Skip to content

Add draft project security threat-model document#13293

Merged
DaanHoogland merged 10 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30
Jul 6, 2026
Merged

Add draft project security threat-model document#13293
DaanHoogland merged 10 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30

Conversation

@potiuk

@potiuk potiuk commented May 30, 2026

Copy link
Copy Markdown
Member

Summary

This PR adds an initial draft of a project-level security
threat-model document (draft-THREAT-MODEL.md) so that automated
security scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.

The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:

  • (documented) — paraphrased from public artefacts (this repo or
    the project website), cited inline.
  • (inferred) — synthesised from code structure or domain
    knowledge; the PMC has not confirmed.
  • (maintainer) — confirmed by a CloudStack PMC member in response
    to this draft. (Zero in this initial draft.)

Draft stats:

  • ~88 documented claims
  • ~64 inferred claims (each maps to a §14 question)
  • 38 open questions for maintainers in §14

§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.

Why "draft-" prefix?

The file is named draft-THREAT-MODEL.md rather than
SECURITY-THREAT-MODEL.md because this is a proposal for the
PMC to review — please correct, reject, or discuss as needed.

Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (AGENTS.mdSECURITY.md → the model) added so
scanners can mechanically follow the chain.

What this is, and what it is not

This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a CloudStack vulnerability or
about caller misuse / operator misconfiguration / an out-of-scope
concern.

The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.

How to review

  1. §14 first. Each answer either confirms one (inferred) tag or
    replaces the inferred claim with the correct one.
  2. After that, please skim §3 (out-of-scope) and §13 (triage
    dispositions) — those govern how a vulnerability report would
    be triaged.

Reply edits / corrections inline on the PR, or to the original
security@apache.org thread, whichever fits the PMC's workflow.

🤖 Generated with Claude Code

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented May 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.40%. Comparing base (7308dad) to head (0a0e38a).
⚠️ Report is 66 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #13293      +/-   ##
============================================
+ Coverage     18.10%   20.40%   +2.29%     
- Complexity    16752    18789    +2037     
============================================
  Files          6037     5757     -280     
  Lines        542796   520921   -21875     
  Branches      66456    60823    -5633     
============================================
+ Hits          98291   106300    +8009     
+ Misses       433460   403044   -30416     
- Partials      11045    11577     +532     
Flag Coverage Δ
uitests ?
unittests 20.40% <ø> (+1.13%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Markdown / typos / table-shape fixes per the CI lint output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yadvr yadvr requested review from DaanHoogland and vishesh92 June 1, 2026 07:16
@yadvr

yadvr commented Jun 1, 2026

Copy link
Copy Markdown
Member

There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work.

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
@potiuk

potiuk commented Jun 2, 2026

Copy link
Copy Markdown
Member Author

Thanks @DaanHoogland @yadvr @vishesh92 — agreed, let's make this (apache/cloudstack) the canonical project-level threat model and have the client/tooling repos inherit from it rather than each carrying a full copy.

Concretely, mirroring what we've done for other multi-repo PMCs:

  • apache/cloudstack/THREAT_MODEL.md is the single source of truth for the project-wide model: scope, trust boundaries, the management-server adversary model, in/out-of-scope classes, known non-findings, and triage dispositions.
  • The satellite repos (cloudstack-go, -cloudmonkey, -terraform-provider, -kubernetes-provider) get a short discoverability pointer — AGENTS.mdSECURITY.md → this model — plus, only where it adds something, a thin repo-specific addendum (e.g. the Go SDK's own input-trust surface) that references the parent instead of duplicating it.

So let's converge here first. None of the satellite PRs are merged, so re-pointing them to reference this model once its shape is settled is cheap — I'll repurpose those into pointer PRs (or close + reopen) once you're happy with the parent.

On "the fields we need": that's exactly the §14 "Open questions" section — each is a proposed answer for you to confirm, correct, or strike, grouped into waves so you can take a few at a time. Drop answers inline or here and I'll fold them in and promote the provenance tags. Happy to adjust the section set if CloudStack's shape calls for it.

potiuk added a commit to potiuk/cloudstack-go that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-cloudmonkey that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-terraform-provider that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-kubernetes-provider that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
@DaanHoogland

Copy link
Copy Markdown
Contributor

@vishesh92, cc @shwstppr. Ready for merge (and the new flow of sec issues?)

