Skip to content
This repository was archived by the owner on May 14, 2020. It is now read-only.

Release Procedure

Jump to bottom
Christian Folini edited this page Jun 27, 2019 · 26 revisions

Step by Step Guide Through CRS release

Preparation

  • Update CHANGES File
  • Add new contributors to CONTRIBUTORS.md (e.g. git shortlog -s v3.0.1..v3.0/dev)
  • Update copyright in all the files if there is a new year
 import os
  excluded = ['.git']
  directory = "owasp-modsecurity-crs/"
  # Iterate over over all files in the directory
  for root, dirs, files in os.walk(directory):
      for name in files:
          found = False
          # if our path contains an excluded name mark it as found
          for exclude_term in excluded:
              if root.find(exclude_term) != -1:
                  found = True
          # if we have an excluded path, skip
          if found is True:
              continue
          file_name = os.path.join(root, name)
          with open(file_name, 'r') as fil:
              filedata = fil.read()
S>            filedata = filedata.replace('# Copyright (c) 2006-2017', '# Copyright (c) 2006-2018')
          with open(file_name, 'w') as fil:
              fil.write(filedata)
  • Update CRS version in crs-setup.conf.example (tx.crs_setup_version) and rules/REQUEST-901-INITIALIZATION.conf (SecComponentSignature)
  • Update CRS version in all rules, e.g. ver:'OWASP_CRS/3.0.0'
  • Update all copyright for new versions
grep -rl "OWASP ModSecurity Core Rule Set ver\.3\.0\.0" owasp-modsecurity-crs/ | xargs sed -i s@"OWASP ModSecurity Core Rule Set ver\.3\.0\.0"@"OWASP ModSecurity Core Rule Set ver\.3\.0\.2"@g
  • In case of a new release branch (e.g. 3.3/dev), update Dockerfile to use the new branch
  • Run tests. Make sure that a vanilla request does not trigger any rules due to messup (problem with 3.0.1 release)
  • Tag release

Communication

  • Finish release message
  • Send release message to crs mailinglist
  • Crosspost release message to modsec mailinglist
  • Post to OWASP slack channel
  • Make sure release is mentioned in monthly OWASP connector
  • Update CRS homepage with new version and release date
  • Update OWASP project page with new version (folini 2019-06-27: version no longer mentioned on OWASP project page)
  • Write blog post on CRS site
  • Announce blog post on twitter with CoreRuleSet twitter account
  • Ask Trustwave to tweet about release with ModSecurity twitter account
Clone this wiki locally