Skip to content

Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#317

Closed
potiuk wants to merge 90 commits into
apache:maven-clean-plugin-3.xfrom
potiuk:asf-security/tm-pointer-3x-2026-07-08
Closed

Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#317
potiuk wants to merge 90 commits into
apache:maven-clean-plugin-3.xfrom
potiuk:asf-security/tm-pointer-3x-2026-07-08

Conversation

@potiuk

@potiuk potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member

This is a proposal for the PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainer is the decision-maker.

This adds a small AGENTS.md + SECURITY.md so an automated scan agent can mechanically discover the project's security model via the conventional AGENTS.md → SECURITY.md chain. It points at the Maven family's umbrella threat model, which the PMC merged in apache/maven (THREAT_MODEL.md) — no model content is duplicated here, just the pointer.

Context: the ASF Security team is preparing the Maven repositories for an automated agentic security scan we're piloting. Such scans refuse to run if the model isn't discoverable by that path. Discoverability is the one hard gate; everything else is suggestion.

Doc-only; questions / pushback welcome.

gnodet and others added 30 commits June 24, 2024 17:05
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 42 to 43.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.slf4j:slf4j-simple from 2.0.13 to 2.0.16.

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-simple
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
As we have a beta version on master we need a newer version of Maven which is not installed on jenkins
…ache#65)

* Use Files.createSymbolicLink instead of shelling out
desruisseaux and others added 28 commits May 3, 2025 23:38
…he#243)

Remove the dependency to Plexus, replaced by more reliance on `java.nio`. This commit contains the following work items:

* Replacement of Plexus includes/excludes filters by `java.nio.file.PathMatcher`.
* Use `java.nio.file.FileVisitor` for walking over files and directory trees.
* Changes in some logging messages and exceptions.
* The `IOException` throws by Java is no longer wrapped in another `IOException`.

Pull request: apache#243
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.17.0...v5.18.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.18.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
This commit contains:

* Javadoc adjustments for uniformization before the addition of a new parameter.
* Replacements of <code>...</code> by {@code ...}.
* Replacements of </br> by <p>...</p>
* Addition of a `force` configuration option for deleting read-only files and directories.
* If a file has been deleted concurrently, report that fact as a log instead of considering the delete operation as a failure.
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 44 to 45.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '45'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
also:
- refactor deprecated config
- remove unnecessary jira config

Signed-off-by: Sandra Parsick <sandra@parsick.dev>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.18.0 to 5.19.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.18.0...v5.19.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.19.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.19.0 to 5.20.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.19.0...v5.20.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
… Maven core.

This is in anticipation for possible replacement by a shared implementation.
The intend is to prepare the replacement by a shared implementation.
In the list of directories to delete, include the values specified in the `<targetPath>` child of `<source>` elements.
Remove the `reportDirectory` field because its value (read-only) was identical to `outputDirectory` (also read-only).
Co-authored-by: Moderne <team@moderne.io>
…apache#286)

- Move the `FAST_MODE_*` string constants to an enumeration.
- Move the code for background execution in a separated `BakgroundCleaner` subclass.
- Use `java.util.concurrent.ExecutorService` instead of a thread with our own lifecycle management.
- Add explanation about why a directory may be moved twice (same algorithm as before, just explained).
- Reduce the number of directory levels by one (no need for a directory which will always contain exactly one directory).
- Consolidation of exception handling, including the addition of error reporting at the end.
- Add integration test for "fast-delete" using a non-default directory and complete existing test.
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.20.0 to 5.21.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.20.0...v5.21.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.21.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 45 to 46.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '46'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 46 to 47.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '47'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--

Co-authored-by: Moderne <team@moderne.io>
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.21.0 to 5.23.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.21.0...v5.23.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 47 to 48.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '48'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.slf4j:slf4j-simple from 2.0.17 to 2.0.18.

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-simple
  dependency-version: 2.0.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 48 to 49.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '49'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@potiuk

potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

Closing — this was opened against the maven-clean-plugin 3.x branch but the branch was cut from master, so the diff is the whole master↔3.x delta rather than the intended two-file docs pointer. We'll reopen it correctly (branched from the 3.x base, just AGENTS.md + SECURITY.md). Apologies for the noise.

@potiuk potiuk closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.