Monthly Chat Agenda February 2022 (2022-02-07 and 2022-02-21) Meeting Agenda · Issue #2350 · coreruleset/coreruleset · GitHub

dune73 opened this issue Jan 12, 2022 · 1 comment
Closed

Comments

dune73 commented Jan 12, 2022

This is the Agenda for the Monthly CRS Chat.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-02-07, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-02-21. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Items on the Agenda: (see previous meetings' decisions: here)

What happened in the meantime since the chat last month

Outside development

Plugins

PRs that have been merged since the last meeting

We merged 17 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Dev retreat topics

  • Demo / Sandbox site: Running smoothly, waiting for Bug Bounty
  • Documentation: Making progress, one page at a time
  • Technical Blog Posts: Plugin blog post + blog post about fake-bot-plugin as example published
  • Status page: @fzipi has picked this up again and is now working on a modified go-ftw that would allow testing on the HTTP return code (instead of looking at the logfile)
  • Coraza: Coraza has joined OWASP as a new OWASP project

Other items

Open Issues - Separate Issues Meeting (Monday, 2022-02-21)

Status of issues covered last month

Stats

  • Covered in chat: 8
  • Closed: 4
  • Pending: 4

This month's issues

There are FIXME open issues at the beginning of the issue chat.

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

lifeforms commented Feb 7, 2022

Meeting notes

PRs

  • @emphazer will review Remove negative look behind: update rule 920120 #2371 and Remove negative look behind: clean repository #2372.
  • @airween will review two PRs with backslash removals by xanadu: Backslashes 941330 #2375 and Backslashes 942330 #2376.
  • Another PMA FP #2351 is merged
  • Improve logging in some special cases #2347 won't work with multiple args but is a big improvement and the best we can do with ModSec. We would like some tests. @fzipi will help @azurit with adding tests.
  • Log4j rules: Experimental rule needs improvements to fix some evasions. @theseion will help @dune73 with the advanced regexing.
  • Rule Id: 932150 false positive on time keyword #2044 @franbuehler will help @lifeforms with this long-open FP.
  • @fzipi is officially announced as a new co-lead for the project, which brings us closer to world domination.
  • Technical blog posts: @dune73 worked on fake plugin bot post, auto-decode plugin will be next.
  • Status page: @fzipi is making progress, but needs work on fixing tests, parsing output, and making a script that modifies our tests (ex: if it says no_log_contains, we assume it will be status: [200], and if it says log_contains, then status: [403]). A ticket is incoming.
  • @jptosso will help @theMiddleBlue with a Sandbox problem with the caddy backend.
  • Bug bounty test run: still waiting for the first submission. The run has been extended by a week, bounties increased. Wait and see (there will be a debriefing by Yahoo, which should give us some insight in what is going on).
  • OAuth2 plugin needs to be tested with real data. @lifeforms thinks he can test it in his staging environment.
  • We will talk about @dune73's new proposal for the scoring variable names in the issue meeting in two weeks to give everyone time to read it properly.
  • The workaround for the DOS rules on NGiNX will become part of CRS but as part of the plugin (@RedXanadu is currently moving the rules into a plugin). We could then, for example, create two plugins, one for Apache with the current rules and one for NGiNX with the workaround.
  • Release v4: we should all use the GitHub milestone CRS v4.0.0 to mark open issues and open PRs that we think should make it into the release. Also create new issues for things that should go into the release and haven't been addressed yet.

Issues

Release CRS v4.0.0

  • New stuff has to be merged by early April and afterwards we concentrate on regressions until the release.
  • April meeting is on April 4.
  • April 5 is the feature freeze and from then on all decisions are in the hands of the release manager?
  • @lifeforms is the release manager
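The status-page item in the notes above sketches a script that turns go-ftw log assertions into HTTP status assertions (log_contains becomes status: [403], no_log_contains becomes status: [200]). The following is an added example of that rewrite written for this page; it is not code from go-ftw, from @fzipi's work, or from the CRS repository. It assumes the go-ftw test layout (meta / tests / stages / stage / input / output) and the two status codes named in the notes; the sample test document is constructed for illustration and is not a real CRS test.

```python
"""Rewrite go-ftw test outputs from log assertions to HTTP status assertions.

Added example, not code from go-ftw or the CRS project. It applies the
mapping sketched in the meeting notes: an output block with
`log_contains` becomes `status: [403]` (the rule fired and blocked),
one with `no_log_contains` becomes `status: [200]` (nothing fired).
The document layout (meta / tests / stages / stage / input / output) is
assumed to match go-ftw's YAML test format.
"""
import copy

BLOCKED_STATUS = [403]   # assumed: engine in blocking mode, 403 on block
PASSED_STATUS = [200]    # assumed: backend answers 200 when nothing fires


def rewrite_output(output: dict) -> dict:
    """Return a copy of one stage's `output` mapping with log assertions
    replaced by a status assertion. The log keys are dropped rather than
    kept alongside, because a remote status page cannot read the WAF log."""
    if "log_contains" in output and "no_log_contains" in output:
        raise ValueError("ambiguous output: both log_contains and no_log_contains")
    new = {k: v for k, v in output.items()
           if k not in ("log_contains", "no_log_contains")}
    if "log_contains" in output:
        new["status"] = list(BLOCKED_STATUS)
    elif "no_log_contains" in output:
        new["status"] = list(PASSED_STATUS)
    # an output that already asserts only on status is returned unchanged
    return new


def rewrite_test_file(doc: dict) -> dict:
    """Walk a whole go-ftw test document and rewrite every stage output.
    The input document is not modified; a rewritten deep copy is returned."""
    doc = copy.deepcopy(doc)
    for test in doc.get("tests", []):
        for stage_wrapper in test.get("stages", []):
            stage = stage_wrapper.get("stage", {})
            if "output" in stage:
                stage["output"] = rewrite_output(stage["output"])
    return doc


# Constructed sample in the shape of a CRS go-ftw test (not a real CRS test).
SAMPLE_TEST = {
    "meta": {"author": "example", "enabled": True, "name": "999999.yaml",
             "description": "constructed sample"},
    "tests": [
        {"test_title": "999999-1",
         "stages": [{"stage": {
             "input": {"dest_addr": "127.0.0.1", "port": 80, "method": "GET",
                       "uri": "/?q=attack", "headers": {"Host": "localhost"}},
             "output": {"log_contains": 'id "999999"'}}}]},
        {"test_title": "999999-2",
         "stages": [{"stage": {
             "input": {"dest_addr": "127.0.0.1", "port": 80, "method": "GET",
                       "uri": "/?q=benign", "headers": {"Host": "localhost"}},
             "output": {"no_log_contains": 'id "999999"'}}}]},
    ],
}


def rewritten_sample() -> list:
    """Return the status list each test in the sample ends up with."""
    doc = rewrite_test_file(SAMPLE_TEST)
    return [t["stages"][0]["stage"]["output"]["status"] for t in doc["tests"]]


if __name__ == "__main__":
    try:
        import yaml  # PyYAML, optional: only needed to read/write real files
    except ImportError:
        yaml = None
    if yaml is not None:
        print(yaml.safe_dump(rewrite_test_file(SAMPLE_TEST), sort_keys=False))
    else:
        print(rewritten_sample())  # [[403], [200]]
```

The mapping is only as good as its two assumptions: the sandbox must run in blocking mode with a 403 as the blocking response, and the backend must answer 200 whenever no rule fires. A 403 caused by a different rule than the one named in the original log_contains would still pass the rewritten test, so the status-based run is a coarser check than the log-based one it replaces.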
