Skip to content

Add draft project security threat-model document#13293

Merged
DaanHoogland merged 10 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30
Jul 6, 2026
Merged

Add draft project security threat-model document#13293
DaanHoogland merged 10 commits into
apache:mainfrom
potiuk:asf-security/draft-threat-model-2026-05-30

Conversation

@potiuk

@potiuk potiuk commented May 30, 2026

Copy link
Copy Markdown
Member

Summary

This PR adds an initial draft of a project-level security
threat-model document (draft-THREAT-MODEL.md) so that automated
security scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.

The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:

  • (documented) — paraphrased from public artefacts (this repo or
    the project website), cited inline.
  • (inferred) — synthesised from code structure or domain
    knowledge; the PMC has not confirmed.
  • (maintainer) — confirmed by a CloudStack PMC member in response
    to this draft. (Zero in this initial draft.)

Draft stats:

  • ~88 documented claims
  • ~64 inferred claims (each maps to a §14 question)
  • 38 open questions for maintainers in §14

§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.

Why "draft-" prefix?

The file is named draft-THREAT-MODEL.md rather than
SECURITY-THREAT-MODEL.md because this is a proposal for the
PMC to review — please correct, reject, or discuss as needed.

Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (AGENTS.mdSECURITY.md → the model) added so
scanners can mechanically follow the chain.

What this is, and what it is not

This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a CloudStack vulnerability or
about caller misuse / operator misconfiguration / an out-of-scope
concern.

The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.

How to review

  1. §14 first. Each answer either confirms one (inferred) tag or
    replaces the inferred claim with the correct one.
  2. After that, please skim §3 (out-of-scope) and §13 (triage
    dispositions) — those govern how a vulnerability report would
    be triaged.

Reply edits / corrections inline on the PR, or to the original
security@apache.org thread, whichever fits the PMC's workflow.

🤖 Generated with Claude Code

Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.

The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented May 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.40%. Comparing base (7308dad) to head (0a0e38a).
⚠️ Report is 66 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #13293      +/-   ##
============================================
+ Coverage     18.10%   20.40%   +2.29%     
- Complexity    16752    18789    +2037     
============================================
  Files          6037     5757     -280     
  Lines        542796   520921   -21875     
  Branches      66456    60823    -5633     
============================================
+ Hits          98291   106300    +8009     
+ Misses       433460   403044   -30416     
- Partials      11045    11577     +532     
Flag Coverage Δ
uitests ?
unittests 20.40% <ø> (+1.13%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Markdown / typos / table-shape fixes per the CI lint output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yadvr yadvr requested review from DaanHoogland and vishesh92 June 1, 2026 07:16
@yadvr

yadvr commented Jun 1, 2026

Copy link
Copy Markdown
Member

There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work.

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
@potiuk

potiuk commented Jun 2, 2026

Copy link
Copy Markdown
Member Author

Thanks @DaanHoogland @yadvr @vishesh92 — agreed, let's make this (apache/cloudstack) the canonical project-level threat model and have the client/tooling repos inherit from it rather than each carrying a full copy.

Concretely, mirroring what we've done for other multi-repo PMCs:

  • apache/cloudstack/THREAT_MODEL.md is the single source of truth for the project-wide model: scope, trust boundaries, the management-server adversary model, in/out-of-scope classes, known non-findings, and triage dispositions.
  • The satellite repos (cloudstack-go, -cloudmonkey, -terraform-provider, -kubernetes-provider) get a short discoverability pointer — AGENTS.mdSECURITY.md → this model — plus, only where it adds something, a thin repo-specific addendum (e.g. the Go SDK's own input-trust surface) that references the parent instead of duplicating it.

So let's converge here first. None of the satellite PRs are merged, so re-pointing them to reference this model once its shape is settled is cheap — I'll repurpose those into pointer PRs (or close + reopen) once you're happy with the parent.

