Skip to content

Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#1073

Closed
potiuk wants to merge 147 commits into
apache:maven-compiler-plugin-3.xfrom
potiuk:asf-security/tm-pointer-3x-2026-07-08
Closed

Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#1073
potiuk wants to merge 147 commits into
apache:maven-compiler-plugin-3.xfrom
potiuk:asf-security/tm-pointer-3x-2026-07-08

Conversation

@potiuk

@potiuk potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member

This is a proposal for the PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainer is the decision-maker.

This adds a small AGENTS.md + SECURITY.md so an automated scan agent can mechanically discover the project's security model via the conventional AGENTS.md → SECURITY.md chain. It points at the Maven family's umbrella threat model, which the PMC merged in apache/maven (THREAT_MODEL.md) — no model content is duplicated here, just the pointer.

Context: the ASF Security team is preparing the Maven repositories for an automated agentic security scan we're piloting. Such scans refuse to run if the model isn't discoverable by that path. Discoverability is the one hard gate; everything else is suggestion.

Doc-only; questions / pushback welcome.

gnodet and others added 30 commits June 25, 2024 00:43
…l` (apache#243)

Co-authored-by: Guillaume Nodet <gnodet@gmail.com>
No need to call System.getPropery with magic names 'path.separator' and 'line.separator'.
Java does that for us and provides friendly methods/fields for them.
Initialize patchModules = new LinkedHashSet with capacity.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Bumps commons-io:commons-io from 2.7 to 2.14.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
apache#271)

* Rewrite the plugin using standard `javax.tools` API instead of Plexus.
Other aspects that are rewritten include incremental build mechanism
and how the overwriting of `module-info.java` in tests is handled.
For details and impact on users, see pull request description at
apache#271

* Temporarily disable the MCOMPILER-346 integration test.
It will be re-enabled after Maven 4.0.0-beta-6 release.

apache/maven#1865

* Remove the replacement of `/` by `\` on the Windows platform in GLOB syntax.
It appears that the GLOB matcher expects `/` even on Windows.

* Add a log at the error level when the compiler threw an exception instead of returning the Boolean `false` value.
Adjust what is the cause and what is the suppressed exception.

* Set the `maven-plugin-testing-harness` version to 4.0.0-beta-2.

* Dummy change for forcing a new CI build.
Bumps org.ow2.asm:asm from 9.7 to 9.7.1.

---
updated-dependencies:
- dependency-name: org.ow2.asm:asm
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Remove version properties for dependencies that are not used.
Revert "Temporarily disable the MCOMPILER-346 integration test."
dependabot Bot and others added 28 commits December 10, 2025 17:19
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.20.0 to 5.21.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.20.0...v5.21.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.21.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.ow2.asm:asm from 9.9 to 9.9.1.

---
updated-dependencies:
- dependency-name: org.ow2.asm:asm
  dependency-version: 9.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bug fixes in the handling of `--patch-module` option for tests and for multi-release projects:

* Fix a compilation errors when a module exists only for a Java version higher than the base version.
* Add the base version in the module path for avoiding recompilation of classes of the base version.
* Determine the modules to patch by scanning the output directory instead of the <source> elements.
* Change dependency collections from List to Deque for efficient prepending/removal operations.
* Enable a test which was previously disabled because of toolchain.
* Remove the hack that consisted in temporarily delete `module-info.class` when overwriting that file.
* Refactor `compile()` method for better readability, with sub-tasks moved to helper methods.
* Add `DirectoryHierarchy` enumeration in replacement of boolean flags.
* Separate the handling of classpath project and modular project cases in two inner classes.
* Refactor `WorkaroundForPatchModule` for making the workaround less intrusive in main code.
---------
Co-authored-by: Gerd Aschemann <gerd@aschemann.net>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 45 to 46.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '46'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 46 to 47.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '47'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Simplify lambdas
* Remove unneeded code
* Javadoc fixes

* Iterable

* typos
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.21.0 to 5.23.0.
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](mockito/mockito@v5.21.0...v5.23.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.ow2.asm:asm from 9.9.1 to 9.10.

---
updated-dependencies:
- dependency-name: org.ow2.asm:asm
  dependency-version: '9.10'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.ow2.asm:asm from 9.10 to 9.10.1.

---
updated-dependencies:
- dependency-name: org.ow2.asm:asm
  dependency-version: 9.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 47 to 48.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '48'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.google.inject:guice](https://github.com/google/guice) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/google/guice/releases)
- [Commits](google/guice@6.0.0...7.0.0)

---
updated-dependencies:
- dependency-name: com.google.inject:guice
  dependency-version: 7.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.codehaus.plexus:plexus-utils](https://github.com/codehaus-plexus/plexus-utils) from 3.0.24 to 3.6.1.
- [Release notes](https://github.com/codehaus-plexus/plexus-utils/releases)
- [Commits](codehaus-plexus/plexus-utils@plexus-utils-3.0.24...plexus-utils-3.6.1)

---
updated-dependencies:
- dependency-name: org.codehaus.plexus:plexus-utils
  dependency-version: 3.6.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 48 to 49.
- [Release notes](https://github.com/apache/maven-parent/releases)
- [Commits](https://github.com/apache/maven-parent/commits)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-plugins
  dependency-version: '49'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…che#1071)

Files.walk() returns a Stream that holds a DirectoryStream handle.
Without try-with-resources, the handle is not released until GC,
which can cause 'Too many open files' errors on projects with
many multi-release version directories.

Fixes apache#1070
@potiuk

potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

Closing — this was opened against the maven-compiler-plugin 3.x branch but the branch was cut from master, so the diff is the whole master↔3.x delta rather than the intended two-file docs pointer. We'll reopen it correctly (branched from the 3.x base, just AGENTS.md + SECURITY.md). Apologies for the noise.

@potiuk potiuk closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.