Monthly Chat Agenda December 2023 (2023-12-04 and 2023-12-18) · Issue #3398 · coreruleset/coreruleset · GitHub

Closed. dune73 opened this issue Nov 30, 2023 · 2 comments

dune73 (Member) commented Nov 30, 2023

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-12-04, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-12-18. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decisions are here.

What happened in the meantime since the chat last month

Outside development

Inside development

Rules

  • Additional tests implemented. We have 80% coverage for PL1 with isolated tests now (see status page)

CRS Sandbox

  • We fixed one problem with the sandbox where the filesystem got full from executions. Cleaning up and adding more disk solved the problem.

Security

  • Project is discussing a security finding. Fix is unclear so far.

Plugins

  • A couple of fixes to WP and NextCloud

Documentation and Public Relations

  • A blog post to counter Open-AppSec's FUD campaign is in the making.

Project Administration and Sponsor relationships

  • Swiss Post signed up as sponsor
  • OWASP changed the payment provider for reimbursements. So far all looks OK for us.

Tools

Testing incl. Seaweed and many future plans

Containers

  • No changes since last meeting.

CRS Status Page

Project discussions and decisions

  • Course of action around security issue V3E (issue documented in private security tracker repo, technical details discussed in private dev channel, discussion about course of action during chat)
  • Discuss improvement of security process (Vulnerability Disclosure Process? Establishing a Security Team?)
  • Define threshold for FPs for CRSv4 (see Quantitative testing: Round 1 of testing and squashing natural language false positives #3392)
  • Backport of fixes in 3.3.5 to 3.2.4.

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 21 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Separate 2nd Meeting (Monday, 2023-12-18)

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

franbuehler (Contributor) commented Dec 4, 2023

Decisions December 4th

OpenCRE:

  • 🔵 Decisions: @airween will write a script for checking the tags we had in v3.3.5 and the ones that changed in v4, probably with the msc_pyparser.

modsecurity-cli:

  • 🔵 Info: This is similar to what @airween has written. But it only supports v3.

ModSecurity community is getting nervous:

  • 🔵 Info: Our response should be: There are efforts coming along the way to see how OWASP can help.

Course of action around security issue V3E:

  • 🔵 Decisions: We will prepare as well as possible (workaround and blog post) and make a new decision at the issue chat meeting in 2 weeks, depending, first, on what the answer looks like and, second, on whether we are ready or not.

Improvement of security process:

Define threshold for FPs for CRSv4:

  • 🔵 Decisions: We're not ready yet to decide on thresholds. But the current/preliminary results can be used to squash FPs right now on a best efforts basis.

Backport of fixes in 3.3.5 to 3.2.4.

  • 🔵 Info: No news

franbuehler (Contributor) commented Dec 18, 2023

Decisions Monday, 2023-12-18

  • 🔵 Decision: Wednesday, June 26, 2024: Official CRS Community Summit in Lisbon, Portugal
  • 🔵 Decision: January meetings: Jan 8 for the chat meeting and Jan 22 for the issue meeting.
  • 🔵 Decision: By vote: the V3E issue will be handled by waiting for the vendor to provide a fix (promised for early 2024)
  • 🔵 Decision: @theMiddleBlue and @theseion will fix the regex issue discovered in fix: fixed tests and descriptions #3201 in a separate PR for v4. The test improvements can be postponed until after v4.0.
