Update all the things

Cargo.toml

@@ -24,21 +24,60 @@ name = "cargo-about"
 path = "src/cargo-about/main.rs"
 
 [dependencies]
+# Colorization
 ansi_term = "0.12"
+# Error facilities
 anyhow = "1.0"
+# License detection
 askalono = "0.4"
+# TTY detection
+atty = "0.2"
+# API helpers for api.clearlydefined.io
+cd = { version = "0.2", features = ["blocking", "rustls"] }
+# Datetime
 chrono = "0.4"
+# Diagnostic reporting
+codespan = "0.11"
+codespan-reporting = "0.11"
+# Logging helpers
 fern = "0.6"
+# Template engine for output
 handlebars = { version = "4.1", features = ["dir_source"] }
+# $HOME retrieval
+home = "0.5"
+# Directory walking
 ignore = "0.4"
-krates = "0.8"
-license = "1.1"
+# Dependency graphing
+krates = "0.9"
+# Logging macros
 log = "0.4"
+# Better heap allocator over system one (usually)
+mimalloc = "0.1"
+# Better locking primitives
+parking_lot = "0.11"
+# brrrr
 rayon = "1.5"
+# HTTP requests
+reqwest = { version = "0.11", default-features = false, features = [
+  "blocking",
+  "rustls-tls",
+] }
+# Checksum verification (already pulled in via rustls)
+ring = "0.16"
+# Oh gee what could it be
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-smallvec = "1.6"
-spdx = "0.6"
+# Some vecs don't need to hit the heap
+smallvec = "1.7"
+# License expression parsing and evaluation
+spdx = { version = "0.6", features = ["text"] }
+# Command line parsing
 structopt = "0.3"
+# Configuration parsing
 toml = "0.5"
-mimalloc = "0.1.25"
+# Manipulation of cargo manifests for diagnostic purposes
+toml_edit = "0.6"
+# Hashing
+twox-hash = "1.6"
+# Url parsing
+url = "2.2"

about.toml

@@ -1,7 +1,4 @@
-accepted = [
-    "Apache-2.0",
-    "MIT",
-]
+accepted = ["Apache-2.0", "MIT"]
 targets = [
     "x86_64-unknown-linux-gnu",
     "x86_64-unknown-linux-musl",
@@ -10,3 +7,40 @@ targets = [
 ]
 ignore-build-dependencies = false
 ignore-dev-dependencies = false
+workarounds = [{ name = "ring" }, { name = "chrono" }, { name = "rustls" }]
+
+[codespan.clarify]
+license = "Apache-2.0"
+
+[[codespan.clarify.git]]
+path = "LICENSE"
+checksum = "c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4"
+
+[codespan-reporting.clarify]
+license = "Apache-2.0"
+
+[[codespan-reporting.clarify.git]]
+path = "LICENSE"
+checksum = "c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4"
+
+[failure_derive.clarify]
+license = "Apache-2.0 OR MIT"
+
+[[failure_derive.clarify.git]]
+path = "LICENSE"
+checksum = "c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4"
+
+[instant]
+accepted = ["BSD-3-Clause"]
+
+[ring]
+accepted = ["ISC", "OpenSSL"]
+
+[untrusted]
+accepted = ["ISC"]
+
+[webpki]
+accepted = ["ISC", "BSD-3-Clause"]
+
+[webpki-roots]
+accepted = ["MPL-2.0"]

deny.toml

@@ -13,6 +13,9 @@ ignore = [
     # failure is unsound and unmaintained, but is used by askalono
     "RUSTSEC-2020-0036",
     "RUSTSEC-2019-0036",
+    # chrono/time only used for datetime parsing
+    "RUSTSEC-2020-0159",
+    "RUSTSEC-2020-0071",
 ]
 
 [bans]
@@ -26,6 +29,8 @@ deny = [
 skip = [
     # clap uses old ansi-term
     { name = "ansi_term", version = "=0.11.0" },
+    # old itertools from really old zstd from askalono, build only
+    { name = "itertools", version = "=0.9.0" },
 ]
 
 [licenses]
@@ -34,7 +39,33 @@ allow-osi-fsf-free = "neither"
 copyleft = "deny"
 # We want really high confidence when inferring licenses from text
 confidence-threshold = 0.93
-allow = [
-    "Apache-2.0",
-    "MIT",
+allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
+
+exceptions = [
+    # ring uses code from multiple libraries but all with permissive licenses
+    # https://tldrlegal.com/license/openssl-license-(openssl)
+    { allow = ["ISC", "MIT", "OpenSSL"], name = "ring" },
+
+    # MPL 2.0 is a copyleft license and we HAVE to disclose
+    # the source code of these specific libraries if we do changes to it.
+    # which we do through public forks of the repos if/when we do changes to it.
+    # https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
+    { allow = ["MPL-2.0"], name = "webpki-roots" },
 ]
+
+[[licenses.clarify]]
+name = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL - Obviously
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]