1 //! Checks the licenses of third-party dependencies.
3 use cargo_metadata
::{Metadata, Package, PackageId, Resolve}
;
4 use std
::collections
::{BTreeSet, HashSet}
;
7 /// These are licenses that are allowed for all crates, including the runtime,
9 const LICENSES
: &[&str] = &[
16 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
21 "0BSD OR MIT OR Apache-2.0", // adler license
22 "Zlib OR Apache-2.0 OR MIT", // tinyvec
25 /// These are exceptions to Rust's permissive licensing policy, and
26 /// should be considered bugs. Exceptions are only allowed in Rust
27 /// tooling. It is _crucial_ that no exception crates be dependencies
28 /// of the Rust runtime (std/test).
29 const EXCEPTIONS
: &[(&str, &str)] = &[
30 ("mdbook", "MPL-2.0"), // mdbook
31 ("openssl", "Apache-2.0"), // cargo, mdbook
32 ("colored", "MPL-2.0"), // rustfmt
33 ("ordslice", "Apache-2.0"), // rls
34 ("ryu", "Apache-2.0 OR BSL-1.0"), // rls/cargo/... (because of serde)
35 ("bytesize", "Apache-2.0"), // cargo
36 ("im-rc", "MPL-2.0+"), // cargo
37 ("sized-chunks", "MPL-2.0+"), // cargo via im-rc
38 ("bitmaps", "MPL-2.0+"), // cargo via im-rc
39 ("instant", "BSD-3-Clause"), // rustc_driver/tracing-subscriber/parking_lot
40 ("snap", "BSD-3-Clause"), // rustc
41 // FIXME: this dependency violates the documentation comment above:
42 ("fortanix-sgx-abi", "MPL-2.0"), // libstd but only for `sgx` target
45 const EXCEPTIONS_CRANELIFT
: &[(&str, &str)] = &[
46 ("cranelift-bforest", "Apache-2.0 WITH LLVM-exception"),
47 ("cranelift-codegen", "Apache-2.0 WITH LLVM-exception"),
48 ("cranelift-codegen-meta", "Apache-2.0 WITH LLVM-exception"),
49 ("cranelift-codegen-shared", "Apache-2.0 WITH LLVM-exception"),
50 ("cranelift-entity", "Apache-2.0 WITH LLVM-exception"),
51 ("cranelift-frontend", "Apache-2.0 WITH LLVM-exception"),
52 ("cranelift-jit", "Apache-2.0 WITH LLVM-exception"),
53 ("cranelift-module", "Apache-2.0 WITH LLVM-exception"),
54 ("cranelift-native", "Apache-2.0 WITH LLVM-exception"),
55 ("cranelift-object", "Apache-2.0 WITH LLVM-exception"),
56 ("mach", "BSD-2-Clause"),
57 ("regalloc", "Apache-2.0 WITH LLVM-exception"),
58 ("target-lexicon", "Apache-2.0 WITH LLVM-exception"),
61 /// These are the root crates that are part of the runtime. The licenses for
62 /// these and all their dependencies *must not* be in the exception list.
63 const RUNTIME_CRATES
: &[&str] = &["std", "core", "alloc", "test", "panic_abort", "panic_unwind"];
65 /// Crates whose dependencies must be explicitly permitted.
66 const RESTRICTED_DEPENDENCY_CRATES
: &[&str] = &["rustc_driver", "rustc_codegen_llvm"];
68 /// Crates rustc is allowed to depend on. Avoid adding to the list if possible.
70 /// This list is here to provide a speed-bump to adding a new dependency to
71 /// rustc. Please check with the compiler team before adding an entry.
72 const PERMITTED_DEPENDENCIES
: &[&str] = &[
112 "fallible-iterator", // dependency of `thorin`
154 "perf-event-open-sys",
196 "stable_deref_trait",
208 "tracing-attributes",
211 "tracing-subscriber",
214 "unic-char-property",
219 "unicode-normalization",
228 "winapi-i686-pc-windows-gnu",
230 "winapi-x86_64-pc-windows-gnu",
231 // this is a false-positive: it's only used by rustfmt, but because it's enabled through a feature, tidy thinks it's used by rustc as well.
235 const PERMITTED_CRANELIFT_DEPENDENCIES
: &[&str] = &[
243 "cranelift-codegen-meta",
244 "cranelift-codegen-shared",
246 "cranelift-frontend",
268 "winapi-i686-pc-windows-gnu",
269 "winapi-x86_64-pc-windows-gnu",
272 const FORBIDDEN_TO_HAVE_DUPLICATES
: &[&str] = &[
273 // These two crates take quite a long time to build, so don't allow two versions of them
274 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
279 /// Dependency checks.
281 /// `root` is path to the directory with the root `Cargo.toml` (for the workspace). `cargo` is path
282 /// to the cargo executable.
