entrygraph 0.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- entrygraph-0.1.0/.github/workflows/ci.yml +27 -0
- entrygraph-0.1.0/.github/workflows/release.yml +92 -0
- entrygraph-0.1.0/.gitignore +227 -0
- entrygraph-0.1.0/LICENSE +21 -0
- entrygraph-0.1.0/PKG-INFO +204 -0
- entrygraph-0.1.0/README.md +157 -0
- entrygraph-0.1.0/RELEASING.md +83 -0
- entrygraph-0.1.0/pyproject.toml +57 -0
- entrygraph-0.1.0/src/entrygraph/__init__.py +87 -0
- entrygraph-0.1.0/src/entrygraph/__main__.py +8 -0
- entrygraph-0.1.0/src/entrygraph/_version.py +24 -0
- entrygraph-0.1.0/src/entrygraph/api.py +549 -0
- entrygraph-0.1.0/src/entrygraph/cli/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/cli/main.py +387 -0
- entrygraph-0.1.0/src/entrygraph/cli/render.py +136 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/csharp.toml +106 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/go.toml +87 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/java.toml +92 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/javascript.toml +112 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/lib_javascript.toml +34 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/lib_python.toml +39 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/php.toml +125 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/python.toml +160 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/ruby.toml +102 -0
- entrygraph-0.1.0/src/entrygraph/data/sinks/rust.toml +68 -0
- entrygraph-0.1.0/src/entrygraph/db/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/db/engine.py +34 -0
- entrygraph-0.1.0/src/entrygraph/db/meta.py +70 -0
- entrygraph-0.1.0/src/entrygraph/db/models.py +176 -0
- entrygraph-0.1.0/src/entrygraph/db/queries.py +155 -0
- entrygraph-0.1.0/src/entrygraph/detect/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/__init__.py +22 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/base.py +124 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/configs.py +139 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/csharp.py +156 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/golang.py +158 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/java.py +187 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/javascript.py +211 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/php.py +133 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/python.py +335 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/ruby.py +147 -0
- entrygraph-0.1.0/src/entrygraph/detect/entrypoints/rust.py +153 -0
- entrygraph-0.1.0/src/entrygraph/detect/frameworks.py +369 -0
- entrygraph-0.1.0/src/entrygraph/detect/manifests.py +234 -0
- entrygraph-0.1.0/src/entrygraph/detect/taint.py +224 -0
- entrygraph-0.1.0/src/entrygraph/errors.py +27 -0
- entrygraph-0.1.0/src/entrygraph/extract/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/extract/base.py +51 -0
- entrygraph-0.1.0/src/entrygraph/extract/csharp.py +502 -0
- entrygraph-0.1.0/src/entrygraph/extract/golang.py +342 -0
- entrygraph-0.1.0/src/entrygraph/extract/ir.py +105 -0
- entrygraph-0.1.0/src/entrygraph/extract/java.py +329 -0
- entrygraph-0.1.0/src/entrygraph/extract/javascript.py +400 -0
- entrygraph-0.1.0/src/entrygraph/extract/php.py +426 -0
- entrygraph-0.1.0/src/entrygraph/extract/python.py +390 -0
- entrygraph-0.1.0/src/entrygraph/extract/registry.py +43 -0
- entrygraph-0.1.0/src/entrygraph/extract/ruby.py +321 -0
- entrygraph-0.1.0/src/entrygraph/extract/rust.py +482 -0
- entrygraph-0.1.0/src/entrygraph/fs/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/fs/hashing.py +78 -0
- entrygraph-0.1.0/src/entrygraph/fs/lang.py +134 -0
- entrygraph-0.1.0/src/entrygraph/fs/walker.py +167 -0
- entrygraph-0.1.0/src/entrygraph/graph/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/graph/adjacency.py +146 -0
- entrygraph-0.1.0/src/entrygraph/graph/cte.py +123 -0
- entrygraph-0.1.0/src/entrygraph/graph/scoring.py +101 -0
- entrygraph-0.1.0/src/entrygraph/kinds.py +51 -0
- entrygraph-0.1.0/src/entrygraph/parsing/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/parsing/parsers.py +49 -0
- entrygraph-0.1.0/src/entrygraph/parsing/queries.py +39 -0
- entrygraph-0.1.0/src/entrygraph/pipeline/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/pipeline/scanner.py +506 -0
