
license-files -> license-file (cannot find proper license file despite it existing) #385

Closed
gajop opened this issue Dec 11, 2021 · 4 comments
Labels
bug Something isn't working

Comments

gajop commented Dec 11, 2021

I'm trying to run cargo-deny on Bevy, and it's giving me what I think is a false positive - it cannot parse a license file of a package that should have it.

Output:

error[L003]: stretch = 0.3.2 is unlicensed
  ┌─ stretch 0.3.2 (registry+https://github.com/rust-lang/crates.io-index):2:9
  │
2 │ name = "stretch"
  │         ^^^^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.3.2"
4 │ license = ""
  │            - license expression was not specified
5 │ license-files = [
6 │     { path = "LICENSE", err = "No such file or directory (os error 2)" },
  │                                -------------------------------------- unable to read license file
  │
  = stretch v0.3.2
    └── bevy_ui v0.5.0
        └── bevy_internal v0.5.0
            └── bevy v0.5.0

In particular this stands out:

5 │ license-files = [
6 │     { path = "LICENSE", err = "No such file or directory (os error 2)" },
  │                                -------------------------------------- unable to read license file

It mentions license-files, but the Cargo manifest clearly states this should be license-file (without the s): https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields. Perhaps I'm misunderstanding the output.

The actual package has the license-file: https://github.com/vislyhq/stretch/blob/master/Cargo.toml#L12 and has had it since 0.3.2: https://github.com/vislyhq/stretch/blob/0.3.2/Cargo.toml#L12

@gajop gajop added the bug Something isn't working label Dec 11, 2021
@Jake-Shadle (Member)

The Cargo.toml that you see in the error message is synthesized for error reporting purposes, it's not the actual manifest. The issue is that that package says it has a license-file, but it doesn't actually include it in the crate. You'll need to either override the license with a clarification, or you'll need to make a PR to ensure the license file is actually part of the package, and get a new release published. But considering that repo has not had any activity in over 2 years, that might never get another release?

% tar -tvf stretch.tar.gz
-rw-r--r-- 501/20          866 2019-07-05 16:37 stretch-0.3.2/Cargo.toml.orig
-rw-r--r-- 0/0            1378 1970-01-01 01:00 stretch-0.3.2/Cargo.toml
-rw-r--r-- 501/20        62976 2019-07-05 09:58 stretch-0.3.2/src/algo.rs
-rw-r--r-- 501/20         5499 2019-07-05 13:42 stretch-0.3.2/src/forest.rs
-rw-r--r-- 501/20         4271 2019-03-28 23:10 stretch-0.3.2/src/geometry.rs
-rw-r--r-- 501/20          811 2019-07-05 09:58 stretch-0.3.2/src/id.rs
-rw-r--r-- 501/20         1012 2019-07-05 09:58 stretch-0.3.2/src/lib.rs
-rw-r--r-- 501/20         7055 2019-07-05 16:36 stretch-0.3.2/src/node.rs
-rw-r--r-- 501/20         5271 2019-03-28 23:10 stretch-0.3.2/src/number.rs
-rw-r--r-- 501/20          653 2019-07-05 09:58 stretch-0.3.2/src/result.rs
-rw-r--r-- 501/20         8658 2019-04-08 14:28 stretch-0.3.2/src/style.rs
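
An added check, written for this issue and not part of cargo-deny or the stretch project: it automates what the `tar -tvf` listing above shows by hand. A `.crate` file is a gzip tarball whose members all sit under `<name>-<version>/`; the script reads the packaged `Cargo.toml`, takes its `license-file` value and reports whether that path is actually present in the archive. The sample archives are constructed in memory to mirror the stretch 0.3.2 layout (a manifest naming `LICENSE`, no such file shipped); the fallback parser only understands the `key = "string"` lines a cargo-normalised manifest uses for these fields, and `build_crate`, `missing_license_files`, `parse_package_section` and `check_examples` are names chosen here.

```python
import io
import re
import tarfile


def parse_package_section(manifest: str) -> dict:
    """Return the [package] table of a Cargo.toml as a dict.

    Uses tomllib when available (Python 3.11+). Otherwise a deliberately
    small fallback reads only `key = "string"` lines inside [package], which
    is all a cargo-normalised Cargo.toml uses for name, version, license
    and license-file (a simplification, not a full TOML parser).
    """
    try:
        import tomllib  # Python 3.11+
        return tomllib.loads(manifest).get("package", {})
    except ImportError:
        pass
    package, in_package = {}, False
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_package = stripped == "[package]"
            continue
        m = re.match(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$', stripped)
        if in_package and m:
            package[m.group(1)] = m.group(2)
    return package


def missing_license_files(crate_tar: bytes) -> list[str]:
    """Paths named by `license-file` in the packaged Cargo.toml that the
    crate archive does not actually carry. Empty list: the claim is backed
    by a real file (or no license-file is claimed at all).
    """
    with tarfile.open(fileobj=io.BytesIO(crate_tar), mode="r:gz") as tar:
        members = {m.name for m in tar.getmembers()}
        # Every member of a .crate sits under one `<name>-<version>/` root.
        roots = {name.split("/", 1)[0] for name in members}
        if len(roots) != 1:
            raise ValueError(f"expected one crate root directory, got {roots!r}")
        root = roots.pop()
        manifest = tar.extractfile(f"{root}/Cargo.toml").read().decode("utf-8")
    license_file = parse_package_section(manifest).get("license-file")
    if license_file is None:
        return []  # nothing claimed; the `license` field is checked separately
    return [] if f"{root}/{license_file}" in members else [license_file]


def build_crate(name: str, version: str, manifest: str, extra_files: dict) -> bytes:
    """Build an in-memory .crate (gzip tarball) laid out the way cargo packages it."""
    root = f"{name}-{version}"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, content in {"Cargo.toml": manifest, **extra_files}.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=f"{root}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed manifest modelled on the stretch 0.3.2 case above: it names a
# license file that the shipped archive does not contain.
STRETCH_LIKE_MANIFEST = """\
[package]
name = "stretch"
version = "0.3.2"
license-file = "LICENSE"

[dependencies]
"""


def check_examples() -> dict:
    """Run the check on a broken archive (no LICENSE member) and a fixed one."""
    broken = build_crate("stretch", "0.3.2", STRETCH_LIKE_MANIFEST,
                         {"src/lib.rs": "pub fn layout() {}\n"})
    fixed = build_crate("stretch", "0.3.2", STRETCH_LIKE_MANIFEST,
                        {"src/lib.rs": "pub fn layout() {}\n",
                         "LICENSE": "MIT License (placeholder text)\n"})
    return {"broken": missing_license_files(broken),
            "fixed": missing_license_files(fixed)}


if __name__ == "__main__":
    for label, missing in check_examples().items():
        status = "ok" if not missing else f"missing license file(s): {missing}"
        print(f"{label}: {status}")
```

To run it against a real download, read the `.crate` file from `~/.cargo/registry/cache/` (or fetch it from crates.io) and pass its bytes to `missing_license_files`; a non-empty result is exactly the situation cargo-deny reports as `unable to read license file`, and the fix belongs upstream in the package, not in the checker.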

rickyhosfelt commented Jan 7, 2022

👋 I'm seeing this same issue with **ring**, where the LICENSE file is indeed included

Here's a minimal Cargo.toml and deny.toml to reproduce:

Cargo.toml:

```toml
[package]
name = "license_test"
version = "0.1.0"
edition = "2021"
license = "MIT"

[dependencies]
ring = "0.17.0-alpha.11"
```

deny.toml:

```toml
[licenses]
allow = [
    "Apache-2.0",
    "ISC",
    "MIT",
]

[[licenses.clarify]]
name = "ring"
expression = "LicenseRef-Ring"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]
```

The error I'm getting is the same as the OP's, hence the comment on this issue:

❯ cargo deny check
error[L003]: ring = 0.17.0-alpha.11 is unlicensed
  ┌─ ring 0.17.0-alpha.11 (registry+https://github.com/rust-lang/crates.io-index):2:9
  │
2 │ name = "ring"
  │         ^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.17.0-alpha.11"
4 │ license = ""
  │            - license expression was not specified
5 │ license-files = [
6 │     { path = "LICENSE", hash = 0xbd0eed23, score = 0.67, license = "OpenSSL" },
  │                                                    ---- low confidence in the license text
  │
  = ring v0.17.0-alpha.11
    └── licnese_test v0.1.0

advisories ok, bans ok, licenses FAILED, sources ok

@Jake-Shadle (Member)

@rickyhosfelt this is due to you using a pre-release semver, which has non-intuitive complications with wildcard matching, which is tracked in #371. To get around this you can specify the full version in the clarification's version field until #371 is addressed.

@rickyhosfelt

Thanks @Jake-Shadle this works for us!
