Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#1073
Closed
potiuk wants to merge 147 commits into
Closed
Add AGENTS.md + SECURITY.md security-model pointer for scanner discoverability#1073potiuk wants to merge 147 commits into
potiuk wants to merge 147 commits into
Conversation
…l` (apache#243) Co-authored-by: Guillaume Nodet <gnodet@gmail.com>
…Timestamp is empty (apache#244)
No need to call System.getPropery with magic names 'path.separator' and 'line.separator'. Java does that for us and provides friendly methods/fields for them.
Initialize patchModules = new LinkedHashSet with capacity. Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Bumps commons-io:commons-io from 2.7 to 2.14.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
apache#271) * Rewrite the plugin using standard `javax.tools` API instead of Plexus. Other aspects that are rewritten include incremental build mechanism and how the overwriting of `module-info.java` in tests is handled. For details and impact on users, see pull request description at apache#271 * Temporarily disable the MCOMPILER-346 integration test. It will be re-enabled after Maven 4.0.0-beta-6 release. apache/maven#1865 * Remove the replacement of `/` by `\` on the Windows platform in GLOB syntax. It appears that the GLOB matcher expects `/` even on Windows. * Add a log at the error level when the compiler threw an exception instead of returning the Boolean `false` value. Adjust what is the cause and what is the suppressed exception. * Set the `maven-plugin-testing-harness` version to 4.0.0-beta-2. * Dummy change for forcing a new CI build.
Bumps org.ow2.asm:asm from 9.7 to 9.7.1. --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Remove version properties for dependencies that are not used. Revert "Temporarily disable the MCOMPILER-346 integration test."
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.20.0 to 5.21.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.20.0...v5.21.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.21.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.ow2.asm:asm from 9.9 to 9.9.1. --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-version: 9.9.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bug fixes in the handling of `--patch-module` option for tests and for multi-release projects: * Fix a compilation errors when a module exists only for a Java version higher than the base version. * Add the base version in the module path for avoiding recompilation of classes of the base version. * Determine the modules to patch by scanning the output directory instead of the <source> elements. * Change dependency collections from List to Deque for efficient prepending/removal operations. * Enable a test which was previously disabled because of toolchain. * Remove the hack that consisted in temporarily delete `module-info.class` when overwriting that file. * Refactor `compile()` method for better readability, with sub-tasks moved to helper methods. * Add `DirectoryHierarchy` enumeration in replacement of boolean flags. * Separate the handling of classpath project and modular project cases in two inner classes. * Refactor `WorkaroundForPatchModule` for making the workaround less intrusive in main code. --------- Co-authored-by: Gerd Aschemann <gerd@aschemann.net> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 45 to 46. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '46' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 46 to 47. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '47' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Simplify lambdas
* Remove unneeded code
* Javadoc fixes * Iterable * typos
Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.21.0 to 5.23.0. - [Release notes](https://github.com/mockito/mockito/releases) - [Commits](mockito/mockito@v5.21.0...v5.23.0) --- updated-dependencies: - dependency-name: org.mockito:mockito-core dependency-version: 5.23.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.ow2.asm:asm from 9.9.1 to 9.10. --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-version: '9.10' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.ow2.asm:asm from 9.10 to 9.10.1. --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-version: 9.10.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 47 to 48. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '48' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.google.inject:guice](https://github.com/google/guice) from 6.0.0 to 7.0.0. - [Release notes](https://github.com/google/guice/releases) - [Commits](google/guice@6.0.0...7.0.0) --- updated-dependencies: - dependency-name: com.google.inject:guice dependency-version: 7.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.codehaus.plexus:plexus-utils](https://github.com/codehaus-plexus/plexus-utils) from 3.0.24 to 3.6.1. - [Release notes](https://github.com/codehaus-plexus/plexus-utils/releases) - [Commits](codehaus-plexus/plexus-utils@plexus-utils-3.0.24...plexus-utils-3.6.1) --- updated-dependencies: - dependency-name: org.codehaus.plexus:plexus-utils dependency-version: 3.6.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.maven.plugins:maven-plugins](https://github.com/apache/maven-parent) from 48 to 49. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-plugins dependency-version: '49' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…che#1071) Files.walk() returns a Stream that holds a DirectoryStream handle. Without try-with-resources, the handle is not released until GC, which can cause 'Too many open files' errors on projects with many multi-release version directories. Fixes apache#1070
…erability Generated-by: Claude Code
Member
Author
|
Closing — this was opened against the maven-compiler-plugin 3.x branch but the branch was cut from master, so the diff is the whole master↔3.x delta rather than the intended two-file docs pointer. We'll reopen it correctly (branched from the 3.x base, just AGENTS.md + SECURITY.md). Apologies for the noise. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a proposal for the PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainer is the decision-maker.
This adds a small
AGENTS.md+SECURITY.mdso an automated scan agent can mechanically discover the project's security model via the conventionalAGENTS.md → SECURITY.mdchain. It points at the Maven family's umbrella threat model, which the PMC merged inapache/maven(THREAT_MODEL.md) — no model content is duplicated here, just the pointer.Context: the ASF Security team is preparing the Maven repositories for an automated agentic security scan we're piloting. Such scans refuse to run if the model isn't discoverable by that path. Discoverability is the one hard gate; everything else is suggestion.
Doc-only; questions / pushback welcome.