Dev Retreat 2023 Topics · coreruleset/coreruleset Wiki · GitHub

Dev Retreat 2023 Topics

Christian Folini edited this page Nov 12, 2023 · 90 revisions

Retreat Info

See separate page at https://github.com/coreruleset/coreruleset/wiki/Dev-Retreat-2023

Selected Topics

  • Weeklong Project #1: Quantitative Testing
  • Weeklong Project #2: Platform Specific Testing
  • Weeklong Project #3: Status Page
  • Weeklong Project #4: Cyclomatic Complexity
  • Workshop / Discussion #1: Sunday afternoon, late: Arrival, ModSec EOL, Coraza, dev retreat projects, Sponsoring and everything (preparation of roadmap discussion)
  • Workshop / Discussion #2: Monday afternoon, early: Roadmap discussion, subproject review
  • Workshop / Discussion #3: Monday afternoon, late: Whatever we discussed here
  • Workshop / Discussion #4: Wednesday afternoon, early: Renaming the project
  • Workshop / Discussion #5: Wednesday afternoon, late: crs-toolchain, maybe GitHub workflow
  • Workshop / Discussion #6: Thursday afternoon, early: Performance testing framework
  • Workshop / Discussion #7: Thursday afternoon, late: Untangle bug that is stuck on the tags, ID question (performance impact; CRSv4 showstopper)
  • Workshop / Discussion #8: Saturday afternoon, early: GSoC 2024
  • Workshop / Discussion #9: Saturday afternoon, late: Dev Retreat 2024

Freeform list of topics we want to address

Weeklong Projects

  • Project: CRS Status Page 👍 @airween, 👍 @dune73, 👍 @franbuehler, 👍 @redxanadu

    • Finish writing the tests, including for any new rules added since last year! (Issue: #2953)
    • Website, branding?
  • Project: Quantitative approach to false positives by testing rules (transformations + operator (regex, parallel match, etc.)) against large bodies of examples of natural language, e.g. Wikipedia, Reddit, news articles (example corpora: https://wortschatz.uni-leipzig.de/en/download), with tangible results before we bring out CRSv4 - 👍 @theseion, 👍 @airween, 👍 @dune73, 👍 @m4tteoP, 👍 @franbuehler, 👍 @themiddle, 👍 @redxanadu
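As an added illustration of the measurement this project describes (not code from the CRS project), the script below applies each rule's transformation chain and then its regex to every line of a corpus and reports how many lines each rule would flag. The corpus lines, the rule IDs 900001-900003 and the patterns are all constructed for the example; they are not CRS rules or real corpus data.

```python
import re
from dataclasses import dataclass

# Constructed corpus lines standing in for sentences from a natural-language
# corpus (e.g. a Wortschatz download). Not real corpus data.
CORPUS = [
    "Select the best option from the menu and order it.",
    "The union of the two sets is larger than either.",
    "We went to the park yesterday and it rained.",
    "Drop   table scraps into the bin, please.",
    "Chris said: select * from users where id = 1",
]

# Transformation functions in the spirit of ModSecurity's t:lowercase and
# t:compressWhitespace (hypothetical reimplementations for this example).
TRANSFORMS = {
    "lowercase": str.lower,
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}


def apply_transforms(value, chain):
    """Apply the named transformations in order, as a rule's t: chain would."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical ID, not a CRS rule number
    transforms: tuple   # transformation chain applied before the operator
    pattern: str        # @rx operator argument (constructed for illustration)


RULES = [
    # A loose pattern: any "select ... from" in lowercase text.
    Rule("900001", ("lowercase",), r"\bselect\b.*\bfrom\b"),
    # A tighter variant that also requires a '*' between the keywords.
    Rule("900002", ("lowercase",), r"\bselect\b[\s\S]*?\*[\s\S]*?\bfrom\b"),
    # Whitespace is normalised first, then the two-word phrase is matched.
    Rule("900003", ("lowercase", "compressWhitespace"), r"\bdrop table\b"),
]


def false_positive_report(rules, corpus):
    """Return {rule_id: (hits, rate, examples)}: how many corpus lines the rule
    matches after its transformation chain, that count as a fraction of the
    corpus, and up to three matching lines for manual review."""
    report = {}
    for rule in rules:
        rx = re.compile(rule.pattern)
        matched = [line for line in corpus
                   if rx.search(apply_transforms(line, rule.transforms))]
        report[rule.rule_id] = (len(matched), len(matched) / len(corpus), matched[:3])
    return report


if __name__ == "__main__":
    for rid, (hits, rate, examples) in false_positive_report(RULES, CORPUS).items():
        print(f"rule {rid}: {hits} hits ({rate:.1%})")
        for line in examples:
            print("   ", line)
```

Run against a real corpus, the interesting output is the difference between 900001 and 900002: the tighter pattern flags only the line that actually looks like SQL, which is the kind of evidence the project wants before a rule ships in CRSv4.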

  • Project: Bringing the ModSecurity v3 + Nginx tests up to the same level as the ModSecurity v2 + Apache tests, so we can enable them for the automated GitHub testing. - 👍 @theseion, 👍 @airween, 👍 @m4tteoP, 👍 @franbuehler, 👍 @themiddle, 👍 @redxanadu (together with Coraza?)

  • Project: One parser to rule them all. A single parser that pools our efforts and can be used from multiple programming languages is feasible. 👍 @airween, 👍 @fzipi, 👍 @themiddle -> transformed into a discussion, see below

  • Project: Adding a Coraza container option to https://github.com/coreruleset/modsecurity-crs-docker - 👍 @theseion 👍 @fzipi, 👍 @m4tteoP, 👍 @franbuehler

  • Project: Incorporating the Cyclomatic Complexity score into all rules, based on the number of variables, the type of operators used, the count of transformation functions, as well as the quantity of ctl and setvar operations and chain occurrences. 👍 @airween, 👍 @themiddle

  • Project: Sandbox GitHub bot: adding a sandbox feature that creates a backend based on a PR just by adding a specific tag on GitHub

  • Project: Sandbox on Lambda: replacing OpenResty as the Sandbox front-end with an AWS Lambda function. -> Transformed into a discussion; see below.

  • Project: Testing: enhancing the FTW testing language. Discussion about features we want to support more engines/use cases. 👍 @fzipi (moved into Platform Specific Testing)

Workshops / Discussions

  • Discussion: Renaming the project: 👍 @dune73, 👍 @theseion, 👍 @franbuehler, 👍 @themiddle, 👍 @redxanadu, 👍 @m4tteoP

  • Workshop: Try out the GSoC performance testing framework - 👍 @theseion, 👍 @airween, 👍 @dune73, 👍 @m4tteoP, 👍 @franbuehler

  • Discussion: ModSecurity EOL in July 2024: Status and plans 👍 @airween, 👍 @franbuehler, 👍 @themiddle, 👍 @redxanadu

  • Discussion: Roadmap discussion, short release cycles, subproject review 👍 @dune73 👍 @fzipi, 👍 @franbuehler, 👍 @redxanadu

  • Discussion: Performance boosts by disabling many rules by tag. More tags = more overhead (more regex execution)? Is this an acceptably small performance hit? How should we use tags: should we document "users must not re-use CRS tags because CRS may disable entire tag categories"? Should we limit that certain tags must only be used within certain files, and enforce this with the linter? - 👍 @theseion, 👍 @airween, 👍 @themiddle, 👍 @redxanadu

  • Workshop: crs-toolchain update: 👍 @airween, 👍 @dune73, 👍 @redxanadu

    • What are the new features and how do you use them?
    • Review/walkthrough of constructs like 'unix-shell-upto3' etc. so we all understand what they mean and how they work, for when writing and updating rules etc.
  • Workshop: Walkthrough of all the GitHub Lang / GitHub Workflow / Actions we use on the CRS repo. Plus discussion of how we can document these for the knowledge/awareness of all CRS devs. 👍 @airween, 👍 @franbuehler, 👍 @redxanadu

  • Discussion: Come up with a plan to address updating lists 👍 @fzipi, 👍 @franbuehler

  • Discussion: Policy or at least advice and guide when and how to do plugin releases (see monthly meeting Aug 2023) - 👍 @theseion, 👍 @airween

  • Discussion / ideas board: Google Summer of Code: Potential project ideas etc. so we're slightly more ready for GSoC 2024 👍 @dune73 👍 @fzipi

  • Discussion: Engine optimized rules - chat 👍 @airween 👍 @fzipi

  • Discussion: Come up with a plan to address old and stale issues (see monthly meeting Aug 2023) 👍 @dune73

  • Discussion: Review Project organization into sub-projects 👍 @airween

  • Workshop: ‘Unix command’ rule set walkthrough (e.g. explanation of 932230, 932231, 932232, 932235… and friends and how they work, how they're linked, and how can we improve the documentation to better explain them to users?): 👍 @redxanadu

  • Discussion: Projects - we earmark a certain amount of our annual budget to fund a few projects. What projects do we want to fund over the next year?

  • Discussion: Moving rules with FPs from PL1 to PL2 has made it challenging to smoothly transition to PL2 in production with version 4.0. We need to find a solution.

  • Discussion: FP probability score (discussed ad hoc on Nov 5)

  • Discussion: Changelog Updates (discussed ad hoc on Nov 5)

  • Discussion: One parser to rule them all. A single parser that pools our efforts and can be used from multiple programming languages is feasible.

  • Discussion: Sandbox on Lambda: replacing OpenResty as the Sandbox front-end with an AWS Lambda function.

  • Discussion: Dev on Duty: Status, ideas, future
