Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

dune73 · 2023-08-08T09:22:03Z

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18)

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-09-04, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-09-18. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happend in the meantime since the chat last month

Outside development

25min Youtube video bypassing CRS, quite instructional Bypass visible from 13:00
Paper: Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning
OWASP Coraza WAF CVE-2023-40586 - update to at least Coraza 3.0.1 (current stable is 3.0.3)

Inside development

Rules

Only a handful of rule fixes / keyword list updates remain for CRS v4 release candiate, but we have a hard time solving them

CRS Sandbox

See discussion about supported version below

Security

2 open security items. None of them is new.

Plugins

FIXME: Please fill in

Documentation and Public Relations

📝 The project to rework the INSTALL documentation carries on slowly.
Blocked dev portraits are being finished as we speak
Draft project renaming document is being overhauled before presentation to devs
🔁 A welcome proposal to sync the 'Contributing Guidelines' across repos using GitHub actions feat: auto-sync to coreruleset/documentation #3292.

Project Administration and Sponsor relationships

Dev Retreat in Budapest (Nov 5 - Nov 12) preparations are coming along. Participants number around the same size.
One SILVER sponsor upgraded to GOLD, other sponsor talks are dragging along
Renewal talks are happening with existing sponsors

Tools

FIXME: Please fill in

Testing incl. Seaweed and many future plans

Performance testing project for GSoC 2023 finished and integrated at https://github.com/coreruleset/rules-performance-tests
Blog post explaining the new tool set is in the making

Containers

Released container with CRS version 3.3.5.

CRS Status Page

Postponed until after CRSv4.

Project discussions and decisions

CRS sandbox: Working with version numbers: unclear behavior, non-documented features etc. (Also https://github.com/coreruleset/crs-sandbox/issues/67)
We should discuss the issue #3288 ("Rule 932260 false positive with "scheduledAt" keyword")
The complex of PRs and issues around curl and wget are matched in User-Agent header #3189, fix: exclude well known user agents from unix commands #3190 and feat: update word list for 932232 #3276.
Prepare dev retreat topics

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 4 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Open issues and PRs

As of Monday, we have 111 open issues.
As of Monday, we have 11 open pull requests.

Separate 2nd Meeting (Monday, 2023-09-17)

False positives with 953100 #3304 - Do we want to fix this FP in general or do we add this fix to the new Roundcube exclusion plugin only?
Move DoS rules to plugin #2373 - initcol actions must run before plugin configuration
fix: change order of base64decode in NODEJS Attack #3184 - base64decode woes. We should take over the PR. Should we use t:jsDecode on all Javascript rules or just Node.js rules?
Dependencies for issues and PRs

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

franbuehler · 2023-09-04T13:23:51Z

Decisions September 4th

⏳ CRS sandbox: Working with version numbers: unclear behavior, non-documented features etc. (Also https://github.com/coreruleset/crs-sandbox/issues/67)

🔵 Decision: @theMiddleBlue self assigned the linked issue and will implement this in the next few weeks.

📝 Issue #3288 ("Rule 932260 false positive with "scheduledAt" keyword")

🔵 Decisions:
- Any PR for this issue should wait until feat: update word list for 932232 #3276 has been merged.
- @RedXanadu will provide a PR that @dune73 will review.

❓ The complex of PRs and issues around #3189, #3190 and #3276.

🔵 Decisions:
- fix: exclude well known user agents from unix commands #3190 will be dropped in favor of the other PRs.
- @theseion will finish his work on feat: update word list for 932232 #3276.
- @franbuehler will provide the include-except PR discussed in curl and wget are matched in User-Agent header #3189.

🎉 Prepare dev retreat topics

🔵 Decisions:
- Prepared Wiki page for topics is: https://github.com/coreruleset/coreruleset/wiki/Dev-Retreat-2023-Topics.
- Everyone should add topics and/or comment the proposals and indicate his or her preferences.
- A commitee will decide on the final topics.

franbuehler · 2023-09-18T18:51:41Z

Decisions September 18th

🎉 We merged a huge PR by @theseion today: #3276

💻 CRS v4.0

🔵 Decisions:
- We would like to do a feature freeze at the end of the month (Sep 30) and to try to do RC2 in Mid-October. Full release before the retreat is probably too aggressive. But maybe November.
- We'll use the label v4 to mark issues or PRs that should go into this major release.

