1 //! Checks the licenses of third-party dependencies by inspecting vendors.
3 use std::collections::{BTreeSet, HashMap, HashSet};
6 use std::process::Command;
8 use serde::Deserialize;
11 const LICENSES: &[&str] = &[
18 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
24 /// These are exceptions to Rust's permissive licensing policy, and
25 /// should be considered bugs. Exceptions are only allowed in Rust
26 /// tooling. It is _crucial_ that no exception crates be dependencies
27 /// of the Rust runtime (std/test).
28 const EXCEPTIONS: &[&str] = &[
29 "mdbook", // MPL2, mdbook
30 "openssl", // BSD+advertising clause, cargo, mdbook
31 "pest", // MPL2, mdbook via handlebars
32 "arrayref", // BSD-2-Clause, mdbook via handlebars via pest
33 "thread-id", // Apache-2.0, mdbook
34 "toml-query", // MPL-2.0, mdbook
35 "is-match", // MPL-2.0, mdbook
36 "cssparser", // MPL-2.0, rustdoc
37 "smallvec", // MPL-2.0, rustdoc
38 "rdrand", // ISC, mdbook, rustfmt
39 "fuchsia-cprng", // BSD-3-Clause, mdbook, rustfmt
40 "fuchsia-zircon-sys", // BSD-3-Clause, rustdoc, rustc, cargo
41 "fuchsia-zircon", // BSD-3-Clause, rustdoc, rustc, cargo (jobserver & tempdir)
42 "cssparser-macros", // MPL-2.0, rustdoc
43 "selectors", // MPL-2.0, rustdoc
44 "clippy_lints", // MPL-2.0, rls
45 "colored", // MPL-2.0, rustfmt
46 "ordslice", // Apache-2.0, rls
47 "cloudabi", // BSD-2-Clause, (rls -> crossbeam-channel 0.2 -> rand 0.5)
48 "ryu", // Apache-2.0, rls/cargo/... (because of serde)
49 "bytesize", // Apache-2.0, cargo
50 "im-rc", // MPL-2.0+, cargo
51 "adler32", // BSD-3-Clause AND Zlib, cargo dep that isn't used
52 "constant_time_eq", // CC0-1.0, rustfmt
53 "utf8parse", // Apache-2.0 OR MIT, cargo via strip-ansi-escapes
54 "vte", // Apache-2.0 OR MIT, cargo via strip-ansi-escapes
55 "sized-chunks", // MPL-2.0+, cargo via im-rc
56 "bitmaps", // MPL-2.0+, cargo via im-rc
57 // FIXME: this dependency violates the documentation comment above:
58 "fortanix-sgx-abi", // MPL-2.0+, libstd but only for `sgx` target
59 "dunce", // CC0-1.0 mdbook-linkcheck
60 "codespan-reporting", // Apache-2.0 mdbook-linkcheck
61 "codespan", // Apache-2.0 mdbook-linkcheck
62 "crossbeam-channel", // MIT/Apache-2.0 AND BSD-2-Clause, cargo
65 /// Which crates to check against the whitelist?
66 const WHITELIST_CRATES: &[CrateVersion<'_>] =
67 &[CrateVersion("rustc", "0.0.0"), CrateVersion("rustc_codegen_llvm", "0.0.0")];
69 /// Whitelist of crates rustc is allowed to depend on. Avoid adding to the list if possible.
