1 //! Checks the licenses of third-party dependencies.
3 use cargo_metadata::{Metadata, Package, PackageId, Resolve};
4 use std::collections::{BTreeSet, HashSet};
7 /// These are licenses that are allowed for all crates, including the runtime,
9 const LICENSES: &[&str] = &[
16 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
20 "0BSD OR MIT OR Apache-2.0", // adler license
21 "Zlib OR Apache-2.0 OR MIT", // tinyvec
24 /// These are exceptions to Rust's permissive licensing policy, and
25 /// should be considered bugs. Exceptions are only allowed in Rust
26 /// tooling. It is _crucial_ that no exception crates be dependencies
27 /// of the Rust runtime (std/test).
28 const EXCEPTIONS: &[(&str, &str)] = &[
29 ("mdbook", "MPL-2.0"), // mdbook
30 ("openssl", "Apache-2.0"), // cargo, mdbook
31 ("fuchsia-zircon-sys", "BSD-3-Clause"), // rustdoc, rustc, cargo
32 ("fuchsia-zircon", "BSD-3-Clause"), // rustdoc, rustc, cargo (jobserver & tempdir)
33 ("colored", "MPL-2.0"), // rustfmt
34 ("ordslice", "Apache-2.0"), // rls
35 ("ryu", "Apache-2.0 OR BSL-1.0"), // rls/cargo/... (because of serde)
36 ("bytesize", "Apache-2.0"), // cargo
37 ("im-rc", "MPL-2.0+"), // cargo
38 ("constant_time_eq", "CC0-1.0"), // rustfmt
39 ("sized-chunks", "MPL-2.0+"), // cargo via im-rc
40 ("bitmaps", "MPL-2.0+"), // cargo via im-rc
41 ("crossbeam-queue", "MIT/Apache-2.0 AND BSD-2-Clause"), // rls via rayon
42 ("arrayref", "BSD-2-Clause"), // cargo-miri/directories/.../rust-argon2 (redox)
43 ("instant", "BSD-3-Clause"), // rustc_driver/tracing-subscriber/parking_lot
44 ("snap", "BSD-3-Clause"), // rustc
45 // FIXME: this dependency violates the documentation comment above:
46 ("fortanix-sgx-abi", "MPL-2.0"), // libstd but only for `sgx` target
49 /// These are the root crates that are part of the runtime. The licenses for
50 /// these and all their dependencies *must not* be in the exception list.
51 const RUNTIME_CRATES: &[&str] = &["std", "core", "alloc", "test", "panic_abort", "panic_unwind"];
53 /// Crates whose dependencies must be explicitly permitted.
54 const RESTRICTED_DEPENDENCY_CRATES: &[&str] = &["rustc_middle", "rustc_codegen_llvm"];
56 /// Crates rustc is allowed to depend on. Avoid adding to the list if possible.
58 /// This list is here to provide a speed-bump to adding a new dependency to
59 /// rustc. Please check with the compiler team before adding an entry.
60 const PERMITTED_DEPENDENCIES: &[&str] = &[
100 "fuchsia-zircon-sys",
134 "perf-event-open-sys",
169 "stable_deref_trait",
178 "tracing-attributes",
181 "unicode-normalization",
191 "winapi-i686-pc-windows-gnu",
193 "winapi-x86_64-pc-windows-gnu",
196 /// Dependency checks.
198 /// `root` is path to the directory with the root `Cargo.toml` (for the workspace). `cargo` is path
199 /// to the cargo executable.
200 pub fn check(root: &Path, cargo: &Path, bad: &mut bool) {
201 let mut cmd = cargo_metadata::MetadataCommand::new();
202 cmd.cargo_path(cargo)
203 .manifest_path(root.join("Cargo.toml"))
204 .features(cargo_metadata::CargoOpt::AllFeatures);
205 let metadata = t!(cmd.exec());
206 check_exceptions(&metadata, bad);
207 check_dependencies(&metadata, bad);
208 check_crate_duplicate(&metadata, bad);
211 /// Check that all licenses are in the valid list in `LICENSES`.
