODEL.md: ########## @@ -0,0 +1,317 @@ +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +# Apache Maven — Umbrella Threat Model (v0 DRAFT) + +## §1 Header + +- **Project family:** Apache Maven (build tool core, runtime, resolver, and the maintained plugin set). This is an **umbrella** threat model covering ~26 repositories across ~34 branch-targets — see §2. Individual repos/branches inherit this model except where a §2 row narrows it. +- **Modeled against:** the current `master`/maintenance branches of the in-scope repositories as of the date below. Because Maven is mid-transition from the 3.x to the 4.x runtime line, this model carries a **3.x-vs-4.x axis** as a first-class distinction rather than describing a single profile (see §2, §4, §5a, §6). +- **Date:** 2026-07-04 +- **Author:** ASF Security team, drafted via the threat-model-producer (Scovetta) rubric at the Maven PMC's request (path 3 — Security team drafts, Maven PMC reviews). +- **Status:** **v0 DRAFT — for Maven PMC review.** Not yet ratified. Most claims are *(inferred)* and each carries a matching open question in §14. +- **Version binding:** the threat model is versioned alongside the projects. A report against a released Maven core / plugin version *N* is triaged against the model as it stood at *N*, not at `master` HEAD. Each branch-target (§2) binds to the releases cut from that branch. See §14 Q20. +- **Reporting cross-reference:** findings that fall under §8 (claimed properties) should be reported privately per the ASF process at <https://maven.apache.org/security.html> / <https://www.apache.org/security/>. Findings that fall under §3 (out of scope) or §9 (properties not provided) — including "a plugin executed code", "the published POM differs from the source POM", or "checksums do not authenticate the publisher" — will be closed citing this document. +- **Provenance legend:** every non-trivial claim carries exactly one tag: + - *(documented)* — stated in Maven's own docs/site; cited inline. + - *(maintainer)* — stated by a Maven PMC member in response to this process. (None yet — v0.) + - *(inferred)* — reasoned from Maven's architecture, domain knowledge, or the absence of a feature; **not yet confirmed.** Each *(inferred)* tag names the §14 question that must ratify it, e.g. *(inferred, Q5)*. +- **Draft confidence:** ~26 documented / 0 maintainer / ~59 inferred. This is a react-to-me draft, not a ratified model — the heavy *(inferred)* weighting is expected for a v0 the PMC has not yet reviewed. + +**What Maven is.** Apache Maven is a build-automation and dependency-management tool for JVM projects. Given a project description in `pom.xml` (the Project Object Model), Maven resolves declared dependencies and build **plugins** from configured **repositories** into a local repository (`~/.m2/repository`), then executes a lifecycle of plugin goals — compiling, testing, packaging, signing, and deploying code. Plugins and build **extensions** are ordinary JVM artifacts that Maven downloads and executes **as arbitrary code in the build JVM**. Maven is invoked from the CLI (`mvn`, or the `mvnd` daemon, or a project-local `mvnw` wrapper) by a developer or a CI runner. Its security model is therefore fundamentally a **supply-chain and arbitrary-code-execution** model, and — by explicit design — Maven does not sandbox the code it is asked to build or the plugins it is asked to run. + +--- + +## §2 Scope and intended use + +**Primary intended use.** Building, testing, packaging, and publishing JVM software from a trusted `pom.xml` in a developer or CI environment, resolving dependencies and plugins from repositories the operator has chosen to configure and trust. *(documented — security.html: "the Maven security model assumes you trust the `pom.xml` and the code, dependencies and repositories that are used in your build".)* + +**Caller roles.** Unlike a network service, Maven has no anonymous client. The roles are: +- **Build author / operator** — writes or vendors the `pom.xml`, `settings.xml`, and `.mvn/` config; chooses repositories; runs `mvn`. **Trusted** — this actor has already chosen what code to execute. *(inferred, Q10)* +- **Dependency / plugin / extension author** — a third party whose artifact is resolved into the build and executed. **Semi-trusted adversary in scope** for supply-chain threats (see §7). *(inferred, Q10)* +- **Repository / mirror operator** — serves artifacts and metadata. **Semi-trusted adversary in scope** (compromise, poisoning, MITM on plaintext transport). *(inferred, Q10)* + +**The 3.x-vs-4.x axis (carried on this table).