Go to https://www.opencre.org to see OpenCRE working and more explanation.
OpenCRE stands for Open Common Requirement enumeration. It is an interactive content linking platform for uniting security standards and guidelines. It offers easy and robust access to relevant information when designing, developing, testing and procuring secure software.
OpenCRE consists of:
- The application: a python web and cli application to access the data, running publicly at opencre.org
- The catalog data: a catalog of Common Requirements (CREs)
- The mapping data: links from each CRE to relevant sections in a range of standards
- Tools and guidelines to contribute to the data and to run the application locally
To see how you can contribute to the application or to the data (catalog or standard mappings), see Contributing.
We really welcome you!
For a roadmap please see the issues.
You are free to use the public opencre application at opencre.org. Apart from that, you can run your own if you want to include your own security standards and guidelines for example. We call that myOpenCRE.
The easiest way to run OpenCRE locally is by running the published docker container.
You can do so by running:
docker run -p 5000:5000 ghcr.io/owasp/opencre/opencre:latest
After the container has finished downloading the remote information you can access it in localhost
To run outside of Docker you need to install OpenCRE. To install this application you need python3, yarn and virtualenv.
- Clone the repository:
git clone https://github.com/OWASP/common-requirement-enumeration
- Install dependencies
make install
- Download the latest CRE graph from upstream by running
python cre.py --upstream_sync
Keep in mind that until Issue #534 is fixed you won't have access to gap analysis results locally
To run the CLI application, you can run
python cre.py --help
To download a remote cre spreadsheet locally you can run
python cre.py --review --from_spreadsheet < google sheets url>
To add a remote spreadsheet to your local database you can run
python cre.py --add --from_spreadsheet < google sheets url>
To run the web application for development you can run
$ make start-containers $ make start-worker # in a seperate shell $ make dev-flask
Alternatively, you can use the dockerfile with
make docker && make docker-run
Some features like Gap Analysis require a neo4j DB running, you can start this with
make docker-neo4j
enviroment varaibles for app to connect to neo4jDB (default):
- NEO4J_URL (neo4j//neo4j:password@localhost:7687)
To run the web application for production you need gunicorn and you can run from within the cre_sync dir
make prod-run
See the myOpenCRE user guide on using the OpenCRE API to for example add your own security guidelines and standards.
You can build the production or the development docker images with
make docker-prod and make docker-dev respectively
The environment variables used by OpenCRE are:
- name: NEO4J_URL
- name: NO_GEN_EMBEDDINGS
- name: FLASK_CONFIG
- name: DEV_DATABASE_URL
- name: INSECURE_REQUESTS # development or TLS terminated environments only
- name: REDIS_HOST
- name: REDIS_PORT
- name: REDIS_NO_SSL
- name: REDIS_URL # in case REDIS_HOST and REDIS_PORT are unavailable
- name: GCP_NATIVE # if there are ambient GCP credentials, only useful for VERTEX chatbot
- name: GOOGLE_SECRET_JSON # if not running on GCP
- name: GOOGLE_CLIENT_ID # useful for login only
- name: GOOGLE_CLIENT_SECRET # useful for login only
- name: LOGIN_ALLOWED_DOMAINS # useful for login only
- name: OpenCRE_gspread_Auth # useful only when importing data, possible values 'oauth' or 'service_account'
You can run the containers with make docker-prod-run and make-docker-dev-run
You can run backend tests with
make test
You can run get a coverage report with
make cover
Try to keep the coverage above 70%