- entrygraph-0.1.0/src/entrygraph/pipeline/worker.py +49 -0
- entrygraph-0.1.0/src/entrygraph/pipeline/writer.py +41 -0
- entrygraph-0.1.0/src/entrygraph/py.typed +0 -0
- entrygraph-0.1.0/src/entrygraph/queries/csharp/calls.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/queries/csharp/definitions.scm +29 -0
- entrygraph-0.1.0/src/entrygraph/queries/csharp/imports.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/queries/go/calls.scm +2 -0
- entrygraph-0.1.0/src/entrygraph/queries/go/definitions.scm +24 -0
- entrygraph-0.1.0/src/entrygraph/queries/go/imports.scm +1 -0
- entrygraph-0.1.0/src/entrygraph/queries/java/calls.scm +2 -0
- entrygraph-0.1.0/src/entrygraph/queries/java/definitions.scm +14 -0
- entrygraph-0.1.0/src/entrygraph/queries/java/imports.scm +2 -0
- entrygraph-0.1.0/src/entrygraph/queries/javascript/calls.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/queries/javascript/definitions.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/queries/javascript/imports.scm +6 -0
- entrygraph-0.1.0/src/entrygraph/queries/php/calls.scm +8 -0
- entrygraph-0.1.0/src/entrygraph/queries/php/definitions.scm +24 -0
- entrygraph-0.1.0/src/entrygraph/queries/php/imports.scm +1 -0
- entrygraph-0.1.0/src/entrygraph/queries/python/calls.scm +2 -0
- entrygraph-0.1.0/src/entrygraph/queries/python/definitions.scm +11 -0
- entrygraph-0.1.0/src/entrygraph/queries/python/imports.scm +2 -0
- entrygraph-0.1.0/src/entrygraph/queries/ruby/calls.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/queries/ruby/definitions.scm +20 -0
- entrygraph-0.1.0/src/entrygraph/queries/ruby/imports.scm +7 -0
- entrygraph-0.1.0/src/entrygraph/queries/rust/calls.scm +5 -0
- entrygraph-0.1.0/src/entrygraph/queries/rust/definitions.scm +26 -0
- entrygraph-0.1.0/src/entrygraph/queries/rust/imports.scm +4 -0
- entrygraph-0.1.0/src/entrygraph/resolve/__init__.py +0 -0
- entrygraph-0.1.0/src/entrygraph/resolve/externals.py +61 -0
- entrygraph-0.1.0/src/entrygraph/resolve/hierarchy.py +152 -0
- entrygraph-0.1.0/src/entrygraph/resolve/resolver.py +275 -0
- entrygraph-0.1.0/src/entrygraph/resolve/symbol_table.py +48 -0
- entrygraph-0.1.0/src/entrygraph/results.py +138 -0
- entrygraph-0.1.0/tests/conftest.py +40 -0
- entrygraph-0.1.0/tests/fixtures/csharp/aspnet_app/Controllers/ReportsController.cs +22 -0
- entrygraph-0.1.0/tests/fixtures/csharp/aspnet_app/Program.cs +6 -0
- entrygraph-0.1.0/tests/fixtures/csharp/aspnet_app/Services/ReportService.cs +11 -0
- entrygraph-0.1.0/tests/fixtures/csharp/aspnet_app/app.csproj +13 -0
- entrygraph-0.1.0/tests/fixtures/go/gin_app/go.mod +5 -0
- entrygraph-0.1.0/tests/fixtures/go/gin_app/main.go +44 -0
- entrygraph-0.1.0/tests/fixtures/go/gin_app/service.go +20 -0
- entrygraph-0.1.0/tests/fixtures/java/spring_app/pom.xml +24 -0
- entrygraph-0.1.0/tests/fixtures/java/spring_app/src/main/java/com/example/Application.java +8 -0
- entrygraph-0.1.0/tests/fixtures/java/spring_app/src/main/java/com/example/ReportRunner.java +15 -0
- entrygraph-0.1.0/tests/fixtures/java/spring_app/src/main/java/com/example/ReportService.java +10 -0
- entrygraph-0.1.0/tests/fixtures/java/spring_app/src/main/java/com/example/UserController.java +23 -0
- entrygraph-0.1.0/tests/fixtures/javascript/express_app/package.json +7 -0
- entrygraph-0.1.0/tests/fixtures/javascript/express_app/src/routes.js +23 -0
- entrygraph-0.1.0/tests/fixtures/javascript/express_app/src/services.js +20 -0
- entrygraph-0.1.0/tests/fixtures/php/laravel_app/app/Http/Controllers/ReportController.php +11 -0
- entrygraph-0.1.0/tests/fixtures/php/laravel_app/artisan +0 -0
- entrygraph-0.1.0/tests/fixtures/php/laravel_app/composer.json +1 -0
- entrygraph-0.1.0/tests/fixtures/php/laravel_app/routes/web.php +5 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/app/__init__.py +0 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/app/db.py +10 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/app/routes.py +25 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/app/services.py +31 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/cli.py +16 -0
- entrygraph-0.1.0/tests/fixtures/python/flask_app/requirements.txt +4 -0
- entrygraph-0.1.0/tests/fixtures/ruby/sinatra_app/Gemfile +4 -0