@potiuk

potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

Thanks DaanHoogland — nothing outstanding on our side, so this is ready to merge whenever you and vishesh92 are happy. All of your and Vishesh's review is folded in, the AGENTS.md → SECURITY.md → THREAT_MODEL.md chain resolves, and the one open item (Q37 — a few recurring "not a vuln" patterns from your security@ triage for the §11a suppression list) is an optional nice-to-have, not a blocker. The red check is the test_mm_*_limits integration test, unrelated to this docs-only PR.

On "the new flow of sec issues" — assuming you mean what happens once this lands: merging completes pre-flight, so CloudStack enters the scan queue at its criticality rank. When the scan runs, the findings come back to your three designated recipients (dahn@, rohit@, vishesh@) verbatim, for the PMC to triage against this very threat model — the §13 disposition table is what turns each finding into VALID / hardening / out-of-model. That's the "new flow." If you meant something else, let me know and I'll point you at the right place.

@shwstppr shwstppr left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DaanHoogland Tbh, at this point I'm not sure how this is to be reviewed or if it is ready for merge.
Maybe the contributors who volunteered to be maintainer should have a closer look. Just running Copilot review would not be enough in my opinion.

I see some issues around - API considered JSON only; in my reading I didn't see it establishes a difference between runtime configs - ConfigKey vs server.properties, hidden configs, etc. Some of the statements about CloudStack internals and worflows were not completely correct in my understanding.

PS: My nudge on the PR was purely to have the process moving.

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
@potiuk

potiuk commented Jul 5, 2026

Copy link
Copy Markdown
Member Author

@shwstppr fair question — this one reviews differently from a code PR. A few notes to unstick it:

  • It's docs-only: a single THREAT_MODEL.md plus the AGENTS.md → SECURITY.md wiring. No code path to review, and the red CI is CloudStack's normal code/integration checks, which don't apply to a docs change — safe to ignore here.
  • It's a v0 draft to react to, not a finished document. Every inferred claim is tagged and collected into open questions at the end (§14) — so "reviewing" it is really answering those (confirm / correct / strike) and fixing anything factually wrong for CloudStack. Vishesh already did a solid pass on the global-setting names; that's exactly the shape of review that helps.
  • Copilot / automated review won't say anything useful about a prose threat model — agreed.
  • Merging is the ratification: once it's in, the model is the CloudStack PMC's document, owned and refined in place. It doesn't have to be perfect at merge — just correct enough that the PMC is comfortable it represents the project.

Happy to jump on any specific §14 question if that helps reviewers move.

— Jarek

@DaanHoogland

Copy link
Copy Markdown
Contributor

@shwstppr , at only @vishesh92 , me and now you have reviewed. I would be very happy if we have more involvement, but on the other hand nothing here cannot be adjusted later.

@vishesh92

Copy link
Copy Markdown
Member

It looks good to me. The only thing left is Q37 which is to add more patterns based on the existing security issues to use here.

Comment thread draft-THREAT-MODEL.md Outdated

@shwstppr shwstppr left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for start. We can refine this as we proceed.
Some suggestions from @DaanHoogland can be applied if no objections.

Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Copilot AI review requested due to automatic review settings July 6, 2026 07:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a project-level draft security threat-model document intended to help maintainers and automated security scanners quickly triage findings as in-scope vs out-of-scope for apache/cloudstack.

Changes:

  • Introduces draft-THREAT-MODEL.md describing scope, trust boundaries, adversary model, claimed/non-claimed properties, and triage dispositions.
  • Captures configuration-sensitive security posture details (e.g., Root CA strictness, proxy header verification, integration port exposure).
  • Includes a maintainer Q&A / resolution section intended to ratify or correct inferred claims.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
carry their own delta models.
- **Commit:** `7308dad1` (HEAD of `main` at draft time).
- **Date:** 2026-05-29.
- **Authors:** ASF Security team draft, awaiting CloudStack PMC review.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t see how this is still valid, we can add maintainers but in my view the statsu already was “reviewed”/“approved”, and not “draft". guess it slipped through the cracks.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@potiuk , can you advice?

