👍🎉 First off, thanks for taking the time to contribute! 🎉👍
The following is a set of guidelines for contributing. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request.
- Contributing to OpenCRE - Table Of Contents
This project and everyone participating in it is governed by the OWASP Code of Conduct. By participating, you are expected to uphold this code.
Note: Please don't file an issue to ask a question. Issues need to be meaningful.
You can reach us in the OWASP Slack at channel #project-cre
The "Issues" page lists a number of features we would like to implement, we have tagged the ones we believe are easy to pick up with the tag good first issue and/or beginner. Alternatively you can contribute content (see below) or request features or mappings by opening an Issue.
Note: Due to a wave of low effort, poorly tested and often destructive AI-powered issues often created only for the sake of opening a pull request, we will be aggressively closing both issues and pull requests that link to issues not acknowledged by the maintainers.
Adding a mapping to OpenCRE for a new standard X means that sections in X are each assigned to the corresponding ‘Common Requirement’ (or CRE number) at opencre.org. For example, the section 613-Insufficien Session expiration in the CWE standard is mapped to CRE 065-782 Ensure session timeout (soft/hard). The result is that when you go to the overview page of that requirement(CRE), users will see a link to CWE 613: https://www.opencre.org/cre/065-782
How to:
- Get the OpenCRE standard mapping template spreadsheet
- For every section in the standard, find the corresponding Common Requirement (CRE number) at OpenCRE and enter in that row the details of that section in the right columns: name, id, and hyperlink
- In case you identify opportunities to add Common Requirements: add those to the spreadsheet
- Send the mapping template file by creating a new github issue and add the file. That way, the community can see it, and we can use that issue to further communicate. Another option is to send the file to rob.vanderveer@owasp.org. You can also use that mail address for any questions.
ad. 1
The mapping spreadsheet (Excel) can be obtained here.
Note, it contains one example, where it links the CRE for development processes to a section in NIST 800-53.
ad.2
The spreadsheet shows the hierarchical organization of Common Requirements. You can browse or search through it, to find a good match. That same content can also be found in our explorer: https://zeljkoobrenovic.github.io/opencre-explorer/ From that page you can click on the common requirements to see to what standard sections it has been mapped, to perhaps give you a better idea. We do not recommend to use an existing mapping from the standard to another standard that is already in OpenCRE (e.g. CWE). Typically, details get lost that way. Note that we are developing an AI module to help create an initial mapping to a new standard, based on the text of that standard.
ad.3 Sometimes the new standard can have more detail in topics than OpenCRE has. For example, OpenCRE has the Common requirement of Automated Dynamic security testing and the new standard distinguishes applying DAST tools and applying IAST tools, than you may suggest two new Common Requirements as children of Automated Dynamic security testing and link each of them to the corresponding sections in the new standard. For that, you make two new rows below. As code for the requirements you don’t enter an XXX-XXX number, but you enter ‘NEW|Apply DAST tools’ where the | character separates the code from the name of the requirement. In general, this will be rare.
ad.4 OpenCRE has an importing interface in case you run your own myOpenCRE, but for the public opencre.org we first perform some checks before we add a standard to it - hence the request to send the mapping to us in email.
NOTE: there is an alternative method of linking a standard to OpenCRE, and it's the preferred way because it is self-maintaining. It requires editing the orginal standard text. What you do is you add to the standard a hyperlink reference to the relevant common requirement (e.g. Restrict XML parsing) in a section on that topic. And then you specify to us at OpenCRE how we can read your source (e.g. Github) automatically to extract those hyperlinks and to construct links to that section in the document, and parse the name and id. That way, the links between the standard and OpenCRE will stay intact if links move, or change. It's easy and no maintenance required. Again, this only works if you have control over the content of the standard. Contact us if you want to set this up. We'd be happy to help.
When you are creating a bug report, please include as many details as possible. Fill out the required template, the information it asks for helps us resolve issues faster.
Note: If you find a Closed issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one.
Please avoid opening GitHub issues for small frontend or cosmetic bugs such as:
- Minor spacing inconsistencies
- Small UI alignment issues
- Text capitalization fixes
- One-line styling adjustments
- Specific page looks a bit off on screens of size X.
Bugs are tracked as GitHub issues. Create an issue and provide the following information by filling in the template.
Explain the problem and include additional details to help maintainers reproduce the problem:
- Ensure the issue doesn't already exist
- Use a clear and descriptive title for the issue to identify the problem.
- Describe the exact steps which reproduce the problem in as many details as possible.
- Provide specific examples to demonstrate the steps. Include links to files or GitHub projects, or copy/pasteable snippets, which you use in those examples. If you're providing snippets in the issue, use Markdown code blocks.