70 const WHITELIST: &[Crate<'_>] = &[
72 Crate("aho-corasick"),
73 Crate("annotate-snippets"),
79 Crate("backtrace-sys"),
86 Crate("chalk-engine"),
87 Crate("chalk-macros"),
90 Crate("compiler_builtins"),
93 Crate("crossbeam-deque"),
94 Crate("crossbeam-epoch"),
95 Crate("crossbeam-queue"),
96 Crate("crossbeam-utils"),
104 Crate("fortanix-sgx-abi"),
105 Crate("fuchsia-zircon"),
106 Crate("fuchsia-zircon-sys"),
114 Crate("kernel32-sys"),
115 Crate("lazy_static"),
120 Crate("log_settings"),
126 Crate("miniz_oxide"),
127 Crate("miniz_oxide_c_api"),
131 Crate("parking_lot"),
132 Crate("parking_lot_core"),
134 Crate("polonius-engine"),
136 Crate("proc-macro2"),
138 Crate("quick-error"),
141 Crate("rand_chacha"),
146 Crate("rand_xorshift"),
147 Crate("redox_syscall"),
148 Crate("redox_termios"),
150 Crate("regex-syntax"),
151 Crate("remove_dir_all"),
152 Crate("rustc-demangle"),
154 Crate("rustc-rayon"),
155 Crate("rustc-rayon-core"),
156 Crate("rustc_version"),
160 Crate("semver-parser"),
162 Crate("serde_derive"),
164 Crate("stable_deref_trait"),
166 Crate("synstructure"),
172 Crate("thread_local"),
174 Crate("unicode-normalization"),
175 Crate("unicode-script"),
176 Crate("unicode-security"),
177 Crate("unicode-width"),
178 Crate("unicode-xid"),
179 Crate("unreachable"),
180 Crate("utf8-ranges"),
182 Crate("version_check"),
186 Crate("winapi-build"),
187 Crate("winapi-i686-pc-windows-gnu"),
188 Crate("winapi-util"),
189 Crate("winapi-x86_64-pc-windows-gnu"),
194 // Some types for Serde to deserialize the output of `cargo metadata` to.
196 #[derive(Deserialize)]
201 #[derive(Deserialize)]
203 nodes: Vec<ResolveNode>,
206 #[derive(Deserialize)]
209 dependencies: Vec<String>,
212 /// A unique identifier for a crate.
213 #[derive(Copy, Clone, PartialOrd, Ord, PartialEq, Eq, Debug, Hash)]
214 struct Crate<'a>(&'a str); // (name)
216 #[derive(Copy, Clone, PartialOrd, Ord, PartialEq, Eq, Debug, Hash)]
217 struct CrateVersion<'a>(&'a str, &'a str); // (name, version)
220 pub fn id_str(&self) -> String {
221 format!("{} ", self.0)
225 impl<'a> CrateVersion<'a> {
226 /// Returns the struct and whether or not the dependency is in-tree.
227 pub fn from_str(s: &'a str) -> (Self, bool) {
228 let mut parts = s.split(' ');
229 let name = parts.next().unwrap();
230 let version = parts.next().unwrap();
231 let path = parts.next().unwrap();
233 let is_path_dep = path.starts_with("(path+");
235 (CrateVersion(name, version), is_path_dep)
238 pub fn id_str(&self) -> String {
239 format!("{} {}", self.0, self.1)
243 impl<'a> From<CrateVersion<'a>> for Crate<'a> {
244 fn from(cv: CrateVersion<'a>) -> Crate<'a> {
249 /// Checks the dependency at the given path. Changes `bad` to `true` if a check failed.
251 /// Specifically, this checks that the license is correct.
252 pub fn check(path: &Path, bad: &mut bool) {
254 let path = path.join("../vendor");
255 assert!(path.exists(), "vendor directory missing");
256 let mut saw_dir = false;
257 for dir in t!(path.read_dir()) {
261 // Skip our exceptions.
262 let is_exception = EXCEPTIONS.iter().any(|exception| {
263 dir.path().to_str().unwrap().contains(&format!("vendor/{}", exception))
269 let toml = dir.path().join("Cargo.toml");
270 *bad = !check_license(&toml) || *bad;
272 assert!(saw_dir, "no vendored source");
275 /// Checks the dependency of `WHITELIST_CRATES` at the given path. Changes `bad` to `true` if a
278 /// Specifically, this checks that the dependencies are on the `WHITELIST`.
279 pub fn check_whitelist(path: &Path, cargo: &Path, bad: &mut bool) {
280 // Get dependencies from Cargo metadata.
281 let resolve = get_deps(path, cargo);
283 // Get the whitelist in a convenient form.
