Metadata-Version: 2.4
Name: depreach
Version: 0.1.0
Summary: SCA with reachability — find out if vulnerable code is actually reachable
Author: DepReach
License-Expression: MIT
Project-URL: Homepage, https://github.com/akiracrying/DepReach
Project-URL: Repository, https://github.com/akiracrying/DepReach
Keywords: sca,security,vulnerability,reachability,sbom,cyclonedx
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: appthreat-vulnerability-db>=6.6.0
Requires-Dist: apsw>=3.51
Requires-Dist: cyclonedx-bom>=5.0
Requires-Dist: cyclonedx-python-lib>=9.0
Requires-Dist: rich>=13.0
Requires-Dist: requests>=2.28
Requires-Dist: packageurl-python>=0.15
Requires-Dist: custom-json-diff>=0.3
Requires-Dist: pydantic>=2.0
Requires-Dist: defusedxml>=0.7
Requires-Dist: SQLAlchemy>=2.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Dynamic: license-file

<p align="center">
  <strong>DepReach</strong>
</p>
<p align="center">
  <em>SCA with reachability — find out if vulnerable code is actually reachable</em>
</p>

<p align="center">
  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="License: MIT"></a>
  <img src="https://img.shields.io/badge/Python-3.10+-3776AB?logo=python&logoColor=white" alt="Python 3.10+">
  <img src="https://img.shields.io/badge/CycloneDX-SBOM-orange" alt="CycloneDX SBOM">
  <img src="https://img.shields.io/badge/Docker-optional-2496ED?logo=docker&logoColor=white" alt="Docker optional">
  <img src="https://img.shields.io/badge/SCA-reachability-green" alt="SCA reachability">
</p>

## What is DepReach?

**DepReach** is a [Software Composition Analysis](https://owasp.org/www-project-software-composition-analysis/) (SCA) tool that goes beyond listing CVEs: it tells you whether vulnerable code is **reachable** from your project. It builds call graphs, maps fixes from GitHub diffs to affected functions and marks issues as reachable or not — so you can prioritize what actually matters.

## Preview

![Report](docs/report-preview.png)

## Features

| Feature | Description |
|--------|-------------|
| **SBOM** | CycloneDX via cyclonedx-py (Python) or cdxgen (Docker) |
| **Vulnerability lookup** | Local VDB (e.g. appthreat-vulnerability-db) |
| **Reachability** | Call graph + AST + GitHub diff → which vuln code is reachable |
| **Caching** | SQLite cache for reachability results |
| **HTML report** | Interactive dependency graph, filter by package, zoom, “hide clean” |

## Requirements

- **Python** 3.10+
- **Docker** (optional) — only if using cdxgen for SBOM
- **Git** — for reachability (GitHub diffs)

## Install

```bash
pip install depreach
```

Requires **Python 3.10+**.

## Usage

```bash
depreach -i <path_to_project> -o report.json [options]
```

Reports are written to `reports/<project_name>/` (JSON, SBOM, HTML). Optionally use `--sarif <file>` to output SARIF 2.1.

| Option | Description |
|--------|-------------|
| `-i`, `--input` | Source code directory (required) |
| `-o`, `--output` | Report filename; output dir is `reports/<project_name>/` |
| `--skip-update` | Skip VDB update |
| `--cache` | Cache reachability in SQLite |
| `-j`, `--jobs` | Parallel jobs for reachability (default: 6) |
| `--ignore` | Comma-separated package names to ignore (e.g. `flask,requests`) |
| `--sarif` | Write SARIF 2.1 file (reachability in `result.properties`) for ASPM/Code Scanning |

**Exit codes:** `0` = no vulns, `1` = vulns but none reachable, `2` = at least one reachable.

**Example**

```bash
depreach -i ./my-app -o report.json --cache --ignore "flask" --sarif report.sarif
```

## Output

| Artifact | Path | Description |
|----------|------|-------------|
| JSON report | `reports/<name>/report.json` | Vulns with CVE, severity, description, references, reachability |
| SBOM | `reports/<name>/<name>_sbom.json` | CycloneDX SBOM |
| HTML report | `reports/<name>/report.html` | Interactive graph, filter by package, zoom |
| Console | — | Rich table with reachability status |
| Log | `depreach.log` | Debug log |
| SARIF | path from `--sarif` | SARIF 2.1 with `isReachable` in result properties (for ASPM) |
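As an added example (not code from the DepReach README or code base), here is a small consumer for the file written by `--sarif`. It walks the standard SARIF 2.1 `runs[].results[]` layout, reads the verdict from `result.properties.isReachable` (the key named above), and derives the same 0/1/2 exit code the CLI uses, so a pipeline that only has the SARIF artifact can still gate on reachable findings. The embedded SARIF document is constructed for illustration: its rule ids, messages and levels are placeholders, and the `fail_on_unknown` option is an assumption of this example, not a DepReach flag.

```python
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Constructed sample SARIF 2.1 document shaped like DepReach's --sarif output:
# the only DepReach-specific detail is result.properties.isReachable (from the
# README). Rule ids, messages and levels are placeholders, not real findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "depreach"}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error",
             "message": {"text": "placeholder: vulnerable function is called"},
             "properties": {"isReachable": True}},
            {"ruleId": "EXAMPLE-0002", "level": "warning",
             "message": {"text": "placeholder: vulnerable function never called"},
             "properties": {"isReachable": False}},
            # A result with no reachability verdict at all (e.g. analysis failed).
            {"ruleId": "EXAMPLE-0003", "level": "note",
             "message": {"text": "placeholder: no reachability data"}},
        ],
    }],
})


def iter_results(sarif: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every result across all runs of a SARIF 2.1 log."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def reachability(result: dict[str, Any]) -> bool | None:
    """Return the isReachable verdict, or None when the result carries none.

    None is kept distinct from False on purpose: a missing verdict is unknown,
    not proof that the vulnerable code is unreachable.
    """
    value = result.get("properties", {}).get("isReachable")
    return value if isinstance(value, bool) else None


def summarize(sarif_text: str) -> dict[str, list[str]]:
    """Bucket rule ids into reachable / unreachable / unknown."""
    buckets: dict[str, list[str]] = {"reachable": [], "unreachable": [], "unknown": []}
    for result in iter_results(json.loads(sarif_text)):
        verdict = reachability(result)
        key = {True: "reachable", False: "unreachable"}.get(verdict, "unknown")
        buckets[key].append(result.get("ruleId", "<no ruleId>"))
    return buckets


def exit_code_for(summary: dict[str, list[str]], fail_on_unknown: bool = False) -> int:
    """Mirror the CLI convention: 0 = no vulns, 1 = vulns but none reachable,
    2 = at least one reachable. fail_on_unknown (assumed option) treats results
    without a verdict as reachable, which is the conservative choice for gating.
    """
    if summary["reachable"] or (fail_on_unknown and summary["unknown"]):
        return 2
    if summary["unreachable"] or summary["unknown"]:
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py [report.sarif]; falls back to the sample above.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarize(text)
    for bucket, ids in summary.items():
        print(f"{bucket:>11}: {', '.join(ids) or '-'}")
    sys.exit(exit_code_for(summary))
```

Run against the sample it reports one reachable, one unreachable and one unknown result and exits with 2; pointed at a real `--sarif` file it gives a pipeline the same gate the `depreach` exit code provides, plus the option to fail on findings whose reachability could not be determined.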

## Use as a library

```python
from depreach import run

vulns, exit_code = run(
    input_dir="./my-app",
    output_file="report.json",
    skip_update=False,
    cache=True,
    jobs=6,
    ignore="flask,requests",
    sarif_path="report.sarif",
)
# exit_code: 0 = no vulns, 1 = vulns found but none reachable, 2 = at least one reachable
```