- entrygraph-0.1.0/tests/fixtures/ruby/sinatra_app/app.rb +13 -0
- entrygraph-0.1.0/tests/fixtures/ruby/sinatra_app/services/runner.rb +16 -0
- entrygraph-0.1.0/tests/fixtures/rust/axum_app/Cargo.toml +8 -0
- entrygraph-0.1.0/tests/fixtures/rust/axum_app/src/handlers.rs +11 -0
- entrygraph-0.1.0/tests/fixtures/rust/axum_app/src/main.rs +16 -0
- entrygraph-0.1.0/tests/test_api.py +133 -0
- entrygraph-0.1.0/tests/test_cli.py +86 -0
- entrygraph-0.1.0/tests/test_engine_pragmas.py +53 -0
- entrygraph-0.1.0/tests/test_entrypoint_expansion.py +158 -0
- entrygraph-0.1.0/tests/test_entrypoints.py +89 -0
- entrygraph-0.1.0/tests/test_extract_csharp.py +286 -0
- entrygraph-0.1.0/tests/test_extract_go.py +217 -0
- entrygraph-0.1.0/tests/test_extract_java.py +304 -0
- entrygraph-0.1.0/tests/test_extract_javascript.py +146 -0
- entrygraph-0.1.0/tests/test_extract_php.py +192 -0
- entrygraph-0.1.0/tests/test_extract_python.py +143 -0
- entrygraph-0.1.0/tests/test_extract_ruby.py +232 -0
- entrygraph-0.1.0/tests/test_extract_rust.py +214 -0
- entrygraph-0.1.0/tests/test_frameworks.py +82 -0
- entrygraph-0.1.0/tests/test_hardening.py +67 -0
- entrygraph-0.1.0/tests/test_incremental.py +153 -0
- entrygraph-0.1.0/tests/test_indexer.py +100 -0
- entrygraph-0.1.0/tests/test_lang.py +48 -0
- entrygraph-0.1.0/tests/test_manifests.py +124 -0
- entrygraph-0.1.0/tests/test_models.py +110 -0
- entrygraph-0.1.0/tests/test_reachability.py +106 -0
- entrygraph-0.1.0/tests/test_render.py +48 -0
- entrygraph-0.1.0/tests/test_resolver.py +224 -0
- entrygraph-0.1.0/tests/test_scoring.py +61 -0
- entrygraph-0.1.0/tests/test_sink_catalog.py +51 -0
- entrygraph-0.1.0/tests/test_taint.py +74 -0
- entrygraph-0.1.0/tests/test_walker.py +68 -0
- entrygraph-0.1.0/uv.lock +480 -0
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
name: CI
|
|
2
|
+
|
|
3
|
+
# Test pull requests and non-main branch pushes. main is covered by the test
|
|
4
|
+
# gate in release.yml, so it's excluded here to avoid duplicate runs.
|
|
5
|
+
on:
|
|
6
|
+
pull_request: {}
|
|
7
|
+
push:
|
|
8
|
+
branches-ignore: [main]
|
|
9
|
+
|
|
10
|
+
concurrency:
|
|
11
|
+
group: ci-${{ github.ref }}
|
|
12
|
+
cancel-in-progress: true
|
|
13
|
+
|
|
14
|
+
jobs:
|
|
15
|
+
test:
|
|
16
|
+
runs-on: ubuntu-latest
|
|
17
|
+
strategy:
|
|
18
|
+
fail-fast: false
|
|
19
|
+
matrix:
|
|
20
|
+
python-version: ["3.11", "3.12", "3.13"]
|
|
21
|
+
steps:
|
|
22
|
+
- uses: actions/checkout@v4
|
|
23
|
+
- uses: astral-sh/setup-uv@v5
|
|
24
|
+
with:
|
|
25
|
+
python-version: ${{ matrix.python-version }}
|
|
26
|
+
- name: Run test suite
|
|
27
|
+
run: uv run --extra dev pytest -q
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
name: Release
|
|
2
|
+
|
|
3
|
+
# Every merge/push to main auto-bumps the patch version (via a new git tag) and
|
|
4
|
+
# publishes the built package to PyPI using Trusted Publishing (OIDC — no tokens).
|
|
5
|
+
on:
|
|
6
|
+
push:
|
|
7
|
+
branches: [main]
|
|
8
|
+
workflow_dispatch: {} # allow a manual release from the Actions tab
|
|
9
|
+
|
|
10
|
+
# Serialize releases so two quick merges can't race on the tag / version.
|
|
11
|
+
concurrency:
|
|
12
|
+
group: release
|
|
13
|
+
cancel-in-progress: false
|
|
14
|
+
|
|
15
|
+
jobs:
|
|
16
|
+
test:
|
|
17
|
+
runs-on: ubuntu-latest
|
|
18
|
+
steps:
|
|
19
|
+
- uses: actions/checkout@v4
|
|
20
|
+
- uses: astral-sh/setup-uv@v5
|
|
21
|
+
with:
|
|
22
|
+
python-version: "3.12"
|
|
23
|
+
- name: Run test suite
|
|
24
|
+
run: uv run --extra dev pytest -q
|
|
25
|
+
|
|
26
|
+
release:
|
|
27
|
+
needs: test
|
|
28
|
+
runs-on: ubuntu-latest
|
|
29
|
+
permissions:
|
|
30
|
+
contents: write # push the new version tag
|
|
31
|
+
id-token: write # PyPI Trusted Publishing (OIDC)
|
|
32
|
+
steps:
|
|
33
|
+
- uses: actions/checkout@v4
|
|
34
|
+
with:
|
|
35
|
+
fetch-depth: 0 # full history + all tags so hatch-vcs can resolve the version
|
|
36
|
+
|
|
37
|
+
- name: Compute next version
|
|
38
|
+
id: ver
|
|
39
|
+
run: |
|
|
40
|
+
set -euo pipefail
|
|
41
|
+
git fetch --tags --force --quiet
|
|
42
|
+
# Idempotency: if this commit is already released, do nothing.
|
|
43
|
+
if git describe --exact-match --tags HEAD >/dev/null 2>&1; then
|
|
44
|
+
echo "HEAD is already tagged — nothing to release."