** Maven is mid-transition. Most plugin `master` branches still compile and run against the **Maven 3.9.x** API; seven "split" plugins have moved `master` to the **Maven 4** API and keep a `*-3.x` maintenance branch on the 3.9.x API. The runtime line changes the trust surface (consumer-POM transform, `mvnenc`, resolver 2.x, `mvnup` — all Maven-4-only; see §6/§9). Each branch-target is therefore tagged with the **Maven API line** it targets, and a finding is triaged against **that** line's surface. + +| # | Repository / component | Branch-target(s) | Maven API line | Touches outside process | In model? | +| --- | --- | --- | --- | --- | --- | +| **Core & runtime** | | | | | | +| 1 | `maven` (core) | `master` (4.0.x); `maven-3.9.x`/3.10.x maint. | **both** | reads POM/settings/`~/.m2`, spawns plugin code, network resolve | **yes** | +| 2 | `maven-resolver` | `master` (2.x); `1.9.x` maint. | **both** | HTTP(S) transport, local-repo I/O | **yes** | +| 3 | `maven-mvnd` (daemon) | `master` | 4.x-oriented | long-lived JVM, sockets, filesystem | **yes** | +| 4 | `maven-wrapper` | `master` | line-agnostic | downloads + executes a Maven distribution | **yes** | +| 5 | `maven-build-cache-extension` | `master` | 4.x-oriented | reads/writes build-output cache | **yes** | +| **Single-line master plugins (Maven 3.9.x API)** | | | | | | +| 6 | `maven-surefire` (surefire + failsafe) | `master` | 3.x | forks test JVMs, runs test code | **yes** | +| 7 | `maven-javadoc-plugin` | `master` | 3.x | forks `javadoc`, unpacks archives | **yes** | +| 8 | `maven-dependency-plugin` | `master` | 3.x | resolves + unpacks artifacts | **yes** | +| 9 | `maven-checkstyle-plugin` | `master` | 3.x | reads source, resolves rulesets | **yes** | +| 10 | `maven-release-plugin` | `master` | 3.x | SCM writes, invokes nested Maven | **yes** | +| 11 | `maven-shade-plugin` | `master` | 3.x | rewrites/merges JAR bytecode | **yes** | +| 12 | `maven-assembly-plugin` | `master` | 3.x | reads/writes archives | **yes** | +| 13 | `maven-scm` | `master` | 3.x | invokes SCM clients (git/svn/…) | **yes** | +| 14 | `maven-site-plugin` | `master` | 3.x | renders site, resolves skins/reports | **yes** | +| 15 | `maven-enforcer` | `master` | 3.x | evaluates rules over the build | **yes** | +| 16 | `maven-archetype` | `master` | 3.x | scaffolds projects from templates | **yes** | +| 17 | `maven-resolver-ant-tasks` | `master` | 3.x | Ant-side resolution/transport | **yes** | +| 18 | `maven-indexer` | `master` | 3.x | parses repository index metadata | **yes** | +| 19 | `maven-war-plugin` | `master` | 3.x | assembles WAR archives (overlays, resource filtering) | **yes** | +| 20 | `maven-ear-plugin` | `master` | 3.x | assembles EAR archives from module artifacts | **yes** | +| **Split plugins — master on Maven 4 API + `*-3.x` maintenance** | | | | | | +| 21 | `maven-compiler-plugin` | `master` (M4); `*-3.x` | **both (two targets)** | forks/embeds compiler, reads source | **yes** | +| 22 | `maven-jar-plugin` | `master` (M4); `*-3.x` | **both** | writes JARs | **yes** | +| 23 | `maven-clean-plugin` | `master` (M4); `*-3.x` | **both** | deletes filesystem paths | **yes** | +| 24 | `maven-deploy-plugin` | `master` (M4); `*-3.x` | **both** | uploads artifacts to remote repo | **yes** | +| 25 | `maven-install-plugin` | `master` (M4); `*-3.x` | **both** | writes to local repo | **yes** | +| 26 | `maven-resources-plugin` | `master` (M4); `*-3.x` | **both** | copies/filters resource files | **yes** | +| 27 | `maven-source-plugin` | `master` (M4); `*-3.x` | **both** | packages source JARs | **yes** | +| **Shared libraries (build/release path; no standalone CLI)** | | | | | | +| 28 | `maven-filtering` | `master` | line-agnostic | interpolates `${...}` into resource files (used by resources/war plugins) | **yes** | +| 29 | `maven-shared-utils` | `master` | line-agnostic | shared IO / process-exec / CLI helpers used across plugins | **yes** | +| 30 | `maven-archiver` | `master` | line-agnostic | shared archive + JAR/WAR manifest assembly used by packaging plugins | **yes** | Review Comment: add maven-dependency-analyzer maven-shared-io should probably be defunct but likely isn't It would be convenient if maven had its own top-level project instead of 40 separate repos inside apache/ but that ship might have sailed. For now this is close to a complete list. Not al lof these are active: gh repo list apache --limit 2000 --json name,url --jq '.