283 pub fn check(root
: &Path
, cargo
: &Path
, bad
: &mut bool
) {
284 let mut cmd
= cargo_metadata
::MetadataCommand
::new();
285 cmd
.cargo_path(cargo
)
286 .manifest_path(root
.join("Cargo.toml"))
287 .features(cargo_metadata
::CargoOpt
::AllFeatures
);
288 let metadata
= t
!(cmd
.exec());
289 let runtime_ids
= compute_runtime_crates(&metadata
);
290 check_exceptions(&metadata
, EXCEPTIONS
, runtime_ids
, bad
);
291 check_dependencies(&metadata
, PERMITTED_DEPENDENCIES
, RESTRICTED_DEPENDENCY_CRATES
, bad
);
292 check_crate_duplicate(&metadata
, FORBIDDEN_TO_HAVE_DUPLICATES
, bad
);
293 check_rustfix(&metadata
, bad
);
295 // Check rustc_codegen_cranelift independently as it has it's own workspace.
296 let mut cmd
= cargo_metadata
::MetadataCommand
::new();
297 cmd
.cargo_path(cargo
)
298 .manifest_path(root
.join("compiler/rustc_codegen_cranelift/Cargo.toml"))
299 .features(cargo_metadata
::CargoOpt
::AllFeatures
);
300 let metadata
= t
!(cmd
.exec());
301 let runtime_ids
= HashSet
::new();
302 check_exceptions(&metadata
, EXCEPTIONS_CRANELIFT
, runtime_ids
, bad
);
305 PERMITTED_CRANELIFT_DEPENDENCIES
,
306 &["rustc_codegen_cranelift"],
309 check_crate_duplicate(&metadata
, &[], bad
);
312 /// Check that all licenses are in the valid list in `LICENSES`.
314 /// Packages listed in `EXCEPTIONS` are allowed for tools.
317 exceptions
: &[(&str, &str)],
318 runtime_ids
: HashSet
<&PackageId
>,
321 // Validate the EXCEPTIONS list hasn't changed.
322 for (name
, license
) in exceptions
{
323 // Check that the package actually exists.
324 if !metadata
.packages
.iter().any(|p
| p
.name
== *name
) {
327 "could not find exception package `{}`\n\
328 Remove from EXCEPTIONS list if it is no longer used.",
332 // Check that the license hasn't changed.
333 for pkg
in metadata
.packages
.iter().filter(|p
| p
.name
== *name
) {
338 "dependency exception `{}` does not declare a license expression",
342 Some(pkg_license
) => {
343 if pkg_license
.as_str() != *license
{
344 println
!("dependency exception `{name}` license has changed");
345 println
!(" previously `{license}` now `{pkg_license}`");
346 println
!(" update EXCEPTIONS for the new license");
354 let exception_names
: Vec
<_
> = exceptions
.iter().map(|(name
, _license
)| *name
).collect();
356 // Check if any package does not have a valid license.
357 for pkg
in &metadata
.packages
{
358 if pkg
.source
.is_none() {
359 // No need to check local packages.
362 if !runtime_ids
.contains(&pkg
.id
) && exception_names
.contains(&pkg
.name
.as_str()) {
365 let license
= match &pkg
.license
{
366 Some(license
) => license
,
368 tidy_error
!(bad
, "dependency `{}` does not define a license expression", pkg
.id
);
372 if !LICENSES
.contains(&license
.as_str()) {
373 if pkg
.name
== "fortanix-sgx-abi" {
374 // This is a specific exception because SGX is considered
375 // "third party". See
376 // https://github.com/rust-lang/rust/issues/62620 for more. In
377 // general, these should never be added.
380 tidy_error
!(bad
, "invalid license `{}` in `{}`", license
, pkg
.id
);
385 /// Checks the dependency of `RESTRICTED_DEPENDENCY_CRATES` at the given path. Changes `bad` to
386 /// `true` if a check failed.
388 /// Specifically, this checks that the dependencies are on the `PERMITTED_DEPENDENCIES`.
389 fn check_dependencies(
391 permitted_dependencies
: &[&'
static str],
392 restricted_dependency_crates
: &[&'
static str],
395 // Check that the PERMITTED_DEPENDENCIES does not have unused entries.
396 for name
in permitted_dependencies
{
397 if !metadata
.packages
.iter().any(|p
| p
.name
== *name
) {
400 "could not find allowed package `{}`\n\
401 Remove from PERMITTED_DEPENDENCIES list if it is no longer used.",
406 // Get the list in a convenient form.
407 let permitted_dependencies
: HashSet
<_
> = permitted_dependencies
.iter().cloned().collect();
409 // Check dependencies.
410 let mut visited
= BTreeSet
::new();
411 let mut unapproved
= BTreeSet
::new();
412 for &krate
in restricted_dependency_crates
.iter() {
413 let pkg
= pkg_from_name(metadata
, krate
);
415 check_crate_dependencies(&permitted_dependencies
, metadata
, &mut visited
, pkg
);
416 unapproved
.append(&mut bad
);
419 if !unapproved
.is_empty() {
420 tidy_error
!(bad
, "Dependencies not explicitly permitted:");
421 for dep
in unapproved
{
427 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
428 /// the list of permitted dependencies. Returns a list of disallowed dependencies.
