CLI tool for collecting software supply chain security metrics

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-or-later
    SPDX License Expression
  • Author: SEMCL
  • Tags metrics , purl , sbom , security , supply-chain
  • Requires: Python >=3.10
  • Provides-Extra: all , dev , scanner
Classifiers
Report project as malware

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

CCDA-CLI - Supply Chain Security Metrics

License Python 3.10+ PyPI version

A command-line tool for analyzing software packages across ecosystems (npm, PyPI, Cargo, Maven, Go). Provides health scores, maintainer burnout risk, and comprehensive supply chain security metrics to help developers make informed decisions about their dependencies.

Features

  • Multi-Ecosystem Support: Analyze packages from npm, PyPI, Cargo, Maven, and Go
  • Health Scoring: Comprehensive package health assessment (0-100 score)
  • Burnout Detection: Identify maintainer sustainability risks
  • CHAOSS Metrics: Bus factor, pony factor, elephant factor analysis
  • Supply Chain Security: License compliance, binary detection, suspicious file scanning
  • GitHub Integration: Stars, forks, issues, PRs, and release metrics
  • Flexible Output: JSON reports for integration with other tools

How It Works

ccda-cli runs a comprehensive 7-step analysis pipeline:

  1. Discovery - Fetch package metadata from deps.dev, ecosyste.ms, and package registries
  2. Clone - Download the source repository for deep analysis
  3. Git Metrics - Calculate CHAOSS metrics (bus factor, contributors, companies)
  4. GitHub API - Gather community health indicators (stars, forks, issues, PRs)
  5. Tarball Scan - Analyze package contents for licenses, binaries, and suspicious files
  6. Health Score - Compute overall package health across multiple dimensions
  7. Burnout Score - Assess maintainer sustainability and stress indicators

Installation

pip install ccda-cli

For development:

git clone https://github.com/SemClone/ccda-cli.git
cd ccda-cli
pip install -e .

Quick Start

# Analyze a package
ccda-cli analyze pkg:npm/express

# Save results to file
ccda-cli analyze pkg:pypi/requests --output report.json

# Analyze different ecosystems
ccda-cli analyze pkg:cargo/serde
ccda-cli analyze pkg:maven/org.opensearch/opensearch
ccda-cli analyze pkg:go/github.com/hashicorp/terraform

# Discovery only (no deep analysis)
ccda-cli discover pkg:npm/lodash

Usage

CLI Commands

# Full package analysis
ccda-cli analyze pkg:npm/express --output analysis.json

# Metadata discovery only
ccda-cli discover pkg:pypi/requests

# View cache information
ccda-cli cache info

# Clear cache
ccda-cli cache clear --all

# Check version
ccda-cli --version

Supported Package URL (PURL) Formats

# npm packages
pkg:npm/express
pkg:npm/@babel/core@7.24.0

# PyPI packages
pkg:pypi/requests
pkg:pypi/requests@2.31.0

# Cargo (Rust) packages
pkg:cargo/serde
pkg:cargo/tokio@1.32.0

# Maven packages
pkg:maven/org.opensearch/opensearch
pkg:maven/org.apache.commons/commons-lang3@3.12.0

# Go modules
pkg:go/github.com/hashicorp/terraform

# GitHub repositories
pkg:github/expressjs/express

Output Format

The tool outputs JSON reports with the following metrics:

Health Score (0-100)

  • Commit activity and release frequency
  • Contributor diversity (bus factor, pony factor)
  • Issue/PR responsiveness
  • License compliance
  • Branch protection and security

Burnout Score (0-100)

  • Issue backlog pressure
  • Response time gaps
  • Triage overhead
  • Workload concentration
  • Activity decline trends

Additional Metrics

  • CHAOSS metrics (bus/pony/elephant factors)
  • GitHub community health (stars, forks, issues, PRs)
  • License information
  • Binary and suspicious file detection

Documentation

Configuration

GitHub Token (Recommended)

Set up a GitHub token for higher rate limits:

export GITHUB_TOKEN=ghp_your_token_here

See GitHub Token Setup for detailed instructions.

Cache Configuration

# Via environment variable
export CCDA_CACHE_DIR=/custom/path

# Or in ~/.ccda/config.yaml
cache:
  directory: /custom/path

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details on:

  • Code of conduct
  • Development setup
  • Submitting pull requests
  • Reporting issues

Support

For support and questions:

License

GNU Affero General Public License v3.0 - see LICENSE file for details.

Authors

See AUTHORS.md for a list of contributors.

Part of the SEMCL.ONE ecosystem for comprehensive OSS compliance and code analysis.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-or-later
    SPDX License Expression
  • Author: SEMCL
  • Tags metrics , purl , sbom , security , supply-chain
  • Requires: Python >=3.10
  • Provides-Extra: all , dev , scanner
Classifiers

Release history Release notifications | RSS feed

0.2.2

0.2.1

0.2.0

0.1.10

0.1.9

0.1.8

0.1.7

0.1.6

0.1.5

This version

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ccda_cli-0.1.4.tar.gz (201.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ccda_cli-0.1.4-py3-none-any.whl (81.9 kB view details)

Uploaded Python 3

File details

Details for the file ccda_cli-0.1.4.tar.gz.

File metadata

  • Download URL: ccda_cli-0.1.4.tar.gz
  • Upload date:
  • Size: 201.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ccda_cli-0.1.4.tar.gz
Algorithm Hash digest
SHA256 36faf4db4496b131429cbdd709f3f1759a12244da3d53fb8de567e29944c28ee
MD5 76ddc9e962c8c385c732a77743394b70
BLAKE2b-256 7c39ca176560ffdd603fbe6db4b2c0e7be13a9133c649c42588967481d0d9cc9

See more details on using hashes here.

Provenance

The following attestation bundles were made for ccda_cli-0.1.4.tar.gz:

Publisher: python-publish.yml on SemClone/ccda-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ccda_cli-0.1.4-py3-none-any.whl.

File metadata

  • Download URL: ccda_cli-0.1.4-py3-none-any.whl
  • Upload date:
  • Size: 81.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ccda_cli-0.1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 a2356c44f4354a0fe3d70bc8218ac0e495c2eeef0f5bcc69da81133836c5d27c
MD5 a0586a6f780060d58d87bcd0df1c6208
BLAKE2b-256 722e05b71718a1dc26d17965d0af3430a6b875adec6f37649082a196747a812c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ccda_cli-0.1.4-py3-none-any.whl:

Publisher: python-publish.yml on SemClone/ccda-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page