Docs: scaffold plan for optional OWASP CRS auto-update

[Divyateja2709]

Hi @adrianwinckles

I've just started working with this repository and I went through the GSoC OWASP ideas file to find some potential projects to contribute to. I would be very interested in working on the project idea: "Auto-update OWASP Core Rule Set (CRS) in the Docker-based ModSecurity/Coraza WAF honeypot."

This PR:
Documents the proposed CSR auto-update feature.
Lays out a review-friendly PR plan

My proposal for building this:

Leave current behavior unchanged if nothing changes (by default the container continues using CRS bundled within the image unless updates are explicitly turned on).
If updates are enabled (CRSUPDATE=true) then run a small updater at container startup which instead of pulling "latest" pulls the exact pinned CRS version(CRSVERSION=...) that the user desires.
The updater will download and sanity check CRS to a temporary folder first then switch into place atomically, so the ruleset does not exist in half-installed state at any point.
Existing ModSec include paths are not altered by keeping installed CRS the same folder/file layout.
If it should fail, it simply logs the error, falls back to bundled CRS, and the container continues to start as normal.

Next steps:
The script's actual implementation .

Confirmations:
Is it okay to continue working on this project with this approach, starting with small PRs .
Thank you in advance!

[adrianwinckles]

That makes logical sense

[Divyateja2709]

That makes logical sense

Hi @adrianwinckles , i have worked on chameleon persona system mainly . the first 7 prs were inclined towards the crs auto update side and the main focus was on developing websites mimicing cve s of drupal and wordpress
i m planning to add sharepoint next .