Add draft project security threat-model document#13293
Conversation
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #13293 +/- ##
============================================
+ Coverage 18.10% 20.40% +2.29%
- Complexity 16752 18789 +2037
============================================
Files 6037 5757 -280
Lines 542796 520921 -21875
Branches 66456 60823 -5633
============================================
+ Hits 98291 106300 +8009
+ Misses 433460 403044 -30416
- Partials 11045 11577 +532
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Markdown / typos / table-shape fixes per the CI lint output. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work. |
|
Thanks @DaanHoogland @yadvr @vishesh92 — agreed, let's make this (apache/cloudstack) the canonical project-level threat model and have the client/tooling repos inherit from it rather than each carrying a full copy. Concretely, mirroring what we've done for other multi-repo PMCs:
So let's converge here first. None of the satellite PRs are merged, so re-pointing them to reference this model once its shape is settled is cheap — I'll repurpose those into pointer PRs (or close + reopen) once you're happy with the parent. On "the fields we need": that's exactly the §14 "Open questions" section — each is a proposed answer for you to confirm, correct, or strike, grouped into waves so you can take a few at a time. Drop answers inline or here and I'll fold them in and promote the provenance tags. Happy to adjust the section set if CloudStack's shape calls for it. |
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
- Q15: sensitive-file ownership root:cloud, mode 0640 - Q24: same-IP host re-add updates existing record, gated by creds + key/certs (apache#13182); not an unauthenticated spoof path - Q29: data-at-rest delegation to storage/hypervisor confirmed by vishesh92 Generated-by: Claude Opus 4.8
|
Thanks
That clears the items that were still pending a second confirmation. The one remaining open ask on your side is Q37 — whenever convenient, 3-5 recurring "not a vuln" patterns from your inbound Unrelated to this PR: the red CI check is a component/integration test ( |
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
|
@vishesh92 can you please have a look if you've further feedback on this? @weizhouapache can we include this in 4.23.0 milestone? |
|
Thanks @shwstppr. From the ASF Security side this one is through pre-flight: One note for the milestone question: the red check is the No changes requested on our end; happy to see it land in 4.23.0. Once it merges |
|
@vishesh92, cc @shwstppr. Ready for merge (and the new flow of sec issues?) |
|
Thanks On "the new flow of sec issues" — assuming you mean what happens once this lands: merging completes pre-flight, so CloudStack enters the scan queue at its criticality rank. When the scan runs, the findings come back to your three designated recipients (dahn@, rohit@, vishesh@) verbatim, for the PMC to triage against this very threat model — the §13 disposition table is what turns each finding into VALID / hardening / out-of-model. That's the "new flow." If you meant something else, let me know and I'll point you at the right place. |
shwstppr
left a comment
There was a problem hiding this comment.
@DaanHoogland Tbh, at this point I'm not sure how this is to be reviewed or if it is ready for merge.
Maybe the contributors who volunteered to be maintainer should have a closer look. Just running Copilot review would not be enough in my opinion.
I see some issues around - API considered JSON only; in my reading I didn't see it establishes a difference between runtime configs - ConfigKey vs server.properties, hidden configs, etc. Some of the statements about CloudStack internals and worflows were not completely correct in my understanding.
PS: My nudge on the PR was purely to have the process moving.
|
@shwstppr fair question — this one reviews differently from a code PR. A few notes to unstick it:
Happy to jump on any specific §14 question if that helps reviewers move. — Jarek |
|
@shwstppr , at only @vishesh92 , me and now you have reviewed. I would be very happy if we have more involvement, but on the other hand nothing here cannot be adjusted later. |
|
It looks good to me. The only thing left is Q37 which is to add more patterns based on the existing security issues to use here. |
shwstppr
left a comment
There was a problem hiding this comment.
Looks good for start. We can refine this as we proceed.
Some suggestions from @DaanHoogland can be applied if no objections.
Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com> Co-authored-by: dahn <daan.hoogland@gmail.com>
There was a problem hiding this comment.
Pull request overview
Adds a project-level draft security threat-model document intended to help maintainers and automated security scanners quickly triage findings as in-scope vs out-of-scope for apache/cloudstack.
Changes:
- Introduces
draft-THREAT-MODEL.mddescribing scope, trust boundaries, adversary model, claimed/non-claimed properties, and triage dispositions. - Captures configuration-sensitive security posture details (e.g., Root CA strictness, proxy header verification, integration port exposure).
- Includes a maintainer Q&A / resolution section intended to ratify or correct inferred claims.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| carry their own delta models. | ||
| - **Commit:** `7308dad1` (HEAD of `main` at draft time). | ||
| - **Date:** 2026-05-29. | ||
| - **Authors:** ASF Security team draft, awaiting CloudStack PMC review. |
There was a problem hiding this comment.
I don’t see how this is still valid, we can add maintainers but in my view the statsu already was “reviewed”/“approved”, and not “draft". guess it slipped through the cracks.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
vishesh92
left a comment
There was a problem hiding this comment.
lgtm. There might be some issues but let's get it merged and we can revisit once we have some output.
| > models are short *deltas* that inherit §3 / §4 / §7 from this | ||
| > document and add only what each satellite uniquely introduces (`§4 B1` | ||
| > reachability, the credential file shape, the wrapper-of-SDK contract, | ||
| > etc.). The deltas live at `/tmp/claude/cloudstack-<repo>-threat-model-draft.md`. | ||
| > The satellite clients' interfaces point **inward** at the management-server |
| - **Authors:** ASF Security team draft, awaiting CloudStack PMC review. | ||
| - **Status:** Draft — under maintainer review. |
| - CloudStack does not document a maximum signed-API request size; assumed | ||
| to be servlet-container default (Jetty / Tomcat) *(inferred — §14 Q21)*. |
| - API rate limiting is per-account via the global config knobs `api.throttling.*` | ||
| *(inferred — §14 Q22)*; an attacker with a valid API key can be rate- | ||
| limited at the application layer. |
| **Q21.** API request size cap and cluster/agent RPC payload size cap — | ||
| are these explicitly bounded, or "whatever Jetty / NIO defaults give"? **RESOLVED** *(maintainer: DaanHoogland)* — the UI server sets an explicit cap, `org.apache.cloudstack.ServerDaemon.DEFAULT_REQUEST_CONTENT_SIZE = 1048576` (1 MiB); for other components the sizes are capped by the upstream components used. *(maps to §6, §9)* |
| response to this draft; *(inferred)* = synthesized by the producer from | ||
| code structure or domain knowledge, awaiting PMC ratification (every | ||
| *(inferred)* tag has a matching §14 question). | ||
| - **Draft confidence (provenance-tag tally):** 51 *(documented)* / 42 |
Summary
This PR adds an initial draft of a project-level security
threat-model document (
draft-THREAT-MODEL.md) so that automatedsecurity scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.
The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:
the project website), cited inline.
knowledge; the PMC has not confirmed.
to this draft. (Zero in this initial draft.)
Draft stats:
§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.
Why "draft-" prefix?
The file is named
draft-THREAT-MODEL.mdrather thanSECURITY-THREAT-MODEL.mdbecause this is a proposal for thePMC to review — please correct, reject, or discuss as needed.
Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (
AGENTS.md→SECURITY.md→ the model) added soscanners can mechanically follow the chain.
What this is, and what it is not
This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a CloudStack vulnerability or
about caller misuse / operator misconfiguration / an out-of-scope
concern.
The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.
How to review
replaces the inferred claim with the correct one.
dispositions) — those govern how a vulnerability report would
be triaged.
Reply edits / corrections inline on the PR, or to the original
security@apache.orgthread, whichever fits the PMC's workflow.🤖 Generated with Claude Code