|
|
45
|
+
echo "release=false" >> "$GITHUB_OUTPUT"
|
|
46
|
+
exit 0
|
|
47
|
+
fi
|
|
48
|
+
latest="$(git tag --list 'v[0-9]*' --sort=-v:refname | head -n1)"
|
|
49
|
+
if [ -z "$latest" ]; then
|
|
50
|
+
next="0.1.0" # first release
|
|
51
|
+
else
|
|
52
|
+
v="${latest#v}"
|
|
53
|
+
IFS=. read -r major minor patch <<< "$v"
|
|
54
|
+
next="${major}.${minor}.$((patch + 1))" # bump patch on every merge
|
|
55
|
+
fi
|
|
56
|
+
echo "Releasing v${next} (previous: ${latest:-none})"
|
|
57
|
+
echo "release=true" >> "$GITHUB_OUTPUT"
|
|
58
|
+
echo "version=${next}" >> "$GITHUB_OUTPUT"
|
|
59
|
+
|
|
60
|
+
- name: Create and push tag
|
|
61
|
+
if: steps.ver.outputs.release == 'true'
|
|
62
|
+
run: |
|
|
63
|
+
set -euo pipefail
|
|
64
|
+
git config user.name "github-actions[bot]"
|
|
65
|
+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
66
|
+
git tag -a "v${{ steps.ver.outputs.version }}" -m "Release v${{ steps.ver.outputs.version }}"
|
|
67
|
+
git push origin "v${{ steps.ver.outputs.version }}"
|
|
68
|
+
|
|
69
|
+
- uses: astral-sh/setup-uv@v5
|
|
70
|
+
if: steps.ver.outputs.release == 'true'
|
|
71
|
+
with:
|
|
72
|
+
python-version: "3.12"
|
|
73
|
+
|
|
74
|
+
- name: Build sdist + wheel
|
|
75
|
+
if: steps.ver.outputs.release == 'true'
|
|
76
|
+
run: uv build # hatch-vcs reads the tag we just created -> clean X.Y.Z version
|
|
77
|
+
|
|
78
|
+
- name: Publish to PyPI
|
|
79
|
+
if: steps.ver.outputs.release == 'true'
|
|
80
|
+
uses: pypa/gh-action-pypi-publish@release/v1
|
|
81
|
+
# No password/token: uses OIDC. Configure a Trusted Publisher on PyPI
|
|
82
|
+
# (see RELEASING.md) that maps this repo + workflow to the project.
|
|
83
|
+
|
|
84
|
+
- name: Create GitHub Release
|
|
85
|
+
if: steps.ver.outputs.release == 'true'
|
|
86
|
+
env:
|
|
87
|
+
GH_TOKEN: ${{ github.token }}
|
|
88
|
+
run: |
|
|
89
|
+
gh release create "v${{ steps.ver.outputs.version }}" \
|
|
90
|
+
--title "v${{ steps.ver.outputs.version }}" \
|
|
91
|
+
--generate-notes \
|
|
92
|
+
dist/*
|
|
@@ -0,0 +1,227 @@
|
|
|
1
|
+
# Byte-compiled / optimized / DLL files
|
|
2
|
+
__pycache__/
|
|
3
|
+
*.py[codz]