[] | select(.name | startswith("maven")) | .url'~$ gh repo list apache --limit 2000 --json name,url --jqtartswith("maven")) | .url' https://github.com/apache/maven-resources-plugin https://github.com/apache/maven-compiler-plugin https://github.com/apache/maven-jlink-plugin https://github.com/apache/maven-plugin-tools https://github.com/apache/maven-deploy-plugin https://github.com/apache/maven-resolver https://github.com/apache/maven-jdeprscan-plugin https://github.com/apache/maven https://github.com/apache/maven-archiver https://github.com/apache/maven-mvnd https://github.com/apache/maven-jar-plugin https://github.com/apache/maven-shared-utils https://github.com/apache/maven-help-plugin https://github.com/apache/maven-surefire https://github.com/apache/maven-filtering https://github.com/apache/maven-executor https://github.com/apache/maven-gpg-plugin https://github.com/apache/maven-gh-actions-shared https://github.com/apache/maven-dependency-plugin https://github.com/apache/maven-dependency-tree https://github.com/apache/maven-doxia-sitetools https://github.com/apache/maven-reporting-api https://github.com/apache/maven-site https://github.com/apache/maven-toolchains-plugin https://github.com/apache/maven-artifact-plugin https://github.com/apache/maven-parent https://github.com/apache/maven-scm-publish-plugin https://github.com/apache/maven-archetype https://github.com/apache/maven-site-plugin https://github.com/apache/maven-javadoc-plugin https://github.com/apache/maven-archetypes https://github.com/apache/maven-fluido-skin https://github.com/apache/maven-jdeps-plugin https://github.com/apache/maven-shared-resources https://github.com/apache/maven-checkstyle-plugin https://github.com/apache/maven-jarsigner-plugin https://github.com/apache/maven-reporting-impl https://github.com/apache/maven-wrapper https://github.com/apache/maven-source-plugin https://github.com/apache/maven-shared-io https://github.com/apache/maven-shared-incremental https://github.com/apache/maven-scm https://github.com/apache/maven-mapping https://github.com/apache/maven-enforcer https://github.com/apache/maven-common-artifact-filters https://github.com/apache/maven-file-management https://github.com/apache/maven-doxia-site https://github.com/apache/maven-doxia https://github.com/apache/maven-dist-tool https://github.com/apache/maven-dependency-analyzer https://github.com/apache/maven-assembly-plugin https://github.com/apache/maven-apache-resources https://github.com/apache/maven-antrun-plugin https://github.com/apache/maven-war-plugin https://github.com/apache/maven-wagon https://github.com/apache/maven-verifier-plugin https://github.com/apache/maven-verifier https://github.com/apache/maven-stage-plugin https://github.com/apache/maven-shared-jar https://github.com/apache/maven-shade-plugin https://github.com/apache/maven-scripting-plugin https://github.com/apache/maven-script-interpreter https://github.com/apache/maven-resolver-ant-tasks https://github.com/apache/maven-reporting-exec https://github.com/apache/maven-remote-resources-plugin https://github.com/apache/maven-release https://github.com/apache/maven-rar-plugin https://github.com/apache/maven-project-info-reports-plugin https://github.com/apache/maven-pmd-plugin https://github.com/apache/maven-plugin-testing https://github.com/apache/maven-jxr https://github.com/apache/maven-jmod-plugin https://github.com/apache/maven-jarsigner https://github.com/apache/maven-invoker https://github.com/apache/maven-indexer https://github.com/apache/maven-invoker-plugin https://github.com/apache/maven-install-plugin https://github.com/apache/maven-ejb-plugin https://github.com/apache/maven-ear-plugin https://github.com/apache/maven-doap-plugin https://github.com/apache/maven-clean-plugin https://github.com/apache/maven-changes-plugin https://github.com/apache/maven-changelog-plugin https://github.com/apache/maven-build-cache-extension https://github.com/apache/maven-acr-plugin https://github.com/apache/maven-apache-parent https://github.com/apache/maven-integration-testing https://github.com/apache/maven-sources https://github.com/apache/maven-jenkins-lib https://github.com/apache/maven-xinclude-extension https://github.com/apache/maven-doxia-converter https://github.com/apache/maven-doxia-book-maven-plugin https://github.com/apache/maven-studies https://github.com/apache/maven-build-helper-plugin https://github.com/apache/maven-skins https://github.com/apache/maven-jenkins-env https://github.com/apache/maven-hocon-extension https://github.com/apache/maven-blog https://github.com/apache/maven-ant-tasks https://github.com/apache/maven-2 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
