
Update OWASP CRS to 4.4.0 #11510

Closed
jessebot opened this issue Jun 27, 2024 · 3 comments · Fixed by #11511
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

jessebot (Contributor) commented Jun 27, 2024

I'd like to see the bundled OWASP_CRS/3.3.5 be updated to 4.4.0. You can view the changes to the major version in the release notes for 4.0.0.

Currently, in the logs, while using the helm chart (version 4.10.1), I see:

    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/3.3.5\""
      ]
    },

Which tracks with:

export OWASP_MODSECURITY_CRS_VERSION=v3.3.5

3.3.5 is from July last year. 4.4.0 would put us at June of this year.

Semi-related to #10744 but that one is about updating ModSecurity itself, not the core rule set.

If all that's needed is submitting a PR to update that one line in images/nginx/rootfs/build.sh, I can submit that PR.

Thanks!

@jessebot jessebot added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 27, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 27, 2024
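An added check, not code from ingress-nginx, for the log block quoted above: it parses a ModSecurity JSON audit record (assumed to nest `producer` under `transaction`, as ModSecurity v3 does), pulls the CRS version out of `components` while tolerating the stray trailing quote shown in the snippet, and flags a CRS older than the expected 4.4.0. The sample record is constructed from the issue's snippet.

```python
"""Report whether a ModSecurity audit log shows an outdated OWASP CRS."""
import json
import re
from typing import Optional, Tuple

# Constructed sample: a minimal ModSecurity v3 JSON audit record built from
# the producer block quoted in the issue, including the stray trailing quote.
SAMPLE_AUDIT_RECORD = json.dumps({
    "transaction": {
        "producer": {
            "modsecurity": "ModSecurity v3.0.12 (Linux)",
            "connector": "ModSecurity-nginx v1.0.3",
            "secrules_engine": "Enabled",
            "components": ["OWASP_CRS/3.3.5\""],
        }
    }
})

EXPECTED_CRS = "4.4.0"
# Matches the version digits only, so a trailing '"' in the component is ignored.
_CRS_RE = re.compile(r"OWASP_CRS/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.0' or 'v3.3.5' into a tuple of ints that compares correctly."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def crs_version_from_record(record: str) -> Optional[str]:
    """Return the CRS version named in one JSON audit record, or None.

    Assumption: ModSecurity v3 nests 'producer' under 'transaction'; the
    issue's snippet shows only the inner block, so both layouts are accepted.
    """
    data = json.loads(record)
    producer = data.get("transaction", data).get("producer", {})
    for component in producer.get("components", []):
        match = _CRS_RE.search(component)
        if match:
            return match.group(1)
    return None


def crs_is_outdated(record: str, expected: str = EXPECTED_CRS) -> bool:
    """True when the logged CRS is older than the release we expect to run."""
    found = crs_version_from_record(record)
    return found is not None and parse_version(found) < parse_version(expected)


if __name__ == "__main__":
    print(crs_version_from_record(SAMPLE_AUDIT_RECORD), crs_is_outdated(SAMPLE_AUDIT_RECORD))
```

Run against real audit records (one JSON object per line), the same function tells you at a glance which ingress pods still ship the 3.3.x rule set.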
k8s-ci-robot (Contributor) commented

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jessebot added a commit to jessebot/ingress-nginx that referenced this issue Jun 27, 2024
jessebot (Contributor, Author) commented

It may also be worth noting that 4.x introduces the concept of plugins to the CRS:

Plugins are not part of the CRS 3.3.x release line. They are released officially with CRS 4.0.

Perhaps in a future PR, it makes sense to take the plugin configs as ConfigMaps or Secrets to be templated out as volumeMounts that are present in /etc/nginx/owasp-modsecurity-crs/crs/plugins/. This is mostly useful when a user is running something with a large (or small but very serious) attack vector such as Nextcloud, which OWASP provides this plugin for: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin

Getting the CRS updated to 4.4.0 is my first priority though.

longwuyuan (Contributor) commented

Oh, this plugin thing is not 100% info. As in the impact on controller and managing expectations related to it.

cc @tao12345666333 seek comments because there is a PR now to bump OWASP which introduces previously non-existing feature of plugins for rulesets