❕ #3304 - Do we want to fix this FP in general or do we add this fix to the new Roundcube exclusion plugin only?

🔵 Decision: We decided to fix this in general and we asked the reporter to open a PR. Here would be the place to put the exclusion: rules/php-errors-pl2.data.

⌚ #2373 - `initcol` actions must run before plugin configuration

Problem: The rules in the *-config.conf and *-before.confg files are read before 901-INITIALIZATION. DoS rules should run and to block as early as possible -> *-after would be stupid.
🔵 Decision: @theseion with help of @dune73 and @airween will try to check for initcol. If the collection is initialized by the plugin -> remove the 901 rule via ctl statement and do initcol yourself.

👩‍💻 #3184 - base64decode woes. We should take over the PR. Should we use `t:jsDecode` on all Javascript rules or just Node.js rules?

🔵 Decision: @RedXanadu will work on this, sort it out and maybe provide some performance numbers (we're not sure if this has a performance impact). @theseion will help with JS.

📦 Dependencies for issues and PRs

🔵 Info by Max: In PRs you can now create dependencies. A dependency means that an additional merge check will prevent merges until the dependency has been resolved. To declare a dependency you have to mention it in the PR description (aka the first comment). For example depends on #4. The link can point to either a PR or an issue, so PRs can be dependent on issues. This also works when the dependency is added later by editing the PR description.

3 additional infos:

OWASP published the candidates for the board elections in October. OWASP members should execute their right to vote.
We have 2 drafts for the release poster. We'll share with devs once it's a reasonable quality.
Info by @airween: We have approximately two weeks to finalise number of participants in Budapest retreat. 5th of October is the last date when we can modify the number. After that we lost some money if we decrease the amount, but we can increase it later.

dune73 added the 🔖 Meeting Agenda label Aug 8, 2023

dune73 changed the title ~~Monthly Chat Agenda September 2023 (2023-09-03 and 2023-09-17)~~ Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) Sep 3, 2023

M4tteoP mentioned this issue Sep 18, 2023

fix: moves FP prone phrase file size is to PL2 #3314

Merged

franbuehler closed this as completed Oct 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

Uh oh!

Uh oh!

Uh oh!

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18) #3279

Comments

Uh oh!

Monthly Chat Agenda September 2023 (2023-09-04 and 2023-09-18)

What happend in the meantime since the chat last month

Outside development

Inside development

Rules

CRS Sandbox

Security

Plugins

Documentation and Public Relations

Project Administration and Sponsor relationships

Tools

Testing incl. Seaweed and many future plans

Containers

CRS Status Page

Project discussions and decisions

Rules development, key project numbers

PRs that have been merged since the last meeting

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Open issues and PRs

Separate 2nd Meeting (Monday, 2023-09-17)

How to get to our slack and join the meeting?

Uh oh!

Decisions September 4th

⏳ CRS sandbox: Working with version numbers: unclear behavior, non-documented features etc. (Also https://github.com/coreruleset/crs-sandbox/issues/67)

📝 Issue #3288 ("Rule 932260 false positive with "scheduledAt" keyword")

❓ The complex of PRs and issues around #3189, #3190 and #3276.

🎉 Prepare dev retreat topics

Uh oh!

Uh oh!

Decisions September 18th

🎉 We merged a huge PR by @theseion today: #3276

💻 CRS v4.0

❕ #3304 - Do we want to fix this FP in general or do we add this fix to the new Roundcube exclusion plugin only?

⌚ #2373 - initcol actions must run before plugin configuration

👩‍💻 #3184 - base64decode woes. We should take over the PR. Should we use t:jsDecode on all Javascript rules or just Node.js rules?

📦 Dependencies for issues and PRs

3 additional infos:

Uh oh!

⌚ #2373 - `initcol` actions must run before plugin configuration

👩‍💻 #3184 - base64decode woes. We should take over the PR. Should we use `t:jsDecode` on all Javascript rules or just Node.js rules?