1 //! Checks the licenses of third-party dependencies.
3 use cargo_metadata
::{DepKindInfo, Metadata, Package, PackageId}
;
4 use std
::collections
::HashSet
;
7 /// These are licenses that are allowed for all crates, including the runtime,
9 const LICENSES
: &[&str] = &[
16 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
21 "0BSD OR MIT OR Apache-2.0", // adler license
22 "Zlib OR Apache-2.0 OR MIT", // tinyvec
23 "MIT OR Apache-2.0 OR Zlib", // tinyvec_macros
24 "MIT OR Zlib OR Apache-2.0", // miniz_oxide
25 "(MIT OR Apache-2.0) AND Unicode-DFS-2016", // unicode_ident
26 "Unicode-DFS-2016", // tinystr and icu4x
29 /// These are exceptions to Rust's permissive licensing policy, and
30 /// should be considered bugs. Exceptions are only allowed in Rust
31 /// tooling. It is _crucial_ that no exception crates be dependencies
32 /// of the Rust runtime (std/test).
33 const EXCEPTIONS
: &[(&str, &str)] = &[
34 ("ar_archive_writer", "Apache-2.0 WITH LLVM-exception"), // rustc
35 ("mdbook", "MPL-2.0"), // mdbook
36 ("openssl", "Apache-2.0"), // cargo, mdbook
37 ("colored", "MPL-2.0"), // rustfmt
38 ("ryu", "Apache-2.0 OR BSL-1.0"), // cargo/... (because of serde)
39 ("bytesize", "Apache-2.0"), // cargo
40 ("im-rc", "MPL-2.0+"), // cargo
41 ("sized-chunks", "MPL-2.0+"), // cargo via im-rc
42 ("bitmaps", "MPL-2.0+"), // cargo via im-rc
43 ("fiat-crypto", "MIT OR Apache-2.0 OR BSD-1-Clause"), // cargo via pasetors
44 ("subtle", "BSD-3-Clause"), // cargo via pasetors
45 ("instant", "BSD-3-Clause"), // rustc_driver/tracing-subscriber/parking_lot
46 ("snap", "BSD-3-Clause"), // rustc
47 ("fluent-langneg", "Apache-2.0"), // rustc (fluent translations)
48 ("self_cell", "Apache-2.0"), // rustc (fluent translations)
49 // FIXME: this dependency violates the documentation comment above:
50 ("fortanix-sgx-abi", "MPL-2.0"), // libstd but only for `sgx` target
51 ("dunce", "CC0-1.0"), // cargo (dev dependency)
52 ("similar", "Apache-2.0"), // cargo (dev dependency)
53 ("normalize-line-endings", "Apache-2.0"), // cargo (dev dependency)
54 ("dissimilar", "Apache-2.0"), // rustdoc, rustc_lexer (few tests) via expect-test, (dev deps)
57 const EXCEPTIONS_CRANELIFT
: &[(&str, &str)] = &[
58 ("cranelift-bforest", "Apache-2.0 WITH LLVM-exception"),
59 ("cranelift-codegen", "Apache-2.0 WITH LLVM-exception"),
60 ("cranelift-codegen-meta", "Apache-2.0 WITH LLVM-exception"),
61 ("cranelift-codegen-shared", "Apache-2.0 WITH LLVM-exception"),
62 ("cranelift-egraph", "Apache-2.0 WITH LLVM-exception"),
63 ("cranelift-entity", "Apache-2.0 WITH LLVM-exception"),
64 ("cranelift-frontend", "Apache-2.0 WITH LLVM-exception"),
65 ("cranelift-isle", "Apache-2.0 WITH LLVM-exception"),
66 ("cranelift-jit", "Apache-2.0 WITH LLVM-exception"),
67 ("cranelift-module", "Apache-2.0 WITH LLVM-exception"),
68 ("cranelift-native", "Apache-2.0 WITH LLVM-exception"),
69 ("cranelift-object", "Apache-2.0 WITH LLVM-exception"),
70 ("mach", "BSD-2-Clause"),
71 ("regalloc2", "Apache-2.0 WITH LLVM-exception"),
72 ("target-lexicon", "Apache-2.0 WITH LLVM-exception"),
73 ("wasmtime-jit-icache-coherence", "Apache-2.0 WITH LLVM-exception"),
76 const EXCEPTIONS_BOOTSTRAP
: &[(&str, &str)] = &[
77 ("ryu", "Apache-2.0 OR BSL-1.0"), // through serde
80 /// These are the root crates that are part of the runtime. The licenses for
81 /// these and all their dependencies *must not* be in the exception list.
