Merge upstream/main into fix-chatbot-error-handling-v2 and resolve chatbot.tsx conflicts

Author: PRAteek-singHWY

CODE_OF_CONDUCT.md

@@ -0,0 +1,62 @@
+# Code of Conduct
+
+Participation in the OpenCRE project and its community is conditional upon adhering to this Code of Conduct. By participating—including contributing code, opening or commenting on issues, participating in discussions, or otherwise engaging with the project—you agree to comply with the following.
+
+This Code of Conduct is aligned with the [OWASP Foundation Code of Conduct](https://owasp.org/www-policy/operational/code-of-conduct.html) and reflects the same ethical standards expected across OWASP activities.
+
+## Our Standards
+
+### Conduct Generally
+
+Participants are expected to:
+
+- **Comply with applicable laws** — Follow all applicable local, state, national, and international laws, including export control, trade sanctions, and antitrust laws where relevant.
+- **Act with integrity** — Comply with high ethical principles; discharge responsibilities with diligence and honesty.
+- **Communicate openly and honestly** — Be constructive and transparent in technical and community discussions.
+- **Treat everyone with respect and dignity** — Welcome people of all backgrounds. Do not engage in harassment or any intimidating, discriminatory, abusive, derogatory, or demeaning behavior or communication.
+- **Respect intellectual property** — Provide proper attribution; avoid plagiarism and copyright infringement. Ensure work you submit is your own or properly attributed and permitted.
+- **Maintain confidentiality** — Do not disclose sensitive or proprietary information encountered in the course of project activities without authorization.
+- **Avoid conflicts of interest** — Refrain from activity that could constitute a conflict of interest or damage the reputation of the project, employers, or the security community.
+- **Reject inappropriate pressure** — Maintain objectivity and independence; reject pressure from industry or others that would compromise ethical behavior.
+- **Support application security** — In line with OWASP’s mission, promote the implementation of and compliance with sound application security standards and practices.
+
+### Unacceptable Behavior
+
+Unacceptable behavior includes, but is not limited to:
+
+- **Harassment** — Any conduct a reasonable person would find unwelcome, intimidating, hostile, threatening, abusive, or offensive, including that related to gender, gender identity and expression, sexual orientation, disability, national origin, race, age, religion, or similar matters. This also includes stalking, unwelcome following, harassing photography or recording, sustained disruption of discussions or meetings, inappropriate physical contact, and unwelcome sexual attention.
+- **Discrimination** — Treating people unfairly based on protected characteristics or other irrelevant factors.
+- **Abuse or intimidation** — Personal attacks, trolling, insulting or derogatory comments, and public or private harassment.
+- **Misrepresentation** — Claiming others’ work as your own or misrepresenting your affiliation or authority.
+- **Other harmful conduct** — Any behavior that could reasonably result in harm to individuals, the project, or the broader community.
+
+## Scope
+
+This Code of Conduct applies to all project spaces and related activities, including:
+
+- Repositories, pull requests, issues, and comments
+- Mailing lists, chat channels, and other communication channels used by the project
+- In-person or virtual events and meetings associated with OpenCRE
+- Any other context where you are participating as a member of the OpenCRE community
+
+## Reporting
+
+If you believe someone has violated this Code of Conduct, please report it. Reports will be handled with discretion and in line with the project’s commitment to a safe and respectful environment.
+
+- **How to report:** Contact the project maintainers (e.g. via the repository’s contact or maintainer information, or through OWASP channels if applicable). For serious or sensitive matters, you may refer to the [OWASP Whistleblower & Anti-Retaliation Policy](https://owasp.org/www-policy/operational/whistleblower.html).
+- **What to include:** Your contact details (if you are comfortable sharing them), names of those involved, description of the incident, and any relevant links or evidence.
+- **Confidentiality:** We will keep reports confidential to the extent possible while still allowing a fair and effective response.
+
+Good-faith reporters will not be retaliated against.
+
+## Enforcement
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, issues, and other contributions that are not aligned with this Code of Conduct, and to take other actions they deem appropriate, including temporary or permanent bans from the project’s spaces.
+
+- **Typical response:** For minor or first-time issues, a warning and request to change behavior may be sufficient.
+- **Serious or repeated violations:** May result in temporary or permanent restriction from participation (e.g. blocking from the repository, mailing list, or events).
+- **Escalation:** For matters that involve OWASP Foundation policies, legal issues, or broader community impact, reports may be escalated to the OWASP Foundation (e.g. Compliance Officer or Executive Director) in line with the [OWASP Code of Conduct](https://owasp.org/www-policy/operational/code-of-conduct.html) and related policies.
+
+## Attribution
+
+This Code of Conduct is adapted from the [OWASP Foundation Code of Conduct](https://owasp.org/www-policy/operational/code-of-conduct.html) and is intended to be consistent with OWASP’s standards for community participation.

