Security: apache/creadur-rat

SECURITY.md

Security

Apache Creadur RAT (Release Audit Tool) runs as a CLI, an Ant task, or a Maven plugin in the developer's or CI's own process — it is not a network service. It audits a source tree against operator-controlled license and header definitions.

Reporting a Vulnerability

Please report suspected security vulnerabilities privately to the Apache Security Team at security@apache.org, following the ASF vulnerability handling process. Please do not report security issues on public issue trackers or mailing lists.

Known Non-Findings

  • Static analyzers may report XXE_DOCUMENT on RAT's XML/XSLT reading. As of RAT-560 (#679) RAT builds its XML parsers through the hardened StandardXmlFactory, which disables DOCTYPE and external general/parameter entities — so XXE is actively prevented and these reports are false positives against the hardened factory.

    • Defense in depth: the configuration files and XSLT documents RAT reads are operator-controlled configuration, not request input, so the resource names are not attacker-controlled in the first place. Reports asserting SSRF or path traversal via these resolvers (assuming an attacker-controlled resource name) are out of scope under the documented threat model — XML and XSLT authorship, as well as resource configuration, are privileged operations.

    • Applications that thread untrusted input into XML configuration or XSLT documents should still validate that input before passing it to RAT. Responsibility for such validation rests with the application, not with RAT.
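
To illustrate the hardening the bullets above describe, here is an added example (written for this page, not RAT's own StandardXmlFactory; the class name HardenedXmlFactory, the sample documents and the file path in the entity declaration are constructed for the example). It configures JAXP DocumentBuilderFactory and TransformerFactory with DOCTYPE disallowed, external general and parameter entities off, external DTD and stylesheet access closed, and then shows that a document carrying a DOCTYPE is refused before any entity could be resolved, which is why a scanner flagging the parse call is reporting a false positive:

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * HardenedXmlFactory is a hypothetical name for this example, not RAT's StandardXmlFactory.
 * It shows the JAXP settings under which the XXE_DOCUMENT class of findings is a false positive:
 * no DOCTYPE, no external general or parameter entities, no external DTD loading, no XInclude.
 */
public final class HardenedXmlFactory {

    private HardenedXmlFactory() {}

    /** DocumentBuilderFactory with every entity-expansion path switched off. */
    public static DocumentBuilderFactory newDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright is the decisive setting:
        // without a DTD there is nowhere to declare an external entity at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parser implementations that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** TransformerFactory that will not fetch external DTDs or stylesheets while compiling XSLT. */
    public static TransformerFactory newTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means no external access: xsl:import, xsl:include and
        // DTD references in the stylesheet cannot reach the file system or the network.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses an XML string with the hardened builder; a DOCTYPE makes this throw SAXParseException. */
    public static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newDocumentBuilderFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain configuration document parses normally.
        String plain = "<rat-config><license id=\"AL2\"/></rat-config>";
        System.out.println("plain root: " + parse(plain).getDocumentElement().getTagName());

        // Constructed sample: a document that declares an external entity is refused at the
        // DOCTYPE, so the SYSTEM identifier (a placeholder path here) is never opened.
        String withDoctype = "<!DOCTYPE rat-config [<!ENTITY ext SYSTEM \"file:///constructed/not-read\">]>"
                + "<rat-config>&ext;</rat-config>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // The XSLT side is built the same way; compiling a stylesheet through this factory
        // fails if it tries to import or include anything external.
        newTransformerFactory();
    }
}
```

A quick way to confirm a build is actually using the hardened factory is to run the DOCTYPE sample above through the project's real parsing entry point and check that it fails with the "DOCTYPE is disallowed" message rather than resolving the entity; the scanner finding can then be documented as a known non-finding with that evidence attached.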

Threat Model

The full Apache Creadur RAT threat model — scope and intended use, trust boundaries, the security properties RAT provides and disclaims, the adversary model, and known non-findings — is documented in THREAT_MODEL.md. The scope notes above are a summary; THREAT_MODEL.md is the detailed companion.