- Describe the behavior you observed after following the steps and point out what exactly is the problem with that behavior.
- Explain which behavior you expected to see instead and why.
This section guides you through submitting an enhancement suggestion, including completely new features and minor improvements to existing functionality. Following these guidelines helps maintainers and the community understand your suggestion 📝 and find related suggestions 🔎.
When you are creating an enhancement suggestion, please include as many details as possible. Fill in the template, including the steps that you imagine you would take if the feature you're requesting existed.
Enhancement suggestions are tracked as GitHub issues. Create an issue on that repository and provide the following information:
- Use a clear and descriptive title for the issue to identify the suggestion.
- Provide a step-by-step description of the suggested enhancement in as many details as possible.
- Provide specific examples to demonstrate the steps. Include copy/pasteable snippets which you use in those examples, as Markdown code blocks.
- Describe the current behavior and explain which behavior you expected to see instead and why.
- Explain why this enhancement would be useful.
Unsure where to begin contributing? You can start by looking through these beginner, good first issue and help-wanted issues:
- Beginner issues - issues of low complexity, they usually can be implemented without changing a lot of existing functionality, are easy to describe and only require a test or two.
- Good first issue - issues which should require more substantial changes but can be done in a few days.
- Help wanted issues - issues which should be a bit more involved than
beginnerissues.
High quality contributions are preferred over quantity.
Before submitting a pull request:
- Check if a similar PR already exists, we will be closing duplicate PRs.
- Verify that the issue is not already solved and it exists in the latest deployed branch.
- Ensure the change provides meaningful value, "part of the website looks flat", "single typo fixes" and similar single prompt or 30 minute with vibe-coding type of contributions that take longer to review and test than to write are unwelcome. The maintainer team also has access to the same tools.
- Run tests and lint checks locally, also run the application locally and check visually.
Repeated low-effort pull requests may be closed by maintainers.
Each Pull Request should close a single ticket and only make the minimum amount of changes necessary in order for this to be done. Please reference the relevant ticket in the Pull Request. After you submit your pull request, verify that all status checks are passing
What if the status checks are failing?
If a status check is failing, and you believe that the failure is unrelated to your change, please leave a comment on the pull request explaining why you believe the failure is unrelated. A maintainer will re-run the status check for you. If we conclude that the failure was a false positive, then we will open an issue to track that problem with our status check suite.If a pull request addresses multiple issues, each commit should address a single issue. Commits should also be atomic, that means we can merge single commits if we want to.
Please avoid opening GitHub issues for extremely small frontend or cosmetic bugs such as:
- Minor spacing inconsistencies
- Small UI alignment issues
- Text capitalization fixes
- One-line styling adjustments
If the issue can be fixed quickly (for example within ~30 minutes), please submit a pull request instead of opening a separate issue. Opening tickets for trivial issues increases maintenance overhead and slows down triage for real bugs.
While AI tools such as Cursor, Claude, or ChatGPT can help contributors, pull requests generated entirely by LLMs without proper validation are discouraged. We will be closing low effort-low value PRs.
Before submitting a PR:
- Ensure you fully understand the change.
- Verify that the solution was tested locally and doesn't break other functionality.
- Confirm that the change actually improves the project.
- Confirm that the change is a needed change by the maintaining team.
Please avoid opening multiple pull requests for similar or closely related issues.
Examples of discouraged behavior:
- Opening several PRs fixing similar UI problems separately
- Submitting many small fixes that could be grouped together
- Creating PRs for issues that could be solved in the same patch
If you find several related issues, combine them into one well-structured pull request with separate commits addressing each one.
Before opening a new issue or pull request:
- Search existing issues
- Check open pull requests
- Confirm that the problem has not already been reported
- Before starting work on an issue, please wait for a maintainer to acknowledge or assign the ticket.
- Maintainers reserve the right to close low-effort or duplicate contributions without review.
This helps prevent duplicate work and ensures that the proposed change aligns with the project's roadmap. Pull requests submitted for issues that have not been acknowledged may be closed.
We use eslint and black to enforce style. make lint should fix most style problems.
- Use the present tense ("Add feature" not "Added feature")
- Use the imperative mood ("Move cursor to..." not "Moves cursor to...")
- Limit the first line to 72 characters or less
- Reference issues and pull requests liberally after the first line
- When only changing documentation, include
[ci skip]in the commit title.
You can start the frontend in a debuggable instance separate from the backend using the following:
After you have installed the application following the README. You can start the backend server with:
make dev-flask
Then in a separate terminal
cd application/frontend
and finally start the frontend in a debug session:
yarn start