OWASP/OpenCRE

OpenCRE

Go to https://www.opencre.org to see OpenCRE working and for more explanation. OpenCRE stands for Open Common Requirement Enumeration. It is an interactive content linking platform for uniting security standards and guidelines. It offers easy and robust access to relevant information when designing, developing, testing and procuring secure software.

OpenCRE consists of:

  • The application: a Python web and CLI application to access the data, running publicly at opencre.org
  • The catalog data: a catalog of Common Requirements (CREs)
  • The mapping data: links from each CRE to relevant sections in a range of standards
  • Tools and guidelines to contribute to the data and to run the application locally

Contribute code or mappings

To see how you can contribute to the application or to the data (catalog or standard mappings), see Contributing. We really welcome you!

Roadmap

For a roadmap please see the issues.

Running your own OpenCRE

You are free to use the public OpenCRE application at opencre.org. You can also run your own instance, for example to include your own security standards and guidelines. We call that myOpenCRE.

Locally

Docker

The easiest way to run OpenCRE locally is to run the published Docker container:

docker run -p 5000:5000 ghcr.io/owasp/opencre/opencre:latest

After the container has finished downloading the remote information, you can access it at http://127.0.0.1:5000.

If you want to develop on OpenCRE, or Docker is not available in your environment, you can run it via the CLI instead.

Command Line

To run outside of Docker you need to install OpenCRE. To install this application you need python3, yarn and virtualenv.

Clone the repository:

git clone https://github.com/OWASP/common-requirement-enumeration

(Recommended) Create and activate a Python virtual environment:

python3 -m venv venv
source venv/bin/activate

Install dependencies:

make install

Download the latest CRE graph from upstream by running:

make upstream-sync

Keep in mind that until Issue #534 is fixed you won't have access to gap analysis results locally.

To then run CRE locally:

make dev-flask

To run the CLI application, you can run:

python cre.py --help

To download a remote CRE spreadsheet locally you can run:

python cre.py --review --from_spreadsheet <google sheets url>

To add a remote spreadsheet to your local database you can run:

python cre.py --add --from_spreadsheet <google sheets url>

To run the web application for development you can run:

make start-containers
make start-worker

# in a separate shell
make dev-flask

Alternatively, you can use the Dockerfile with:

make docker && make docker-run

Some features, like Gap Analysis, require a running Neo4j DB, which you can start with:

make docker-neo4j

Environment variable the app uses to connect to the Neo4j DB (default value in parentheses):

  • NEO4J_URL (neo4j://neo4j:password@localhost:7687)

To run the web application for production you need gunicorn. From within the cre_sync directory, run:

make prod-run

macOS Notes (Apple Silicon & Intel)

OpenCRE is fully supported on macOS. The following notes are optional and intended to help contributors running OpenCRE locally on macOS systems.

Prerequisites

Install required tools using Homebrew:

brew install python@3.11 yarn make

Note: Python 3.11 is recommended. Newer Python versions may cause dependency incompatibilities.

Verify Python version:

python3 --version

Virtual Environment Setup

Create and activate a virtual environment explicitly using Python 3:

python3 -m venv venv
source venv/bin/activate

Upgrade pip:

pip install --upgrade pip

Dependency Installation

Install dependencies using the standard workflow:

make install

If you encounter build issues, ensure Xcode Command Line Tools are installed:

xcode-select --install

Running Locally

Sync upstream CRE data (requires internet access):

make upstream-sync

Then start the local server:

make dev-flask

The application will be available at:

http://127.0.0.1:5000

Tip: For most macOS users, running via Docker is the simplest and most reliable approach.


Using the OpenCRE API

See the myOpenCRE user guide on using the OpenCRE API to, for example, add your own security guidelines and standards.

Docker building and running

You can build the production or the development Docker images with:

make docker-prod
make docker-dev

The environment variables used by OpenCRE are:

- NEO4J_URL
- NO_GEN_EMBEDDINGS
- FLASK_CONFIG
- DEV_DATABASE_URL
- INSECURE_REQUESTS
- REDIS_HOST
- REDIS_PORT
- REDIS_NO_SSL
- REDIS_URL
- GCP_NATIVE
- GOOGLE_SECRET_JSON
- GOOGLE_CLIENT_ID
- GOOGLE_CLIENT_SECRET
- LOGIN_ALLOWED_DOMAINS
- OpenCRE_gspread_Auth
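
A pre-deployment check over three of these variables, as an added example that is not part of the OpenCRE project: it flags a NEO4J_URL that is unset or still carries the default password shown earlier in this README, and a non-empty INSECURE_REQUESTS or REDIS_NO_SSL. Treating an unset NEO4J_URL as the default, and any non-empty value of the two flags as relaxing transport security, are assumptions; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenCRE project code. Function names are hypothetical.

# Print the password part of scheme://user:password@host:port (empty if none).
neo4j_url_password() {
    rest=${1#*://}                      # strip the scheme
    case $rest in
        *@*) userinfo=${rest%@*} ;;     # everything before the last '@'
        *)   userinfo='' ;;
    esac
    case $userinfo in
        *:*) printf '%s\n' "${userinfo#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Args: NEO4J_URL, INSECURE_REQUESTS, REDIS_NO_SSL.
# Prints one WARN line per finding.
audit_opencre_env() {
    if [ -z "$1" ]; then
        # Assumption: an unset NEO4J_URL falls back to the README's default.
        echo "WARN NEO4J_URL is unset; the documented default credentials apply"
    elif [ "$(neo4j_url_password "$1")" = "password" ]; then
        echo "WARN NEO4J_URL uses the documented default password"
    fi
    # Assumption: any non-empty value relaxes transport security.
    if [ -n "$2" ]; then
        echo "WARN INSECURE_REQUESTS is set"
    fi
    if [ -n "$3" ]; then
        echo "WARN REDIS_NO_SSL is set"
    fi
    return 0
}

# Number of findings for a given set of values.
count_findings() {
    audit_opencre_env "$1" "$2" "$3" | grep -c '^WARN' || true
}

# Audit the current environment when the script is run directly.
audit_opencre_env "${NEO4J_URL-}" "${INSECURE_REQUESTS-}" "${REDIS_NO_SSL-}"
```

Run it in the shell or container entrypoint that holds the deployment's environment, before `make docker-prod-run`.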

You can run the containers with:

make docker-prod-run
make docker-dev-run

Developing

You can run backend tests with:

make test

You can get a coverage report with:

make cover

Try to keep the coverage above 70%.