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 6, 2026 09:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 6, 2026 10:19

@vishesh92 vishesh92 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. There might be some issues but let's get it merged and we can revisit once we have some output.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.

Comment thread draft-THREAT-MODEL.md
Comment on lines +28 to +32
> models are short *deltas* that inherit §3 / §4 / §7 from this
> document and add only what each satellite uniquely introduces (`§4 B1`
> reachability, the credential file shape, the wrapper-of-SDK contract,
> etc.). The deltas live at `/tmp/claude/cloudstack-<repo>-threat-model-draft.md`.
> The satellite clients' interfaces point **inward** at the management-server
Comment thread draft-THREAT-MODEL.md
Comment on lines +48 to +49
- **Authors:** ASF Security team draft, awaiting CloudStack PMC review.
- **Status:** Draft — under maintainer review.
Comment thread draft-THREAT-MODEL.md
Comment on lines +402 to +403
- CloudStack does not document a maximum signed-API request size; assumed
to be servlet-container default (Jetty / Tomcat) *(inferred — §14 Q21)*.
Comment thread draft-THREAT-MODEL.md
Comment on lines +404 to +406
- API rate limiting is per-account via the global config knobs `api.throttling.*`
*(inferred — §14 Q22)*; an attacker with a valid API key can be rate-
limited at the application layer.
Comment thread draft-THREAT-MODEL.md
Comment on lines +1046 to +1047
**Q21.** API request size cap and cluster/agent RPC payload size cap —
are these explicitly bounded, or "whatever Jetty / NIO defaults give"? **RESOLVED** *(maintainer: DaanHoogland)* — the UI server sets an explicit cap, `org.apache.cloudstack.ServerDaemon.DEFAULT_REQUEST_CONTENT_SIZE = 1048576` (1 MiB); for other components the sizes are capped by the upstream components used. *(maps to §6, §9)*
Comment thread draft-THREAT-MODEL.md
response to this draft; *(inferred)* = synthesized by the producer from
code structure or domain knowledge, awaiting PMC ratification (every
*(inferred)* tag has a matching §14 question).
- **Draft confidence (provenance-tag tally):** 51 *(documented)* / 42
@DaanHoogland DaanHoogland merged commit 4beab94 into apache:main Jul 6, 2026
24 of 27 checks passed
vishesh92 pushed a commit to apache/cloudstack-kubernetes-provider that referenced this pull request Jul 13, 2026
…tack threat model (#97)

* Add draft project security threat-model document

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Point to the project-wide CloudStack threat model instead of a per-repo copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
vishesh92 pushed a commit to apache/cloudstack-go that referenced this pull request Jul 13, 2026
…tack threat model (#149)

* Add draft project security threat-model document

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Point to the project-wide CloudStack threat model instead of a per-repo copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code

* Exclude SECURITY.md + AGENTS.md from RAT

These scaffold files carry an SPDX license header, but this repo's Apache RAT
check doesn't scan headers embedded in Markdown, so list them in .rat-excludes.

Generated-by: Claude Code

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
vishesh92 pushed a commit to apache/cloudstack-cloudmonkey that referenced this pull request Jul 13, 2026
…tack threat model (#212)

* Add draft project security threat-model document

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Point to the project-wide CloudStack threat model instead of a per-repo copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
vishesh92 pushed a commit to apache/cloudstack-terraform-provider that referenced this pull request Jul 13, 2026
…tack threat model (#292)

* Add draft project security threat-model document

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Point to the project-wide CloudStack threat model instead of a per-repo copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
vishesh92 pushed a commit that referenced this pull request Jul 13, 2026
The project-wide security threat model merged (#13293)
as draft-THREAT-MODEL.md, but the canonical discoverability name that
scanners and satellite-repo SECURITY.md pointers follow is THREAT_MODEL.md.

This renames the file to THREAT_MODEL.md and updates the in-repo
SECURITY.md reference, making the pointer in apache/cloudstack-cloudmonkey
(which already targets .../blob/main/THREAT_MODEL.md) resolve. The
document's own review-status wording is unchanged.

Generated-by: Claude Opus 4.8 (1M context)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants