depusage

package module
v0.1.0 Latest
Published: May 7, 2026 License: MIT Imports: 10 Imported by: 0

README

depusage

Multi-language source-code reachability primitives for Go. Tree-sitter under the hood; no IO, no project model — give it a []byte of source and it tells you what was imported, which symbols were used, and (per file) who calls who.

Built for dependency analyzers, SBOM enrichers, and SAST tooling that need to distinguish "lockfile entry imported and called" from "sitting in node_modules and never touched."

Status

Pre-1.0 — public types are stable, but new languages and rare syntactic edge cases may still bend the API. Tracking the design in aegis-cli#25.

Languages

Language Imports Used symbols Callgraph
JavaScript
TypeScript
Python
Go
Java
PHP
Rust
Ruby
C#

Used-symbol caveat. The pass tracks bindings that an import / use statement introduces by name (import { foo } from 'bar', use Foo\Bar, etc.). Rust's use brings names into scope but the typical reachability hook is a derive macro on a struct rather than a call site, so the result is sparse and we omit it for now. Ruby's require doesn't bind a local name at all — gem entry-points become runtime globals. C#'s using NS; opens a namespace without naming a binding either. For all three, callers should treat Reachability=Used as the strongest signal available.

Usage

package main

import (
	"fmt"
	"log"

	"github.com/qwexvf/depusage"
)

func main() {
	// JavaScript source to analyze, handed over as raw bytes (no file IO).
	src := []byte(`
import { merge } from "lodash";
function transform(x) { return merge({}, x); }
function main()      { return transform({a: 1}); }
`)
	// Every pass is opt-in; enable all three here.
	res, err := depusage.Extract(depusage.JavaScript, src, depusage.Options{
		IncludeImports:   true,
		IncludeSymbols:   true,
		IncludeCallGraph: true,
	})
	if err != nil {
		log.Fatal(err)
	}
	for _, imp := range res.Imports {
		fmt.Println("import", imp.DepKey, imp.Symbols) // lodash [merge]
	}
	for _, u := range res.UsedSymbols {
		fmt.Println("used", u.DepKey, u.Symbol) // lodash merge
	}
	for caller, callees := range res.CallGraph.Edges {
		fmt.Println("calls", caller, "->", callees) // main -> [transform]
	}
}

Each pass is opt-in via Options. Passing zero options returns an empty Result — every cost is gated.

Requirements

  • Go 1.24+
  • CGo enabled — tree-sitter ships a C runtime. Each language grammar adds ~3–4 MB to the final binary.

Development

make test     # go test -race ./...
make lint     # golangci-lint run ./...
make fmt      # gofumpt + goimports
make check    # lint + test

Per-language extractors live under internal/lang/<name>/. Each sub-package owns its own tree-sitter query, parser pool, and DepKey normalizer; the public dispatcher in extract.go picks one based on the Language argument.

Releases are tag-driven: pushing a v*.*.* tag runs the full quality bar via .github/workflows/release.yml and creates a GitHub Release with auto-generated notes. Per-version notes live in CHANGELOG.md.

License

MIT

Documentation

Overview

Package depusage extracts dependency-usage facts from source code: which modules a file imports, which symbols of those imports are actually used, and (within a single file) who calls who.

It is built for tools that need to answer "does the user's code reach this dependency?" without committing to a full whole-program callgraph: dependency analyzers cutting noise from unreachable CVEs, SBOM enrichers tagging used-vs-transitive, SAST tools gating findings on actual call paths.

Tree-sitter does the parsing. Callers pass a Language enum and a []byte of source; the result is a typed Result with imports, optional [UsedSymbol]s, and an optional intra-file CallGraph.

No IO, no project model, no multi-file resolution — keep that in the consumer.
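The consumer-side aggregation that this overview leaves to the caller, as an added example (not code from depusage). FileFacts, Verdict and Classify are hypothetical local stand-ins that carry only DepKeys and symbol names, so the block runs without the library or CGo. It folds per-file facts into one verdict per lockfile entry and keeps "imported" separate from "imported-unused" for languages that have no used-symbol pass.

```go
package main

import "fmt"

// FileFacts is a local stand-in for one file's extraction result (hypothetical type).
type FileFacts struct {
	SymbolsTracked bool                // false where no used-symbol pass exists (Rust, Ruby, C#)
	Imports        []string            // DepKeys this file imports
	Used           map[string][]string // DepKey -> imported symbols the file references
}

// Verdict is ordered weakest to strongest so verdicts compare with >.
type Verdict int

const (
	Unreferenced   Verdict = iota // in the lockfile, imported by no file
	ImportedUnused                // imported, symbols tracked, none referenced
	Imported                      // imported; symbol use unknown for this language
	SymbolUsed                    // an imported binding is referenced
)

var names = [...]string{"unreferenced", "imported-unused", "imported", "symbol-used"}

// Classify folds per-file facts into the strongest verdict per lockfile entry.
// Imports that are not lockfile entries (stdlib, relative paths) are skipped.
func Classify(lockfile []string, files []FileFacts) map[string]Verdict {
	out := make(map[string]Verdict, len(lockfile))
	for _, dep := range lockfile {
		out[dep] = Unreferenced
	}
	for _, f := range files {
		for _, dep := range f.Imports {
			v := Imported
			if f.SymbolsTracked && len(f.Used[dep]) > 0 {
				v = SymbolUsed
			} else if f.SymbolsTracked {
				v = ImportedUnused
			}
			if cur, inLock := out[dep]; inLock && v > cur {
				out[dep] = v
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: one JS file, one Rust file, four lockfile entries.
	js := FileFacts{true, []string{"lodash", "left-pad"}, map[string][]string{"lodash": {"merge"}}}
	rs := FileFacts{false, []string{"serde"}, nil}
	for dep, v := range Classify([]string{"lodash", "left-pad", "serde", "minimist"}, []FileFacts{js, rs}) {
		fmt.Println(dep, names[v])
	}
}
```

An advisory triage step would typically deprioritise only the "unreferenced" and "imported-unused" entries; a side-effect import that binds no name also lands in "imported-unused" even though the module's top-level code runs.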

Index

Constants

const (
	JavaScript = extract.JavaScript
	TypeScript = extract.TypeScript
	Python     = extract.Python
	Go         = extract.Go
	Rust       = extract.Rust
	Ruby       = extract.Ruby
	Java       = extract.Java
	PHP        = extract.PHP
	CSharp     = extract.CSharp
)
const (
	ImportStatic   = extract.ImportStatic
	ImportDynamic  = extract.ImportDynamic
	ImportRequire  = extract.ImportRequire
	ImportRelative = extract.ImportRelative
)


Types

type CallGraph

type CallGraph = extract.CallGraph

type Function

type Function = extract.Function

type Import

type Import = extract.Import

type ImportKind

type ImportKind = extract.ImportKind

type Language

type Language = extract.Language

type Options

type Options = extract.Options

type Result

type Result = extract.Result

func Extract

func Extract(lang Language, body []byte, opts Options) (Result, error)

Extract is the top-level dispatcher. It picks the per-language extractor implementation, runs the requested passes, and returns the aggregated result.

Per-language extractors live under internal/lang/<name>. Each one owns its own tree-sitter parser pool, query, and dep-key normalizer.

Concurrency: safe for concurrent callers — every per-language extractor maintains its own pool.

type UsedSymbol

type UsedSymbol = extract.UsedSymbol

Directories

Path: Synopsis
internal/extract: Package extract holds the shared types used by depusage's public API and its per-language sub-packages.
internal/lang/csharp: Package csharp implements the C# import extractor.
internal/lang/golang: Package golang implements the Go import extractor.
internal/lang/java: Package java implements the Java import extractor.
internal/lang/javascript: Package javascript implements the JavaScript (and TypeScript) import extractor.
internal/lang/php: Package php implements the PHP import extractor.
internal/lang/python: Package python implements the Python import extractor.
internal/lang/ruby: Package ruby implements the Ruby import extractor.
internal/lang/rust: Package rust implements the Rust import extractor.
internal/tsutil: Package tsutil holds tree-sitter helpers shared across the per-language extractors: a per-language parser pool and a tiny query-compile-once wrapper.
