Comments (5)
+1 on this. WAYYY to much access is being requested
from owasp-threat-dragon.
I think getting a read-write deploy key for the repo would be sufficient. That would only allow access to repo files, but not any of the settings/metatdata/issues/etc.
from owasp-threat-dragon.
Thanks for your interest in Threat Dragon. I know what you mean about the scope. The problem is that the app wants to write to the repo to store the model files and GitHub scopes don't allow anything less than repo
access as far as I can see. With the empty scope it would be able to read models but not save them.
The only other way I can think of to make this work is to use git to push the model files from my server to GitHub instead of using the GitHub API. The problem is, this would mean storing and handling your GH creds, which is worse than the repo
scope IMO.
Or, maybe I could do git from the browser using a javascript git implementation. That way your creds would never need to leave the browser...
This was one of the main reasons for creating the desktop variant. Would that be of interest?
Any suggestions on the way forward would be very welcome.
from owasp-threat-dragon.
This is linked to a similar issue #148 , because of the scopes available in github this has become a documentation issue
from owasp-threat-dragon.
Migrated to new issue in the OWASP area repo : OWASP/threat-dragon#5
from owasp-threat-dragon.
Related Issues (20)
- local model storage (for the webapp) HOT 2
- Server script fails only when running on Linux
- Update login page
- Link and reference OWASP cheat sheets HOT 1
- LGTM alert HOT 1
- Too many GitHub permissions required HOT 5
- Auto save desktop version HOT 3
- draw.io and/or visio intergration HOT 3
- User session timeout not handled HOT 1
- How to deploy it on local.[enviroment variables] HOT 9
- Undo - threat model diagram editor HOT 1
- File - Save - threat model diagram HOT 1
- Update the threat Dragon Home Page HOT 2
- Navigation (Usage Question) HOT 1
- Content on threatdragon.org HOT 4
- Are there any plans to add support for other SCM providers ? HOT 3
- Improve the DFD printing HOT 2
- Improve the movement option - Enhancement request HOT 2
- OWASP Threat Dragon fails on Macintosh HOT 1
- Viewer HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-threat-dragon.