Commit b3a6132

Merge branch 'main' into renovate/mcr.microsoft.com-devcontainers-base-debian
2 parents 40b4114 + 7715df8 commit b3a6132

49 files changed, +101 -97 lines changed

.github/workflows/test.yml

Lines changed: 4 additions & 4 deletions
@@ -21,7 +21,7 @@ jobs:
2121
runs-on: ubuntu-latest
2222
env:
2323
# renovate: datasource=github-releases depName=gohugoio/hugo
24-
HUGO_VERSION: 0.149.0
24+
HUGO_VERSION: 0.150.1
2525
steps:
2626
- name: Install Hugo CLI
2727
run: |
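Review bot: HUGO_VERSION moves from 0.149.0 to 0.150.1, a minor-version jump rather than a patch release; the `# renovate: datasource=github-releases depName=gohugoio/hugo` marker shows Renovate sourced it from upstream releases, so the remaining check is that the site still builds on 0.150.x, especially since this same commit also tightens Sass handling in `assets/scss/_footer.scss`.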
@@ -55,7 +55,7 @@ jobs:
5555
5656
- name: Restore lychee cache
5757
id: restore-cache
58-
uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
58+
uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
5959
with:
6060
path: .lycheecache
6161
key: cache-lychee-${{ github.sha }}
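Review bot: the `actions/cache/restore` step keeps its full-SHA pin and only rotates the hash, which is the right supply-chain posture; the trailing `# v4` comment is what Renovate uses to know which release line the SHA belongs to, so it is worth confirming that `0057852bfaa89a56745cba8c7296529d2fc39830` really corresponds to a v4 tag rather than trusting the comment alone.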
@@ -71,14 +71,14 @@ jobs:
7171

7272
- name: Create Issue From File
7373
if: env.lychee_exit_code != 0
74-
uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5
74+
uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
7575
with:
7676
title: Link Checker Report
7777
content-filepath: ./lychee/out.md
7878
labels: report, automated issue
7979

8080
- name: Save lychee cache
81-
uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
81+
uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
8282
if: always()
8383
with:
8484
path: .lycheecache
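Review bot: `peter-evans/create-issue-from-file` goes from v5 to v6, a major bump, so its inputs should be checked against the v6 changelog; the inputs used here (`title`, `content-filepath`, `labels`) are unchanged in this hunk, and because the step only runs when `env.lychee_exit_code != 0`, a renamed or removed input would surface only on a future link-checker failure, not in CI for this commit. The `actions/cache/save` SHA matches the restore SHA in the earlier hunk, which keeps save and restore on the same release.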

assets/scss/_footer.scss

Lines changed: 2 additions & 1 deletion
@@ -1,4 +1,5 @@
11
@use "variables";
2+
@use "global";
23

34
.footer {
45
// Space from content.
@@ -16,7 +17,7 @@
1617
}
1718
// Reset lists.
1819
ul {
19-
@extend .ul-reset !optional;
20+
@extend .ul-reset;
2021
padding-inline-start: 0;
2122
}
2223

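Review bot: dropping `!optional` from `@extend .ul-reset` turns a silently ignored extend into a hard build error whenever `.ul-reset` is not in scope; that is the stricter and better behaviour, and the new `@use "global";` added at the top of this file is presumably what brings that selector into scope, so the two hunks must land together (as they do here).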
config/_default/params.yaml

Lines changed: 2 additions & 2 deletions
@@ -13,7 +13,7 @@ images: ["images/social-preview.svg"]
1313

1414
crs:
1515
release_url_prefix: "https://github.com/coreruleset/coreruleset/releases/tag"
16-
latest_major_version: "4.17.1"
16+
latest_major_version: "4.18.0"
1717
prev_major_version: "3.3.7"
1818

1919
github:
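Review bot: `latest_major_version` now reads `"4.18.0"`; the key name says "major" but the value is a full semver string, and since `release_url_prefix` ends in `/releases/tag` the value is presumably appended to build the release link, so the corresponding upstream tag must exist before this is merged or the link checker will report a dead link.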
@@ -29,7 +29,7 @@ social_links:
2929
instagram: ""
3030
landscape: ""
3131
linkedin: "https://www.linkedin.com/company/owasp-crs"
32-
mastodon: ""
32+
mastodon: "https://infosec.exchange/@coreruleset"
3333
pinterest: ""
3434
rss: ""
3535
slack: "https://owasp.slack.com/archives/CBKGH8A5P"
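Review bot: the new `mastodon` value `https://infosec.exchange/@coreruleset` is now a live link that the lychee job in `.github/workflows/test.yml` will check along with the others; if the instance throttles automated fetches the job may report it as broken, so an exclusion may be needed rather than treating that as a real failure.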

content/blog/2017-08-10-testing-wafs-ftw-version-1-0-released.md

Lines changed: 2 additions & 2 deletions
@@ -12,7 +12,7 @@ The OWASP Project maintains an open source set of rules known as the the OWASP C
1212

1313
During this same timeframe we have seen Quality Assurance (QA)/DevOps techniques adjust to new Agile development methodologies. To a large extent this Agile pattern matches the historical development practices of CRS. As a result, during the development of the latest CRS version 3.0, the development team decided that a serious overhaul of the regression/unit tests was overdue. While some existing Perl regression tests existed, these were incomplete and considered difficult for the average user to run. The CRS development team also concluded that a more refined testing methodology commits to a higher quality product and allows for a demonstration of the effectiveness of OWASP CRS compared to many other rule sets and WAFs.
1414

15-
{{< figure src="images/2017/08/FTW1.png" >}}
15+
{{< figure src="/images/2017/08/FTW1.png" >}}
1616

1717
As a result of extensive regression test development we are hoping to address a frequent user request to provide a capability to compare the effectiveness of various WAFs. Such comparisons can be tricky as they often attempt to compare varying features. In many situations OWASP CRS comes out favorably as can be seen in the latest Gartner report ([https://www.gartner.com/doc/reprints?id=1-3C4V1AS&amp;ct=160721&amp;st=sb](https://www.gartner.com/doc/reprints?id=1-3C4V1AS&ct=160721&st=sb)), where ModSecurity with CRS effectively acts as a baseline. However comparisons such as these have historically put very little work on testing overall WAF effectiveness. Our hope is to provide a set of tests that will act as a minimum benchmark between WAFs.
1818

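Review bot: changing `images/2017/08/FTW1.png` to `/images/2017/08/FTW1.png` switches the figure source from a path relative to the page URL to a site-root path; for a post served under a `/blog/<slug>/` URL the relative form resolves to `/blog/<slug>/images/...`, which does not exist, so the leading slash is the correct fix. The same change recurs in the other blog hunks of this commit and is presumably what the lychee job is expected to confirm on the built site.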
@@ -59,6 +59,6 @@ To aid the developer, tests are designed to only require minimal effort to desig
5959
6060
FTW follows the same extendible concept as ModSecurity. While the project provides the capability to develop extremely flexible web based testing, the core project is provided with only limited tests files itself. The CRS team provides a continuously expanding corpus of tests designed for OWASP CRS 3 within their repo at: <https://github.com/coreruleset/coreruleset/tree/v3.0/dev/util/regression-tests>. While these tests were designed with CRS in mind, they provide a set of web-based attacks to test security features of any WAF against the OWASP CRS Top 10 web attacks. Such testing has already uncovered several underperforming rules such as can be seen in Github issue #480 (<https://github.com/coreruleset/coreruleset/pull/480>), as well as providing a methodical way to develop and test more complex functionality, such as the revamped RCE rules in CRS 3 (<https://github.com/coreruleset/coreruleset/pull/430>).
6161
62-
{{< figure src="images/2017/08/FTW2.png" >}}
62+
{{< figure src="/images/2017/08/FTW2.png" >}}
6363
6464
At this point the CRS regressions has over 1500 test cases designed for it and this number is growing daily. To utilize such extensive tests we plan to enforce the use of [Travis-CI](https://travis-ci.org/) starting with the promotion of OWASP CRS 3.0 to the master branch. It is our sincere hope that an increased reliance on testing and automation will vastly increase the quality of both the CRS ruleset and WAFs as a whole.

content/blog/2017-10-03-crs-project-nominated-for-swiss-dinacon-award.md

Lines changed: 2 additions & 2 deletions
@@ -20,7 +20,7 @@ The Swiss Open Source Awards have played a key role in this development. For 201
2020

2121
This is an abbreviation of "Digitale Nachhaltigkeit Conference", which can be translated as the conference on digital sustainability. This means, the Open Source idea has been opened up to a wider group of projects and initiatives that go behind pure software: open data, open access and sustainability of digital projects in general are now also covered.
2222

23-
{{< figure src="images/2017/10/dinacon-nomination.png" caption="The Nomination of the CRS Project">}}
23+
{{< figure src="/images/2017/10/dinacon-nomination.png" caption="The Nomination of the CRS Project">}}
2424

2525
But how does this apply to the [Core Rule Set](https://coreruleset.org) project?
2626

@@ -30,7 +30,7 @@ CRS has been a one-man show for many years. In early 2016, [Chaim Sanders](https
3030

3131
This nomination comes at exactly the right moment and means an additional push for our project. It comes at a moment when we are actively working on the sustainability and the transparency of our rule base. Traditionally, the rules of the Core Rule Set have been very hard to read. Yet, new initiatives like the rules cleanup project are changing the situation and lately, Franziska Bühler has committed the [pull request](https://github.com/coreruleset/coreruleset/pull/907) that disassembles all the incomprehensible regular expressions and makes them reproducible and understandable. That work is key and if you have looked at the regular expressions that we leverage in the rule set, you understand why we are in awe of her work.
3232

33-
{{< figure src="images/2017/10/crs-pr-907.png" caption="The PR by Fränzi Bühler passes all the tests." >}}
33+
{{< figure src="/images/2017/10/crs-pr-907.png" caption="The PR by Fränzi Bühler passes all the tests." >}}
3434

3535
As I said, it is a tough market in Switzerland for Open Source projects and especially when it comes to webserver security. The commercial products all have a very high TCO, either via high license costs or integration and support contracts. Yet the commercial players are all well established and Open Source alternatives like ModSecurity and the Core Rule Set have a hard time finding their way on webservers around here and probably worldwide. But we need to spread the word that there is a transparent and highly secure open source alternative to commercial black boxes. Smaller companies, public administrations and organisations on a tight budget need to know they can get the best tools on the market without spending big money: ModSecurity and the Core Rule Set are at their disposal serving as the 1st line of defense against web application attacks like those covered by the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
3636

content/blog/2017-11-21-top-5-ways-crs-can-help-you-fight-owasp-top-10.md

Lines changed: 1 addition & 1 deletion
@@ -60,7 +60,7 @@ In the list of alerts seen above, the SQL Injection attacks are prevalent. This
6060

6161
OWASP Top Ten tells you that CRS can detect attacks as seen above under A10. But it does not tell you, that CRS can also stop many of the attacks for you.
6262

63-
{{< figure src="images/2017/11/tmp.png" caption="Burp vs. CRS" >}}
63+
{{< figure src="/images/2017/11/tmp.png" caption="Burp vs. CRS" >}}
6464

6565
Here is a graphic that depicts a scan as carried out by the Burp vulnerability scanner. In our example, Burp probed a special vulnerable application. In the first column, you see Burp's report when no protection shielded the application. In the 2nd column, you see a CRS default installation used as a 1st line of defense in front of the vulnerable service. Unlike under A10, we are immediately blocking the probes here. Again, false positives are very rare in the default installation and they can be handled with relative ease thanks to existing guides.
6666

content/blog/2017-12-07-core-rule-set-project-winning-osbar-award.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ slug: 'core-rule-set-project-winning-osbar-award'
1313

1414
The OWASP ModSecurity Core Rule Set Project is very excited about winning one of the OSBAR awards of the [German Open Source Business Alliance](http://osb-alliance.de/). The prize is awarded to projects, start-ups and outstanding ideas from the open source environment. The increased attention should make it easier for the award winners to attract users, developers and supporters.
1515

16-
{{< figure width="225px" src="images/2017/12/osbar.jpeg" caption="CRS hackers Christian Folini and Franziska Bühler with the OSBAR award trophy (photo Fridolin Zurlinden)" >}}
16+
{{< figure width="225px" src="/images/2017/12/osbar.jpeg" caption="CRS hackers Christian Folini and Franziska Bühler with the OSBAR award trophy (photo Fridolin Zurlinden)" >}}
1717

1818
[ModSecurity](https://www.modsecurity.org) is a Web Application Firewall (WAF) with open source code that is also widely used in commercial products. The award-winning CRS project develops a set of about 150 generic rules for use with ModSecurity and related solutions. The CRS project was founded more than ten years ago and is now run as a flagship project by the Foundation Open Web Application Security Project ([OWASP](https://owasp.org)). The rules are available under license from the Apache Foundation and are also used in several commercial WAF solutions (where that is not always advertised).
1919

content/blog/2017-12-14-practical-ftw-testing-the-core-rule-set-or-any-other-waf.md

Lines changed: 1 addition & 1 deletion
@@ -285,7 +285,7 @@ CRS_Tests.py::test_crs[ruleset0-Example_Tests -- 920272-3] PASSED
285285

286286
We are now seeing quite a few failed tests. This has nothing to do with ftw or the CRS, it's the tests that are not yet written correctly. User [@azhao155](https://github.com/azhao155) is very active with fixing these to give us better coverage (and he could use some help with this task). Because of these errors, our continuos integration setup on github does not call all the tests. Instead, Travis only covers those we known to be working:
287287

288-
{{< figure width="967px" src="images/2017/12/tmp.png" caption="Not all tests are executed by Travis so far. The 920xxx rules are skipped as of this writing" >}}
288+
{{< figure width="967px" src="/images/2017/12/tmp.png" caption="Not all tests are executed by Travis so far. The 920xxx rules are skipped as of this writing" >}}
289289

290290
As soon as we have all of them sorted out, we can get include all of them and start to cover those rules where a test is not yet in place.
291291

content/blog/2018-03-20-save-the-date-crs-community-summit-on-july-4-2018.md

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ title: 'Save the Date: CRS Community Summit on July 4, 2018'
1111

1212
The OWASP ModSecurity Core Rule Set project will meet on Wednesday July 4, at 4pm in London to hold it's first community summit. We scheduled this for the night before the AppSecEU conference in London on Thursday and Friday so people would have a real incentive to make the trip.
1313

14-
{{ figure src="images/2018/03/16367769605_dec3772aa8_k.jpg" caption="London Tower Bridge by night (Photo by Arijit_Roy; flickr)" >}}
14+
{{ figure src="/images/2018/03/16367769605_dec3772aa8_k.jpg" caption="London Tower Bridge by night (Photo by Arijit_Roy; flickr)" >}}
1515

1616
Truth be told, the three project leads, Chaim, Walter and me have never met in person and physical contact is similarly rare between the committers, let alone the commercial suppliers or the thousands of users worldwide.
1717

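Review bot: both the removed and the added line here open the shortcode with `{{ figure` instead of `{{< figure`, while still closing with `>}}`; that is not a valid Hugo shortcode call, so the figure will not render (or the build will choke on the unmatched delimiter), and the path fix in this hunk does not help until the opening delimiter is also corrected to `{{< figure src="/images/2018/03/16367769605_dec3772aa8_k.jpg" caption="London Tower Bridge by night (Photo by Arijit_Roy; flickr)" >}}`.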
content/blog/2018-06-19-the-core-rule-set-as-part-of-devops-ci-pipeline.md

Lines changed: 3 additions & 3 deletions
@@ -73,19 +73,19 @@ I have implemented a proof of concept in CircleCI. Of course, the continuous int
7373

7474
In the basic setup, we have application tests that are performed against the application. Naturally, these application tests should succeed:
7575

76-
{{< figure src="images/2018/06/Setup1.png" >}}
76+
{{< figure src="/images/2018/06/Setup1.png" >}}
7777

7878
As a next step, we put CRS in front of the same application in order to funnel the same tests through the WAF. We expect the application tests to still succeed and the log to remain empty. This would confirm that no CRS rule were triggered by the tests.
7979

80-
{{< figure src="images/2018/06/Setup2.png" >}}
80+
{{< figure src="/images/2018/06/Setup2.png" >}}
8181

8282
Each of these components runs in a separate Docker container.
8383

8484
The time taken to pull and start the Core Rule Set container and to run the application tests are only a small part (approx. 1 minute and 30 seconds in this PoC) of the overall testing process (approx. 3 minutes and 30 seconds in my example).
8585

8686
The message here is: We do not waste a lot of time but get a lot of extra security.
8787

88-
{{< figure src="images/2018/06/circleci_output.png" >}}
88+
{{< figure src="/images/2018/06/circleci_output.png" >}}
8989

9090

9191
### CI Configuration