|
|
4
|
+
*$py.class
|
|
5
|
+
|
|
6
|
+
# C extensions
|
|
7
|
+
*.so
|
|
8
|
+
|
|
9
|
+
# Distribution / packaging
|
|
10
|
+
.Python
|
|
11
|
+
build/
|
|
12
|
+
develop-eggs/
|
|
13
|
+
dist/
|
|
14
|
+
downloads/
|
|
15
|
+
eggs/
|
|
16
|
+
.eggs/
|
|
17
|
+
lib/
|
|
18
|
+
lib64/
|
|
19
|
+
parts/
|
|
20
|
+
sdist/
|
|
21
|
+
var/
|
|
22
|
+
wheels/
|
|
23
|
+
share/python-wheels/
|
|
24
|
+
*.egg-info/
|
|
25
|
+
.installed.cfg
|
|
26
|
+
*.egg
|
|
27
|
+
MANIFEST
|
|
28
|
+
|
|
29
|
+
# PyInstaller
|
|
30
|
+
# Usually these files are written by a python script from a template
|
|
31
|
+
# before PyInstaller builds the exe, so as to inject date/other infos into it.
|
|
32
|
+
*.manifest
|
|
33
|
+
*.spec
|
|
34
|
+
|
|
35
|
+
# Installer logs
|
|
36
|
+
pip-log.txt
|
|
37
|
+
pip-delete-this-directory.txt
|
|
38
|
+
|
|
39
|
+
# Unit test / coverage reports
|
|
40
|
+
htmlcov/
|
|
41
|
+
.tox/
|
|
42
|
+
.nox/
|
|
43
|
+
.coverage
|
|
44
|
+
.coverage.*
|
|
45
|
+
.cache
|
|
46
|
+
nosetests.xml
|
|
47
|
+
coverage.xml
|
|
48
|
+
*.cover
|
|
49
|
+
*.py.cover
|
|
50
|
+
.hypothesis/
|
|
51
|
+
.pytest_cache/
|
|
52
|
+
cover/
|
|
53
|
+
|
|
54
|
+
# Translations
|
|
55
|
+
*.mo
|
|
56
|
+
*.pot
|
|
57
|
+
|
|
58
|
+
# Django stuff:
|
|
59
|
+
*.log
|
|
60
|
+
local_settings.py
|
|
61
|
+
db.sqlite3
|
|
62
|
+
db.sqlite3-journal
|
|
63
|
+
|
|
64
|
+
# Flask stuff:
|
|
65
|
+
instance/
|
|
66
|
+
.webassets-cache
|
|
67
|
+
|
|
68
|
+
# Scrapy stuff:
|
|
69
|
+
.scrapy
|
|
70
|
+
|
|
71
|
+
# Sphinx documentation
|
|
72
|
+
docs/_build/
|
|
73
|
+
|
|
74
|
+
# PyBuilder
|
|
75
|
+
.pybuilder/
|
|
76
|
+
target/
|
|
77
|
+
|
|
78
|
+
# Jupyter Notebook
|
|
79
|
+
.ipynb_checkpoints
|
|
80
|
+
|
|
81
|
+
# IPython
|
|
82
|
+
profile_default/
|
|
83
|
+
ipython_config.py
|
|
84
|
+
|
|
85
|
+
# pyenv
|
|
86
|
+
# For a library or package, you might want to ignore these files since the code is
|
|
87
|
+
# intended to run in multiple environments; otherwise, check them in:
|
|
88
|
+
# .python-version
|
|
89
|
+
|
|
90
|
+
# pipenv
|
|
91
|
+
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
|
|
92
|
+
# However, in case of collaboration, if having platform-specific dependencies or dependencies
|
|
93
|
+
# having no cross-platform support, pipenv may install dependencies that don't work, or not
|
|
94
|
+
# install all needed dependencies.
|
|
95
|
+
# Pipfile.lock
|
|
96
|
+
|
|
97
|
+
# UV
|
|
98
|
+
# Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
|
|
99
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
100
|
+
# commonly ignored for libraries.
|
|
101
|
+
# uv.lock
|
|
102
|
+
|
|
103
|
+
# poetry
|
|
104
|
+
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
|
|
105
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
106
|
+
# commonly ignored for libraries.
|
|
107
|
+
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
|
|
108
|
+
# poetry.lock
|
|
109
|
+
# poetry.toml
|
|
110
|
+
|
|
111
|
+
# pdm
|
|
112
|
+
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
|
|
113
|
+
# pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
|
|
114
|
+
# https://pdm-project.org/en/latest/usage/project/#working-with-version-control
|
|
115
|
+
# pdm.lock
|
|
116
|
+
# pdm.toml
|
|
117
|
+
.pdm-python
|
|
118
|
+
.pdm-build/
|
|
119
|
+
|
|
120
|
+
# pixi
|
|
121
|
+
# Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
|
|
122
|
+
# pixi.lock
|
|
123
|
+
# Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
|
|
124
|
+
# in the .venv directory. It is recommended not to include this directory in version control.
|
|
125
|
+
.pixi
|
|
126
|
+
|
|
127
|
+
# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
|
|
128
|
+
__pypackages__/
|
|
129
|
+
|
|
130
|
+
# Celery stuff
|
|
131
|
+
celerybeat-schedule
|
|
132
|
+
celerybeat.pid
|
|
133
|
+
|
|
134
|
+
# Redis
|
|
135
|
+
*.rdb
|
|
136
|
+
*.aof
|
|
137
|
+
*.pid
|
|
138
|
+
|
|
139
|
+
# RabbitMQ
|
|
140
|
+
mnesia/
|
|
141
|
+
rabbitmq/
|
|
142
|
+
rabbitmq-data/
|
|
143
|
+
|
|
144
|
+
# ActiveMQ
|
|
145
|
+
activemq-data/
|
|
146
|
+
|
|
147
|
+
# SageMath parsed files
|
|
148
|
+
*.sage.py
|
|
149
|
+
|
|
150
|
+
# Environments
|
|
151
|
+
.env
|
|
152
|
+
.envrc
|
|
153
|
+
.venv
|
|
154
|
+
env/
|
|
155
|
+
venv/
|
|
156
|
+
ENV/
|
|
157
|
+
env.bak/
|
|
158
|
+
venv.bak/
|
|
159
|
+
|
|
160
|
+
# Spyder project settings
|
|
161
|
+
.spyderproject
|
|
162
|
+
.spyproject
|
|
163
|
+
|
|
164
|
+
# Rope project settings
|
|
165
|
+
.ropeproject
|
|
166
|
+
|
|
167
|
+
# mkdocs documentation
|
|
168
|
+
/site
|
|
169
|
+
|
|
170
|
+
# mypy
|
|
171
|
+
.mypy_cache/
|
|
172
|
+
.dmypy.json
|
|
173
|
+
dmypy.json
|
|
174
|
+
|
|
175
|
+
# Pyre type checker
|
|
176
|
+
.pyre/
|
|
177
|
+
|
|
178
|
+