README.md

@@ -46,7 +46,7 @@ To install this application you need python3, yarn and virtualenv.
 Clone the repository:
 
 ```bash
-git clone https://github.com/OWASP/common-requirement-enumeration
+git clone https://github.com/OWASP/OpenCRE
 ```
 
 (Recommended) Create and activate a Python virtual environment:

application/config.py

@@ -8,6 +8,10 @@ class Config:
     SQLALCHEMY_RECORD_QUERIES = False
     ITEMS_PER_PAGE = 20
     SLOW_DB_QUERY_TIME = 0.5
+    # Feature toggle for gap analysis optimization (default: False for safety)
+    GAP_ANALYSIS_OPTIMIZED = (
+        os.environ.get("GAP_ANALYSIS_OPTIMIZED", "False").lower() == "true"
+    )
 
 
 class DevelopmentConfig(Config):

application/database/db.py

@@ -561,6 +561,175 @@ def link_CRE_to_Node(self, CRE_id, node_id, link_type):
         raise Exception(f"Unknown relation type {link_type} for Nodes to CREs")
 
     @classmethod
+    def gap_analysis(self, name_1, name_2):
+        """
+        Gap analysis with feature toggle support.
+
+        Toggle between original exhaustive traversal (default) and
+        optimized tiered pruning (opt-in via GAP_ANALYSIS_OPTIMIZED env var).
+        """
+        from application.config import Config
+
+        if Config.GAP_ANALYSIS_OPTIMIZED:
+            logger.info(
+                f"Gap Analysis: Using OPTIMIZED tiered pruning for {name_1}>>{name_2}"
+            )
+            return self._gap_analysis_optimized(name_1, name_2)
+        else:
+            logger.info(
+                f"Gap Analysis: Using ORIGINAL exhaustive traversal for {name_1}>>{name_2}"
+            )
+            return self._gap_analysis_original(name_1, name_2)
+
+    @classmethod
+    def _gap_analysis_optimized(self, name_1, name_2):
+        """
+        OPTIMIZED: Tiered Pruning Strategy with Early Exit
+
+        Tier 1: Strong links only (LINKED_TO, SAME, AUTOMATICALLY_LINKED_TO)
+        Tier 2: Add hierarchical (CONTAINS) if Tier 1 empty
+        Tier 3: Fallback to wildcard if both tiers empty
+        """
+        logger.info(
+            f"Performing OPTIMIZED GraphDB queries for gap analysis {name_1}>>{name_2}"
+        )
+        base_standard = NeoStandard.nodes.filter(name=name_1)
+        denylist = ["Cross-cutting concerns"]
+
+        # Tier 1: Strong Links (LINKED_TO, SAME, AUTOMATICALLY_LINKED_TO)
+        path_records, _ = db.cypher_query(
+            """
+         MATCH (BaseStandard:NeoStandard {name: $name1})
+         MATCH (CompareStandard:NeoStandard {name: $name2})
+         MATCH p = allShortestPaths((BaseStandard)-[:(LINKED_TO|AUTOMATICALLY_LINKED_TO|SAME)*..20]-(CompareStandard))
+         WITH p
+         WHERE length(p) > 1 AND ALL(n in NODES(p) WHERE (n:NeoCRE or n = BaseStandard or n = CompareStandard) AND NOT n.name in $denylist)
+         RETURN p
+            """,
+            {"name1": name_1, "name2": name_2, "denylist": denylist},
+            resolve_objects=True,
+        )
+
+        # If strict strong links found, return early (Pruning)
+        if path_records and len(path_records) > 0:
+            logger.info(
+                f"Gap Analysis: Tier 1 (Strong) found {len(path_records)} paths. Pruning remainder."
+            )
+            return self._format_gap_analysis_response(base_standard, path_records)
+
+        # Tier 2: Medium Links (Add CONTAINS to the mix)
+        path_records, _ = db.cypher_query(
+            """
+         MATCH (BaseStandard:NeoStandard {name: $name1})
+         MATCH (CompareStandard:NeoStandard {name: $name2})
+         MATCH p = allShortestPaths((BaseStandard)-[:(LINKED_TO|AUTOMATICALLY_LINKED_TO|SAME|CONTAINS)*..20]-(CompareStandard))
+         WITH p
+         WHERE length(p) > 1 AND ALL(n in NODES(p) WHERE (n:NeoCRE or n = BaseStandard or n = CompareStandard) AND NOT n.name in $denylist)
+         RETURN p
+            """,
+            {"name1": name_1, "name2": name_2, "denylist": denylist},
+            resolve_objects=True,
+        )
+
+        if path_records and len(path_records) > 0:
+            logger.info(
+                f"Gap Analysis: Tier 2 (Medium) found {len(path_records)} paths. Pruning remainder."
+            )
+            return self._format_gap_analysis_response(base_standard, path_records)