On "the fields we need": that's exactly the §14 "Open questions" section — each is a proposed answer for you to confirm, correct, or strike, grouped into waves so you can take a few at a time. Drop answers inline or here and I'll fold them in and promote the provenance tags. Happy to adjust the section set if CloudStack's shape calls for it.

potiuk added a commit to potiuk/cloudstack-go that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-cloudmonkey that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-terraform-provider that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
potiuk added a commit to potiuk/cloudstack-kubernetes-provider that referenced this pull request Jun 2, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
- Q15: sensitive-file ownership root:cloud, mode 0640
- Q24: same-IP host re-add updates existing record, gated by creds + key/certs
  (apache#13182); not an unauthenticated spoof path
- Q29: data-at-rest delegation to storage/hypervisor confirmed by vishesh92

Generated-by: Claude Opus 4.8
@potiuk

potiuk commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Thanks vishesh92 — folded your three follow-ups in (draft-THREAT-MODEL.md):

  • Q15 (file ownership): recorded as root:cloud, mode 0640 (rw for owner, r for the cloud group) for the four sensitive artifacts. Resolved.
  • Q24 (same-IP host): captured that re-adding a host with the same IP updates the existing record rather than creating a spoofed peer, and is gated by root-admin access + the keys/certs needed to reach the management server (with Don't allow adding of existing host to another zone, pod or cluster #13182 refining it) — so not an unauthenticated identity-spoof path. Resolved.
  • Q29 (data-at-rest): marked confirmed by both of you (delegated to the storage layer / hypervisor).

That clears the items that were still pending a second confirmation. The one remaining open ask on your side is Q37 — whenever convenient, 3-5 recurring "not a vuln" patterns from your inbound security@ triage would make §11a (the scanner's suppression list) much stronger; no rush.

Unrelated to this PR: the red CI check is a component/integration test (test_mm_*_limits), not anything this docs-only change touches.

potiuk added a commit to potiuk/cloudstack-go that referenced this pull request Jun 17, 2026
…po copy

Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this repo
inherits it rather than duplicating it.

Generated-by: Claude Code
@weizhouapache weizhouapache added this to the 4.24.0 milestone Jun 29, 2026
@shwstppr

shwstppr commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@vishesh92 can you please have a look if you've further feedback on this?

@weizhouapache can we include this in 4.23.0 milestone?

@potiuk

potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

Thanks @shwstppr. From the ASF Security side this one is through pre-flight:
the model has folded in all of @DaanHoogland's and @vishesh92's review, and
the discovery chain (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md) resolves. The
only outstanding item is optional — a few recurring "not a vuln" patterns from
your security@ triage to strengthen the §11a suppression list (Q37), a
nice-to-have rather than a blocker.

One note for the milestone question: the red check is the test_mm_*_limits
component/integration test, which this docs-only PR doesn't touch — it's
unrelated to these changes, so it shouldn't gate the merge.

No changes requested on our end; happy to see it land in 4.23.0. Once it merges
we're ready on our side.

@DaanHoogland

Copy link
Copy Markdown
Contributor

@vishesh92, cc @shwstppr. Ready for merge (and the new flow of sec issues?)

@potiuk

potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

Thanks DaanHoogland — nothing outstanding on our side, so this is ready to merge whenever you and vishesh92 are happy. All of your and Vishesh's review is folded in, the AGENTS.md → SECURITY.md → THREAT_MODEL.md chain resolves, and the one open item (Q37 — a few recurring "not a vuln" patterns from your security@ triage for the §11a suppression list) is an optional nice-to-have, not a blocker. The red check is the test_mm_*_limits integration test, unrelated to this docs-only PR.

On "the new flow of sec issues" — assuming you mean what happens once this lands: merging completes pre-flight, so CloudStack enters the scan queue at its criticality rank. When the scan runs, the findings come back to your three designated recipients (dahn@, rohit@, vishesh@) verbatim, for the PMC to triage against this very threat model — the §13 disposition table is what turns each finding into VALID / hardening / out-of-model. That's the "new flow." If you meant something else, let me know and I'll point you at the right place.

@shwstppr shwstppr left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DaanHoogland Tbh, at this point I'm not sure how this is to be reviewed or if it is ready for merge.
Maybe the contributors who volunteered to be maintainer should have a closer look. Just running Copilot review would not be enough in my opinion.

I see some issues around - API considered JSON only; in my reading I didn't see it establishes a difference between runtime configs - ConfigKey vs server.properties, hidden configs, etc. Some of the statements about CloudStack internals and worflows were not completely correct in my understanding.

PS: My nudge on the PR was purely to have the process moving.

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md Outdated
@potiuk

potiuk commented Jul 5, 2026

Copy link
Copy Markdown
Member Author

@shwstppr fair question — this one reviews differently from a code PR. A few notes to unstick it:

  • It's docs-only: a single THREAT_MODEL.md plus the AGENTS.md → SECURITY.md wiring. No code path to review, and the red CI is CloudStack's normal code/integration checks, which don't apply to a docs change — safe to ignore here.
  • It's a v0 draft to react to, not a finished document. Every inferred claim is tagged and collected into open questions at the end (§14) — so "reviewing" it is really answering those (confirm / correct / strike) and fixing anything factually wrong for CloudStack. Vishesh already did a solid pass on the global-setting names; that's exactly the shape of review that helps.
  • Copilot / automated review won't say anything useful about a prose threat model — agreed.
  • Merging is the ratification: once it's in, the model is the CloudStack PMC's document, owned and refined in place. It doesn't have to be perfect at merge — just correct enough that the PMC is comfortable it represents the project.

