Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#317
Closed
potiuk wants to merge 90 commits into
Closed
Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#317potiuk wants to merge 90 commits into
potiuk wants to merge 90 commits into
Conversation
* Clean up assertions
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 42 to 43. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.slf4j:slf4j-simple from 2.0.13 to 2.0.16. --- updated-dependencies: - dependency-name: org.slf4j:slf4j-simple dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
As we have a beta version on master we need a newer version of Maven which is not installed on jenkins
…ache#65) * Use Files.createSymbolicLink instead of shelling out
…he#243) Remove the dependency to Plexus, replaced by more reliance on `java.nio`. This commit contains the following work items: * Replacement of Plexus includes/excludes filters by `java.nio.file.PathMatcher`. * Use `java.nio.file.FileVisitor` for walking over files and directory trees. * Changes in some logging messages and exceptions. * The `IOException` throws by Java is no longer wrapped in another `IOException`. Pull request: apache#243
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.17.0 to 5.18.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.17.0...v5.18.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.18.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
This commit contains:
* Javadoc adjustments for uniformization before the addition of a new parameter.
* Replacements of <code>...</code> by {@code ...}.
* Replacements of </br> by <p>...</p>
* Addition of a `force` configuration option for deleting read-only files and directories.
* If a file has been deleted concurrently, report that fact as a log instead of considering the delete operation as a failure.
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 44 to 45. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '45' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
also: - refactor deprecated config - remove unnecessary jira config Signed-off-by: Sandra Parsick <sandra@parsick.dev>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.18.0 to 5.19.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.18.0...v5.19.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.19.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.19.0 to 5.20.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.19.0...v5.20.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.20.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
… Maven core. This is in anticipation for possible replacement by a shared implementation.
The intend is to prepare the replacement by a shared implementation.
In the list of directories to delete, include the values specified in the `<targetPath>` child of `<source>` elements. Remove the `reportDirectory` field because its value (read-only) was identical to `outputDirectory` (also read-only).
Co-authored-by: Moderne <team@moderne.io>
…apache#286) - Move the `FAST_MODE_*` string constants to an enumeration. - Move the code for background execution in a separated `BakgroundCleaner` subclass. - Use `java.util.concurrent.ExecutorService` instead of a thread with our own lifecycle management. - Add explanation about why a directory may be moved twice (same algorithm as before, just explained). - Reduce the number of directory levels by one (no need for a directory which will always contain exactly one directory). - Consolidation of exception handling, including the addition of error reporting at the end. - Add integration test for "fast-delete" using a non-default directory and complete existing test.
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.20.0 to 5.21.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.20.0...v5.21.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.21.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 45 to 46. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '46' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 46 to 47. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '47' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-- Co-authored-by: Moderne <team@moderne.io>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.21.0 to 5.23.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.21.0...v5.23.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.23.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 47 to 48. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '48' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.slf4j:slf4j-simple from 2.0.17 to 2.0.18. --- updated-dependencies: - dependency-name: org.slf4j:slf4j-simple dependency-version: 2.0.18 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 48 to 49. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '49' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…erability Generated-by: Claude Code
Member
Author
|
Closing — this was opened against the maven-clean-plugin 3.x branch but the branch was cut from master, so the diff is the whole master↔3.x delta rather than the intended two-file docs pointer. We'll reopen it correctly (branched from the 3.x base, just AGENTS.md + SECURITY.md). Apologies for the noise. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a proposal for the PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainer is the decision-maker.
This adds a small
AGENTS.md+SECURITY.mdso an automated scan agent can mechanically discover the project's security model via the conventionalAGENTS.md → SECURITY.mdchain. It points at the Maven family's umbrella threat model, which the PMC merged inapache/maven(THREAT_MODEL.md) — no model content is duplicated here, just the pointer.Context: the ASF Security team is preparing the Maven repositories for an automated agentic security scan we're piloting. Such scans refuse to run if the model isn't discoverable by that path. Discoverability is the one hard gate; everything else is suggestion.
Doc-only; questions / pushback welcome.