# pytype static type analyzer
|
|
179
|
+
.pytype/
|
|
180
|
+
|
|
181
|
+
# Cython debug symbols
|
|
182
|
+
cython_debug/
|
|
183
|
+
|
|
184
|
+
# PyCharm
|
|
185
|
+
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
|
|
186
|
+
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
|
|
187
|
+
# and can be added to the global gitignore or merged into this file. For a more nuclear
|
|
188
|
+
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
|
|
189
|
+
# .idea/
|
|
190
|
+
|
|
191
|
+
# Abstra
|
|
192
|
+
# Abstra is an AI-powered process automation framework.
|
|
193
|
+
# Ignore directories containing user credentials, local state, and settings.
|
|
194
|
+
# Learn more at https://abstra.io/docs
|
|
195
|
+
.abstra/
|
|
196
|
+
|
|
197
|
+
# Visual Studio Code
|
|
198
|
+
# Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore
|
|
199
|
+
# that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
|
|
200
|
+
# and can be added to the global gitignore or merged into this file. However, if you prefer,
|
|
201
|
+
# you could uncomment the following to ignore the entire vscode folder
|
|
202
|
+
# .vscode/
|
|
203
|
+
# Temporary file for partial code execution
|
|
204
|
+
tempCodeRunnerFile.py
|
|
205
|
+
|
|
206
|
+
# Ruff stuff:
|
|
207
|
+
.ruff_cache/
|
|
208
|
+
|
|
209
|
+
# PyPI configuration file
|
|
210
|
+
.pypirc
|
|
211
|
+
|
|
212
|
+
# Marimo
|
|
213
|
+
marimo/_static/
|
|
214
|
+
marimo/_lsp/
|
|
215
|
+
__marimo__/
|
|
216
|
+
|
|
217
|
+
# Streamlit
|
|
218
|
+
.streamlit/secrets.toml
|
|
219
|
+
|
|
220
|
+
# entrygraph build artifacts
|
|
221
|
+
dist/
|
|
222
|
+
build/
|
|
223
|
+
*.egg-info/
|
|
224
|
+
.entrygraph.db
|
|
225
|
+
*.entrygraph.db
|
|
226
|
+
# generated by hatch-vcs at build time
|
|
227
|
+
src/entrygraph/_version.py
|
entrygraph-0.1.0/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Brett Bergin
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,204 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: entrygraph
|
|
3
|
+
Version: 0.1.0
|
|
4
|
+
Summary: Language-agnostic code graph: query symbols, entrypoints, and source-to-sink call paths from a SQLite index
|
|
5
|
+
Project-URL: Repository, https://github.com/brettbergin/entrygraph
|
|
6
|
+
Author-email: Brett Bergin <brettberginbc@yahoo.com>
|
|
7
|
+
License: MIT License
|
|
8
|
+
|
|
9
|
+
Copyright (c) 2026 Brett Bergin
|
|
10
|
+
|
|
11
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
12
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
13
|
+
in the Software without restriction, including without limitation the rights
|
|
14
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
15
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
16
|
+
furnished to do so, subject to the following conditions:
|
|
17
|
+
|
|
18
|
+
The above copyright notice and this permission notice shall be included in all
|
|
19
|
+
copies or substantial portions of the Software.
|
|
20
|
+
|
|
21
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
22
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
23
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
24
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
25
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
26
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
27
|
+
SOFTWARE.
|
|
28
|
+
License-File: LICENSE
|
|
29
|
+
Keywords: call-graph,code-analysis,entrypoints,static-analysis,tree-sitter
|
|
30
|
+
Classifier: Development Status :: 3 - Alpha
|
|
31
|
+
Classifier: Intended Audience :: Developers
|
|
32
|
+
Classifier: Programming Language :: Python :: 3
|
|
33
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
34
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
35
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
36
|
+
Classifier: Topic :: Software Development :: Quality Assurance
|
|
37
|
+
Requires-Python: >=3.11
|
|
38
|
+
Requires-Dist: pathspec<1.0,>=0.12
|
|
39
|
+
Requires-Dist: rich>=13.0
|
|
40
|
+
Requires-Dist: sqlalchemy<3.0,>=2.0.30
|
|
41
|
+
Requires-Dist: tree-sitter-language-pack>=1.10
|
|
42
|
+
Requires-Dist: tree-sitter<0.26,>=0.25
|
|
43
|
+
Provides-Extra: dev
|
|
44
|
+
Requires-Dist: pytest-cov; extra == 'dev'
|
|
45
|
+
Requires-Dist: pytest>=8.0; extra == 'dev'
|
|
46
|
+
Description-Content-Type: text/markdown
|
|
47
|
+
|
|
48
|
+
# entrygraph
|
|
49
|
+
|
|
50
|
+
Query your codebase like a graph. `entrygraph` indexes a repository into a
|
|
51
|
+
SQLite database (through the SQLAlchemy ORM) and answers questions about
|
|
52
|
+
**symbols**, **classes/methods**, **entrypoints** (HTTP routes, CLI commands,
|
|
53
|
+
main functions, tasks, lambda handlers), and **source → sink call-graph
|
|
54
|
+
reachability** ("can any HTTP route reach `subprocess.run`?").