284 let whitelist: HashSet<_> = WHITELIST.iter().cloned().collect();
286 // Check dependencies.
287 let mut visited = BTreeSet::new();
288 let mut unapproved = BTreeSet::new();
289 for &krate in WHITELIST_CRATES.iter() {
290 let mut bad = check_crate_whitelist(&whitelist, &resolve, &mut visited, krate, false);
291 unapproved.append(&mut bad);
294 if !unapproved.is_empty() {
295 println!("Dependencies not on the whitelist:");
296 for dep in unapproved {
297 println!("* {}", dep.id_str());
302 check_crate_duplicate(&resolve, bad);
305 fn check_license(path: &Path) -> bool {
307 panic!("{} does not exist", path.display());
309 let contents = t!(fs::read_to_string(&path));
311 let mut found_license = false;
312 for line in contents.lines() {
313 if !line.starts_with("license") {
316 let license = extract_license(line);
317 if !LICENSES.contains(&&*license) {
318 println!("invalid license {} in {}", license, path.display());
321 found_license = true;
325 println!("no license in {}", path.display());
332 fn extract_license(line: &str) -> String {
333 let first_quote = line.find('"');
334 let last_quote = line.rfind('"');
335 if let (Some(f), Some(l)) = (first_quote, last_quote) {
336 let license = &line[f + 1..l];
339 "bad-license-parse".into()
343 /// Gets the dependencies of the crate at the given path using `cargo metadata`.
344 fn get_deps(path: &Path, cargo: &Path) -> Resolve {
345 // Run `cargo metadata` to get the set of dependencies.
346 let output = Command::new(cargo)
348 .arg("--format-version")
350 .arg("--manifest-path")
351 .arg(path.join("../Cargo.toml"))
353 .expect("Unable to run `cargo metadata`")
355 let output = String::from_utf8_lossy(&output);
356 let output: Output = serde_json::from_str(&output).unwrap();
361 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
362 /// the whitelist. Returns a list of illegal dependencies.
363 fn check_crate_whitelist<'a>(
364 whitelist: &'a HashSet<Crate<'_>>,
365 resolve: &'a Resolve,
366 visited: &mut BTreeSet<CrateVersion<'a>>,
367 krate: CrateVersion<'a>,
368 must_be_on_whitelist: bool,
369 ) -> BTreeSet<Crate<'a>> {
370 // This will contain bad deps.
371 let mut unapproved = BTreeSet::new();
373 // Check if we have already visited this crate.
374 if visited.contains(&krate) {
378 visited.insert(krate);
380 // If this path is in-tree, we don't require it to be on the whitelist.
381 if must_be_on_whitelist {
382 // If this dependency is not on `WHITELIST`, add to bad set.
383 if !whitelist.contains(&krate.into()) {
384 unapproved.insert(krate.into());
388 // Do a DFS in the crate graph (it's a DAG, so we know we have no cycles!).
389 let to_check = resolve
392 .find(|n| n.id.starts_with(&krate.id_str()))
393 .expect("crate does not exist");
395 for dep in to_check.dependencies.iter() {
396 let (krate, is_path_dep) = CrateVersion::from_str(dep);
398 let mut bad = check_crate_whitelist(whitelist, resolve, visited, krate, !is_path_dep);
399 unapproved.append(&mut bad);
405 fn check_crate_duplicate(resolve: &Resolve, bad: &mut bool) {
406 const FORBIDDEN_TO_HAVE_DUPLICATES: &[&str] = &[
407 // These two crates take quite a long time to build, so don't allow two versions of them
408 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
413 let mut name_to_id: HashMap<_, Vec<_>> = HashMap::new();
414 for node in resolve.nodes.iter() {
415 name_to_id.entry(node.id.split_whitespace().next().unwrap()).or_default().push(&node.id);
418 for name in FORBIDDEN_TO_HAVE_DUPLICATES {
419 if name_to_id[name].len() <= 1 {
422 println!("crate `{}` is duplicated in `Cargo.lock`", name);
423 for id in name_to_id[name].iter() {
424 println!(" * {}", id);