1 // Copyright 2016 The Rust Project Developers. See the COPYRIGHT
2 // file at the top-level directory of this distribution and at
3 // http://rust-lang.org/COPYRIGHT.
5 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
6 // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
7 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
8 // option. This file may not be copied, modified, or distributed
9 // except according to those terms.
11 //! Check license of third-party deps by inspecting src/vendor
13 use std::collections::{BTreeSet, HashSet, HashMap};
17 use std::process::Command;
21 static LICENSES: &'static [&'static str] = &[
32 /// These are exceptions to Rust's permissive licensing policy, and
33 /// should be considered bugs. Exceptions are only allowed in Rust
34 /// tooling. It is _crucial_ that no exception crates be dependencies
35 /// of the Rust runtime (std / test).
36 static EXCEPTIONS: &'static [&'static str] = &[
37 "mdbook", // MPL2, mdbook
38 "openssl", // BSD+advertising clause, cargo, mdbook
39 "pest", // MPL2, mdbook via handlebars
40 "thread-id", // Apache-2.0, mdbook
41 "toml-query", // MPL-2.0, mdbook
42 "is-match", // MPL-2.0, mdbook
43 "cssparser", // MPL-2.0, rustdoc
44 "smallvec", // MPL-2.0, rustdoc
45 "fuchsia-zircon-sys", // BSD-3-Clause, rustdoc, rustc, cargo
46 "fuchsia-zircon", // BSD-3-Clause, rustdoc, rustc, cargo (jobserver & tempdir)
47 "cssparser-macros", // MPL-2.0, rustdoc
48 "selectors", // MPL-2.0, rustdoc
49 "clippy_lints", // MPL-2.0, rls
50 "colored", // MPL-2.0, rustfmt
51 "ordslice", // Apache-2.0, rls
52 "cloudabi", // BSD-2-Clause, (rls -> crossbeam-channel 0.2 -> rand 0.5)
53 "ryu", // Apache-2.0, rls/cargo/... (b/c of serde)
56 /// Which crates to check against the whitelist?
57 static WHITELIST_CRATES: &'static [CrateVersion] = &[
58 CrateVersion("rustc", "0.0.0"),
59 CrateVersion("rustc_codegen_llvm", "0.0.0"),
62 /// Whitelist of crates rustc is allowed to depend on. Avoid adding to the list if possible.
63 static WHITELIST: &'static [Crate] = &[
64 Crate("aho-corasick"),
68 Crate("backtrace-sys"),
73 Crate("chalk-engine"),
74 Crate("chalk-macros"),
77 Crate("crossbeam-deque"),
78 Crate("crossbeam-epoch"),
79 Crate("crossbeam-utils"),
86 Crate("fuchsia-zircon"),
87 Crate("fuchsia-zircon-sys"),
91 Crate("kernel32-sys"),
96 Crate("log_settings"),
104 Crate("parking_lot"),
105 Crate("parking_lot_core"),
107 Crate("polonius-engine"),
108 Crate("quick-error"),
111 Crate("redox_syscall"),
112 Crate("redox_termios"),
114 Crate("regex-syntax"),
115 Crate("remove_dir_all"),
116 Crate("rustc-demangle"),
118 Crate("rustc-rayon"),
119 Crate("rustc-rayon-core"),
123 Crate("stable_deref_trait"),
128 Crate("thread_local"),
130 Crate("unicode-width"),
131 Crate("unreachable"),
132 Crate("utf8-ranges"),
133 Crate("version_check"),
136 Crate("winapi-build"),
137 Crate("winapi-i686-pc-windows-gnu"),
138 Crate("winapi-util"),
139 Crate("winapi-x86_64-pc-windows-gnu"),
143 // Some types for Serde to deserialize the output of `cargo metadata` to...
145 #[derive(Deserialize)]
150 #[derive(Deserialize)]
152 nodes: Vec<ResolveNode>,
155 #[derive(Deserialize)]
158 dependencies: Vec<String>,
161 /// A unique identifier for a crate
162 #[derive(Copy, Clone, PartialOrd, Ord, PartialEq, Eq, Debug, Hash)]
163 struct Crate<'a>(&'a str); // (name,)
165 #[derive(Copy, Clone, PartialOrd, Ord, PartialEq, Eq, Debug, Hash)]
166 struct CrateVersion<'a>(&'a str, &'a str); // (name, version)
169 pub fn id_str(&self) -> String {
170 format!("{} ", self.0)
174 impl<'a> CrateVersion<'a> {
175 /// Returns the struct and whether or not the dep is in-tree
176 pub fn from_str(s: &'a str) -> (Self, bool) {
177 let mut parts = s.split(' ');
178 let name = parts.next().unwrap();
179 let version = parts.next().unwrap();
180 let path = parts.next().unwrap();
182 let is_path_dep = path.starts_with("(path+");
184 (CrateVersion(name, version), is_path_dep)
187 pub fn id_str(&self) -> String {
188 format!("{} {}", self.0, self.1)
192 impl<'a> From<CrateVersion<'a>> for Crate<'a> {
193 fn from(cv: CrateVersion<'a>) -> Crate<'a> {
198 /// Checks the dependency at the given path. Changes `bad` to `true` if a check failed.