213 /// Packages listed in `EXCEPTIONS` are allowed for tools.
214 fn check_exceptions(metadata: &Metadata, bad: &mut bool) {
215 // Validate the EXCEPTIONS list hasn't changed.
216 for (name, license) in EXCEPTIONS {
217 // Check that the package actually exists.
218 if !metadata.packages.iter().any(|p| p.name == *name) {
221 "could not find exception package `{}`\n\
222 Remove from EXCEPTIONS list if it is no longer used.",
226 // Check that the license hasn't changed.
227 for pkg in metadata.packages.iter().filter(|p| p.name == *name) {
228 if pkg.name == "fuchsia-cprng" {
229 // This package doesn't declare a license expression. Manual
230 // inspection of the license file is necessary, which appears
231 // to be BSD-3-Clause.
232 assert!(pkg.license.is_none());
239 "dependency exception `{}` does not declare a license expression",
243 Some(pkg_license) => {
244 if pkg_license.as_str() != *license {
245 if *name == "crossbeam-queue"
246 && *license == "MIT/Apache-2.0 AND BSD-2-Clause"
248 // We have two versions of crossbeam-queue and both
253 println!("dependency exception `{}` license has changed", name);
254 println!(" previously `{}` now `{}`", license, pkg_license);
255 println!(" update EXCEPTIONS for the new license");
263 let exception_names: Vec<_> = EXCEPTIONS.iter().map(|(name, _license)| *name).collect();
264 let runtime_ids = compute_runtime_crates(metadata);
266 // Check if any package does not have a valid license.
267 for pkg in &metadata.packages {
268 if pkg.source.is_none() {
269 // No need to check local packages.
272 if !runtime_ids.contains(&pkg.id) && exception_names.contains(&pkg.name.as_str()) {
275 let license = match &pkg.license {
276 Some(license) => license,
278 tidy_error!(bad, "dependency `{}` does not define a license expression", pkg.id);
282 if !LICENSES.contains(&license.as_str()) {
283 if pkg.name == "fortanix-sgx-abi" {
284 // This is a specific exception because SGX is considered
285 // "third party". See
286 // https://github.com/rust-lang/rust/issues/62620 for more. In
287 // general, these should never be added.
290 tidy_error!(bad, "invalid license `{}` in `{}`", license, pkg.id);
295 /// Checks the dependency of `RESTRICTED_DEPENDENCY_CRATES` at the given path. Changes `bad` to
296 /// `true` if a check failed.
298 /// Specifically, this checks that the dependencies are on the `PERMITTED_DEPENDENCIES`.
299 fn check_dependencies(metadata: &Metadata, bad: &mut bool) {
300 // Check that the PERMITTED_DEPENDENCIES does not have unused entries.
301 for name in PERMITTED_DEPENDENCIES {
302 if !metadata.packages.iter().any(|p| p.name == *name) {
305 "could not find allowed package `{}`\n\
306 Remove from PERMITTED_DEPENDENCIES list if it is no longer used.",
311 // Get the list in a convenient form.
312 let permitted_dependencies: HashSet<_> = PERMITTED_DEPENDENCIES.iter().cloned().collect();
314 // Check dependencies.
315 let mut visited = BTreeSet::new();
316 let mut unapproved = BTreeSet::new();
317 for &krate in RESTRICTED_DEPENDENCY_CRATES.iter() {
318 let pkg = pkg_from_name(metadata, krate);
320 check_crate_dependencies(&permitted_dependencies, metadata, &mut visited, pkg);
321 unapproved.append(&mut bad);
324 if !unapproved.is_empty() {
325 tidy_error!(bad, "Dependencies not explicitly permitted:");
326 for dep in unapproved {
327 println!("* {}", dep);
332 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
333 /// the list of permitted dependencies. Returns a list of disallowed dependencies.
334 fn check_crate_dependencies<'a>(
335 permitted_dependencies: &'a HashSet<&'static str>,
336 metadata: &'a Metadata,
337 visited: &mut BTreeSet<&'a PackageId>,
339 ) -> BTreeSet<&'a PackageId> {
340 // This will contain bad deps.
