Juan Pablo Tosso 11:55:08 UTC
Meeting starting soon
Juan Pablo Tosso 12:00:42 UTC
Welcome to the OWASP Coraza monthly meeting
Juan Pablo Tosso 12:02:31 UTC
@Roshan Piyush @JC @bxlxx.wu you joining?
JC 12:04:35 UTC
Yep I am here.
Juan Pablo Tosso 12:06:11 UTC
@fzipitria is also not available today, so it’s going to be a small meeting
Juan Pablo Tosso 12:06:50 UTC
So about the project status! I want you to know that we are reviewing GSoC applications for our three projects: GraphQL, coraza-server, and rate limiting. We have 6 applications and we are very proud of it (10% OWASP applications)
Juan Pablo Tosso 12:08:06 UTC
We released v2 (stable version)
Juan Pablo Tosso 12:08:30 UTC
And we fixed the following issues: Thanks everyone for your contributions
Juan Pablo Tosso 12:10:08 UTC
Finally, I would like to welcome @Roshan Piyush to the core. He is an amazing engineer and a ModSecurity expert. He understands Coraza pretty well and he is a highly skilled developer and researcher
Juan Pablo Tosso 12:12:03 UTC
The report for CRS compatibility
Juan Pablo Tosso 12:12:19 UTC
CRS is preparing v4 and they have made some awesome upgrades
Juan Pablo Tosso 12:12:32 UTC
sadly we haven’t been able to pick up and we have had some compatibility issues
Juan Pablo Tosso 12:13:16 UTC
we are currently experiencing issues with 32 tests but we are fixing them asap. You can find the status in this PR corazawaf/coraza#224
Juan Pablo Tosso 12:14:11 UTC
Regarding Lua, it is going to be supported as a plugin
Juan Pablo Tosso 12:14:21 UTC
The C wrappers (libcoraza) are undergoing tests, we are still having issues with the garbage collection. We are also having problems with the log callback function.
Juan Pablo Tosso 12:14:59 UTC
It seems that we don’t have many people today but don’t worry! I will leave the topics over here and feel free to comment on them 🙂
airween 12:15:34 UTC
"The C wrappers (libcoraza) are undergoing tests, we are still having issues with the garbage collection. We are also having problems with the log callback function."
The logging function is important for the Nginx connector too, I guess
Juan Pablo Tosso 12:19:23 UTC
Yes, it is important, we are having a design issue, Coraza has a Waf type, it represents a Server in nginx. Basically our logger is attached to the waf (Server)
Juan Pablo Tosso 12:19:33 UTC
ModSecurity expects a logger per transaction
Juan Pablo Tosso 12:19:55 UTC
we can still make it work but it requires more testing
airween 12:24:06 UTC
"ModSecurity expects a logger per transaction"
Are you sure? It seems it works with a (WAF) instance-based logger
see this:
I just added the callback function to the engine itself, not to the transaction
Juan Pablo Tosso 12:25:00 UTC
Transaction * transaction = msc_new_transaction(
    (ModSecurity *)engine->engine_instance,
#ifdef MSC_USE_RULES_SET
    (RulesSet *)engine->rules,
#else
    (Rules *)engine->rules,
#endif
    NULL);
I believe the last NULL is a second logger
airween 12:25:16 UTC
yes, but that's optional
airween 12:25:36 UTC
the first one is suggested
Juan Pablo Tosso 12:25:37 UTC
still, I think that should make things easier but we still have the GC issues
Juan Pablo Tosso 12:26:01 UTC
we are receiving errors when we call the logger
Juan Pablo Tosso 12:26:45 UTC
Maybe there is a type casting error, we will eventually figure it out. I will give it more priority once we fix the Include function