200 /// Specifically, this checks that the license is correct.
201 pub fn check(path: &Path, bad: &mut bool) {
203 let path = path.join("vendor");
204 assert!(path.exists(), "vendor directory missing");
205 let mut saw_dir = false;
206 for dir in t!(path.read_dir()) {
210 // skip our exceptions
211 if EXCEPTIONS.iter().any(|exception| {
215 .contains(&format!("src/vendor/{}", exception))
220 let toml = dir.path().join("Cargo.toml");
221 *bad = *bad || !check_license(&toml);
223 assert!(saw_dir, "no vendored source");
226 /// Checks the dependency of WHITELIST_CRATES at the given path. Changes `bad` to `true` if a check
229 /// Specifically, this checks that the dependencies are on the WHITELIST.
230 pub fn check_whitelist(path: &Path, cargo: &Path, bad: &mut bool) {
231 // Get dependencies from cargo metadata
232 let resolve = get_deps(path, cargo);
234 // Get the whitelist into a convenient form
235 let whitelist: HashSet<_> = WHITELIST.iter().cloned().collect();
237 // Check dependencies
238 let mut visited = BTreeSet::new();
239 let mut unapproved = BTreeSet::new();
240 for &krate in WHITELIST_CRATES.iter() {
241 let mut bad = check_crate_whitelist(&whitelist, &resolve, &mut visited, krate, false);
242 unapproved.append(&mut bad);
245 if unapproved.len() > 0 {
246 println!("Dependencies not on the whitelist:");
247 for dep in unapproved {
248 println!("* {}", dep.id_str());
253 check_crate_duplicate(&resolve, bad);
256 fn check_license(path: &Path) -> bool {
258 panic!("{} does not exist", path.display());
260 let mut contents = String::new();
261 t!(t!(File::open(path)).read_to_string(&mut contents));
263 let mut found_license = false;
264 for line in contents.lines() {
265 if !line.starts_with("license") {
268 let license = extract_license(line);
269 if !LICENSES.contains(&&*license) {
270 println!("invalid license {} in {}", license, path.display());
273 found_license = true;
277 println!("no license in {}", path.display());
284 fn extract_license(line: &str) -> String {
285 let first_quote = line.find('"');
286 let last_quote = line.rfind('"');
287 if let (Some(f), Some(l)) = (first_quote, last_quote) {
288 let license = &line[f + 1..l];
291 "bad-license-parse".into()
295 /// Get the dependencies of the crate at the given path using `cargo metadata`.
296 fn get_deps(path: &Path, cargo: &Path) -> Resolve {
297 // Run `cargo metadata` to get the set of dependencies
298 let output = Command::new(cargo)
300 .arg("--format-version")
302 .arg("--manifest-path")
303 .arg(path.join("Cargo.toml"))
305 .expect("Unable to run `cargo metadata`")
307 let output = String::from_utf8_lossy(&output);
308 let output: Output = serde_json::from_str(&output).unwrap();
313 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
314 /// the whitelist. Returns a list of illegal dependencies.
315 fn check_crate_whitelist<'a, 'b>(
316 whitelist: &'a HashSet<Crate>,
317 resolve: &'a Resolve,
318 visited: &'b mut BTreeSet<CrateVersion<'a>>,
319 krate: CrateVersion<'a>,
320 must_be_on_whitelist: bool,
321 ) -> BTreeSet<Crate<'a>> {
322 // Will contain bad deps
323 let mut unapproved = BTreeSet::new();
325 // Check if we have already visited this crate
326 if visited.contains(&krate) {
330 visited.insert(krate);
332 // If this path is in-tree, we don't require it to be on the whitelist
333 if must_be_on_whitelist {
334 // If this dependency is not on the WHITELIST, add to bad set
335 if !whitelist.contains(&krate.into()) {
336 unapproved.insert(krate.into());
340 // Do a DFS in the crate graph (it's a DAG, so we know we have no cycles!)
341 let to_check = resolve
344 .find(|n| n.id.starts_with(&krate.id_str()))
345 .expect("crate does not exist");
347 for dep in to_check.dependencies.iter() {
348 let (krate, is_path_dep) = CrateVersion::from_str(dep);
350 let mut bad = check_crate_whitelist(whitelist, resolve, visited, krate, !is_path_dep);
351 unapproved.append(&mut bad);
357 fn check_crate_duplicate(resolve: &Resolve, bad: &mut bool) {
358 const FORBIDDEN_TO_HAVE_DUPLICATES: &[&str] = &[
359 // These two crates take quite a long time to build, let's not let two
360 // versions of them accidentally sneak into our dependency graph to
361 // ensure we keep our CI times under control
362 // "cargo", // FIXME(#53005)
365 let mut name_to_id: HashMap<_, Vec<_>> = HashMap::new();
366 for node in resolve.nodes.iter() {
367 name_to_id.entry(node.id.split_whitespace().next().unwrap())
372 for name in FORBIDDEN_TO_HAVE_DUPLICATES {
373 if name_to_id[name].len() <= 1 {
376 println!("crate `{}` is duplicated in `Cargo.lock`", name);
377 for id in name_to_id[name].iter() {
378 println!(" * {}", id);