429 fn check_crate_dependencies
<'a
>(
430 permitted_dependencies
: &'a HashSet
<&'
static str>,
431 metadata
: &'a Metadata
,
432 visited
: &mut BTreeSet
<&'a PackageId
>,
434 ) -> BTreeSet
<&'a PackageId
> {
435 // This will contain bad deps.
436 let mut unapproved
= BTreeSet
::new();
438 // Check if we have already visited this crate.
439 if visited
.contains(&krate
.id
) {
443 visited
.insert(&krate
.id
);
445 // If this path is in-tree, we don't require it to be explicitly permitted.
446 if krate
.source
.is_some() {
447 // If this dependency is not on `PERMITTED_DEPENDENCIES`, add to bad set.
448 if !permitted_dependencies
.contains(krate
.name
.as_str()) {
449 unapproved
.insert(&krate
.id
);
453 // Do a DFS in the crate graph.
454 let to_check
= deps_of(metadata
, &krate
.id
);
456 for dep
in to_check
{
457 let mut bad
= check_crate_dependencies(permitted_dependencies
, metadata
, visited
, dep
);
458 unapproved
.append(&mut bad
);
464 /// Prevents multiple versions of some expensive crates.
465 fn check_crate_duplicate(
467 forbidden_to_have_duplicates
: &[&str],
470 for &name
in forbidden_to_have_duplicates
{
471 let matches
: Vec
<_
> = metadata
.packages
.iter().filter(|pkg
| pkg
.name
== name
).collect();
472 match matches
.len() {
476 "crate `{}` is missing, update `check_crate_duplicate` \
477 if it is no longer used",
485 "crate `{}` is duplicated in `Cargo.lock`, \
486 it is too expensive to build multiple times, \
487 so make sure only one version appears across all dependencies",
491 println
!(" * {}", pkg
.id
);
498 /// Returns a list of dependencies for the given package.
499 fn deps_of
<'a
>(metadata
: &'a Metadata
, pkg_id
: &'a PackageId
) -> Vec
<&'a Package
> {
500 let resolve
= metadata
.resolve
.as_ref().unwrap();
504 .find(|n
| &n
.id
== pkg_id
)
505 .unwrap_or_else(|| panic
!("could not find `{pkg_id}` in resolve"));
509 metadata
.packages
.iter().find(|pkg
| pkg
.id
== dep
.pkg
).unwrap_or_else(|| {
510 panic
!("could not find dep `{}` for pkg `{}` in resolve", dep
.pkg
, pkg_id
)
516 /// Finds a package with the given name.
517 fn pkg_from_name
<'a
>(metadata
: &'a Metadata
, name
: &'
static str) -> &'a Package
{
518 let mut i
= metadata
.packages
.iter().filter(|p
| p
.name
== name
);
520 i
.next().unwrap_or_else(|| panic
!("could not find package `{name}` in package list"));
521 assert
!(i
.next().is_none(), "more than one package found for `{name}`");
525 /// Finds all the packages that are in the rust runtime.
526 fn compute_runtime_crates
<'a
>(metadata
: &'a Metadata
) -> HashSet
<&'a PackageId
> {
527 let resolve
= metadata
.resolve
.as_ref().unwrap();
528 let mut result
= HashSet
::new();
529 for name
in RUNTIME_CRATES
{
530 let id
= &pkg_from_name(metadata
, name
).id
;
531 normal_deps_of_r(resolve
, id
, &mut result
);
536 /// Recursively find all normal dependencies.
537 fn normal_deps_of_r
<'a
>(
538 resolve
: &'a Resolve
,
539 pkg_id
: &'a PackageId
,
540 result
: &mut HashSet
<&'a PackageId
>,
542 if !result
.insert(pkg_id
) {
548 .find(|n
| &n
.id
== pkg_id
)
549 .unwrap_or_else(|| panic
!("could not find `{pkg_id}` in resolve"));
550 for dep
in &node
.deps
{
551 normal_deps_of_r(resolve
, &dep
.pkg
, result
);
555 fn check_rustfix(metadata
: &Metadata
, bad
: &mut bool
) {
556 let cargo
= pkg_from_name(metadata
, "cargo");
557 let compiletest
= pkg_from_name(metadata
, "compiletest");
558 let cargo_deps
= deps_of(metadata
, &cargo
.id
);
559 let compiletest_deps
= deps_of(metadata
, &compiletest
.id
);
560 let cargo_rustfix
= cargo_deps
.iter().find(|p
| p
.name
== "rustfix").unwrap();
561 let compiletest_rustfix
= compiletest_deps
.iter().find(|p
| p
.name
== "rustfix").unwrap();
562 if cargo_rustfix
.version
!= compiletest_rustfix
.version
{
565 "cargo's rustfix version {} does not match compiletest's rustfix version {}\n\
566 rustfix should be kept in sync, update the cargo side first, and then update \
567 compiletest along with cargo.",
568 cargo_rustfix
.version
,
569 compiletest_rustfix
.version