CLI tool for collecting software supply chain security metrics

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-or-later
    SPDX License Expression
  • Author: SEMCL
  • Tags metrics , purl , sbom , security , supply-chain
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

CCDA-CLI - Supply Chain Security Metrics

License Python 3.10+ PyPI version

A command-line tool for analyzing software packages across ecosystems (npm, PyPI, Cargo, Maven, Go). Provides health scores, maintainer burnout risk, and comprehensive supply chain security metrics to help developers make informed decisions about their dependencies.

Features

  • Multi-Ecosystem Support: Analyze packages from npm, PyPI, Cargo, Maven, and Go
  • Health Scoring: Comprehensive package health assessment (0-100 score)
  • Burnout Detection: Identify maintainer sustainability risks
  • CHAOSS Metrics: Bus factor, pony factor, elephant factor analysis
  • Supply Chain Security: License compliance, binary detection, suspicious file scanning
  • GitHub Integration: Stars, forks, issues, PRs, and release metrics
  • Flexible Output: JSON reports for integration with other tools

How It Works

ccda-cli runs a comprehensive 7-step analysis pipeline:

  1. Discovery - Fetch package metadata from deps.dev, ecosyste.ms, and package registries
  2. Clone - Download the source repository for deep analysis
  3. Git Metrics - Calculate CHAOSS metrics (bus factor, contributors, companies)
  4. GitHub API - Gather community health indicators (stars, forks, issues, PRs)
  5. Tarball Scan - Analyze package contents for licenses, binaries, and suspicious files
  6. Health Score - Compute overall package health across multiple dimensions
  7. Burnout Score - Assess maintainer sustainability and stress indicators

Installation

pip install ccda-cli

For development:

git clone https://github.com/SemClone/ccda-cli.git
cd ccda-cli
pip install -e .

Quick Start

# Analyze a package
ccda-cli analyze pkg:npm/express

# Save results to file
ccda-cli analyze pkg:pypi/requests --output report.json

# Analyze different ecosystems
ccda-cli analyze pkg:cargo/serde
ccda-cli analyze pkg:maven/org.opensearch/opensearch
ccda-cli analyze pkg:go/github.com/hashicorp/terraform

# Discovery only (no deep analysis)
ccda-cli discover pkg:npm/lodash

Usage

CLI Commands

# Full package analysis
ccda-cli analyze pkg:npm/express --output analysis.json

# Metadata discovery only
ccda-cli discover pkg:pypi/requests

# View cache information
ccda-cli cache info

# Clear cache
ccda-cli cache clear --all

# Check version
ccda-cli --version

Supported Package URL (PURL) Formats

# npm packages
pkg:npm/express
pkg:npm/@babel/core@7.24.0

# PyPI packages
pkg:pypi/requests
pkg:pypi/requests@2.31.0

# Cargo (Rust) packages
pkg:cargo/serde
pkg:cargo/tokio@1.32.0

# Maven packages
pkg:maven/org.opensearch/opensearch
pkg:maven/org.apache.commons/commons-lang3@3.12.0

# Go modules
pkg:go/github.com/hashicorp/terraform

# GitHub repositories
pkg:github/expressjs/express

Output Format

The tool outputs JSON reports with the following metrics:

Health Score (0-100)

  • Commit activity and release frequency
  • Contributor diversity (bus factor, pony factor)
  • Issue/PR responsiveness
  • License compliance
  • Branch protection and security

Burnout Score (0-100)

  • Issue backlog pressure
  • Response time gaps
  • Triage overhead
  • Workload concentration
  • Activity decline trends

Additional Metrics

  • CHAOSS metrics (bus/pony/elephant factors)
  • GitHub community health (stars, forks, issues, PRs)
  • License information
  • Binary and suspicious file detection

Documentation

Configuration

GitHub Token (Recommended)

Set up a GitHub token for higher rate limits:

export GITHUB_TOKEN=ghp_your_token_here

See GitHub Token Setup for detailed instructions.

Cache Configuration

# Via environment variable
export CCDA_CACHE_DIR=/custom/path

# Or in ~/.ccda/config.yaml
cache:
  directory: /custom/path

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details on:

  • Code of conduct
  • Development setup
  • Submitting pull requests
  • Reporting issues

Support

For support and questions:

License

GNU Affero General Public License v3.0 - see LICENSE file for details.

Authors

See AUTHORS.md for a list of contributors.

Part of the SEMCL.ONE ecosystem for comprehensive OSS compliance and code analysis.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-or-later
    SPDX License Expression
  • Author: SEMCL
  • Tags metrics , purl , sbom , security , supply-chain
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.2.2

0.2.1

0.2.0

0.1.10

0.1.9

0.1.8

0.1.7

0.1.6

This version

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ccda_cli-0.1.5.tar.gz (200.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ccda_cli-0.1.5-py3-none-any.whl (80.2 kB view details)

Uploaded Python 3

File details

Details for the file ccda_cli-0.1.5.tar.gz.

File metadata

  • Download URL: ccda_cli-0.1.5.tar.gz
  • Upload date:
  • Size: 200.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ccda_cli-0.1.5.tar.gz
Algorithm Hash digest
SHA256 37832c697ed1e629d5d208748ac0e6899e6cb0d889bb5d323a1cdcd74ab58c0f
MD5 8abda703c07ecf7f441c3ceb41a194e1
BLAKE2b-256 faa6cb9a60907c29529ab733d387d93fcf471274995744b7bf7e4e0320d19723

See more details on using hashes here.

Provenance

The following attestation bundles were made for ccda_cli-0.1.5.tar.gz:

Publisher: python-publish.yml on SemClone/ccda-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ccda_cli-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: ccda_cli-0.1.5-py3-none-any.whl
  • Upload date:
  • Size: 80.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ccda_cli-0.1.5-py3-none-any.whl
Algorithm Hash digest
SHA256 71cad247c3e824e41dc40dcb86ae79932290fc759e1acb9daf347e9b6aee12ca
MD5 2e22a1ee4be69f777c9105c6ef202d2d
BLAKE2b-256 7db2927faebab7b17fdb68e4fb729b5268bdce40577162c71994739655c9d581

See more details on using hashes here.

Provenance

The following attestation bundles were made for ccda_cli-0.1.5-py3-none-any.whl:

Publisher: python-publish.yml on SemClone/ccda-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page