|
|
55
|
+
|
|
56
|
+
Language-agnostic via [tree-sitter](https://tree-sitter.github.io/); first-class
|
|
57
|
+
support for **Python, JavaScript/TypeScript, Go, Java, Ruby, C#, PHP, and
|
|
58
|
+
Rust**, with language *and* framework detection.
|
|
59
|
+
|
|
60
|
+
Reachability is a heuristic taint tier, not just call-edge closure: paths are
|
|
61
|
+
**risk-ranked**, **sanitizers** prune or discount them, **class-hierarchy
|
|
62
|
+
analysis** recovers virtual dispatch, and confidence flags trade recall for
|
|
63
|
+
precision. Entrypoints include decorator/attribute routes, call-based route
|
|
64
|
+
registration, middleware, and config-file handlers (serverless, SAM, Procfile,
|
|
65
|
+
Dockerfile).
|
|
66
|
+
|
|
67
|
+
## Install
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
pip install entrygraph # or: uv pip install entrygraph
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Requires Python ≥ 3.11. Depends on `sqlalchemy`, `tree-sitter`,
|
|
74
|
+
`tree-sitter-language-pack`, and `pathspec`.
|
|
75
|
+
|
|
76
|
+
## Python API
|
|
77
|
+
|
|
78
|
+
```python
|
|
79
|
+
from entrygraph import CodeGraph
|
|
80
|
+
|
|
81
|
+
# Index a repo (creates <repo>/.entrygraph.db by default)
|
|
82
|
+
graph = CodeGraph.index("/path/to/repo")
|
|
83
|
+
|
|
84
|
+
# ...or open an existing index
|
|
85
|
+
graph = CodeGraph.open("graph.db")
|
|
86
|
+
|
|
87
|
+
# Symbols — glob on name or qualified name, filter by kind or file
|
|
88
|
+
graph.symbols(kind="class", name="User*")
|
|
89
|
+
graph.symbol("app.services.Runner.execute") # exact; raises if missing
|
|
90
|
+
|
|
91
|
+
# Detection
|
|
92
|
+
report = graph.detect()
|
|
93
|
+
report.languages # -> [DetectedLanguage(name="python", percent=96.7, ...), ...]
|
|
94
|
+
report.frameworks # -> [DetectedFramework(name="flask", confidence=0.94, ...), ...]
|
|
95
|
+
|
|
96
|
+
# Entrypoints
|
|
97
|
+
graph.entrypoints(framework="flask")
|
|
98
|
+
graph.entrypoints(kind="http_route", route="/api/*")
|
|
99
|
+
|
|
100
|
+
# Call graph
|
|
101
|
+
graph.callers("app.services.run_report") # who calls it
|
|
102
|
+
graph.callees("app.services.run_report", depth=3) # what it (transitively) calls
|
|
103
|
+
graph.references("app.models.CONST") # inbound edges of any kind
|
|
104
|
+
|
|
105
|
+
# Source -> sink reachability (paths are risk-ranked, highest first)
|
|
106
|
+
paths = graph.paths(source="app.routes.*", sink_category="command_exec")
|
|
107
|
+
for p in paths:
|
|
108
|
+
print(p.risk_score, p.render(), "(+may continue)" if p.may_continue else "")
|
|
109
|
+
# 0.72 app.routes.create_report -> app.services.run_report (line 20)
|
|
110
|
+
# -> ...ReportRunner.render_and_execute (line 17) -> py:subprocess.run (line 22)
|
|
111
|
+
|
|
112
|
+
graph.reachable(source="app.routes.upload", sink="py:subprocess.run") # -> bool
|
|
113
|
+
|
|
114
|
+
# Precision/recall dial. By default only EXACT/IMPORT and unique-name FUZZY
|
|
115
|
+
# edges are traversed. Opt into wider (noisier) traversal:
|
|
116
|
+
graph.paths(source="app.routes.*", sink_category="sql",
|
|
117
|
+
include_unresolved=True) # follow py:*.execute wildcard-sink guesses
|
|
118
|
+
graph.paths(source="app.routes.*", sink_category="command_exec",
|
|
119
|
+
include_fuzzy=True) # follow speculative class-hierarchy (CHA) edges
|
|
120
|
+
graph.paths(source="app.routes.*", sink_category="command_exec",
|
|
121
|
+
prune_sanitized=True) # drop paths neutralized by a shlex.quote etc.
|
|
122
|
+
|
|
123
|
+
# Incremental re-index (only changed/added/deleted files are reparsed)
|
|
124
|
+
graph.refresh()
|
|
125
|
+
|
|
126
|
+
# Escape hatches
|
|
127
|
+
graph.session() # raw SQLAlchemy Session
|
|
128
|
+
graph.sql("SELECT ...") # textual query -> list[dict]
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
Every result is a frozen, immutable dataclass detached from the DB session, so
|
|
132
|
+
results are safe to hold and trivial to serialize.
