This is a small extension to cargo to check your dependency tree against the database of clearlydefined.io.
ClearlyDefined and our parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being, well, clearly defined.
~~~
cargo install cargo-clearlydefined
~~~
In the project you want to check, execute the following command:
~~~
cargo clearlydefined
~~~
This will fetch the dependency metadata and print out a report of the dependencies.
To get some command line help, run:
~~~
cargo clearlydefined --help
~~~
Which should print out:
~~~
cargo-clearlydefined 0.2.1

USAGE:
    cargo clearlydefined [OPTIONS]

OPTIONS:
    -i, --input      Override the location of the input file (Cargo.lock)
    -v, --verbose    Verbose mode, repeat to increase verbosity
    -s, --score
~~~
The default target score is 80, but you can change that:
~~~
cargo clearlydefined --score 50
~~~
It is also possible to lower the score to 0, which effectively disables this test.
ClearlyDefined provides different types of scores. By default, the tool checks the "effective", or "overall", score. You can choose the score to test using -t. Testing the "licensed" score would require:
~~~
cargo clearlydefined --score 50 -t licensed
~~~
By default, only the "failed" dependencies are shown. You can however get a report of all dependencies:
~~~
cargo clearlydefined --all
~~~
You can exclude dependencies completely from processing:
~~~
cargo clearlydefined -x my-test
~~~
Or simply ignore them in the target score test:
~~~
cargo clearlydefined -n my-test
~~~
For example:
~~~
$ cargo clearlydefined -n my-test
+------------------------------+---------+------------------------+---------+-------+
| Name                         | Version | Declared license       | License | Score |
+------------------------------+---------+------------------------+---------+-------+
| ansiterm                     | 0.12.1  | MIT                    | ❌      | ✅ 88 |
| atty                         | 0.2.14  | MIT                    | ❌      | ✅ 88 |
| colored_json                 | 2.1.0   | EPL-2.0                | ❌      | ✅ 87 |
| hermit-abi                   | 0.1.15  | Apache-2.0 AND MIT     | ❌      | ❌ 52 |
| itoa                         | 0.4.6   | Apache-2.0 AND MIT     | ❌      | ✅ 87 |
| libc                         | 0.2.76  | Apache-2.0 AND MIT     | ❌      | ✅ 87 |
| my-test                      | 0.1.0   |                        | 🙈      | 🙈 0  |
| ryu                          | 1.0.5   | Apache-2.0 AND BSL-1.0 | ❌      | ✅ 80 |
| serde                        | 1.0.115 | Apache-2.0 AND MIT     | ❌      | ✅ 87 |
| serde_json                   | 1.0.57  | Apache-2.0 AND MIT     | ❌      | ✅ 87 |
| winapi                       | 0.3.9   | Apache-2.0 AND MIT     | ❌      | ✅ 87 |
| winapi-i686-pc-windows-gnu   | 0.4.0   | MIT OR Apache-2.0      | ❌      | ❌ 37 |
| winapi-x86_64-pc-windows-gnu | 0.4.0   | MIT OR Apache-2.0      | ❌      | ❌ 37 |
+------------------------------+---------+------------------------+---------+-------+
~~~
The tool parses the SPDX expression returned by ClearlyDefined. Unfortunately, some dependencies declare an expression that is invalid according to the SPDX spec.
You may use the --lax option to switch to a more lenient parser for SPDX expressions. However, in some cases even this isn't enough; the only choice at the moment is to ignore or exclude such dependencies.
If a dependency has a valid SPDX license definition, it can be tested. If it doesn't, all checks based on the license will fail for this dependency.
All license tests are disabled by default.
In most cases, the module you are checking is not registered with ClearlyDefined, and thus cannot pass the license tests. If that is a problem, you can exclude the module using the -x switch.
Using the option --require-osi-approved, you require that each dependency has at least one OSI approved license.
You can also provide a list of accepted licenses, and the tool will check for those:
~~~
cargo clearlydefined -L EPL-2.0 -L MIT
~~~
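The AND/OR semantics behind a check like this, as an added example that is not part of cargo-clearlydefined's own code: a small SPDX-expression evaluator that accepts a dependency when its declared expression (values like those in the "Declared license" column, e.g. `Apache-2.0 AND MIT` or `MIT OR Apache-2.0`) can be satisfied from an accepted list, and rejects an empty or malformed expression, as the page says an invalid definition fails every license-based check. The function name, the `Option<bool>` return and the case-insensitive identifier comparison are this example's own choices.

```rust
// Added example (not cargo-clearlydefined's own code): evaluate an SPDX
// expression such as "Apache-2.0 AND MIT" or "MIT OR Apache-2.0" against a
// list of accepted license identifiers. Handles AND, OR and parentheses only;
// the SPDX "WITH" exception operator and "+" suffixes are not supported.
/// Some(true) if the expression is satisfiable with accepted licenses only,
/// Some(false) if not, None if it is malformed (empty, dangling operator,
/// unbalanced parentheses): an invalid expression fails the license check.
pub fn license_ok(expr: &str, accepted: &[&str]) -> Option<bool> {
    let tokens: Vec<String> = expr
        .replace('(', " ( ")
        .replace(')', " ) ")
        .split_whitespace()
        .map(str::to_string)
        .collect();
    let mut pos = 0;
    let result = parse_or(&tokens, &mut pos, accepted)?;
    // Leftover tokens (e.g. a stray ")") mean the expression was malformed.
    if pos == tokens.len() { Some(result) } else { None }
}
fn is_op(tok: &str, op: &str) -> bool { tok.eq_ignore_ascii_case(op) }
// OR binds weaker than AND, so it forms the top level of the grammar.
fn parse_or(t: &[String], pos: &mut usize, acc: &[&str]) -> Option<bool> {
    let mut value = parse_and(t, pos, acc)?;
    while t.get(*pos).map_or(false, |s| is_op(s, "OR")) {
        *pos += 1;
        value |= parse_and(t, pos, acc)?; // any accepted alternative suffices
    }
    Some(value)
}
fn parse_and(t: &[String], pos: &mut usize, acc: &[&str]) -> Option<bool> {
    let mut value = parse_atom(t, pos, acc)?;
    while t.get(*pos).map_or(false, |s| is_op(s, "AND")) {
        *pos += 1;
        value &= parse_atom(t, pos, acc)?; // every conjunct must be accepted
    }
    Some(value)
}
fn parse_atom(t: &[String], pos: &mut usize, acc: &[&str]) -> Option<bool> {
    let tok = t.get(*pos)?.as_str();
    *pos += 1;
    if tok == "(" {
        let inner = parse_or(t, pos, acc)?;
        if t.get(*pos).map(String::as_str) != Some(")") { return None; }
        *pos += 1;
        return Some(inner);
    }
    if tok == ")" || is_op(tok, "AND") || is_op(tok, "OR") { return None; }
    Some(acc.iter().any(|a| a.eq_ignore_ascii_case(tok)))
}
```

With `MIT` and `Apache-2.0` accepted, `Apache-2.0 AND BSL-1.0` (the `ryu` row above) is rejected while `MIT OR Apache-2.0` passes, and the empty declaration of `my-test` is reported as malformed rather than silently passing.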
The default output format is "text", but you have some other options as well:
In order to get comma separated output:
~~~
cargo clearlydefined -o csv
~~~
Example output:
~~~
$ cargo clearlydefined --approve-osi -o csv
Name,Version,Declared license,License,Score,Score check
ansiterm,0.12.1,MIT,+,88,+
atty,0.2.14,MIT,+,88,+
colored_json,2.1.0,EPL-2.0,+,87,+
hermit-abi,0.1.15,Apache-2.0 AND MIT,+,52,-
itoa,0.4.6,Apache-2.0 AND MIT,+,87,+
libc,0.2.76,Apache-2.0 AND MIT,+,87,+
my-test,0.1.0,,-,0,-
ryu,1.0.5,Apache-2.0 AND BSL-1.0,+,80,+
serde,1.0.115,Apache-2.0 AND MIT,+,87,+
serde_json,1.0.57,Apache-2.0 AND MIT,+,87,+
winapi,0.3.9,Apache-2.0 AND MIT,+,87,+
winapi-i686-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,+,37,-
winapi-x86_64-pc-windows-gnu,0.4.0,MIT OR Apache-2.0,+,37,-
~~~
To get a nice markdown result, use:
~~~
cargo clearlydefined -o markdown
~~~
This will create a markdown table, including a badge that shows the outcome of the test, if you choose to display all dependencies.
It is also possible to provide the argument --link, which will always add a link to clearlydefined.io in the score column.
Example output:
| Name                         | Version | Declared license       | License | Score |
|------------------------------|---------|------------------------|---------|-------|
| ansiterm                     | 0.12.1  | MIT                    | ✅      | ✅ 88 |
| atty                         | 0.2.14  | MIT                    | ✅      | ✅ 88 |
| colored_json                 | 2.1.0   | EPL-2.0                | ✅      | ✅ 87 |
| hermit-abi                   | 0.1.15  | Apache-2.0 AND MIT     | ✅      | ❌ 52 |
| itoa                         | 0.4.6   | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| libc                         | 0.2.76  | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| my-test                      | 0.1.0   |                        | ❌      | ❌ 0  |
| ryu                          | 1.0.5   | Apache-2.0 AND BSL-1.0 | ✅      | ✅ 80 |
| serde                        | 1.0.115 | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| serde_json                   | 1.0.57  | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| winapi                       | 0.3.9   | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| winapi-i686-pc-windows-gnu   | 0.4.0   | MIT OR Apache-2.0      | ✅      | ❌ 37 |
| winapi-x86_64-pc-windows-gnu | 0.4.0   | MIT OR Apache-2.0      | ✅      | ❌ 37 |
Using the --link option:

| Name                         | Version | Declared license       | License | Score |
|------------------------------|---------|------------------------|---------|-------|
| ansiterm                     | 0.12.1  | MIT                    | ✅      |       |
| atty                         | 0.2.14  | MIT                    | ✅      |       |
| colored_json                 | 2.1.0   | EPL-2.0                | ✅      |       |
| hermit-abi                   | 0.1.15  | Apache-2.0 AND MIT     | ✅      |       |
| itoa                         | 0.4.6   | Apache-2.0 AND MIT     | ✅      |       |
| libc                         | 0.2.76  | Apache-2.0 AND MIT     | ✅      |       |
| my-test                      | 0.1.0   |                        | ❌      |       |
| ryu                          | 1.0.5   | Apache-2.0 AND BSL-1.0 | ✅      |       |
| serde                        | 1.0.115 | Apache-2.0 AND MIT     | ✅      |       |
| serde_json                   | 1.0.57  | Apache-2.0 AND MIT     | ✅      |       |
| winapi                       | 0.3.9   | Apache-2.0 AND MIT     | ✅      |       |
| winapi-i686-pc-windows-gnu   | 0.4.0   | MIT OR Apache-2.0      | ✅      |       |
| winapi-x86_64-pc-windows-gnu | 0.4.0   | MIT OR Apache-2.0      | ✅      |       |
And of course, there is plain text as well. The default:
~~~
$ cargo clearlydefined --approve-osi -o text
+------------------------------+---------+------------------------+---------+-------+
| Name                         | Version | Declared license       | License | Score |
+------------------------------+---------+------------------------+---------+-------+
| ansiterm                     | 0.12.1  | MIT                    | ✅      | ✅ 88 |
| atty                         | 0.2.14  | MIT                    | ✅      | ✅ 88 |
| colored_json                 | 2.1.0   | EPL-2.0                | ✅      | ✅ 87 |
| hermit-abi                   | 0.1.15  | Apache-2.0 AND MIT     | ✅      | ❌ 52 |
| itoa                         | 0.4.6   | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| libc                         | 0.2.76  | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| my-test                      | 0.1.0   |                        | ❌      | ❌ 0  |
| ryu                          | 1.0.5   | Apache-2.0 AND BSL-1.0 | ✅      | ✅ 80 |
| serde                        | 1.0.115 | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| serde_json                   | 1.0.57  | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| winapi                       | 0.3.9   | Apache-2.0 AND MIT     | ✅      | ✅ 87 |
| winapi-i686-pc-windows-gnu   | 0.4.0   | MIT OR Apache-2.0      | ✅      | ❌ 37 |
| winapi-x86_64-pc-windows-gnu | 0.4.0   | MIT OR Apache-2.0      | ✅      | ❌ 37 |
+------------------------------+---------+------------------------+---------+-------+
~~~