6 releases
0.3.0 | Feb 1, 2024 |
---|---|
0.2.1 | Sep 9, 2020 |
0.1.3 | Sep 3, 2020 |
#235 in Cargo plugins
38KB
584 lines
Check dependency data from clearlydefined.io
This is small extension to cargo
, to check your dependency tree against the database of
clearlydefined.io.
ClearlyDefined and our parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being, well, clearly defined.
Installation
cargo install cargo-clearlydefined
Usage
In the project you wan to check, execute the following command:
cargo clearlydefined
This will fetch dependencies metadata, and print out a report of the dependencies.
Getting help
To get some command line help, run:
cargo clearlydefined --help
Which should print out:
cargo-clearlydefined 0.2.1
USAGE:
cargo clearlydefined [OPTIONS]
OPTIONS:
-i, --input <input> Override the location of the input file (`Cargo.lock`)
-v, --verbose Verbose mode, repeat to increase verbosity
-s, --score <score> The score required to pass the test [default: 80]
-t, --score-type <score-type> Which score to test [default: effective] [possible values: Effective,
Licensed]
-f, --failed Show only failed dependencies
-x, --exclude <exclude>... List the dependencies to exclude completely
-n, --ignore <ignore>... List the dependencies to ignore when testing
-o, --output-format <output-format> Output format [default: text] [possible values: Text, CSV, Markdown]
-l, --link Add a link to clearly defined
-q, --quiet Don't show any results
--lax Lax parsing of SPDX expressions
--approve-all Approve all licenses
--approve-osi Pass if a dependency has at least one OSI approved license
-L, --approve <approved-licenses>... Pass if a dependency has at least one of the approved licenses (can be used
multiple times)
-h, --help Prints help information
-V, --version Prints version information
Setting the target score
The default target score is 80, but you can change that:
cargo clearlydefined --score 50
It is also possible to lower the score to 0
, which effectively disables this test.
Score type to test
Clearlydefined provides different types of scores. By default, the tool will check of the "effective", or "overall" score.
You can choose the score to test using -t
. Testing for the "licensed score" would require:
cargo clearlydefined --score 50 -t licensed
Adding a link
It is also possible to provide the argument --link
, which will add a link to the definition page
at clearlydefined.io. Not all output formats support this though.
cargo clearlydefined --link
Ignoring & Excluding
You can exclude dependencies completely from processing:
cargo clearlydefined -x my-test
Or simply ignore it from the target score test:
cargo clearlydefined -n my-test
For example:
$ cargo clearlydefined -n my-test
+------------------------------+---------+------------------------+---------+-------+
| Name | Version | Declared license | License | Score |
+------------------------------+---------+------------------------+---------+-------+
| ansi_term | 0.12.1 | MIT | ❌ | ✅ 88 |
| atty | 0.2.14 | MIT | ❌ | ✅ 88 |
| colored_json | 2.1.0 | EPL-2.0 | ❌ | ✅ 87 |
| hermit-abi | 0.1.15 | Apache-2.0 AND MIT | ❌ | ❌ 52 |
| itoa | 0.4.6 | Apache-2.0 AND MIT | ❌ | ✅ 87 |
| libc | 0.2.76 | Apache-2.0 AND MIT | ❌ | ✅ 87 |
| my-test | 0.1.0 | | 🙈 | 🙈 0 |
| ryu | 1.0.5 | Apache-2.0 AND BSL-1.0 | ❌ | ✅ 80 |
| serde | 1.0.115 | Apache-2.0 AND MIT | ❌ | ✅ 87 |
| serde_json | 1.0.57 | Apache-2.0 AND MIT | ❌ | ✅ 87 |
| winapi | 0.3.9 | Apache-2.0 AND MIT | ❌ | ✅ 87 |
| winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ❌ | ❌ 37 |
| winapi-x86_64-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ❌ | ❌ 37 |
+------------------------------+---------+------------------------+---------+-------+
SPDX parsing
The tool will parse the SPDX expression coming back from clearlydefined. Unfortunately, some dependencies have an invalid (according to the SPDX spec) expression.