82 const RUNTIME_CRATES
: &[&str] = &["std", "core", "alloc", "test", "panic_abort", "panic_unwind"];
84 /// Crates rustc is allowed to depend on. Avoid adding to the list if possible.
86 /// This list is here to provide a speed-bump to adding a new dependency to
87 /// rustc. Please check with the compiler team before adding an entry.
88 const PERMITTED_RUSTC_DEPENDENCIES
: &[&str] = &[
107 "convert_case", // dependency of derive_more
126 "fallible-iterator", // dependency of `thorin`
144 "icu_provider_adapters",
145 "icu_provider_macros",
174 "perf-event-open-sys",
215 "stable_deref_trait",
218 "subtle", // dependency of cargo (via pasetors)
233 "tracing-attributes",
236 "tracing-subscriber",
241 "unic-char-property",
247 "unic-langid-macros",
248 "unic-langid-macros-impl",
251 "unicode-normalization",
261 "winapi-i686-pc-windows-gnu",
263 "winapi-x86_64-pc-windows-gnu",
265 // this is a false-positive: it's only used by rustfmt, but because it's enabled through a
266 // feature, tidy thinks it's used by rustc as well.
276 const PERMITTED_CRANELIFT_DEPENDENCIES
: &[&str] = &[
287 "cranelift-codegen-meta",
288 "cranelift-codegen-shared",
291 "cranelift-frontend",
315 "stable_deref_trait",
319 "wasmtime-jit-icache-coherence",
321 "winapi-i686-pc-windows-gnu",
322 "winapi-x86_64-pc-windows-gnu",
324 "windows_aarch64_msvc",
327 "windows_x86_64_gnu",
328 "windows_x86_64_msvc",
331 const FORBIDDEN_TO_HAVE_DUPLICATES
: &[&str] = &[
332 // This crate takes quite a long time to build, so don't allow two versions of them
333 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
338 /// Dependency checks.
340 /// `root` is path to the directory with the root `Cargo.toml` (for the workspace). `cargo` is path
341 /// to the cargo executable.
342 pub fn check(root
: &Path
, cargo
: &Path
, bad
: &mut bool
) {
343 let mut cmd
= cargo_metadata
::MetadataCommand
::new();
344 cmd
.cargo_path(cargo
)
345 .manifest_path(root
.join("Cargo.toml"))
346 .features(cargo_metadata
::CargoOpt
::AllFeatures
);
347 let metadata
= t
!(cmd
.exec());
348 let runtime_ids
= compute_runtime_crates(&metadata
);
349 check_license_exceptions(&metadata
, EXCEPTIONS
, runtime_ids
, bad
);
350 check_permitted_dependencies(
353 PERMITTED_RUSTC_DEPENDENCIES
,
354 &["rustc_driver", "rustc_codegen_llvm"],
357 check_crate_duplicate(&metadata
, FORBIDDEN_TO_HAVE_DUPLICATES
, bad
);
358 check_rustfix(&metadata
, bad
);
360 // Check rustc_codegen_cranelift independently as it has it's own workspace.
361 let mut cmd
= cargo_metadata
::MetadataCommand
::new();
362 cmd
.cargo_path(cargo
)
363 .manifest_path(root
.join("compiler/rustc_codegen_cranelift/Cargo.toml"))
364 .features(cargo_metadata
::CargoOpt
::AllFeatures
);
365 let metadata
= t
!(cmd
.exec());
366 let runtime_ids
= HashSet
::new();
367 check_license_exceptions(&metadata
, EXCEPTIONS_CRANELIFT
, runtime_ids
, bad
);
368 check_permitted_dependencies(
371 PERMITTED_CRANELIFT_DEPENDENCIES
,
372 &["rustc_codegen_cranelift"],
375 check_crate_duplicate(&metadata
, &[], bad
);
377 let mut cmd
= cargo_metadata
::MetadataCommand
::new();
378 cmd
.cargo_path(cargo
)
379 .manifest_path(root
.join("src/bootstrap/Cargo.toml"))
380 .features(cargo_metadata
::CargoOpt
::AllFeatures
);
381 let metadata
= t
!(cmd
.exec());
382 let runtime_ids
= HashSet
::new();
383 check_license_exceptions(&metadata
, EXCEPTIONS_BOOTSTRAP
, runtime_ids
, bad
);
386 /// Check that all licenses are in the valid list in `LICENSES`.
