The GitHub Actions job "Build JDO & Run TCK" on db-jdo.git/main has succeeded. Run started by GitHub user mboapache (triggered by mboapache).
Head commit for run:
8673ab0ad1ae0eaf4e1308c6bf0291047a7cd824 / Jarek Potiuk <[email protected]>
Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md) (#127)

* Add security threat model + AGENTS.md -> SECURITY.md -> THREAT_MODEL.md chain

Adds a threat model for Apache JDO (the jdo-api jar), drafted at the JDO PMC's request following the Apache Security team's threat-model rubric, plus a SECURITY.md disclosure pointer and an AGENTS.md that routes vulnerability-research agents through the model (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md).

The model scopes jdo-api as an API-definition library: query (JDOQL/SQL) execution, connection handling, and persistence are the implementation's (e.g. DataNucleus) responsibility and out of scope; jdo-api's own surface is trusted bootstrap configuration (XXE-hardened jdoconfig.xml parsing via disallow-doctype-decl, reflection confined to configured class names) plus the contract / identity / exception types. The TCK and exectck are out of scope.

DRAFT for PMC review: section 14 carries open questions for the maintainers to confirm the inferred trust assumptions.

Generated-by: Claude Opus 4.8 (1M context)

* Update THREAT_MODEL.md

Update status to APPROVED. Resolve questions in section 14.

---------

Co-authored-by: Craig L Russell <[email protected]>

Report URL: https://github.com/apache/db-jdo/actions/runs/27477453944

With regards,
GitHub Actions via GitBox
