Adding docs (#138)

* Add docs for similar tools.

* update readme

* Explicitly mention docker-compatible socket requirement.

* update doc

Author: evandowning

README.md

@@ -5,137 +5,45 @@
 [![PyPI version](https://badge.fury.io/py/it-depends.svg)](https://badge.fury.io/py/it-depends)
 [![Slack Status](https://slack.empirehacking.nyc/badge.svg)](https://slack.empirehacking.nyc)
 
-It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. You can use it to enumerate all third party dependencies for a software package, map those dependencies to known security vulnerabilities, as well as compare the similarity between two packages based on their dependencies.
+It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. It supports Go, JavaScript, Rust, Python, C/C++ (cmake and autotools), and Ubuntu packages.
 
-To the best of our knowledge, It-Depends is the only such tool with the following features:
+What makes it different from [similar tools](SIMILAR.md):
 
-* Support for C/C++ projects (both autootools and cmake)
-* Automated resolution of native library dependencies partially based on dynamic analysis (_e.g._, the Python package `pytz` depends on the native library `libtinfo.so.6`)
-* Enumeration of _all possible_ dependency resolutions, not just a _single feasible_ resolution
-* A comparison metric for the similarity between two packages based on their dependency graph
+* Resolves _all possible_ dependency versions, not just a single feasible resolution
+* C/C++ support via cmake and autotools without building the project
+* Automated native library dependency mapping via dynamic analysis (_e.g._, `pytz` depends on `libtinfo.so.6`)
+* Vulnerability scanning against the [OSV database](https://osv.dev/)
+* Dependency similarity comparison between packages
 
-## Features
-
-* Supports Go, JavaScript, Rust, Python, and C/C++ projects.
-* Accepts source code repositories or package specifications like `pip:it-depends`
-* Extracts dependencies of cmake/autotool repostories without building it
-* Finds native dependencies for high level languages like Python or JavaScript
-* Provides visualization based on vis.js or dot
-* Matches dependencies and CVEs
-* Export Software Bills of Materials (SBOMs)
-  * Machine-intelligible JSON output
-  * Support for the SPDX standard is [in active development](https://github.com/trailofbits/it-depends/tree/dev/spdx)
-
-### Can It-Depends Do It? It Depends.
-
-* It-Depends does not detect vendored or copy/pasted dependencies
-* Results from build systems like autotools and cmake that entail arbitrary computation at install time are
-   best-effort
-* Resolution of native dependencies is best-effort
-  * Some native dependencies are resolved through dynamic analysis
-  * Native dependencies are inferred by cross-referencing file requirements against paths provided by the Ubuntu
-     package repository; dependencies may be different across other Linux distributions or Ubuntu versions
-* It-Depends attempts to resolve _all_ possible package versions that satisfy a dependency
-  * It-Depends _does not_ find a single satisfying package resolution
-  * The list of resolved packages is intended to be a superset of the packages required by the installation of
-     a package on any system
-  * The `--audit` feature may discover vulnerabilities in upstream dependencies that are either not exploitable in the
-     target package or are in a package version that cannot exist in any valid dependency resolution of the target
-     package
-* It-Depends caches data that it expects to be immutable in a local database
-  * If a package is ever deleted or yanked from a package repository after it was already cached, It-Depends will
-     continue to use the cached data unless the cache is cleared with `--clear-cache`
-
-## Quickstart
+## Installation
 
 ```shell
 pip3 install it-depends
-python -c "import it_depends as it; print(it.__version__)"
-```
-
-### Running it
-
-Run `it-depends` in the root of the source repository you would like to analyze:
-
-```shell
-cd /path/to/project
-it-depends .
-```
-
-or alternatively point it to the path directly:
-
-```shell
-it-depends /path/to/project
-```
-
-or alternatively specify a package from a public package repository:
-
-```shell
-it-depends "pip:numpy"
-it-depends "ubuntu:libc6@2.31"
-it-depends "npm:lodash@>=4.17.0"
 ```
 
-To list resolvers compatible for the specified target, use the `--list` option:
+Ecosystem-specific tools must be installed separately: `npm` for JavaScript, `cargo` for Rust, `pip` for Python, `autotools`/`cmake` for C/C++. Native dependency resolution and Ubuntu package analysis require a Docker-compatible container runtime with an accessible socket (_e.g._, Docker Desktop, Podman, or Colima).
 
-```shell
-it-depends . --list
-```
-
-It-Depends will output the full dependency hierarchy in JSON format. Additional output formats such
-as Graphviz/Dot are available via the `--output-format` option.
-
-It-Depends can automatically try to match packages against the [OSV vulnerability database](https://osv.dev/) with the
-`--audit` option. This is a best-effort matching as it is based on package names, which might not always consistent.
-Any discovered vulnerabilities are added to the JSON output.
-
-It-Depends attempts to parallelize as much of its effort as possible. To limit the maximum number of parallel tasks, use
-the `--max-workers` option.
-
-By default, It-Depends recursively resolves all packages' dependencies to construct a complete dependency graph. The
-depth of the recursion can be limited using the `--depth-limit` option. For example,
+## Usage
 
 ```shell
-it-depends pip:graphtage --depth-limit 1
+it-depends .                            # Analyze current directory
+it-depends /path/to/project             # Analyze a source repository
+it-depends "pip:numpy"                  # Analyze a pip package
+it-depends "ubuntu:libc6@2.31"          # Analyze an Ubuntu package
+it-depends "npm:lodash@>=4.17.0"        # Specify a version constraint
+it-depends --audit pip:numpy            # Include vulnerability audit
+it-depends . --list                     # List compatible resolvers
+it-depends --output-format dot .        # Output as Graphviz/Dot
+it-depends --depth-limit 1 pip:numpy    # Only direct dependencies
 ```
 
