Cargo dependency checker for clearlydefined.io

This is small extension to cargo, to check your dependency tree against the database of clearlydefined.io.

ClearlyDefined and our parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being, well, clearly defined.

Installation

cargo install cargo-clearlydefined

Usage

In the project you wan to check, execute the following command:

cargo clearlydefined

This will fetch dependencies metadata, and print out a report of the dependencies that have a score below 80.

Getting help

To get some command line help, run:

cargo clearlydefined --help

Which should print out:

~~~ cargo-clearlydefined 0.1.0

USAGE: cargo clearlydefined [OPTIONS]

OPTIONS: -i, --input Override the location of the input file (Cargo.lock) -v, --verbose Verbose mode, repeat to increase verbosity -s, --score The score requires to pass the test [default: 80] -a, --all Show all dependencies, failed or not -x, --exclude ... List the dependencies to ignore when testing -o, --output-format Output format [default: text] [possible values: Text, CSV, Markdown] -l, --link Add a link to clearly defined -q, --quiet Don't show any results -h, --help Prints help information -V, --version Prints version information ~~~

Setting the target score

You can set the target score:

cargo clearlydefined --score 50

It is also possible to lower the score to 0.

Showing all dependencies

By default, only the "failed" dependencies are shown. You can however get a report of all dependencies:

cargo clearlydefined --all

Ignoring & Excluding

You can exclude dependencies completly from processing:

cargo clearlydefined -x wasi

Or simply ignore it from the target score test:

cargo clearlydefined -n wasi

Output format

The default output format is "text", but you have some other options as well:

CSV

In order to get a comma separated output:

cargo clearlydefined -o csv

If you choose to show all dependencies, an additional column will be added, that contains the result of the test.

Example, failures only

~~~ Name,Version,Declared license,Score hermit-abi,0.1.15,Apache-2.0 AND MIT,52 my-test,0.1.0,,0 winapi-i686-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,37 winapi-x86_64-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,37 ~~~

Example, all

~~~ Name,Version,Declared license,Score,Check ansiterm,0.12.1,MIT,88,+ atty,0.2.14,MIT,88,+ coloredjson,2.1.0,EPL-2.0,87,+ hermit-abi,0.1.15,Apache-2.0 AND MIT,52,- itoa,0.4.6,Apache-2.0 AND MIT,87,+ libc,0.2.76,Apache-2.0 AND MIT,87,+ my-test,0.1.0,,0,- ryu,1.0.5,Apache-2.0 AND BSL-1.0,80,+ serde,1.0.115,Apache-2.0 AND MIT,87,+ serdejson,1.0.57,Apache-2.0 AND MIT,87,+ winapi,0.3.9,Apache-2.0 AND MIT,87,+ winapi-i686-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,37,- winapi-x8664-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,37,- ~~~

Markdown

To get a nice markdown result, use:

cargo clearlydefined -o markdown

This will create a markdown table, including a badge, that shows the outcome of the test, if you choose to display all dependencies.

It is also possible to provide the argument --link, which will always add a link to clearlydefined.io in the score column.

Example, failures only

Using the --link option.

| Name | Version | Declared license | Score | |------------------------------|---------|--------------------|-------------------------------------------------------------------------------------------------| | hermit-abi | 0.1.15 | Apache-2.0 AND MIT | 52 | | my-test | 0.1.0 | | 0 | | winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 | | winapi-x86_64-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 |

Example, all

Using the --link option.

| Name | Version | Declared license | Score | |------------------------------|---------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ansiterm | 0.12.1 | MIT | | | atty | 0.2.14 | MIT | | | coloredjson | 2.1.0 | EPL-2.0 | | | hermit-abi | 0.1.15 | Apache-2.0 AND MIT | | | itoa | 0.4.6 | Apache-2.0 AND MIT | | | libc | 0.2.76 | Apache-2.0 AND MIT | | | my-test | 0.1.0 | | | | ryu | 1.0.5 | Apache-2.0 AND BSL-1.0 | | | serde | 1.0.115 | Apache-2.0 AND MIT | | | serdejson | 1.0.57 | Apache-2.0 AND MIT | | | winapi | 0.3.9 | Apache-2.0 AND MIT | | | winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | | | winapi-x8664-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | |

Text

And of course, there is plain text as well. The default.

Example, failures only

~~~ +------------------------------+---------+--------------------+-------+ | Name | Version | Declared license | Score | +------------------------------+---------+--------------------+-------+ | hermit-abi | 0.1.15 | Apache-2.0 AND MIT | 52 | | my-test | 0.1.0 | | 0 | | winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 | | winapi-x86_64-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 | +------------------------------+---------+--------------------+-------+ ~~~

Example, all

~~~ +------------------------------+---------+------------------------+-------+ | Name | Version | Declared license | Score | +------------------------------+---------+------------------------+-------+ | ansiterm | 0.12.1 | MIT | 88 ✅ | | atty | 0.2.14 | MIT | 88 ✅ | | coloredjson | 2.1.0 | EPL-2.0 | 87 ✅ | | hermit-abi | 0.1.15 | Apache-2.0 AND MIT | 52 ❌ | | itoa | 0.4.6 | Apache-2.0 AND MIT | 87 ✅ | | libc | 0.2.76 | Apache-2.0 AND MIT | 87 ✅ | | my-test | 0.1.0 | | 0 ❌ | | ryu | 1.0.5 | Apache-2.0 AND BSL-1.0 | 80 ✅ | | serde | 1.0.115 | Apache-2.0 AND MIT | 87 ✅ | | serdejson | 1.0.57 | Apache-2.0 AND MIT | 87 ✅ | | winapi | 0.3.9 | Apache-2.0 AND MIT | 87 ✅ | | winapi-i686-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 ❌ | | winapi-x8664-pc-windows-gnu | 0.4.0 | MIT OR Apache-2.0 | 37 ❌ | +------------------------------+---------+------------------------+-------+ ~~~