Apache Creadur RAT (Release Audit Tool) runs as a CLI, an Ant task, or a Maven plugin in the developer's or CI's own process — it is not a network service. It audits a source tree against operator-controlled license and header definitions.
Please report suspected security vulnerabilities privately to the Apache Security Team at security@apache.org, following the ASF vulnerability handling process. Please do not report security issues on public issue trackers or mailing lists.
Static analyzers may report XXE_DOCUMENT on RAT's XML/XSLT reading. As of RAT-560 (#679), RAT builds its XML parsers through the hardened StandardXmlFactory, which disables DOCTYPE declarations and external general/parameter entities, so XXE is actively prevented and these reports are false positives against the hardened factory. The finding would only be real for a parser instantiated somewhere other than through that factory; a parser obtained from it cannot load a DTD or resolve an external entity at all.
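The following is an added example, not code from RAT and not its StandardXmlFactory (whose source is not shown on this page). It shows the JAXP settings that produce the behaviour described above, DOCTYPE disallowed and external general/parameter entities disabled, beside the JDK default factory, and exercises both against a constructed XXE payload so the difference is visible. It assumes the JDK's built-in Xerces and Xalan implementations (those are what support the feature URIs and XMLConstants attributes used); the class name, method names and payload are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample payload (not taken from any real RAT config): the DOCTYPE
    // declares an external general entity pointing at a local file, which an
    // unhardened parser will try to read and splice into the document text.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [<!ENTITY leak SYSTEM \"file:///etc/hostname\">]>\n"
      + "<rat-config><license>&leak;</license></rat-config>";

    // Hardened DOM factory in the style the text describes. disallow-doctype-decl
    // rejects any DOCTYPE before entities are even declared; the entity features are
    // a second layer in case a DOCTYPE ever gets through. setFeature throws
    // ParserConfigurationException on an implementation that lacks a feature, which
    // is the right failure mode: never silently fall back to an unhardened parser.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Same idea for XSLT: an empty protocol list forbids external DTDs and external
    // stylesheet imports/includes and document() calls during transformation.
    static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Parses the payload with the given factory and reports what happened:
    // REJECTED (DOCTYPE refused, the hardened outcome), ENTITY_EXPANDED (file content
    // leaked into the document), or FETCH_ATTEMPTED (the parser reached for the file
    // but it was not readable; still an XXE, just a failed one).
    static String probe(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "ENTITY_EXPANDED: " + doc.getDocumentElement().getTextContent().trim();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        } catch (IOException e) {
            return "FETCH_ATTEMPTED: " + e.getMessage();
        } catch (SAXException e) {
            return "PARSE_ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default JDK factory: DOCTYPE accepted, external entity resolution attempted.
        System.out.println("default : " + probe(DocumentBuilderFactory.newInstance(), XXE_PAYLOAD));
        // Hardened factory: fails fast on the DOCTYPE, before any entity is touched.
        System.out.println("hardened: " + probe(hardenedDocumentBuilderFactory(), XXE_PAYLOAD));
        // The transformer factory is built the same way; shown here for completeness.
        hardenedTransformerFactory();
    }
}
```

Run it with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The default line prints either the leaked file content or a FileNotFoundException, depending on whether /etc/hostname exists on the host; the hardened line prints the Xerces "DOCTYPE is disallowed" message. A static analyzer flagging `db.parse(...)` sees only the call site, which is why the setting on the factory, not the presence of the call, decides whether XXE_DOCUMENT is a real finding.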
Defense in depth: the configuration files and XSLT documents RAT reads are operator-controlled configuration, not request input, so the resource names handed to the resolvers RAT uses to load them are not attacker-controlled in the first place. Reports asserting SSRF or path traversal via those resolvers (which presuppose an attacker-controlled resource name) are out of scope under the documented threat model: XML and XSLT authorship, as well as resource configuration, are privileged operations.
Applications that feed untrusted input into the XML configuration or XSLT documents they hand to RAT should still validate that input first. Responsibility for such validation rests with the application, not with RAT.
The full Apache Creadur RAT threat model — scope and intended use, trust boundaries, the security properties RAT provides and disclaims, the adversary model, and known non-findings — is documented in THREAT_MODEL.md. The scope notes above are a summary; THREAT_MODEL.md is the detailed companion.