Skip to content

Latest commit

 

History

History
136 lines (86 loc) · 10.2 KB

CONTRIBUTING.md

File metadata and controls

136 lines (86 loc) · 10.2 KB

Contributing to OpenCRE

👍🎉 First off, thanks for taking the time to contribute! 🎉👍

The following is a set of guidelines for contributing. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request.

Table Of Contents

Code of Conduct

This project and everyone participating in it is governed by the OWASP Code of Conduct. By participating, you are expected to uphold this code.

I don't want to read this whole thing I just have a question!!!

Note: Please don't file an issue to ask a question.

You can reach us in the OWASP Slack at channel #project-cre

or send a message to [email protected]

How Can I Contribute?

The "Issues" page lists a number of features we would like to implement, we have tagged the ones we believe are easy to pick up with the tag good first issue and/or beginner. Alternatively you can contribute content (see below) or request features or mappings by opening an Issue.

How can I contribute content (a standard mapping or changes to the CRE catalog)?

Adding a mapping to OpenCRE for a new standard X means that sections in X are each assigned to the corresponding ‘Common Requirement’ (or CRE number) at opencre.org. For example, the section 613-Insufficien Session expiration in the CWE standard is mapped to CRE 065-782 Ensure session timeout (soft/hard). The result is that when you go to the overview page of that requirement(CRE), users will see a link to CWE 613: https://www.opencre.org/cre/065-782

How to:

  1. Get the OpenCRE standard mapping template spreadsheet
  2. For every section in the standard, find the corresponding Common Requirement (CRE number) at OpenCRE and enter in that row the details of that section in the right columns: name, id, and hyperlink
  3. In case you identify opportunities to add Common Requirements: add those to the spreadsheet
  4. Send the mapping template file by creating a new github issue and add the file. That way, the community can see it, and we can use that issue to further communicate. Another option is to send the file to [email protected]. You can also use that mail address for any questions.

ad. 1 The mapping spreadsheet (Excel) can be obtained here.
Note, it contains one example, where it links the CRE for development processes to a section in NIST 800-53.

ad.2

The spreadsheet shows the hierarchical organization of Common Requirements. You can browse or search through it, to find a good match. That same content can also be found in our explorer: https://zeljkoobrenovic.github.io/opencre-explorer/ From that page you can click on the common requirements to see to what standard sections it has been mapped, to perhaps give you a better idea. We do not recommend to use an existing mapping from the standard to another standard that is already in OpenCRE (e.g. CWE). Typically, details get lost that way. Note that we are developing an AI module to help create an initial mapping to a new standard, based on the text of that standard.

ad.3 Sometimes the new standard can have more detail in topics than OpenCRE has. For example, OpenCRE has the Common requirement of Automated Dynamic security testing and the new standard distinguishes applying DAST tools and applying IAST tools, than you may suggest two new Common Requirements as children of Automated Dynamic security testing and link each of them to the corresponding sections in the new standard. For that, you make two new rows below. As code for the requirements you don’t enter an XXX-XXX number, but you enter ‘NEW|Apply DAST tools’ where the | character separates the code from the name of the requirement. In general, this will be rare.

ad.4 OpenCRE has an importing interface in case you run your own myOpenCRE, but for the public opencre.org we first perform some checks before we add a standard to it - hence the request to send the mapping to us in email.

Alternative, automated method of linking:

NOTE: there is an alternative method of linking a standard to OpenCRE, and it's the preferred way because it is self-maintaining. It requires editing the orginal standard text. What you do is you add to the standard a hyperlink reference to the relevant common requirement (e.g. Restrict XML parsing) in a section on that topic. And then you specify to us at OpenCRE how we can read your source (e.g. Github) automatically to extract those hyperlinks and to construct links to that section in the document, and parse the name and id. That way, the links between the standard and OpenCRE will stay intact if links move, or change. It's easy and no maintenance required. Again, this only works if you have control over the content of the standard. Contact us if you want to set this up. We'd be happy to help.

Reporting Bugs

When you are creating a bug report, please include as many details as possible. Fill out the required template, the information it asks for helps us resolve issues faster.

Note: If you find a Closed issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one.

How Do I Submit A (Good) Bug Report?

Bugs are tracked as GitHub issues. Create an issue and provide the following information by filling in the template.

Explain the problem and include additional details to help maintainers reproduce the problem:

  • Use a clear and descriptive title for the issue to identify the problem.
  • Describe the exact steps which reproduce the problem in as many details as possible.
  • Provide specific examples to demonstrate the steps. Include links to files or GitHub projects, or copy/pasteable snippets, which you use in those examples. If you're providing snippets in the issue, use Markdown code blocks.
  • Describe the behavior you observed after following the steps and point out what exactly is the problem with that behavior.
  • Explain which behavior you expected to see instead and why.

Suggesting Enhancements

This section guides you through submitting an enhancement suggestion, including completely new features and minor improvements to existing functionality. Following these guidelines helps maintainers and the community understand your suggestion 📝 and find related suggestions 🔎.

When you are creating an enhancement suggestion, please include as many details as possible. Fill in the template, including the steps that you imagine you would take if the feature you're requesting existed.

How Do I Submit A (Good) Enhancement Suggestion?

Enhancement suggestions are tracked as GitHub issues. Create an issue on that repository and provide the following information:

  • Use a clear and descriptive title for the issue to identify the suggestion.
  • Provide a step-by-step description of the suggested enhancement in as many details as possible.
  • Provide specific examples to demonstrate the steps. Include copy/pasteable snippets which you use in those examples, as Markdown code blocks.
  • Describe the current behavior and explain which behavior you expected to see instead and why.
  • Explain why this enhancement would be useful.

Your First Code Contribution

Unsure where to begin contributing? You can start by looking through these beginner, good first issue and help-wanted issues:

  • Beginner issues - issues which should only require a few lines of code, and a test or two.
  • Good first issue - issues which should require more substantial changes but can be done in an afternoon or two.
  • Help wanted issues - issues which should be a bit more involved than beginner issues.

Pull Requests

Each Pull Request should close a single ticket and only make changes necessary in order for this to be done. Please reference the relevant ticket in the Pull Request. After you submit your pull request, verify that all status checks are passing

What if the status checks are failing?If a status check is failing, and you believe that the failure is unrelated to your change, please leave a comment on the pull request explaining why you believe the failure is unrelated. A maintainer will re-run the status check for you. If we conclude that the failure was a false positive, then we will open an issue to track that problem with our status check suite.

Styleguides

We use eslint and black to enforce style. make lint should fix most style problems.

Git Commit Messages

  • Use the present tense ("Add feature" not "Added feature")
  • Use the imperative mood ("Move cursor to..." not "Moves cursor to...")
  • Limit the first line to 72 characters or less
  • Reference issues and pull requests liberally after the first line
  • When only changing documentation, include [ci skip] in the commit title.