Denying Dependencies
Sometimes, you really don't want to accidentally include some GPL code (and suffer the viral consequences of the license). Or you may want to apply other licensing restrictions---depending upon your company's legal department.
The cargo deny tool can help with this. You can install it with cargo install cargo-deny.
Initial Setup
Setup with cargo deny init. This will make a (huge) deny.toml file that you can use to set your policies. Let's allow crates that didn't remember to specify a license (not a great idea), and specifically deny GPL:
[licenses]
# The lint level for crates which do not have a detectable license
unlicensed = "allow"
# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
#"MIT",
#"Apache-2.0",
#"Apache-2.0 WITH LLVM-exception",
]
# List of explicitly disallowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
deny = [
#"Nokia",
"GPL-1.0",
"GPL-2.0",
]
# Lint level for licenses considered copyleft
copyleft = "warn"
Checking Licenses
cargo deny check licenses will scan your entire workspace for licenses. With any luck, you'll see licenses ok. Revert unlicensed to deny, and you'll discover that rustnr forgot to specify a license. Wait! That's me! I didn't specify a license in the top-level of this project. Generally, you want to include a license= clause for your project licenses---unless you don't want one.
Other Checks
Cargo Deny can also check:
- You can use
cargo deny check bansto check for features or dependencies you've decided to ban. cargo deny check advisorieswill duplicate the functionality ofcargo auditand check for CVEs. I do recommendcargo auditfor CI use, it's a lot slimmer.cargo deny check sourcesallows you to ban importing code from specific sources.