This is the Agenda for the two Monthly CRS Chats.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-10-07, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2024-10-21. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
- The CRS dev retreat is happening partially within the OWASP Project Summit in Center Parcs. More information on the website https://owaspprojectsummit.org/
⚠️ We need to decide which discussions/projects to focus on at the developer retreat, so go to the 2024 retreat topics and add your 👍 to the topic you would like to work on while there. Or propose your own! The deadline is Oct 20th so we can have the agenda filled before our issues chat.
Inside development
Rules
- FIXME: Please fill in
CRS Sandbox
- Ongoing work: I've teamed up with my colleague RB (@nitrocode) to update the AWS settings for the Sandbox. He will also add his expertise on enhancing the setup (if this can be done).
Security
- Contacted the author of a new report; still no answer after two weeks.
Plugins
- No news
Documentation and Public Relations
- No news.
Project Administration and Sponsor relationships
- We are going to invite sponsors to the CRS developer retreat in the UK.
Tools
- No news here.
Testing incl. Seaweed and many future plans
- No news here.
Containers
- modsecurity-nginx: the GeoIP/MaxMind libraries were fixed in the container.
CRS Status Page
- No news here.
Project discussions and decisions
- Proposal: move the code utilities out of the main repo, and move any documentation into the docs. We cannot test the tools properly in the main repo; they are related to CRS, but they could live as siblings of the other major tools such as ftw or the toolchain. Everything else should go into the docs.
- When should we retire old CRS rules/detections, and do we want to at all?
- We could have a full discussion/workshop about this at the dev retreat, if we need more time than 1 meeting (or if this is controversial).
- This was briefly discussed at a previous meeting. The general consensus was that we want to actively retire old rules/detections.
- After the original discussion: a comment from a Coraza developer re: a report that old vulnerabilities are much more actively exploited and problematic than new vulnerabilities.
- Occasionally, there are other reports / conference talks etc. that share the experience that very old vulnerabilities (10-15+ years old) continue to be actively exploited and still cause real world problems. Consider also: legacy systems (plenty of these still in prod.), systems/devices that cannot be updated (lots of IoT endpoints, embedded devices, etc.).
- The question here is: Do we definitely want to start removing old detections? Is this wise?
- Possible ideas:
- Metadata: tag old rules/detections (e.g. 'old-vuln', 'discovered-2011', etc.). Old detections stay on by default and can easily be disabled if desired (if the user doesn't care about old vulns and wants maximum performance).
- Plugin: move old rules/detections to an optional plugin. Old detections are off by default; users can add the old rules if desired (most users will not do this, so the detections are mostly lost).
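As an added illustration of the "metadata" option (this is example configuration, not a CRS rule or CRS code; the rule IDs 999999/999998, the tag names 'old-vuln' and 'discovered-2011', the year-range regex and the request pattern are all placeholders chosen for the example): a detection rule carrying a vintage tag in the `tag:` style CRS already uses, followed by the two mechanisms ModSecurity already provides for switching tagged rules off. `SecRuleRemoveByTag` only affects rules that have already been loaded, so in a CRS deployment it belongs after the rule files (the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf slot), whereas `ctl:ruleRemoveByTag` is evaluated per request and can be scoped to a path.

```apacheconf
# Added example, not a CRS rule. Rule ID 999999, the match pattern and the
# tags 'old-vuln' / 'discovered-2011' are placeholders for illustration.
SecRule ARGS "@rx (?i)\bexample-legacy-pattern\b" \
    "id:999999,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Example legacy detection',\
    tag:'OWASP_CRS',\
    tag:'old-vuln',\
    tag:'discovered-2011',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Option A: disable every rule tagged old-vuln for the whole configuration.
# The directive takes a regex and only removes rules loaded before it, so in
# CRS it must sit in the "after CRS" exclusion file, not in crs-setup.conf.
SecRuleRemoveByTag "old-vuln"

# Option B: drop only rules discovered before 2015, and only under one path,
# decided at request time. Rule ID 999998 and the /api/v2/ prefix are
# assumptions of this example; the tag regex matches discovered-2000..2014.
SecRule REQUEST_URI "@beginsWith /api/v2/" \
    "id:999998,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveByTag=discovered-20(0[0-9]|1[0-4])"
```

Option A is the "maximum performance" knob from the proposal: the removed rules are never evaluated. Option B still loads and evaluates the phase-1 control rule on every request, so it trades a little per-request cost for keeping the old detections active everywhere except the excluded path.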
Rules development, key project numbers
PRs that have been merged since the last meeting
- fix: old test schema field in 932239.yaml #3847
- feat: check if rule use TX:N target without capture action #3825
- refactor: 3835 pylint interventions #3837
- ci: enable linter check back #3830
- chore: post release/v4.7.0 #3827
- chore: release v4.7.0 #3826
- fix: Changed regex (920470) to match multiple whitespaces after Content-Type parameters to avoid false-positives #3818
- fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event #3822
- feat: added sendgrid.env into restricted files #3823
- feat: refactoring (944110 PL1) #3715
- fix: fp with user-agent containing ; pg (932239 PL2) #3727
We merged 11 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT, work in progress, or needing action
- fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
- fix(942120): update operators #3841
- feat: added detection for quote evasion #3813
- fix(942520): SQL operators can be one or more characters #3845
- fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) #3735
- feat: accidental firewall disability prevention #3650
- ci: do not run pipeline twice #3832
- fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) #3741
- feat: added rule to detect Bash Brace Expansion #3780
- fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
- fix(932130): use lazy regex #3730
- feat: add product name tags #3815
- No regression testing for modsec3-nginx? #3843 (it's not a PR, but I can't participate in the next meeting - @airween)
Separate 2nd Meeting (Monday, 2024-10-21)
- Dev Retreat topics defined
- Clean up rules 942180 and 942340 #2471
- Use removeWhiteSpace in 922110 #3114
How to get to our Slack and join the meeting
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite
Everybody is welcome to join our community chat.