Monthly Chat Agenda January 2022 (2022-01-03 and 2022-01-17)

This is the Agenda for the Monthly CRS Chat.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-01-03, at 20:30 CET. That’s the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-01-17. That’s the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Items on the Agenda: (see previous meetings decisions: here)

What happend in the meantime since the chat last month

Outside development

• Introduction of the CRS Sandbox
• Coverage of CRS Sandbox in the “Daily Swig”
• Blog post about script wafparan01d3 that is an alternative to the CRS send-payload-pls.py script
• CRS Log4j / Log4Shell / CVE-2021-44228 coverage
• CRS Hunt for Log4j rule bypasses
• Swiss Newspaper NZZ covering CRS and project co-lead Christian Folini (link to English version of article)
• Gloo by Solo is an API Gateway with CRS support

PRs that have been merged since the last meeting

• #2214
• #2340
• #2338
• #2335
• #2327
• #2201
• #2325
• #2328
• #2279
• #2193
• #2324
• #2311
• #2306
• #2248

We merged 14 PRs since the last monthly project chat.

Open PRs

• #2345
• #2343
• #2333
• #2323
• #2322
• #2299
• #2288
• #2259

Open PRs marked DRAFT or work in progress or needs action

• #2303
• #2302
• #2301
• #2300
• #2290
• #2236
• #2222
• #2217
• #2070
• #2067
• #1993
• #1975

Dev retreat topics

• Demo / Sandbox site: @theMiddleBlue will schedule a call to talk about the setup and @lifeforms will contribute the documentation. They will let us know so that we can join in too: tentatively scheduled during meeting: Jan 19 at 17:00 (CET).
• Documentation: Updates: Plugins page to go live once the final blog is published. Sampling mode blog post to be converted into a page for /docs. Docker documentation discussion/meeting to happen at some point, to discuss what we want to document and where we want it to live. -> @RedXanadu will prepare some bullet points to get people thinking about the open questions and schedule a meeting. People can sign up during our Feb chat meeting.
• Technical Blog Posts: Plugin post is almost done. @dune73 will then attack the next topic. Plus 2-3 other blog posts he has in mind.
• Status page: We’re really stalled due to missing responses and Felipe is apparently away. We hope we can pick this up later in January.
• Coraza: Coraza passes the CRS test suite 100%, Coraza 2.0 has been released.

Other items

• Cleanup of anomaly scoring variables #2319
• Release schedule

Open Issues - Separate Issues Meeting (Monday, 2022-01-17)

Status of issues covered last month

We covered 8 issues in the last meeting. This is their state:

• Issue slot 1: #2319 (probably this covers also #1896)
• Issue slot 2: #2312 - we are getting closer to release date, this should be ready to go.
• Issue slot 3: #2163
• Issue slot 4: #2230
• Issue slot 5: #2227 + #2228
• Issue slot 6: #2332
• Issue slot 7: #2331 - what to do with the log4j rule and the existing 932130?
• Issue slot 8: #2318 - volunteer to write a new sqli rule needed
• Issue slot 9: #FIXME
• Issue slot 10: #FIXME

Stats

• Covered in chat: 9
• Closed: 5
• Pending: 4

This month’s issues

There are FIXME open issues at the beginning of the issue chat.

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

• Issue slot 1: #2319
• Issue slot 2: #2332
• Issue slot 3: #2318
• Issue slot 4: #2344
• Issue slot 5: #2341
• Issue slot 6: #2334
• Issue slot 7: #2329
• Issue slot 8: #2317
• Issue slot 9: #FIXME
• Issue slot 10: #FIXME

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.