+
+        # Tier 3: Weak/All Links (Wildcard - The original expensive query)
+        logger.info(
+            "Gap Analysis: Tiers 1 & 2 empty. Executing Tier 3 (Wildcard search)."
+        )
+        path_records_all, _ = db.cypher_query(
+            """
+         MATCH (BaseStandard:NeoStandard {name: $name1})
+         MATCH (CompareStandard:NeoStandard {name: $name2})
+         MATCH p = allShortestPaths((BaseStandard)-[*..20]-(CompareStandard))
+         WITH p
+         WHERE length(p) > 1 AND ALL (n in NODES(p) where (n:NeoCRE or n = BaseStandard or n = CompareStandard) AND NOT n.name in $denylist) 
+         RETURN p
+            """,
+            {"name1": name_1, "name2": name_2, "denylist": denylist},
+            resolve_objects=True,
+        )
+
+        return self._format_gap_analysis_response(base_standard, path_records_all)
+
+    @classmethod
+    def _gap_analysis_original(self, name_1, name_2):
+        """
+        ORIGINAL: Exhaustive traversal (always runs both queries)
+
+        This is the safe default - maintains backward compatibility.
+        """
+        logger.info(
+            f"Performing ORIGINAL GraphDB queries for gap analysis {name_1}>>{name_2}"
+        )
+        base_standard = NeoStandard.nodes.filter(name=name_1)
+        denylist = ["Cross-cutting concerns"]
+        from datetime import datetime
+
+        # Query 1: Wildcard (all relationships)
+        path_records_all, _ = db.cypher_query(
+            """
+         MATCH (BaseStandard:NeoStandard {name: $name1})
+         MATCH (CompareStandard:NeoStandard {name: $name2})
+         MATCH p = allShortestPaths((BaseStandard)-[*..20]-(CompareStandard))
+         WITH p
+         WHERE length(p) > 1 AND ALL (n in NODES(p) where (n:NeoCRE or n = BaseStandard or n = CompareStandard) AND NOT n.name in $denylist) 
+         RETURN p
+            """,
+            {"name1": name_1, "name2": name_2, "denylist": denylist},
+            resolve_objects=True,
+        )
+
+        # Query 2: Filtered (LINKED_TO, AUTOMATICALLY_LINKED_TO, CONTAINS)
+        path_records, _ = db.cypher_query(
+            """
+         MATCH (BaseStandard:NeoStandard {name: $name1})
+         MATCH (CompareStandard:NeoStandard {name: $name2})
+         MATCH p = allShortestPaths((BaseStandard)-[:(LINKED_TO|AUTOMATICALLY_LINKED_TO|CONTAINS)*..20]-(CompareStandard))
+         WITH p
+         WHERE length(p) > 1 AND ALL(n in NODES(p) WHERE (n:NeoCRE or n = BaseStandard or n = CompareStandard) AND NOT n.name in $denylist)
+         RETURN p
+            """,
+            {"name1": name_1, "name2": name_2, "denylist": denylist},
+            resolve_objects=True,
+        )
+
+        # Combine results (original behavior)
+        def format_segment(seg: StructuredRel, nodes):
+            relation_map = {
+                RelatedRel: "RELATED",
+                ContainsRel: "CONTAINS",
+                LinkedToRel: "LINKED_TO",
+                AutoLinkedToRel: "AUTOMATICALLY_LINKED_TO",
+            }
+            start_node = [
+                node for node in nodes if node.element_id == seg._start_node_element_id
+            ][0]
+            end_node = [
+                node for node in nodes if node.element_id == seg._end_node_element_id
+            ][0]
+
+            return {
+                "start": NEO_DB.parse_node_no_links(start_node),
+                "end": NEO_DB.parse_node_no_links(end_node),
+                "relationship": relation_map[type(seg)],
+            }
+
+        def format_path_record(rec):
+            return {
+                "start": NEO_DB.parse_node_no_links(rec.start_node),
+                "end": NEO_DB.parse_node_no_links(rec.end_node),
+                "path": [format_segment(seg, rec.nodes) for seg in rec.relationships],
+            }
+
+        return [NEO_DB.parse_node_no_links(rec) for rec in base_standard], [
+            format_path_record(rec[0]) for rec in (path_records + path_records_all)
+        ]
+
     def gap_analysis(self, name_1, name_2):
         logger.info(f"Performing GraphDB queries for gap analysis {name_1}>>{name_2}")
         base_standard = NeoStandard.nodes.filter(name=name_1)

