
Bug: Missing license information still not allowed in crates from a private registry #736

Open
kornelski opened this issue Dec 7, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@kornelski

Describe the bug

I've tried to configure it to ignore licenses from a private registry:

[licenses.private]
ignore = true
registries = [
 "http://private.example.com/"
#  "sparse+http://private.example.com/" # tried this too
]

but I'm still getting an error about crates not having a license:

error[unlicensed]: internal-only-crate = 1.1.1 is unlicensed
  ┌─ sparse+http://private.example.com/#[email protected]:2:9
  │
2 │ name = "internal-only-crate"
  │         ━━━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "1.1.1"
4 │ license = ""
  │            ─ license expression was not specified
  │
  ├ internal-only-crate v1.1.1

There is no license or license-file in Cargo.toml of that crate, on purpose. It's proprietary, and there's no SPDX identifier for that.

To reproduce

Publish a crate to a private registry (I've used freighter), use it in a workspace, and run cargo deny check.

cargo-deny version

cargo-deny 0.16.3

What OS were you running cargo-deny on?

MacOS

Additional context

No response

@jongiddy
Contributor

The check for private licenses uses the matches_url method, which has a bug fixed by #739.

Does cargo-deny built from main fix this problem for you?

@kornelski
Author

kornelski commented Dec 23, 2024

I've tried a build from the latest commit f6e40d8

ignore-sources = [
   "git+ssh://[email protected]/internal_package1.git"
]

worked for me to fix this case:

cargo deny check licenses
error[unlicensed]: internal_package1 = 0.1.0 is unlicensed
  ┌─ git+ssh://[email protected]/internal_package1.git?branch=main#[email protected]:2:9
  │
2 │ name = "internal_package1"
  │         ━━━━━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "0.1.0"
4 │ license = ""
  │            ─ license expression was not specified
  │

but I can't figure out how to allow private packages from the current workspace and a private registry. I've tried all the combinations of registry URLs in licenses.private.registries and licenses.private.ignore-sources.

error[unlicensed]: internal_package2 = 2024.12.5 is unlicensed
  ┌─ path+file:///Users/me/internal_package2#2024.12.5:2:9
  │
2 │ name = "internal_package2"
  │         ━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "2024.12.5"
4 │ license = ""
  │            ─ license expression was not specified
  │

error[unlicensed]: internal_package3 = 3.2.0 is unlicensed
  ┌─ sparse+https://internal.registry/index/#[email protected]:2:9
  │
2 │ name = "internal_package3"
  │         ━━━━━━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "3.2.0"
4 │ license = ""
  │            ─ license expression was not specified
  │

BTW, the error shows license = "", but the license field is completely absent in Cargo.toml of these packages.
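As an added illustration (not cargo-deny's own code), the following Python check reads `cargo metadata` output and reports crates with neither `license` nor `license-file` unless their source is the workspace, a listed private registry, or a listed ignore-source; the URL normalisation is what makes the `http://...` and `sparse+http://...` spellings tried above compare equal, and `?branch=`/`#commit` suffixes on git sources are ignored. The metadata, hosts and commit hash are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the "packages" array of `cargo metadata --format-version 1`.
# Hosts and the git commit hash are placeholders; "source" is null for workspace/path crates.
SAMPLE_METADATA = json.dumps({"packages": [
    {"name": "internal-only-crate", "version": "1.1.1", "license": None,
     "license_file": None, "source": "sparse+http://private.example.com/"},
    {"name": "internal_package1", "version": "0.1.0", "license": None, "license_file": None,
     "source": "git+ssh://git@example.com/internal_package1.git?branch=main#0123abcd"},
    {"name": "internal_package2", "version": "2024.12.5", "license": None,
     "license_file": None, "source": None},
    {"name": "serde", "version": "1.0.0", "license": "MIT OR Apache-2.0",
     "license_file": None, "source": "registry+https://github.com/rust-lang/crates.io-index"},
]})


def normalize_source(url):
    """Drop the cargo source-kind prefix (registry+, sparse+, git+), any ?query or
    #fragment (branch, commit) and the trailing slash, so the URL spellings the
    issue tries ("http://..." vs "sparse+http://...") compare equal."""
    for prefix in ("registry+", "sparse+", "git+"):
        if url.startswith(prefix):
            url = url[len(prefix):]
            break
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}".rstrip("/")


def is_private(pkg, registries, ignore_sources):
    """Workspace/path crates and crates from a listed registry or source count as private."""
    if pkg["source"] is None:
        return True
    norm = normalize_source(pkg["source"])
    return any(norm == normalize_source(u) for u in list(registries) + list(ignore_sources))


def unlicensed_public(metadata_json, registries=(), ignore_sources=()):
    """Return "name@version" for crates with neither `license` nor `license-file`
    that are NOT covered by the private configuration; these are the ones a
    license check should still report."""
    pkgs = json.loads(metadata_json)["packages"]
    return sorted(f'{p["name"]}@{p["version"]}' for p in pkgs
                  if not p.get("license") and not p.get("license_file")
                  and not is_private(p, registries, ignore_sources))


if __name__ == "__main__":
    print(unlicensed_public(SAMPLE_METADATA, registries=["http://private.example.com/"]))
```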