-will only enumerate the direct dependencies of Graphtage.
-
-### Examples
-
-Here is an example of running It-Depends on its own source repository:
-![](https://gist.githubusercontent.com/feliam/e906ce723333b2b55237a71c4028559e/raw/e60f46c35b215a73a37a1d1ce3bb43eaead76af4/it-depends-demo.svg?sanitize=1)
-
-This is the resulting [json](https://gist.github.com/feliam/2bdec76f7aa50602869059bfa14df156)
-with all the discovered dependencies.
-This is the resulting [Graphviz dot file](https://gist.github.com/feliam/275951f5788c23a477bc7cf758a32cc2)
-producing this
-![dependency graph](https://user-images.githubusercontent.com/1017522/116887041-33903b80-ac00-11eb-9288-f3d286231e47.png)
-
-This is the resulting dependency graph:
-![dependency graph](https://user-images.githubusercontent.com/1017522/126380710-0bf4fd66-0d2f-4cb1-a0ff-96fe715c4981.png)
-
-### It-Depends' Dependencies
-
-* JavaScript requires `npm`
-* Rust requires `cargo`
-* Python requires `pip`
-* C/C++ requires `autotools` and/or `cmake`
-* Several native dependencies are resolved using Ubuntu’s file to path database `apt-file`, but this is seamlessly handled through an Ubuntu `docker` container on other distributions and operating systems
-* Currently `docker` is used to resolve native dependencies
-
 ## Development
 
 ```shell
 git clone https://github.com/trailofbits/it-depends
 cd it-depends
 make dev
 uv run it-depends --help
-```
-
-Format and lint code before contributing
-
-```shell
 make format lint
 ```
 

SIMILAR.md

@@ -0,0 +1,43 @@
+# Similar Tools
+
+It-Depends is a dependency analyzer that builds complete dependency graphs and SBOMs. Unlike most tools in this space, it resolves *all possible* dependency versions (not just a single feasible resolution), supports C/C++ projects via cmake/autotools, and maps native library dependencies through dynamic analysis.
+
+This document compares it to related tools across several categories.
+
+## Comparison
+
+| Tool | Type | All-version resolution | C/C++ support | Native lib mapping | SBOM | Vuln scanning | Open source |
+|------|------|:---:|:---:|:---:|:---:|:---:|:---:|
+| **It-Depends** | Dependency analyzer | Yes | Yes | Yes | Yes | Yes | Yes |
+| [Syft](https://github.com/anchore/syft) | SBOM generator | No | No | No | Yes | No | Yes |
+| [Trivy](https://github.com/aquasecurity/trivy) | SBOM / scanner | No | No | No | Yes | Yes | Yes |
+| [Grype](https://github.com/anchore/grype) | Vuln scanner | No | No | No | No | Yes | Yes |
+| [OSV-Scanner](https://github.com/google/osv-scanner) | Vuln scanner | No | No | No | Yes | Yes | Yes |
+| [ORT](https://github.com/oss-review-toolkit/ort) | SCA / compliance | No | Partial | No | Yes | Yes | Yes |
+| [Snyk](https://snyk.io/) | SCA platform | No | Partial | No | Yes | Yes | No |
+| [OWASP Dep-Check](https://github.com/jeremylong/DependencyCheck) | SCA / vuln scanner | No | No | No | Yes | Yes | Yes |
+| [Dependabot](https://github.com/dependabot) | Dependency updater | No | No | No | No | No | Yes |
+| [Renovate](https://github.com/renovatebot/renovate) | Dependency updater | No | No | No | No | No | Yes |
+
+## Categories
+
+### SBOM Generators
+
+- **[Syft](https://github.com/anchore/syft)** -- Generates SBOMs from container images and filesystems. Supports CycloneDX and SPDX formats. Focused on cataloging what's installed rather than resolving dependency trees.
+- **[Trivy](https://github.com/aquasecurity/trivy)** -- All-in-one security scanner for containers, filesystems, and git repositories. Generates SBOMs and scans for vulnerabilities, misconfigurations, and secrets.
+
+### Dependency Analysis / SCA
+
+- **[ORT](https://github.com/oss-review-toolkit/ort)** (OSS Review Toolkit) -- Comprehensive open-source compliance toolchain. Analyzes dependencies, scans for licenses, and generates reports. Broad ecosystem support but resolves a single dependency tree.
+- **[Snyk](https://snyk.io/)** -- Commercial SCA platform that monitors dependencies for vulnerabilities. Integrates with CI/CD pipelines and provides fix suggestions. Closed-source core.
+- **[OWASP Dependency-Check](https://github.com/jeremylong/DependencyCheck)** -- Identifies known vulnerabilities in project dependencies by cross-referencing against the NVD. Primarily Java-focused but supports other ecosystems.
+
+### Vulnerability Scanners
+
+- **[Grype](https://github.com/anchore/grype)** -- Vulnerability scanner for container images and filesystems. Pairs with Syft for SBOM-based scanning. Fast and focused on matching packages to CVEs.
+- **[OSV-Scanner](https://github.com/google/osv-scanner)** -- Google's scanner that matches dependencies against the OSV vulnerability database. Supports lockfile and SBOM input. It-Depends uses the same OSV database for its `--audit` feature.
+
+### Dependency Update Bots
+
+- **[Dependabot](https://github.com/dependabot)** -- GitHub-native bot that opens PRs to update outdated or vulnerable dependencies. Operates as a CI integration, not a standalone analysis tool.
+- **[Renovate](https://github.com/renovatebot/renovate)** -- Automated dependency update tool supporting many platforms and ecosystems. Highly configurable. Like Dependabot, it updates dependencies rather than analyzing them.