README
¶
depusage
Multi-language source-code reachability primitives for Go. Tree-sitter
under the hood; no IO, no project model — give it a []byte of source
and it tells you what was imported, which symbols were used, and (per
file) who calls who.
Built for dependency analyzers, SBOM enrichers, and SAST tooling that
need to distinguish "lockfile entry imported and called" from "sitting
in node_modules and never touched."
Status
Pre-1.0. API may shift. Tracking the design in aegis-cli#25.
Languages
| Language | Imports | Used symbols | Callgraph |
|---|---|---|---|
| JavaScript | ✓ | — | — |
| TypeScript | ✓ | — | — |
| Python | ✓ | — | — |
| Go | ✓ | — | — |
| Rust | ✓ | — | — |
| Ruby | ✓ | — | — |
| Java | ✓ | — | — |
| PHP | ✓ | — | — |
| C# | ✓ | — | — |
Usage
import "github.com/qwexvf/depusage"
src := []byte(`import { merge } from "lodash"; merge({}, {});`)
res, err := depusage.Extract(depusage.JavaScript, src, depusage.Options{
IncludeImports: true,
})
if err != nil {
log.Fatal(err)
}
for _, imp := range res.Imports {
fmt.Println(imp.DepKey, imp.Symbols) // lodash [merge]
}
Requirements
- Go 1.24+
- CGo enabled — tree-sitter ships a C runtime. Each language grammar adds ~3–4 MB to the final binary.
License
MIT
Documentation
¶
Overview ¶
Package depusage extracts dependency-usage facts from source code: which modules a file imports, which symbols of those imports are actually used, and (within a single file) who calls who.
It is built for tools that need to answer "does the user's code reach this dependency?" without committing to a full whole-program callgraph: dependency analyzers cutting noise from unreachable CVEs, SBOM enrichers tagging used-vs-transitive, SAST tools gating findings on actual call paths.
Tree-sitter does the parsing. Callers pass a Language enum and a []byte of source; the result is a typed Result with imports, optional [UsedSymbol]s, and an optional intra-file CallGraph.
No IO, no project model, no multi-file resolution — keep that in the consumer.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CallGraph ¶
CallGraph is the per-file caller→callees graph. Edges keys are Function.Name values; entries point at other Function names within the same file. Calls to non-local symbols are excluded.
type Function ¶
type Function struct {
Name string
Exported bool // visible outside the file per language rules
StartLn int
EndLn int
}
Function is a function-or-method definition discovered in the file.
type Import ¶
type Import struct {
Module string
DepKey string
Symbols []string // imported binding names; ["*"] wildcard, ["default"] default
Aliases map[string]string // local-name → canonical-symbol within Module
Kind ImportKind
Line int
Column int
}
Import is a single reference to an external (or relative) module.
Module is the verbatim string from the source. DepKey is the per-ecosystem normalization to a lockfile key (e.g. npm scoped `@scope/pkg/sub` → `@scope/pkg`); empty when normalization can't resolve to a single key (e.g. relative paths, computed imports).
type ImportKind ¶
type ImportKind string
ImportKind classifies how a module reference enters the file.
const ( // ImportStatic is a top-level static import: ES `import`, // Python `from ... import`, Go `import "x"`, Java `import com.x.Y`. ImportStatic ImportKind = "static" // ImportDynamic is a runtime import expression: `import("x")`, // `__import__`, `Class.forName`. The argument may be a literal // (captured) or computed (skipped). ImportDynamic ImportKind = "dynamic" // ImportRequire is a function-style import: node `require("x")`, // Ruby `require "x"`, PHP `require_once`. ImportRequire ImportKind = "require" // ImportRelative covers same-project paths (`./x`, `../x`). The // raw Module is preserved; DepKey is empty. ImportRelative ImportKind = "relative" )
type Language ¶
type Language string
Language identifies the source-language grammar to use. Each value corresponds to one tree-sitter grammar bundled by the library.
type Options ¶
Options selects which passes to run. Each pass gates downstream passes — UsedSymbols depends on Imports, CallGraph is independent.
type Result ¶
type Result struct {
Imports []Import
UsedSymbols []UsedSymbol
CallGraph *CallGraph
ParseError error
}
Result aggregates one extraction pass.
ParseError is non-nil when tree-sitter recovered from a syntax error; the surfaced facts may be partial but are not garbage.
func Extract ¶
Extract is the top-level dispatcher. It picks the per-language extractor implementation, runs the requested passes, and returns the aggregated result.
All language extractors live in this package as siblings (js.go, py.go, ...) and share the parser pool / cursor pool helpers from internal/tsutil. Per-language tree-sitter queries live under lang/<x>/queries.scm and are //go:embed'd by the matching .go file.
Concurrency: safe for concurrent callers. Each per-language extractor maintains its own parser/cursor pool.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
tsutil
Package tsutil holds tree-sitter helpers shared across the per-language extractors: a per-language parser pool and a tiny query-compile-once wrapper.
|
Package tsutil holds tree-sitter helpers shared across the per-language extractors: a per-language parser pool and a tiny query-compile-once wrapper. |
|
lang
|
|