This is the Agenda for the two Monthly CRS Chats.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-02-05, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-02-19. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
Trustwave is now actively seeking to hand over ModSecurity to an open source community. Trustwave is handing over ModSecurity to OWASP. See announcement.
Inside development
Rules
- Slowly working towards CRS v4.
CRS Sandbox
- No news here.
Security
- There is an upcoming ModSecurity release announced later this month.
Plugins
- Development continues
Documentation and Public Relations
- no news
Project Administration and Sponsor relationships
- CRS has closed the financial accounts for 2023 with a small plus.
- CRS GOLD sponsor F5 / NGINX has stopped its commitment and will not sponsor CRS in 2024.
Tools
- Changelog automation is in effect
Testing incl. Seaweed and many future plans
- No news here.
Containers
- New version will be out today, notable changes:
  - Lua support
  - Nginx version updated to 1.25
  - There is a proposal to merge a new version with OpenResty support
CRS Status Page
- No further development since the last meeting.
Project discussions and decisions
- Fix regex patterns that look for multi-byte characters #3325. Discuss the proposed solution to multi-byte character handling.
- CRS v4: 15 open issues: https://github.com/coreruleset/coreruleset/issues?q=is%3Aissue+is%3Aopen+label%3Av4
Rules development, key project numbers
PRs that have been merged since the last meeting
- fix: match non-word-boundary of commands with options #3425
- fix: use stdin to pass PR body to gh CLI #3445
- fix: fix nightly publishing once and for all #3457
- fix: use GH token in nightly script #3452
- fix(ci): set draft option to false in nightly #3448
- chore: verify nightly release state after creation #3446
- chore: changelog updates for 2023-12-24, merged by @airween #3444
- fix: don't use `read` for multiline variables #3440
- docs: Added link to run tests #3438
- chore: debug nightly release #3436
- chore: try to fix draft nightlies by using GH CLI #3434
- chore: changelog updates for 2023-12-19, merged by @dune73 #3433
- fix: fix whitespace matching after PHP command (933160 PL1) #3432
- chore: changelog updates for 2023-12-14, merged by @fzipi #3427
- chore: changelog updates for 2023-12-16, merged by @dune73 #3430
- chore: do not run line linter on .changes-pending.md #3429
- chore: changelog updates for 2023-12-14, merged by @dune73 #3426
- fix: Added missing target name to logdata #3409
- fix: fix PR discovery #3424
- chore: changelog updates for 2023-12-13, merged by @dune73 #3423
- chore: changelog updates for 2023-12-13, merged by @dune73 #3421
- fix: fix formatting of PR body #3422
- fix(941390): add missing javascript `prompt` and `confirm` methods #3395
- fix: type error when writing pending changelog #3420
- fix: reword comment (900300 config) (Christian Folini) #3417
- fix: type error while writing changelog #3418
- chore: improve changelog-pre workflow #3416
- fix: 934130 and 934131 rules #3378
- feat: added new webshells and tests (955100 PL1) (Jozef Sudolski) #3405
- fix: solve false positive by shifting `Field cannot be empty` to PL2 (953100 PL1, 953101 PL2) (Esad Cetiner) #3407
We merged 30 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT or work in progress or needs action
- fix: JSON Unicode reflection for tests #3464
- chore: changelog updates for 2024-01-05, merged by @dune73 #3461
- feat: added unix commands #3465
- feat: Added new method: check for new unlisted tags #3437
- fix: 932236 932237 932239 FP with word settings #3394
- fix: adjust the order of t:urlDecodeUni and t:utf8toUnicode in 941160 PL1 #3450
- feat: auto-sync to coreruleset/documentation #3292
- chore: changelog updates for 2023-12-24, merged by @fzipi #3443
- chore: changelog updates for 2023-12-22, merged by @dune73 #3435
- fix: shift target of encoding checking rule from REQUEST_URI to REQUEST_URI_RAW (920220 PL1) #3410
- fix: fixed tests and descriptions #3201
- fix: Added t:urlDecodeUni for REQUEST_URI / REQUEST_BASENAME checks in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) #3411
- fix: detect MySQL optimizer hints #3431
- Backport v3.2 from v3.3 #3347
- feat: Split Node-Validator keywords functionally #2637
Separate 2nd Meeting (Monday, 2024-01-22)
- Status of ModSec3 release scheduled for today. (-> Solves basic problem of CRS security issue V3E)
- fix: shift target of encoding checking rule from REQUEST_URI to REQUEST_URI_RAW (920220 PL1) #3410
- Only 5 v4 rule issues: https://github.com/coreruleset/coreruleset/issues?q=is%3Aissue+is%3Aopen+label%3Av4 . Let's look at them one by one.
- Security tracker issues: Questionable status of 9KH, R4A, JX9.
- Preparing a release plan
How to get to our slack and join the meeting?
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite
Everybody is welcome to join our community chat.