Skip to content

OWASP/OpenCRE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Code style: black GitHub Super-Linter Main Branch Build

Issues
PR's Welcome GitHub contributors GitHub last commit GitHub commit activity

Open in GitHub Codespaces

OpenCRE

Go to https://www.opencre.org to see OpenCRE working and more explanation.
OpenCRE stands for Open Common Requirement enumeration. It is an interactive content linking platform for uniting security standards and guidelines. It offers easy and robust access to relevant information when designing, developing, testing and procuring secure software.

OpenCRE consists of:

  • The application: a python web and cli application to access the data, running publicly at opencre.org
  • The catalog data: a catalog of Common Requirements (CREs)
  • The mapping data: links from each CRE to relevant sections in a range of standards
  • Tools and guidelines to contribute to the data and to run the application locally

Contribute code or mappings

To see how you can contribute to the application or to the data (catalog or standard mappings), see Contributing.
We really welcome you!

Roadmap

For a roadmap please see the issues.

Running your own OpenCRE

You are free to use the public opencre application at opencre.org. Apart from that, you can run your own if you want to include your own security standards and guidelines for example. We call that myOpenCRE.

Locally

Docker

The easiest way to run OpenCRE locally is by running the published docker container. You can do so by running: docker run -p 5000:5000 ghcr.io/owasp/opencre/opencre:latest After the container has finished downloading the remote information you can access it in localhost

Command Line

To run outside of Docker you need to install OpenCRE. To install this application you need python3, yarn and virtualenv.

  • Clone the repository:
git clone https://github.com/OWASP/common-requirement-enumeration 
  • Install dependencies
 make install 
  • Download the latest CRE graph from upstream by running
python cre.py --upstream_sync

Keep in mind that until Issue #534 is fixed you won't have access to gap analysis results locally

To run the CLI application, you can run

python cre.py --help

To download a remote cre spreadsheet locally you can run

python cre.py --review --from_spreadsheet < google sheets url>

To add a remote spreadsheet to your local database you can run

python cre.py --add --from_spreadsheet < google sheets url>

To run the web application for development you can run

$ make start-containers
$ make start-worker 

# in a seperate shell
$ make dev-flask

Alternatively, you can use the dockerfile with

make docker && make docker-run

Some features like Gap Analysis require a neo4j DB running, you can start this with

make docker-neo4j

enviroment varaibles for app to connect to neo4jDB (default):

  • NEO4J_URL (neo4j//neo4j:password@localhost:7687)

To run the web application for production you need gunicorn and you can run from within the cre_sync dir

make prod-run

Using the OpenCRE API

See the myOpenCRE user guide on using the OpenCRE API to for example add your own security guidelines and standards.

Docker building and running

You can build the production or the development docker images with make docker-prod and make docker-dev respectively The environment variables used by OpenCRE are:

        - name: NEO4J_URL
        - name: NO_GEN_EMBEDDINGS
        - name: FLASK_CONFIG
        - name: DEV_DATABASE_URL
        - name: INSECURE_REQUESTS # development or TLS terminated environments only
        - name: REDIS_HOST
        - name: REDIS_PORT
        - name: REDIS_NO_SSL
        - name: REDIS_URL # in case REDIS_HOST and REDIS_PORT are unavailable
        - name: GCP_NATIVE # if there are ambient GCP credentials, only useful for VERTEX chatbot
        - name: GOOGLE_SECRET_JSON # if not running on GCP
        - name: GOOGLE_CLIENT_ID # useful for login only
        - name: GOOGLE_CLIENT_SECRET # useful for login only
        - name: LOGIN_ALLOWED_DOMAINS # useful for login only
        - name: OpenCRE_gspread_Auth # useful only when importing data, possible values 'oauth' or 'service_account'

You can run the containers with make docker-prod-run and make-docker-dev-run

Developing

You can run backend tests with

make test

You can run get a coverage report with

make cover

Try to keep the coverage above 70%