application/frontend/src/components/DocumentNode/DocumentNode.tsx

@@ -89,7 +89,7 @@ export const DocumentNode: FunctionComponent<DocumentNode> = ({
     return (
       <>
         <span>Reference:</span>
-        <a href={hyperlink.hyperlink} target="_blank">
+        <a href={hyperlink.hyperlink} target="_blank" rel="noopener noreferrer">
           {' '}
           {hyperlink.hyperlink}
         </a>
@@ -103,7 +103,7 @@ export const DocumentNode: FunctionComponent<DocumentNode> = ({
     }
 
     return (
-      <a href={hyperlink.hyperlink} target="_blank">
+      <a href={hyperlink.hyperlink} target="_blank" rel="noopener noreferrer">
         <Icon name="external" />
       </a>
     );

application/frontend/src/pages/CommonRequirementEnumeration/CommonRequirementEnumeration.tsx

@@ -63,7 +63,7 @@ export const CommonRequirementEnumeration = () => {
           {display && display.hyperlink && (
             <>
               <span>Reference: </span>
-              <a href={display?.hyperlink} target="_blank">
+              <a href={display?.hyperlink} target="_blank" rel="noopener noreferrer">
                 {' '}
                 {display.hyperlink}
               </a>

application/frontend/src/pages/Explorer/LinkedStandards.tsx

@@ -53,7 +53,7 @@ export const LinkedStandards = ({ creCode, linkedTo, applyHighlight, filter }) =
         {uniqueLinkedTo.map((x: LinkedTreeDocument) => (
           <Fragment key={x.document.name}>
             {isExternalLink(x, linkedTo) && (
-              <a href={x.document.hyperlink} target="_blank">
+              <a href={x.document.hyperlink} target="_blank" rel="noopener noreferrer">
                 <Label>
                   <Icon name="external" />
                   {applyHighlight(x.document.name, filter)}