388 /// Packages listed in `exceptions` are allowed for tools.
389 fn check_license_exceptions(
391 exceptions
: &[(&str, &str)],
392 runtime_ids
: HashSet
<&PackageId
>,
395 // Validate the EXCEPTIONS list hasn't changed.
396 for (name
, license
) in exceptions
{
397 // Check that the package actually exists.
398 if !metadata
.packages
.iter().any(|p
| p
.name
== *name
) {
401 "could not find exception package `{}`\n\
402 Remove from EXCEPTIONS list if it is no longer used.",
406 // Check that the license hasn't changed.
407 for pkg
in metadata
.packages
.iter().filter(|p
| p
.name
== *name
) {
412 "dependency exception `{}` does not declare a license expression",
416 Some(pkg_license
) => {
417 if pkg_license
.as_str() != *license
{
418 println
!("dependency exception `{name}` license has changed");
419 println
!(" previously `{license}` now `{pkg_license}`");
420 println
!(" update EXCEPTIONS for the new license");
428 let exception_names
: Vec
<_
> = exceptions
.iter().map(|(name
, _license
)| *name
).collect();
430 // Check if any package does not have a valid license.
431 for pkg
in &metadata
.packages
{
432 if pkg
.source
.is_none() {
433 // No need to check local packages.
436 if !runtime_ids
.contains(&pkg
.id
) && exception_names
.contains(&pkg
.name
.as_str()) {
439 let license
= match &pkg
.license
{
440 Some(license
) => license
,
442 tidy_error
!(bad
, "dependency `{}` does not define a license expression", pkg
.id
);
446 if !LICENSES
.contains(&license
.as_str()) {
447 if pkg
.name
== "fortanix-sgx-abi" {
448 // This is a specific exception because SGX is considered
449 // "third party". See
450 // https://github.com/rust-lang/rust/issues/62620 for more. In
451 // general, these should never be added.
454 tidy_error
!(bad
, "invalid license `{}` in `{}`", license
, pkg
.id
);
459 /// Checks the dependency of `restricted_dependency_crates` at the given path. Changes `bad` to
460 /// `true` if a check failed.
462 /// Specifically, this checks that the dependencies are on the `permitted_dependencies`.
463 fn check_permitted_dependencies(
466 permitted_dependencies
: &[&'
static str],
467 restricted_dependency_crates
: &[&'
static str],
470 let mut deps
= HashSet
::new();
471 for to_check
in restricted_dependency_crates
{
472 let to_check
= pkg_from_name(metadata
, to_check
);
473 use cargo_platform
::Cfg
;
474 use std
::str::FromStr
;
475 // We don't expect the compiler to ever run on wasm32, so strip
476 // out those dependencies to avoid polluting the permitted list.
477 deps_of_filtered(metadata
, &to_check
.id
, &mut deps
, &|dep_kinds
| {
478 dep_kinds
.iter().any(|dep_kind
| {
484 "wasm32-unknown-unknown",
486 Cfg
::from_str("target_arch=\"wasm32\"").unwrap(),
487 Cfg
::from_str("target_os=\"unknown\"").unwrap(),
496 // Check that the PERMITTED_DEPENDENCIES does not have unused entries.
497 for permitted
in permitted_dependencies
{
498 if !deps
.iter().any(|dep_id
| &pkg_from_id(metadata
, dep_id
).name
== permitted
) {
501 "could not find allowed package `{permitted}`\n\
502 Remove from PERMITTED_DEPENDENCIES list if it is no longer used.",
507 // Get in a convenient form.
508 let permitted_dependencies
: HashSet
<_
> = permitted_dependencies
.iter().cloned().collect();
511 let dep
= pkg_from_id(metadata
, dep
);
512 // If this path is in-tree, we don't require it to be explicitly permitted.