|
|
133
|
+
|
|
134
|
+
## CLI
|
|
135
|
+
|
|
136
|
+
Human-readable output is rendered with [Rich](https://github.com/Textualize/rich) —
|
|
137
|
+
colored tables, language/confidence bars, a progress spinner while indexing, and
|
|
138
|
+
risk-ranked reachability rendered as call trees (sink nodes highlighted, per-hop
|
|
139
|
+
confidence, sanitizer/const-arg badges). Piped or `--json` output stays plain.
|
|
140
|
+
|
|
141
|
+
```bash
|
|
142
|
+
entrygraph index PATH [--full] [--paranoid] # incremental by default
|
|
143
|
+
entrygraph detect
|
|
144
|
+
entrygraph symbols --kind class --name 'User*'
|
|
145
|
+
entrygraph entrypoints --framework flask
|
|
146
|
+
entrygraph callers app.services.run_report --depth 2
|
|
147
|
+
entrygraph callees app.services.run_report
|
|
148
|
+
entrygraph paths --source 'app.routes.*' --sink-category command_exec
|
|
149
|
+
entrygraph stats
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
Add `--json` to any query command for machine-readable output. `entrygraph paths`
|
|
153
|
+
exits 0 when a path is found and 1 when none is — handy in CI:
|
|
154
|
+
|
|
155
|
+
```bash
|
|
156
|
+
entrygraph paths --source '*' --sink-category command_exec && echo "reachable!"
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
## How it works
|
|
160
|
+
|
|
161
|
+
1. **Walk** — `os.scandir` with hard-pruned junk dirs (`node_modules`, `.venv`,
|
|
162
|
+
…), `.gitignore` rules, and size/binary/minified gates. Every skip is recorded
|
|
163
|
+
with a reason.
|
|
164
|
+
2. **Extract** — tree-sitter `.scm` queries harvest definitions/imports/calls;
|
|
165
|
+
small per-language "shaper" modules build qualified names, import maps, and
|
|
166
|
+
receiver info. Parsing runs across a process pool for large repos.
|
|
167
|
+
3. **Resolve** — a two-pass resolver binds references to symbols with a
|
|
168
|
+
confidence level (`exact` / `import` / `fuzzy` / `unresolved`). External
|
|
169
|
+
callees (`subprocess.run`, `child_process.exec`, …) become placeholder nodes
|
|
170
|
+
so sinks are real graph terminals.
|
|
171
|
+
4. **Detect** — frameworks are scored from manifest dependencies plus code
|
|
172
|
+
signals (noisy-or); entrypoint rules map framework patterns to route/command
|
|
173
|
+
records.
|
|
174
|
+
5. **Store** — everything persists to SQLite via the SQLAlchemy 2.0 ORM with
|
|
175
|
+
bulk inserts and app-assigned keys. Re-indexing is incremental and
|
|
176
|
+
content-hash driven.
|
|
177
|
+
6. **Query** — reachability runs over an in-memory adjacency cache (BFS/DFS with
|
|
178
|
+
cycle handling); a recursive-CTE SQL engine is available as a fallback
|
|
179
|
+
(`engine="sql"`).
|
|
180
|
+
|
|
181
|
+
## Extending
|
|
182
|
+
|
|
183
|
+
- **Custom sinks/sources/sanitizers** — drop an `entrygraph.toml` in the repo
|
|
184
|
+
root with `[[sink]]` / `[[source]]` / `[[sanitizer]]` tables (same schema as
|
|
185
|
+
the built-in `data/sinks/*.toml`), or call
|
|
186
|
+
`entrygraph.detect.taint.register_sink(...)` / `register_sanitizer(...)`. A
|
|
187
|
+
`[[sanitizer]]` with `effect = "neutralizes"` prunes a path for its category;
|
|
188
|
+
`effect = "reduces"` only discounts the risk score. Third-party wrapper
|
|
189
|
+
libraries that reach a sink internally are covered by `data/sinks/lib_*.toml`
|
|
190
|
+
"library summaries" (same schema, with a `library = "..."` tag).
|
|
191
|
+
- **New frameworks / entrypoints** — register a `FrameworkSpec` and an
|
|
192
|
+
`EntrypointRule`; adding a framework is usually a few lines.
|
|
193
|
+
- **New languages** — add a `<lang>/{definitions,imports,calls}.scm` query set
|
|
194
|
+
and a shaper implementing the `LanguageExtractor` protocol.
|
|
195
|
+
|
|
196
|
+
## Releasing
|
|
197
|
+
|
|
198
|
+
Merging to `main` auto-bumps the patch version (via a git tag) and publishes to
|
|
199
|
+
PyPI through Trusted Publishing — see [RELEASING.md](RELEASING.md). The package
|
|
200
|
+
version is derived from git tags by `hatch-vcs`, so it's never hand-edited.
|
|
201
|
+
|
|
202
|
+
## License
|
|
203
|
+
|
|
204
|
+
MIT
|