You may use the --lax
option, to switch to a more lax parser for SPDX expressions. However, in some cases
this still isn't enough. The only choice at the moment is, to ignore or exclude such dependencies.
License testing
If a dependency has a valid SPDX license definition, it can be tested. If it doesnt', all checks based on the license will fail for this dependency.
All license tests are disabled by default.
In most cases, the module you are checking, is not registered with clearly defined, and thus cannot pass the
license tests. If that is a problem, then you can exclude the module using the -x
switch.
Testing if the dependency has an OSI approved license
Using the option --require-osi-approved
you require that each dependency has at least one
OSI approved license.
Check for provided list
You can also provide a list of accepted licenses, and the tool will check for those:
cargo clearlydefined -L EPL-2.0 -L MIT
Output format
The default output format is "text", but you have some other options as well:
CSV
In order to get a comma separated output:
cargo clearlydefined -o csv
Example output:
$ cargo clearlydefined --approve-osi -o csv
Name,Version,Declared license,License,Score,Score check
ansi_term,0.12.1,MIT,+,88,+
atty,0.2.14,MIT,+,88,+
colored_json,2.1.0,EPL-2.0,+,87,+
hermit-abi,0.1.15,Apache-2.0 AND MIT,+,52,-
itoa,0.4.6,Apache-2.0 AND MIT,+,87,+
libc,0.2.76,Apache-2.0 AND MIT,+,87,+
my-test,0.1.0,,-,0,-
ryu,1.0.5,Apache-2.0 AND BSL-1.0,+,80,+
serde,1.0.115,Apache-2.0 AND MIT,+,87,+
serde_json,1.0.57,Apache-2.0 AND MIT,+,87,+
winapi,0.3.9,Apache-2.0 AND MIT,+,87,+
winapi-i686-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,+,37,-
winapi-x86_64-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,+,37,-
Markdown
To get a nice markdown result, use:
cargo clearlydefined -o markdown
This will create a markdown table, including a badge, that shows the outcome of the test, if you choose to display all dependencies.
Example output:
Name | Version | Declared license | License | Score |
---|---|---|---|---|
ansi_term | 0.12.1 | MIT | ✅ | ✅ 88 |
atty | 0.2.14 | MIT | ✅ | ✅ 88 |
colored_json | 2.1.0 | EPL-2.0 | ✅ | ✅ 87 |
hermit-abi | 0.1.15 | Apache-2.0 AND MIT | ✅ | ❌ 52 |
itoa | 0.4.6 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
libc | 0.2.76 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
my-test | 0.1.0 | ❌ | ❌ 0 | |
ryu | 1.0.5 | Apache-2.0 AND BSL-1.0 | ✅ | ✅ 80 |
serde | 1.0.115 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
serde_json | 1.0.57 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
winapi | 0.3.9 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ✅ | ❌ 37 |
winapi-x86_64-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ✅ | ❌ 37 |
Using the --link
option:
Text
And of course, there is plain text as well. The default:
$ cargo clearlydefined --approve-osi -o text
+------------------------------+---------+------------------------+---------+-------+
| Name | Version | Declared license | License | Score |
+------------------------------+---------+------------------------+---------+-------+
| ansi_term | 0.12.1 | MIT | ✅ | ✅ 88 |
| atty | 0.2.14 | MIT | ✅ | ✅ 88 |
| colored_json | 2.1.0 | EPL-2.0 | ✅ | ✅ 87 |
| hermit-abi | 0.1.15 | Apache-2.0 AND MIT | ✅ | ❌ 52 |
| itoa | 0.4.6 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
| libc | 0.2.76 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
| my-test | 0.1.0 | | ❌ | ❌ 0 |
| ryu | 1.0.5 | Apache-2.0 AND BSL-1.0 | ✅ | ✅ 80 |
| serde | 1.0.115 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
| serde_json | 1.0.57 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
| winapi | 0.3.9 | Apache-2.0 AND MIT | ✅ | ✅ 87 |
| winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ✅ | ❌ 37 |
| winapi-x86_64-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | ✅ | ❌ 37 |
+------------------------------+---------+------------------------+---------+-------+
Dependencies
~12–25MB
~335K SLoC