Happy to jump on any specific §14 question if that helps reviewers move.

— Jarek

@DaanHoogland

Copy link
Copy Markdown
Contributor

@shwstppr , at only @vishesh92 , me and now you have reviewed. I would be very happy if we have more involvement, but on the other hand nothing here cannot be adjusted later.

@vishesh92

Copy link
Copy Markdown
Member

It looks good to me. The only thing left is Q37 which is to add more patterns based on the existing security issues to use here.

Comment thread draft-THREAT-MODEL.md Outdated

@shwstppr shwstppr left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for start. We can refine this as we proceed.
Some suggestions from @DaanHoogland can be applied if no objections.

Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Copilot AI review requested due to automatic review settings July 6, 2026 07:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a project-level draft security threat-model document intended to help maintainers and automated security scanners quickly triage findings as in-scope vs out-of-scope for apache/cloudstack.

Changes:

  • Introduces draft-THREAT-MODEL.md describing scope, trust boundaries, adversary model, claimed/non-claimed properties, and triage dispositions.
  • Captures configuration-sensitive security posture details (e.g., Root CA strictness, proxy header verification, integration port exposure).
  • Includes a maintainer Q&A / resolution section intended to ratify or correct inferred claims.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
carry their own delta models.
- **Commit:** `7308dad1` (HEAD of `main` at draft time).
- **Date:** 2026-05-29.
- **Authors:** ASF Security team draft, awaiting CloudStack PMC review.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t see how this is still valid, we can add maintainers but in my view the statsu already was “reviewed”/“approved”, and not “draft". guess it slipped through the cracks.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@potiuk , can you advice?

Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 6, 2026 09:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md
Comment thread draft-THREAT-MODEL.md Outdated
Comment thread draft-THREAT-MODEL.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 6, 2026 10:19

@vishesh92 vishesh92 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. There might be some issues but let's get it merged and we can revisit once we have some output.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.

Comment thread draft-THREAT-MODEL.md
Comment on lines +28 to +32
> models are short *deltas* that inherit §3 / §4 / §7 from this
> document and add only what each satellite uniquely introduces (`§4 B1`
> reachability, the credential file shape, the wrapper-of-SDK contract,
> etc.). The deltas live at `/tmp/claude/cloudstack-<repo>-threat-model-draft.md`.
> The satellite clients' interfaces point **inward** at the management-server
Comment thread draft-THREAT-MODEL.md
Comment on lines +48 to +49
- **Authors:** ASF Security team draft, awaiting CloudStack PMC review.
- **Status:** Draft — under maintainer review.
Comment thread draft-THREAT-MODEL.md
Comment on lines +402 to +403
- CloudStack does not document a maximum signed-API request size; assumed
to be servlet-container default (Jetty / Tomcat) *(inferred — §14 Q21)*.
Comment thread draft-THREAT-MODEL.md
Comment on lines +404 to +406
- API rate limiting is per-account via the global config knobs `api.throttling.*`
*(inferred — §14 Q22)*; an attacker with a valid API key can be rate-
limited at the application layer.
Comment thread draft-THREAT-MODEL.md
Comment on lines +1046 to +1047
**Q21.** API request size cap and cluster/agent RPC payload size cap —
are these explicitly bounded, or "whatever Jetty / NIO defaults give"? **RESOLVED** *(maintainer: DaanHoogland)* — the UI server sets an explicit cap, `org.apache.cloudstack.ServerDaemon.DEFAULT_REQUEST_CONTENT_SIZE = 1048576` (1 MiB); for other components the sizes are capped by the upstream components used. *(maps to §6, §9)*
Comment thread draft-THREAT-MODEL.md
response to this draft; *(inferred)* = synthesized by the producer from
code structure or domain knowledge, awaiting PMC ratification (every
*(inferred)* tag has a matching §14 question).
- **Draft confidence (provenance-tag tally):** 51 *(documented)* / 42
@DaanHoogland DaanHoogland merged commit 4beab94 into apache:main Jul 6, 2026
24 of 27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants