Commit 1e38bfb

docs: Update README and CHANGELOG for v1.2.0
- Add workspace & monorepo support documentation
- Update sample output with colored circle indicators
- Add --no-workspaces flag to CLI reference
- Update roadmap to v1.2 (current) with completed features
- Add CHANGELOG entry for v1.2.0 release
1 parent b35a7d1 commit 1e38bfb

2 files changed

+64
-19
lines changed

CHANGELOG.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,25 @@ All notable changes to QRAMM CryptoDeps will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8+
## [1.2.0] - 2025-12-27
9+
10+
### Added
11+
- **Workspace & monorepo support**: Automatically discovers all manifest files in project directories
12+
- npm/yarn workspaces via `package.json` workspaces field
13+
- pnpm workspaces via `pnpm-workspace.yaml`
14+
- Go workspaces via `go.work` files
15+
- Recursive directory walking with smart filtering (skips node_modules, vendor, .git, etc.)
16+
- **Multi-project output**: Aggregated results across all discovered projects
17+
- **`--no-workspaces` flag**: Disable workspace discovery for single-manifest scanning
18+
19+
### Changed
20+
- **Output formatting**: Clean, professional terminal design with colored status indicators
21+
- 🔴 Vulnerable (quantum-broken by Shor's algorithm)
22+
- 🟡 Partial risk (weakened by Grover's algorithm)
23+
- 🟢 Safe (quantum-resistant)
24+
- Improved remediation guidance layout with aligned fields
25+
- Call trace formatting now uses `>` prefix for cleaner output
26+
827
## [1.1.0] - 2025-12-26
928

1029
### Added
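Review bot: the "Output formatting" entry under Changed should state that the colored circles replace the previous text markers and that anything consuming the terminal output (CI greps, log scrapers) must be updated; as written, a changelog reader cannot tell this is a breaking change for scripts. The "Smart filtering" bullet also leaves the skip list open-ended with "etc."; since every skipped directory is one whose manifests go unscanned, list the full set so users can verify nothing of theirs is silently excluded.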
@@ -42,5 +61,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
4261
- Maps findings to CNSA 2.0 compliance requirements
4362
- Supports OMB M-23-02 cryptographic inventory requirements
4463

64+
[1.2.0]: https://github.com/csnp/qramm-cryptodeps/compare/v1.1.0...v1.2.0
4565
[1.1.0]: https://github.com/csnp/qramm-cryptodeps/compare/v1.0.0...v1.1.0
4666
[1.0.0]: https://github.com/csnp/qramm-cryptodeps/releases/tag/v1.0.0

README.md

Lines changed: 44 additions & 19 deletions
@@ -153,15 +153,32 @@ CryptoDeps goes beyond simple dependency scanning by analyzing your code's call
153153
| Python | `requirements.txt`, `pyproject.toml`, `Pipfile` |
154154
| Maven | `pom.xml` |
155155

156+
### Workspace & Monorepo Support
157+
158+
CryptoDeps automatically discovers all manifest files in workspaces and monorepos:
159+
160+
- **npm/yarn/pnpm**: Detects `workspaces` in package.json and pnpm-workspace.yaml
161+
- **Go**: Detects `go.work` files and all `go.mod` in subdirectories
162+
- **Recursive discovery**: Walks directory tree to find all manifests
163+
- **Smart filtering**: Skips node_modules, vendor, .git, build directories
164+
165+
```bash
166+
# Scan entire monorepo - finds all projects automatically
167+
cryptodeps analyze /path/to/monorepo
168+
169+
# Disable workspace discovery (scan single manifest only)
170+
cryptodeps analyze /path/to/monorepo --no-workspaces
171+
```
172+
156173
### Quantum Risk Classification
157174

158175
Every finding is classified by quantum computing threat level:
159176

160177
| Symbol | Risk Level | Quantum Threat | Examples |
161178
|--------|------------|----------------|----------|
162-
| `[!]` | VULNERABLE | Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
163-
| `[~]` | PARTIAL | Grover's algorithm | AES-128, SHA-256, HMAC-SHA256 |
164-
| `[OK]` | SAFE | Resistant | AES-256, SHA-384+, ChaCha20, Argon2 |
179+
| 🔴 | VULNERABLE | Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |
180+
| 🟡 | PARTIAL | Grover's algorithm | AES-128, SHA-256, HMAC-SHA256 |
181+
| 🟢 | SAFE | Resistant | AES-256, SHA-384+, ChaCha20, Argon2 |
165182

166183
### Smart Remediation
167184
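Review bot: the Symbol column of the risk table now carries only colored emoji, so the distinction is lost in terminals without Unicode or color support and in plain log files; either keep the ASCII markers alongside the circles or state whether a plain-text output mode exists. In the new Workspace section, "build directories" is unspecified (which directory names are skipped?), and the `--no-workspaces` example should say which manifest is scanned when the given path is a directory containing several.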

@@ -209,6 +226,7 @@ Analyze Flags:
209226
--reachability Analyze call graph for actual crypto usage (default true, Go only)
210227
--deep Force AST analysis for packages not in database
211228
--offline Use only local database, skip auto-updates
229+
--no-workspaces Disable workspace discovery (scan single manifest only)
212230
--risk string Filter by risk: vulnerable, partial, all
213231
--min-severity string Minimum severity to report
214232
-h, --help Show help
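Review bot: the new `--no-workspaces` line should state its default in the same style as `--reachability` above it, e.g. `--no-workspaces Disable workspace discovery (default false; scan single manifest only)`, so readers can see that workspace discovery is on unless explicitly disabled.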
@@ -244,38 +262,43 @@ cryptodeps status
244262
## Sample Output
245263

246264
```
247-
Scanning go.mod... found 36 dependencies
265+
[*] Scanning go.mod... found 36 dependencies
248266
249-
CONFIRMED - Actually used by your code (requires action):
267+
[!] CONFIRMED - Actually used by your code (requires action):
250268
──────────────────────────────────────────────────────────────────────────────────────────
251-
[!] Ed25519 VULNERABLE [short-term] Effort: Low (simple change)
269+
🔴 Ed25519 VULNERABLE 1-2yr low
252270
└─ golang.org/x/crypto@v0.31.0
253271
> Called from: crypto.GenerateEd25519KeyPair
254272
> Called from: crypto.SignMessage
255273
256-
[~] HS256 PARTIAL [medium-term] Effort: Low (simple change)
274+
🟡 HS256 PARTIAL - low
257275
└─ github.com/golang-jwt/jwt/v5@v5.3.0
258276
> Called from: auth.JWTService.GenerateAccessToken
259277
260-
AVAILABLE - In dependencies but not called (lower priority):
278+
🟢 bcrypt SAFE - -
279+
└─ golang.org/x/crypto@v0.31.0
280+
> Called from: auth.HashPassword
281+
282+
[.] AVAILABLE - In dependencies but not called (lower priority):
261283
──────────────────────────────────────────────────────────────────────────────────────────
262284
golang.org/x/crypto@v0.31.0
263-
└─ [!] X25519, [OK] ChaCha20-Poly1305, [OK] Argon2
285+
└─ 🔴 X25519, 🟢 ChaCha20-Poly1305, 🟢 Argon2
264286
265287
══════════════════════════════════════════════════════════════════════════════════════════
266288
SUMMARY: 36 deps | 2 with crypto | 8 vulnerable | 2 partial
267-
REACHABILITY: 2 confirmed | 0 reachable | 11 available-only
289+
REACHABILITY: 3 confirmed | 0 reachable | 11 available-only
268290
269-
REMEDIATION - Action Required:
291+
REMEDIATION GUIDANCE:
270292
══════════════════════════════════════════════════════════════════════════════════════════
271293
272-
[!] Ed25519
294+
🔴 Ed25519 [PRIORITY]
273295
──────────────────────────────────────────────────
274-
Action: Plan migration to ML-DSA; prioritize if signing long-lived data
275-
Replace: ML-DSA-65 (FIPS 204)
276-
Timeline: Short-term (1-2 years)
277-
Effort: Low (simple change)
278-
Libraries: github.com/cloudflare/circl/sign/mldsa
296+
Action: Plan migration to ML-DSA; prioritize if signing long-lived data
297+
Replace with: ML-DSA-65 (FIPS 204)
298+
NIST: FIPS 204
299+
Timeline: Short-term (1-2 years)
300+
Effort: Low (simple change)
301+
Libraries: github.com/cloudflare/circl/sign/mldsa
279302
```
280303

281304
---
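Review bot: the sample output mixes marker styles: section headers keep ASCII tags (`[!] CONFIRMED`, `[.] AVAILABLE`) while individual findings use the emoji circles, even though the risk table above says the bracket markers were replaced. The `CONFIRMED - Actually used by your code (requires action)` section also now contains a 🟢 bcrypt entry that requires no action; reword the heading or give safe confirmed findings their own label so a reader does not treat bcrypt as a remediation item. Finally, the HS256 row's timeline changed from `[medium-term]` to `-`; if the sample is representative, confirm that partial-risk findings are still assigned a timeline.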
@@ -424,7 +447,7 @@ qramm-cryptodeps/
424447
425448
## Roadmap
426449
427-
### v1.0 (Current Release)
450+
### v1.2 (Current Release)
428451
429452
- [x] Multi-ecosystem dependency scanning (Go, npm, Python, Maven)
430453
- [x] Reachability analysis for Go projects
@@ -433,8 +456,10 @@ qramm-cryptodeps/
433456
- [x] Smart remediation guidance with NIST references
434457
- [x] GitHub repository URL scanning
435458
- [x] Curated database of 1,100+ packages
459+
- [x] Workspace & monorepo support (npm, pnpm, Go workspaces)
460+
- [x] Multi-project aggregated results
436461
437-
### v1.1 (Next)
462+
### v1.3 (Next)
438463
439464
- [ ] Improved reachability for npm/Python projects
440465
- [ ] Transitive dependency crypto inheritance
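Review bot: the v1.2 roadmap item `Workspace & monorepo support (npm, pnpm, Go workspaces)` omits yarn, which the CHANGELOG entry in this same commit lists (`npm/yarn workspaces via package.json workspaces field`); align the two lists so the roadmap does not understate what shipped.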