513 if dep
.source
.is_some() {
514 if !permitted_dependencies
.contains(dep
.name
.as_str()) {
515 tidy_error
!(bad
, "Dependency for {descr} not explicitly permitted: {}", dep
.id
);
521 /// Prevents multiple versions of some expensive crates.
522 fn check_crate_duplicate(
524 forbidden_to_have_duplicates
: &[&str],
527 for &name
in forbidden_to_have_duplicates
{
528 let matches
: Vec
<_
> = metadata
.packages
.iter().filter(|pkg
| pkg
.name
== name
).collect();
529 match matches
.len() {
533 "crate `{}` is missing, update `check_crate_duplicate` \
534 if it is no longer used",
542 "crate `{}` is duplicated in `Cargo.lock`, \
543 it is too expensive to build multiple times, \
544 so make sure only one version appears across all dependencies",
548 println
!(" * {}", pkg
.id
);
555 /// Finds a package with the given name.
556 fn pkg_from_name
<'a
>(metadata
: &'a Metadata
, name
: &'
static str) -> &'a Package
{
557 let mut i
= metadata
.packages
.iter().filter(|p
| p
.name
== name
);
559 i
.next().unwrap_or_else(|| panic
!("could not find package `{name}` in package list"));
560 assert
!(i
.next().is_none(), "more than one package found for `{name}`");
564 fn pkg_from_id
<'a
>(metadata
: &'a Metadata
, id
: &PackageId
) -> &'a Package
{
565 metadata
.packages
.iter().find(|p
| &p
.id
== id
).unwrap()
568 /// Finds all the packages that are in the rust runtime.
569 fn compute_runtime_crates
<'a
>(metadata
: &'a Metadata
) -> HashSet
<&'a PackageId
> {
570 let mut result
= HashSet
::new();
571 for name
in RUNTIME_CRATES
{
572 let id
= &pkg_from_name(metadata
, name
).id
;
573 deps_of_filtered(metadata
, id
, &mut result
, &|_
| true);
578 /// Recursively find all dependencies.
579 fn deps_of_filtered
<'a
>(
580 metadata
: &'a Metadata
,
581 pkg_id
: &'a PackageId
,
582 result
: &mut HashSet
<&'a PackageId
>,
583 filter
: &dyn Fn(&[DepKindInfo
]) -> bool
,
585 if !result
.insert(pkg_id
) {
594 .find(|n
| &n
.id
== pkg_id
)
595 .unwrap_or_else(|| panic
!("could not find `{pkg_id}` in resolve"));
596 for dep
in &node
.deps
{
597 if !filter(&dep
.dep_kinds
) {
600 deps_of_filtered(metadata
, &dep
.pkg
, result
, filter
);
604 fn direct_deps_of
<'a
>(metadata
: &'a Metadata
, pkg_id
: &'a PackageId
) -> Vec
<&'a Package
> {
605 let resolve
= metadata
.resolve
.as_ref().unwrap();
606 let node
= resolve
.nodes
.iter().find(|n
| &n
.id
== pkg_id
).unwrap();
607 node
.deps
.iter().map(|dep
| pkg_from_id(metadata
, &dep
.pkg
)).collect()
610 fn check_rustfix(metadata
: &Metadata
, bad
: &mut bool
) {
611 let cargo
= pkg_from_name(metadata
, "cargo");
612 let compiletest
= pkg_from_name(metadata
, "compiletest");
613 let cargo_deps
= direct_deps_of(metadata
, &cargo
.id
);
614 let compiletest_deps
= direct_deps_of(metadata
, &compiletest
.id
);
615 let cargo_rustfix
= cargo_deps
.iter().find(|p
| p
.name
== "rustfix").unwrap();
616 let compiletest_rustfix
= compiletest_deps
.iter().find(|p
| p
.name
== "rustfix").unwrap();
617 if cargo_rustfix
.version
!= compiletest_rustfix
.version
{
620 "cargo's rustfix version {} does not match compiletest's rustfix version {}\n\
621 rustfix should be kept in sync, update the cargo side first, and then update \
622 compiletest along with cargo.",
623 cargo_rustfix
.version
,
624 compiletest_rustfix
.version