8000 Monthly Chat Agenda March 2023 (2023-03-06 and 2022-03-20) · Issue #3039 · coreruleset/coreruleset · GitHub

Monthly Chat Agenda March 2023 (2023-03-06 and 2022-03-20) #3039


Closed
dune73 opened this issue Nov 30, 2022 · 2 comments

@dune73
Member
dune73 commented Nov 30, 2022

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-03-06, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-03-20. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decisions are here.

What happened in the meantime since the chat last month

Outside development

  • 🇮🇪 The CRS Community Summit took place in Dublin and was a success. 15 CRS developers, users, and interested parties attended a day of CRS-related talks. The videos are available at https://www.youtube.com/@owaspmodsecuritycoreruleset; a blog post is in the making.
  • 🌍 OWASP Global AppSec Dublin 2023 also took place, with several project members in attendance.
    Note that OWASP has officially changed its name (the W has changed from Web to Worldwide).
  • Commercial ModSecurity integrator Atomicorp hosted an online conference. The videos have been published at https://atomicorp.wistia.com/projects/rkpj16lgce

Inside development

Rules

  • FIXME: Please fill in

CRS Sandbox

  • fix sandbox bot (update, status)
  • add response header x-crs-last-commit with the last commit hash

CRS Bug Bounty and Security

  • All Bug Bounty findings addressed, everything blocked at PL2 (with very few won't-fix items).
  • We're currently tracking 4 security reports in our private repo.

Plugins

  • added test infrastructure and a couple of tests to the nextcloud plugin
  • fixed some setup issues with plugin tests

Documentation and Public Relations

  • 📜 New blog post published: A new rule to prevent SQL in JSON
    Covers our new rule 942550 which combats the recent JSON SQL syntax problem.
  • regex-assembly documentation has been updated.
  • Website (which includes documentation) updated with new OWASP name: Web -> Worldwide.
  • Issue templates have been updated. They ask for example curl requests to reproduce the problem now.

Project Administration and Sponsor relationships

  • No news to report other than OWASP is currently paying out CRS reimbursement requests for the dev retreat last year

Tools

  • work started on separating test specification from the test runner; this will allow us to evolve the test format and have proper versioning
  • crs-toolchain no longer includes any patterns that end up in the output (except for some internal fixups). Instead, patterns such as those used by the cmdline processors are read from the toolchain.yaml configuration file.

Testing incl. Seaweed and many future plans

  • Seaweed: we detached the repo and fixed CI runs by upgrading the nuclei version.

Containers

  • Latest version published with tag ending in 202303020603 now creates a new certificate (if it doesn't exist) dynamically each time you start the container. This fixes the long-standing problem of shipping the certificate baked into the image.

CRS Status Page

  • No news to report. Waiting for CRS v4 until we pick this up for real.

Project Decisions

  • FIXME: Please fill in

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 16 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Open issues and PRs

  • As of Monday, we have 101 open issues.
  • As of Monday, we have 16 open pull requests.

Agenda for Monthly meeting

Separate 2nd Meeting (Monday, 2023-03-20)

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.

Everybody is welcome to join our community chat.

@franbuehler
Contributor
franbuehler commented Mar 6, 2023

Decisions March 6

@franbuehler
Contributor
franbuehler commented Mar 20, 2023

Decisions March 20

  • Plugins may need to be able to hook into any of the rules files #3154: we agree on the pragmatic approach: wait for 4.1 and for now set it in the plugin: setvar:'tx.allowed_methods=%{tx.allowed_methods} GET POST OPTIONS HEAD PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH SEARCH UNLOCK REPORT TRACE jsonp'. The arguments for this are:
    • it's easy to do
    • we gain more time
    • it shouldn't happen often
  • Slack message from @jcchavezs: Hello CRSers, could something like https://github.com/jcchavezs/coraza-httpbin replace the CRS playground? It is httpbin with coraza as reverse proxy.
    • Andrea and Max will bring this as a new backend in our sandbox, probably this week.
    • This brings us Coraza back as a backend.
