Add security threat model (THREAT_MODEL.md) + SECURITY.md and AGENTS.md discoverability#4547
Add security threat model (THREAT_MODEL.md) + SECURITY.md and AGENTS.md discoverability#4547potiuk wants to merge 8 commits into
Conversation
… discoverability v0 threat model produced by the ASF Security team via threat-model-producer (Michael Scovetta rubric, run with Claude Opus) for the PMC to review, correct, and own. Wires the AGENTS.md -> SECURITY.md -> THREAT_MODEL.md discoverability chain the scan agent follows. Every non-trivial claim is provenance-tagged; open questions for the PMC are collected in THREAT_MODEL.md section 14. Generated-by: Claude Opus 4.8 (1M context)
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a security policy and initial threat model documentation, and wires both into the repository’s agent guidance to standardize vulnerability reporting and triage.
Changes:
- Added
SECURITY.mdwith private reporting guidance and links to the threat model. - Added
THREAT_MODEL.md(v0 draft) defining scope, trust boundaries, and triage dispositions. - Updated
AGENTS.mdwith a Security section pointing contributors/triagers to the new docs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| THREAT_MODEL.md | Introduces a draft threat model, boundaries, and triage taxonomy |
| SECURITY.md | Adds vulnerability reporting instructions and references threat model |
| AGENTS.md | Adds security workflow steps and links to the new security docs |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | Lever | Why it matters | | ||
| | --- | --- | | ||
| | Authentication / initial-admin setup | decides whether the REST/UI front door is open and how the first admin is provisioned. | | ||
| | Role / permission model | decides whether non-admin users are bounded to their own resources. | | ||
| | TLS on REST + broker + datastore | decides whether sessions/events are on the wire in clear. | | ||
| | Extension installation policy | decides who may deploy adapter/processor code into the runtime. | |
There was a problem hiding this comment.
I think it doesn't apply to this specific table.
| This file is **v0** and carries open questions for the StreamPipes PMC in | ||
| `THREAT_MODEL.md` §14. |
| **Wave 4 — meta** | ||
| 13. StreamPipes has a root `AGENTS.md` but no `SECURITY.md`/`THREAT_MODEL.md`; | ||
| this PR adds them and appends a `## Security` section to the existing | ||
| `AGENTS.md` wiring `AGENTS.md → SECURITY.md → THREAT_MODEL.md`. Confirm this | ||
| in-repo model is canonical, and who owns revisions. |
| | TLS on REST + broker + datastore | decides whether sessions/events are on the wire in clear. | | ||
| | Extension installation policy | decides who may deploy adapter/processor code into the runtime. | | ||
|
|
||
| ## §11a — Known non-findings (seed for scanner/AI triage) |
| JAR) from an SCA scanner — triage upstream unless StreamPipes' own code | ||
| reaches the vulnerable path with untrusted input. | ||
|
|
||
| ## §13 — Triage dispositions |
Avoids the 'this PR adds them' reference that goes stale post-merge; states the repo ships the discoverability files and how they wire. Generated-by: Claude Opus 4.8 (1M context)
|
Thanks @obermeier — agreed on the table comments; the On Copilot's other points: the I did take the timeless-wording point on §14.13 — reworded so it no longer references "this PR adds them" (just pushed). The rest of the Copilot comments are outdated against the current revision. |
| | Component | Role | Primary surface | | ||
| | --- | --- | --- | | ||
| | **`streampipes-rest`** | the HTTP/REST front door — auth, user/resource management, pipeline + adapter control | network (the primary untrusted boundary) *(inferred — §11 Q1)* | | ||
| | **`streampipes-service-core`** | bootstrapping, **security**, migrations, scheduling *(documented: AGENTS.md)* | in-process | | ||
| | **`*-management` modules** | business/domain logic (pipelines, adapters, data lake) | in-process | | ||
| | **Connect adapters (extensions)** | ingest data from **external** industrial sources (OPC-UA, MQTT, HTTP, files, DB, …) | the external-data ingestion boundary *(inferred — §11 Q2)* | | ||
| | **Pipeline elements (processors/sinks)** | run processing logic over the event streams; deployable as extensions | in-process / extension-runtime code *(inferred — §11 Q2)* | | ||
| | **Message broker + data lake** | event transport (Kafka/MQTT/NATS-class) and time-series persistence | intra-deployment infra *(inferred — §11 Q3)* | | ||
| | **UI** (`ui/`) | browser client | client trust domain | |
| | Lever | Why it matters | | ||
| | --- | --- | | ||
| | Authentication / initial-admin setup | decides whether the REST/UI front door is open and how the first admin is provisioned. | | ||
| | Role / permission model | decides whether non-admin users are bounded to their own resources. | | ||
| | TLS on REST + broker + datastore | decides whether sessions/events are on the wire in clear. | | ||
| | Extension installation policy | decides who may deploy adapter/processor code into the runtime. | |
| - **Memory safety on well-formed input** to the JVM's extent (StreamPipes is | ||
| primarily Java). |
| > **Status:** v0 draft produced by the ASF Security team (Michael Scovetta | ||
| > rubric, run with Claude Opus) for the Apache StreamPipes PMC to review, |
| **privately** to the StreamPipes security list at | ||
| `security@streampipes.apache.org`, following the | ||
| [Apache Software Foundation security process](https://www.apache.org/security/). | ||
| Do **not** open public GitHub issues or pull requests for security reports — a |
Revise the Threat Model document for clarity, structure, and accuracy. Update sections on purpose, assets, adversaries, trust boundaries, and key configurations.
Removed descriptions for 'streampipes-service-core' and '*-management' modules in the threat model.
Updated the language for clarity regarding the control boundary and external data ingestion.
Updated language for clarity and consistency regarding the threat model version and maintenance notes.
Added versioning information and clarified references to sections in the threat model document.
|
I did some adjustments in THREAT_MODEL to be more SP-specific and tried to answer the provided questions. What do you think about it? |
|
@obermeier this is great — thank you for taking it over and making it A few things I especially like:
From our side it clears the completeness bar comfortably: scope/assets, the No changes requested on my end. Merge whenever you're happy with it; once it |
This adds a v0 security threat model + discoverability wiring to
apache/streampipes, produced by the ASF Security team for the StreamPipes PMC to review and own — the pre-flight step for the Glasswing security scan the PMC opted into (path 3).What's here
THREAT_MODEL.md(new) — a v0 model (Michael Scovetta rubric, run with Claude Opus) covering thestreampipes-restfront door, the external-data ingestion boundary at the adapters, and the extension runtime (custom adapters/processors/sinks as code-execution by design): trust boundaries, in/out-of-scope adversaries, what StreamPipes upholds vs. what it leaves to the operator (TLS, network isolation, extension vetting, source trust), known non-findings, and triage dispositions. Every non-trivial claim is provenance-tagged(documented)/(maintainer)/(inferred).SECURITY.md(new) — private reporting viasecurity@streampipes.apache.org+ a pointer to the model.AGENTS.md(amended) — appends a## Securitysection to your existing rootAGENTS.md, wiringAGENTS.md → SECURITY.md → THREAT_MODEL.md(your existing guidance is untouched).How to engage — this is a draft to react to.
THREAT_MODEL.md§14 collects open questions in waves; the highest-leverage one is Q2 — the ingestion boundary: what StreamPipes guarantees about handling hostile data from an external source an adapter connects to. Answer inline a few at a time, correct anything wrong, and the model becomes the PMC's. Once you're happy, we queue the scan in OSS-criticality order. No deadline pressure with the Mythos 5 window being extended.Generated-by: Claude Opus 4.8 (1M context)