Automated license checking for rust. cargo lichking is a Cargo subcommand that checks licensing information for dependencies.

Overview

Liches are not lawyers: the information output by this tool is provided as a hint to where you may need to look for licensing issues, but it in no way represents legal advice or guarantees correctness. The tool relies at a minimum on package metadata containing correct licensing information. This is not guaranteed, so for real license checking it's necessary to verify all dependencies manually.

Rust Version Policy

This crate only supports the current stable version of Rust; patch releases may use new features at any time.

Installation

To install, simply run cargo install cargo-lichking.

Usage

To get a list of the licenses of all your (transitive) dependencies, run cargo lichking list. To check license compatibility based on this License Slide by David A. Wheeler, run cargo lichking check.

Developing

When running via cargo run you'll need to provide an initial lichking argument to simulate running as a cargo subcommand, e.g. cargo run -- lichking check.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.

Comments
  • The dependency tree should be fully resolved

    I don't know how to fix this error:

    $ cargo build --no-default-features
    <snip>
    $ cargo lichking list
    warning: IANAL: This is not legal advice and is not guaranteed to be correct.
    thread 'main' panicked at 'The dependency tree should be fully resolved', src/libcore/option.rs:785
    note: Run with `RUST_BACKTRACE=1` for a backtrace.
    

    How can the dependencies not be resolved? I just successfully built the program.

    The code is here if you need it but will take a long time to compile.

    OSX 10.9.5, rustc 1.18.0-nightly (63c77214c 2017-04-24), cargo 0.19.0-nightly (8326a3683 2017-04-19), cargo-lichking 0.4.1

    opened by durka 8
  • Set 2018 edition, and remove unused lints

    Ran:

    • Cargo check
    • Cargo fix (--edition)
    • Cargo fmt
    • Cargo clippy --all

    Some people have auto fmt on save in their editors. This change will make diffs smaller for them as well

    opened by meltinglava 5
  • Open to large PRs?

    Hello!

    I've been working on a fork of cargo-lichking with the original intent of making a PR here with my changes. However, things have started to diverge a lot. Differences include:

    • Full rewrite of discovery.rs and bundle.rs
    • Many added templates and a few added licenses
    • (soon) ability to serialize the thirdparty license texts to json or a text document similar to what is produced now
    • (soon) ability to compare found licenses against an existing thirdparty file to check for changes / update changed sections
    • Changed log levels so everything is not an error

    Ideally I want a user to be able to run bundle, inform them of missing licenses that they should add on their own, and then have something in CI that will check the THIRDPARTY file for changes over time.

    If this sounds like more change than you are interested in OR you aren't interested in lots of activity happening here in the next month or so I intend to create a new project with a new name that solely focuses on the functionality in the bundle command, with proper attribution to cargo-lichking. It concerns me that the last commit to this project was over a year ago and there are many open PRs and issues. At the moment I lean to creating a new thing to fit my needs / iterate quickly that won't encroach on the primary check functionality here.

    LMK your thoughts!

    opened by sstadick 3
  • Handle CC0-1.0

    Based on an educated guess that CC0-1.0 is a public domain-like license. It's also acknowledged as compatible with GPL: https://www.gnu.org/licenses/license-list.html#CC0

    The changes build upon the GPL pull request.

    opened by rhn 3
  • Update cargo dependency

    Would you please update the dependency on cargo to the latest version, 0.31? I'd like to package cargo-lichking for Debian and build it against cargo 0.31 so that we don't have to package an old version of cargo.

    help wanted 
    opened by kraai 3
  • list --long

    Would be nice to get license list in a way that's more immediately accessible for machine

    Something like cargo lichking list --long which emits:

    log-mdc : Any(MIT, Apache-2.0)
    serde_derive : Any(MIT, Apache-2.0)
    openssl_pkey : Apache-2.0
    

    instead of

    Any(MIT, Apache-2.0): log-mdc, serde_derive
    Apache-2.0: openssl_pkey
    
    opened by blakehawkins 3
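
Until a per-crate output exists, the grouped output can be inverted after the fact and checked against a license allowlist in CI. This is an added example, not code from the issue or from cargo-lichking: it parses only the two line shapes quoted above, treats any other license expression as one opaque item, and the function names and allowlist are hypothetical.

```rust
use std::collections::BTreeMap;

// Constructed sample in the grouped format quoted in the issue above,
// plus the tool's warning line in case stderr is merged into the capture.
const SAMPLE: &str = "\
warning: IANAL: This is not legal advice and is not guaranteed to be correct.
Any(MIT, Apache-2.0): log-mdc, serde_derive
Apache-2.0: openssl_pkey
";

/// `Any(A, B)` -> [A, B]; any other expression is kept as one opaque item.
fn alternatives(expr: &str) -> Vec<String> {
    let expr = expr.trim();
    match expr.strip_prefix("Any(").and_then(|r| r.strip_suffix(')')) {
        Some(inner) => inner.split(',').map(|s| s.trim().to_string()).collect(),
        None => vec![expr.to_string()],
    }
}

/// Invert `license: crate, crate` lines into a sorted crate -> alternatives map.
/// Warning lines and lines without a `: ` separator are skipped.
fn per_crate(output: &str) -> BTreeMap<String, Vec<String>> {
    let mut map = BTreeMap::new();
    for line in output.lines().filter(|l| !l.starts_with("warning:")) {
        if let Some((license, crates)) = line.split_once(": ") {
            for name in crates.split(',').map(str::trim).filter(|n| !n.is_empty()) {
                map.insert(name.to_string(), alternatives(license));
            }
        }
    }
    map
}

/// Render the per-crate form requested in the issue: `name : license`.
fn long_format(map: &BTreeMap<String, Vec<String>>) -> Vec<String> {
    map.iter()
        .map(|(name, alts)| match alts.len() {
            1 => format!("{} : {}", name, alts[0]),
            _ => format!("{} : Any({})", name, alts.join(", ")),
        })
        .collect()
}

/// Crates for which none of the offered alternatives is on the allowlist.
fn violations(map: &BTreeMap<String, Vec<String>>, allowed: &[&str]) -> Vec<String> {
    map.iter()
        .filter(|(_, alts)| !alts.iter().any(|a| allowed.contains(&a.as_str())))
        .map(|(name, _)| name.clone())
        .collect()
}

fn main() {
    let map = per_crate(SAMPLE);
    for line in long_format(&map) {
        println!("{}", line);
    }
    // Hypothetical policy: only MIT is acceptable.
    println!("not covered by allowlist: {:?}", violations(&map, &["MIT"]));
}
```

A crate offered under `Any(...)` passes when at least one alternative is allowed, which matches the "at your option" reading of dual licensing; a CI job would fail the build when `violations` returns a non-empty list.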
  • thread-id has incompatible license

    https://github.com/ruuda/thread-id is only licensed under Apache-2.0 which fails the check as cargo-lichking is supposedly Apache-2.0/MIT. Does this actually matter at all? If so it probably matters a lot more for cargo itself since they are actually distributing binaries...

    opened by Nemo157 3
  • lichking does not support alternative registries

    Cargo lichking with configured alternative registries does not function.

    cargo lichking list
    warning: IANAL: This is not legal advice and is not guaranteed to be correct.
    error: failed to parse manifest at C:\projects\cic\master\srv\jaims\validator\Cargo.toml

    Caused by: the cargo feature alternative-registries requires a nightly version of Cargo, but this is the dev channel

    There is no alternative-registries feature any more, it's been stabilized at .34

    (FYI: I'm poking around on how to bring it up to .41, which has lots of errors, but I have a problem in that I have to go through a corporate process before I would be allowed to do a pull request)

    opened by jrpascucci 2
  • Sort output of lichking list.

    We use itertools as it has sorted, join and sorted_by_key. All of the places that had collect, itertools does the same in the background. And it cleans up nicely.

    fixes: #59

    bonus pun: We have now purged the unorder in Stratholme

    opened by meltinglava 2
  • Can't compile due to bitflags dependency

    Rust 1.19.0 on Ubuntu 16.04.

    mshapiro:~/c/p/rust-media-libs$ cargo install cargo-lichking
        Updating registry `https://github.com/rust-lang/crates.io-index`
     Downloading cargo-lichking v0.5.4
      Installing cargo-lichking v0.5.4
     Downloading clap v2.29.2
     Downloading cargo v0.18.0
     Downloading void v1.0.2
     Downloading shell-escape v0.1.3
     Downloading env_logger v0.4.3
     Downloading flate2 v0.2.20
     Downloading git2-curl v0.7.0
     Downloading libc v0.2.36
     Downloading crossbeam v0.2.12
     Downloading log v0.3.9
     Downloading libgit2-sys v0.6.19
     Downloading glob v0.2.11
     Downloading semver v0.6.0
     Downloading serde_json v0.9.10
     Downloading num_cpus v1.8.0
     Downloading tempdir v0.3.6
     Downloading url v1.6.0
     Downloading chrono v0.2.25
     Downloading docopt v0.7.0
     Downloading serde v0.9.15
     Downloading tar v0.4.14
     Downloading curl v0.4.11
     Downloading crates-io v0.7.0
     Downloading serde_ignored v0.0.2
     Downloading fs2 v0.4.3
     Downloading git2 v0.6.11
     Downloading toml v0.3.2
     Downloading serde_derive v0.9.15
     Downloading filetime v0.1.15
     Downloading regex v0.2.5
     Downloading regex-syntax v0.4.2
     Downloading memchr v2.0.1
     Downloading utf8-ranges v1.0.0
     Downloading aho-corasick v0.6.4
     Downloading thread_local v0.3.5
     Downloading unreachable v1.0.0
     Downloading lazy_static v1.0.0
     Downloading log v0.4.1
     Downloading miniz-sys v0.1.10
     Downloading cc v1.0.4
     Downloading socket2 v0.3.1
     Downloading curl-sys v0.4.1
     Downloading libz-sys v1.0.18
     Downloading pkg-config v0.3.9
     Downloading matches v0.1.6
     Downloading percent-encoding v1.0.1
     Downloading idna v0.1.4
     Downloading unicode-normalization v0.1.5
     Downloading unicode-bidi v0.3.4
     Downloading bitflags v0.9.1
     Downloading libssh2-sys v0.2.6
     Downloading cmake v0.1.29
     Downloading semver-parser v0.7.0
     Downloading dtoa v0.4.2
     Downloading num-traits v0.1.42
     Downloading itoa v0.3.4
     Downloading rand v0.4.2
     Downloading remove_dir_all v0.3.0
     Downloading num v0.1.41
     Downloading time v0.1.39
     Downloading num-iter v0.1.34
     Downloading num-integer v0.1.35
     Downloading serde_codegen_internals v0.14.2
     Downloading openssl v0.9.23
     Downloading openssl-probe v0.1.2
     Downloading openssl-sys v0.9.24
     Downloading foreign-types v0.3.2
     Downloading foreign-types-shared v0.1.1
       Compiling itoa v0.3.4
       Compiling regex-syntax v0.4.2
       Compiling unicode-normalization v0.1.5
       Compiling rustc-serialize v0.3.24
       Compiling matches v0.1.6
       Compiling shell-escape v0.1.3
       Compiling bitflags v1.0.1
       Compiling unicode-width v0.1.4
    error: expected ident, found #
       --> /home/mshapiro/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/lib.rs:423:29
        |
    423 |                               #[allow(deprecated)]
        |                               ^
        | 
       ::: /home/mshapiro/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/example_generated.rs
        |
    4   | / bitflags! {
    5   | |     /// This is the same `Flags` struct defined in the [crate level example](../index.html#example).
    6   | |     /// Note that this struct is just for documentation purposes only, it must not be used outside
    7   | |     /// this crate.
    ...   |
    13  | |     }
    14  | | }
        | |_- in this macro invocation
    
    error: Could not compile `bitflags`.
    Build failed, waiting for other jobs to finish...
    error: failed to compile `cargo-lichking v0.5.4`, intermediate artifacts can be found at `/tmp/cargo-install.hURVI9iOmvZ0`
    
    

    Any suggestions?

    opened by KallDrexx 2
  • New syntax for FSF licenses

    According to https://www.gnu.org/licenses/identify-licenses-clearly.html, there will be a new syntax for FSF licenses:

    • If the software is licensed only under a particular version of the license, the identifier is LICENSE-VERSION-only (e.g., GPL-3.0-only).
    • If the software is licensed under a particular version of the license or any later version, the identifier is LICENSE-VERSION-or-later (e.g., GPL-3.0-or-later).

    It would be nice if cargo-lichking supported this new syntax.

    opened by kraai 2
  • dependencies + new licences + fixes

    This little PR takes care of those major things

    • updates the used dependencies
    • fixes issues caused by newer deps
    • fixes clippy lints
    • contains the [PR #75](https://github.com/Nemo157/cargo-lichking/pull/75)
    • adds the Boost BSL licence
    • bumps the version number to 0.9.1
    opened by sassman 0
  • display indirect dependency chain for incompatible crates

    I've run lichking check on my crate and it found a dependency with an incompatible license. Since it is not a direct dependency, I've tried to find how it comes into my project and failed. The cargo tree does not show it at all, yet lichking is able to find it.

    Reproduction

    My project is not public yet, but reproduction can be done on lalrpop v0.18.1. Running check tells us that arrayref is not compatible:

    $ cargo lichking check
     ERROR cargo_lichking::check > lalrpop cannot include package arrayref, license BSD-2-Clause is incompatible with MIT / Apache-2.0
     ERROR cargo_lichking        > Incompatible license
    

    Using cargo tree to find where it comes from gives nothing:

    $ cargo tree | grep arrayref
    ... no output ...
    
    $ cargo tree --all-features --edges all | grep arrayref
    ... no output ...
    
    $ cargo tree --all-features --edges all --invert arrayref
    ... no output...
    

    Since cargo tree does not see arrayref as a dependency of the lalrpop project, where does lichking get the information?

    It might be a good idea to introduce a --verbose (or similar) parameter to the check command that would display the name of the crate with the incompatible license together with the dependency chain that led to its inclusion in the project.

    opened by zdenek-crha 3
  • Can MIT software include BSD-2-Clause software?

    https://github.com/Nemo157/cargo-lichking/blob/4cd86f04c8a17e9f6b3dc1079ef7edbc7fa584ed/src/license.rs#L119

    I googled a little and BSD-2-Clause dependency seems to be redistributable as MIT (IANAL), but I cannot find clear trustable answer whether it is allowed or not.

    • "BSD-new" in https://dwheeler.com/essays/floss-license-slide.html is BSD-3-Clause, but not BSD-2-Clause.
      • The page does not say anything about BSD-2-Clause.
    • https://opensource.stackexchange.com/a/582 says "Especially considering that both licenses are considered compatible," but they might not be a lawyer...

    cc: https://github.com/Nemo157/cargo-lichking/issues/30#issuecomment-615946785

    opened by lo48576 0
  • Output parseable bundle format

    Come to think of it exporting to some form of output like xml (or something nicer) with all the fields (including full license text) would make it easy to automatically generate any documents required by different companies compliance departments.

    — @xd009642 https://github.com/Nemo157/cargo-lichking/issues/68#issue-533664940

    Should be trivial to add another bundle variant that just pipes the result through serde to output a handful of popular formats (first CLI idea, cargo lichking bundle --variant serialize:toml if it's possible to easily support a key-value value like that in clap, otherwise I guess something like cargo lichking bundle --variant serialize --format toml).

    opened by Nemo157 0
Owner
Nemo157