341 let mut unapproved = BTreeSet::new();
343 // Check if we have already visited this crate.
344 if visited.contains(&krate.id) {
348 visited.insert(&krate.id);
350 // If this path is in-tree, we don't require it to be explicitly permitted.
351 if krate.source.is_some() {
352 // If this dependency is not on `PERMITTED_DEPENDENCIES`, add to bad set.
353 if !permitted_dependencies.contains(krate.name.as_str()) {
354 unapproved.insert(&krate.id);
358 // Do a DFS in the crate graph.
359 let to_check = deps_of(metadata, &krate.id);
361 for dep in to_check {
362 let mut bad = check_crate_dependencies(permitted_dependencies, metadata, visited, dep);
363 unapproved.append(&mut bad);
369 /// Prevents multiple versions of some expensive crates.
370 fn check_crate_duplicate(metadata: &Metadata, bad: &mut bool) {
371 const FORBIDDEN_TO_HAVE_DUPLICATES: &[&str] = &[
372 // These two crates take quite a long time to build, so don't allow two versions of them
373 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
376 "rustc-ap-rustc_ast",
379 for &name in FORBIDDEN_TO_HAVE_DUPLICATES {
380 let matches: Vec<_> = metadata.packages.iter().filter(|pkg| pkg.name == name).collect();
381 match matches.len() {
385 "crate `{}` is missing, update `check_crate_duplicate` \
386 if it is no longer used",
394 "crate `{}` is duplicated in `Cargo.lock`, \
395 it is too expensive to build multiple times, \
396 so make sure only one version appears across all dependencies",
400 println!(" * {}", pkg.id);
407 /// Returns a list of dependencies for the given package.
408 fn deps_of<'a>(metadata: &'a Metadata, pkg_id: &'a PackageId) -> Vec<&'a Package> {
409 let resolve = metadata.resolve.as_ref().unwrap();
413 .find(|n| &n.id == pkg_id)
414 .unwrap_or_else(|| panic!("could not find `{}` in resolve", pkg_id));
418 metadata.packages.iter().find(|pkg| pkg.id == dep.pkg).unwrap_or_else(|| {
419 panic!("could not find dep `{}` for pkg `{}` in resolve", dep.pkg, pkg_id)
425 /// Finds a package with the given name.
426 fn pkg_from_name<'a>(metadata: &'a Metadata, name: &'static str) -> &'a Package {
427 let mut i = metadata.packages.iter().filter(|p| p.name == name);
429 i.next().unwrap_or_else(|| panic!("could not find package `{}` in package list", name));
430 assert!(i.next().is_none(), "more than one package found for `{}`", name);
434 /// Finds all the packages that are in the rust runtime.
435 fn compute_runtime_crates<'a>(metadata: &'a Metadata) -> HashSet<&'a PackageId> {
436 let resolve = metadata.resolve.as_ref().unwrap();
437 let mut result = HashSet::new();
438 for name in RUNTIME_CRATES {
439 let id = &pkg_from_name(metadata, name).id;
440 normal_deps_of_r(resolve, id, &mut result);
445 /// Recursively find all normal dependencies.
446 fn normal_deps_of_r<'a>(
447 resolve: &'a Resolve,
448 pkg_id: &'a PackageId,
449 result: &mut HashSet<&'a PackageId>,
451 if !result.insert(pkg_id) {
457 .find(|n| &n.id == pkg_id)
458 .unwrap_or_else(|| panic!("could not find `{}` in resolve", pkg_id));
459 // Don't care about dev-dependencies.
460 // Build dependencies *shouldn't* matter unless they do some kind of
461 // codegen. For now we'll assume they don't.
462 let deps = node.deps.iter().filter(|node_dep| {
466 .any(|kind_info| kind_info.kind == cargo_metadata::DependencyKind::Normal)
469 normal_deps_of_r(resolve, &dep.pkg, result);