application/frontend/src/pages/Explorer/explorer.tsx

@@ -137,7 +137,7 @@ export const Explorer = () => {
         <h1>Open CRE Explorer</h1>
         <p>
           A visual explorer of Open Common Requirement Enumerations (CREs). Originally created by:{' '}
-          <a target="_blank" href="https://zeljkoobrenovic.github.io/opencre-explorer/">
+          <a target="_blank" rel="noopener noreferrer" href="https://zeljkoobrenovic.github.io/opencre-explorer/">
             Zeljko Obrenovic
           </a>
           .
@@ -158,13 +158,13 @@ export const Explorer = () => {
                 <a href="/explorer/circles">Zoomable circles</a>
               </li>
             </ul>
-            {/* <a target="_blank" href="visuals/force-graph-3d-contains.html">
+            {/* <a target="_blank" rel="noopener noreferrer" href="visuals/force-graph-3d-contains.html">
               hierarchy only
             </a>
-            <a target="_blank" href="visuals/force-graph-3d-related.html">
+            <a target="_blank" rel="noopener noreferrer" href="visuals/force-graph-3d-related.html">
               related only
             </a>
-            <a target="_blank" href="visuals/force-graph-3d-linked.html">
+            <a target="_blank" rel="noopener noreferrer" href="visuals/force-graph-3d-linked.html">
               links to external standards
             </a>*/}
           </div>

application/frontend/src/pages/GapAnalysis/GapAnalysis.tsx

@@ -44,22 +44,22 @@ function useQuery() {
 const GetStrength = (score) => {
   if (score == 0) return 'Direct';
   if (score <= GA_STRONG_UPPER_LIMIT) return 'Strong';
-  if (score >= 20) return 'Weak';
+  if (score >= 7) return 'Weak';
   return 'Average';
 };
 
 const GetStrengthColor = (score) => {
   if (score === 0) return 'darkgreen';
   if (score <= GA_STRONG_UPPER_LIMIT) return '#93C54B';
-  if (score >= 20) return 'Red';
+  if (score >= 7) return 'Red';
   return 'Orange';
 };
 
 const GetResultLine = (path, gapAnalysis, key) => {
   let segmentID = gapAnalysis[key].start.id;
   return (
     <div key={path.end.id} style={{ marginBottom: '.25em', fontWeight: 'bold' }}>
-      <a href={getInternalUrl(path.end)} target="_blank">
+      <a href={getInternalUrl(path.end)} target="_blank" rel="noopener noreferrer">
         <Popup
           wide="very"
           size="large"
@@ -102,7 +102,7 @@ const GetResultLine = (path, gapAnalysis, key) => {
             <b style={{ color: GetStrengthColor(6) }}>{GetStrength(6)}</b>: Connected likely to have partial
             overlap
             <br />
-            <b style={{ color: GetStrengthColor(22) }}>{GetStrength(22)}</b>: Weakly connected likely to have
+            <b style={{ color: GetStrengthColor(7) }}>{GetStrength(7)}</b>: Weakly connected likely to have
             small or no overlap
           </Popup.Content>
         </Popup>
@@ -293,7 +293,7 @@ export const GapAnalysis = () => {
                 .map((key) => (
                   <Table.Row key={key}>
                     <Table.Cell textAlign="left" verticalAlign="top" selectable>
-                      <a href={getInternalUrl(gapAnalysis[key].start)} target="_blank">
+                      <a href={getInternalUrl(gapAnalysis[key].start)} target="_blank" rel="noopener noreferrer">
                         <p>
                           <b>{getDocumentDisplayName(gapAnalysis[key].start, true)}</b>
                         </p>

application/frontend/src/pages/Graph/Graph.tsx

@@ -39,7 +39,7 @@ const documentToReactFlowNode = (cDoc: Document | any): CREGraph => {
     position: { x: 0, y: 0 },
     data: {
       label: (
-        <a target="_blank" href={cDoc.hyperlink}>
+        <a target="_blank" rel="noopener noreferrer" href={cDoc.hyperlink}>
           {' '}
           {cDoc.id} - {cDoc.name}
         </a>
@@ -60,7 +60,7 @@ const documentToReactFlowNode = (cDoc: Document | any): CREGraph => {
         position: { x: 0, y: 0 },
         data: {
           label: (
-            <a target="_blank" href={hyperlink}>
+            <a target="_blank" rel="noopener noreferrer" href={hyperlink}>
               {' '}
               {node_label}
             </a>