
Add version = 2 #611

Merged
merged 3 commits into from
Feb 23, 2024

Conversation

Jake-Shadle
Member

@Jake-Shadle Jake-Shadle commented Feb 22, 2024

This is a follow up to #606 that actually provides a way to remove the deprecated fields and opt in to the new behavior until the fields are removed and the new behavior becomes the only behavior.

Basically, version = 2 can be added to the [advisories] and [licenses], which opts in to the new behavior, and means any of the deprecated keys no longer impact the results of the checks.

The new behavior is as follows:

[advisories]

  • vulnerability - deny
  • unmaintained - deny, old default = warn
  • unsound - deny, old default = warn
  • notice - deny, old default = warn
  • severity-threshold - CVSS severity no longer considered

Resolves: #449

[licenses]

unlicensed

New default of deny, old default was warn.

If a crate is unlicensed, a clarification can be used to assign a license based on one or more source files in the package

allow-osi-fsf-free

Old default was both, the new default is neither, i.e. it doesn't matter if the license is OSI and/or FSF free, only if it is in the allow (or exception) list.

copyleft

Old default was warn, the new default is deny; it only matters if the license is allowed in the allow or exception list.

Resolves: #602
Resolves: #354

default

Provided the default for a license not otherwise listed; now all licenses are denied unless explicitly in the allow or exception list.

deny

This list served no purpose: if the license is not in the allow or exception list, it is denied.
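Applied to a concrete file, the field-by-field mapping above looks like the following `deny.toml`. This is an added example, not the cargo-deny template or any project's configuration from this thread; the license list and the `RUSTSEC-0000-0000` advisory id are constructed placeholders, and the `[graph]` move and the `ignore` field are taken from the later comments on this page.

```toml
# deny.toml in the version = 2 form. Constructed example, not the cargo-deny
# template; each comment names the v1 key that the v2 setting replaces.

[graph]
# v1 had this as a top-level key; it was moved to [graph], not deprecated.
all-features = true

[advisories]
# Opting in: once version = 2 is set, any of the v1 keys listed below that
# are still present no longer influence the result of the check.
version = 2
# v1 keys dropped here and what the check does now:
#   vulnerability = "deny"        -> always deny
#   unmaintained  = "warn"        -> deny (there is no warn level in v2)
#   unsound       = "warn"        -> deny
#   notice        = "warn"        -> deny
#   severity-threshold = "medium" -> CVSS severity is no longer considered
# A v1 unmaintained = "warn" has no v2 equivalent; an advisory that has been
# reviewed and accepted is suppressed individually by its id instead.
# RUSTSEC-0000-0000 is a placeholder, not a real advisory id.
ignore = ["RUSTSEC-0000-0000"]

[licenses]
version = 2
# v1 keys dropped here:
#   unlicensed = "deny"            -> always deny (use a clarification to
#                                     assign a license from files in the crate)
#   allow-osi-fsf-free = "either"  -> neither: OSI/FSF status is irrelevant
#   copyleft = "warn"              -> deny unless the license is allowed
#   default = "deny"               -> every unlisted license is denied
#   deny = [...]                   -> redundant: not in allow means denied
# The allow list (plus exceptions) is now the only thing that is consulted.
allow = ["MIT", "Apache-2.0"]
```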

@Jake-Shadle Jake-Shadle merged commit c5721db into main Feb 23, 2024
9 checks passed
@Jake-Shadle Jake-Shadle deleted the cleanup-deprecations branch February 23, 2024 07:32
@ameknite

I don't like that to fix bugs, features are being removed.

Maybe this could help someone:

To check if a license is osi or fsf-free, check the SPDX License List: https://spdx.org/licenses/

To check if a license is copyleft you can search for the "same license" column here: https://choosealicense.com/appendix/

@Jake-Shadle
Member Author

I'll add this metadata to the output when a license has not been explicitly allowed, but the features that are being removed are just not useful and confusing to users.

Jake-Shadle added a commit that referenced this pull request Feb 28, 2024
With the new changes coming once #611 deprecations have been fully
removed, licenses will be rejected unless explicitly allowed. To help
users, rejected licenses will now have notes printed with the SPDX short
id, the full license name, and metadata for the license, eg.

```
= OpenSSL - OpenSSL License:
=   - FSF Free/Libre
= GPL-3.0 - GNU General Public License v3.0 only:
=  - **DEPRECATED**
=  - OSI approved
=  - FSF Free/Libre
=  - Copyleft
```

Additionally, the diagnostic for rejected expressions now only includes
the span information for rejected licenses, unless the log level is set
to info or higher via `-L info`.

Old:

```
error[rejected]: failed to satisfy license requirements
   ┌─ /home/jake/code/cargo-deny/deny.toml:71:15
   │
71 │ expression = "ISC AND MIT AND OpenSSL"
   │               ^^^-----^^^-----^^^^^^^
   │               │       │       │
   │               │       │       rejected: license was not explicitly allowed
   │               │       accepted: license is explicitly allowed
   │               license expression retrieved via user override
   │               accepted: license is explicitly allowed
   │
```

New:

```
error[rejected]: failed to satisfy license requirements
   ┌─ /home/jake/code/cargo-deny/deny.toml:71:31
   │
71 │ expression = "ISC AND MIT AND OpenSSL"
   │               ----------------^^^^^^^
   │               │               │
   │               │               rejected: license was not explicitly allowed
   │               license expression retrieved via user override
   │
```
github-merge-queue bot pushed a commit to bevyengine/bevy that referenced this pull request Mar 1, 2024
# Objective

Cargo-deny has been updated and now some keys are being deprecated.
Fix these warnings:
<details>

```
warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:6:1
  │
6 │ vulnerability = "deny"
  │ ^^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:7:1
  │
7 │ unmaintained = "deny"
  │ ^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:9:1
  │
9 │ notice = "deny"
  │ ^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:13:1
   │
13 │ unlicensed = "deny"
   │ ^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:14:1
   │
14 │ copyleft = "deny"
   │ ^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:15:1
   │
15 │ default = "deny"
   │ ^^^^^^^

warning[deprecated]: this key has been moved to [graph]
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:1:1
  │
1 │ all-features = true
  │ ^^^^^^^^^^^^
```
</details>

This also fixes CI by temporarily skipping the check for cpal
dependencies.
#11917 (comment)

## Solution

- Remove deprecated keys.
- Update the list of licenses allowed. (All these licenses are already
being used for some dependencies)
- Skip cpal dependencies to avoid failing in CI, while we wait for new
releases
#11917 (comment)
@LucasFA

LucasFA commented Mar 2, 2024

unmaintained - deny, old default = warn

Cargo deny warns me that the configuration field will be removed. If I understand correctly that it will have no option to only warn when encountering unmaintained crates, it seems a bit aggressive to me.

For context, I am collaborating on a project that depends on librespot, which while in development, has not seen a release in 2 years and thus depends on several unmaintained crates.

@Jake-Shadle
Member Author

https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-ignore-field-optional

spectria-limina pushed a commit to spectria-limina/bevy that referenced this pull request Mar 9, 2024
QuantumDancer added a commit to ALU-Schumacher/AUDITOR that referenced this pull request Mar 11, 2024
This commit removes all deprecated config options and sets the new
version of the `[advisories]` and `[licenses]` sections explicitly,
see EmbarkStudios/cargo-deny#611 for details.

It also moves the `targets` option into the `[graph]` section.
xv-ian-c added a commit to expressvpn/wolfssl-rs that referenced this pull request Mar 12, 2024
Several fields were deprecated and causing warnings, our settings match the new
default behaviour anyway.

See EmbarkStudios/cargo-deny#611 for more.
nicolasavru added a commit to wayland-transpositor/wprs that referenced this pull request Mar 20, 2024
nicolasavru added a commit to wayland-transpositor/wprs that referenced this pull request Mar 20, 2024
nicolasavru added a commit to wayland-transpositor/wprs that referenced this pull request Mar 20, 2024
Enselic added a commit to cargo-public-api/cargo-public-api that referenced this pull request Mar 21, 2024
ammernico added a commit to ammernico/butido that referenced this pull request Aug 14, 2024
Since we decided to update the current `deny.toml` instead of using the
template, I looked up where the template originated to check what had
changed since the `deny.toml` was introduced.

The `deny.toml` was created by commit:
1aae75b
on:
Fri Dec 4 14:27:08 2020 +0100

When looking for the last change in the `deny.toml` template in the repo
(https://github.com/EmbarkStudios/cargo-deny)
({repo_url}/commits/main/deny.template.toml)

The last commit was:
98946c8732f09f4e1cce3eae766d248d3afa7ef4
on:
Nov 9, 2020

The following comment describes the new default behavior in detail:
EmbarkStudios/cargo-deny#611
> This is a follow-up to #606 that actually provides a way to remove the
deprecated fields and opt in to the new behavior until the fields are
removed and the new behavior becomes the only behavior.

New default behavior for removed fields:
- `unlicensed = "deny"`
  New default: `deny`
- `copyleft = "deny"`
  New default: `deny`
- `allow-osi-fsf-free = "either"`
  New default: `neither`

> It doesn't matter if the license is OSI and/or FSF free, only if it is
in the allow (or exception) list.
ammernico added a commit to ammernico/butido that referenced this pull request Aug 14, 2024
ammernico added a commit to ammernico/butido that referenced this pull request Aug 14, 2024
inorick pushed a commit to eclipse-heimlig/heimlig that referenced this pull request Aug 20, 2024
SCingolani pushed a commit to eclipse-heimlig/heimlig that referenced this pull request Aug 21, 2024
* Do not require #![feature(offset_of)] as it was merged to stable

Set MSRV to 1.77

* Fix clippy warnings

* Update heapless dependency to 0.7.16

* Update deny.toml to new format

See
EmbarkStudios/cargo-deny#611
for details.

---------

Co-authored-by: Norbert Fabritius <norbert.fabritius@accenture.com>
@davidv1992

I am running into errors that refer to this for migration instructions, but am unclear on the migration path from the licenses keys. What should these be replaced with?

@Jake-Shadle
Member Author

All licenses are implicitly denied unless added to accept or exceptions

@aidanhs

aidanhs commented Aug 23, 2024

This change effectively blocks contributors to my project if an advisory has been issued since the last CI build. I'm fine with this for vulnerabilities as it gives me a heads up to fix it myself, but I don't really care if something has become unmaintained - I had previously set it to warn (as a nudge when I run CI checks locally).

Looks like I need to skip all advisory checks in CI now and have a separate checking script for local flow...which is a bit disappointing.

bitwizeshift added a commit to bitwizeshift/alloy-rs that referenced this pull request Aug 24, 2024
`cargo-deny` updates its specification in EmbarkStudios/cargo-deny#611
to remove a lot of existing keys that were previously allowed. This was
causing license failures that should have otherwise succeeded.

This updates the underlying configuration to fit the new v2 scheme so
that it will pass.
bitwizeshift added a commit to bitwizeshift/alloy-rs that referenced this pull request Aug 24, 2024
ammernico added a commit to ammernico/butido that referenced this pull request Aug 28, 2024
ammernico added a commit to ammernico/butido that referenced this pull request Aug 28, 2024
The fields got deprecated in version 0.14.12. The new default
behavior for the fields is:

- `unlicensed = "deny"`
  New default: `deny`
- `copyleft = "deny"`
  New default: `deny`
- `allow-osi-fsf-free = "either"`
  New default: `neither`
> It doesn't matter if the license is OSI and/or FSF free, only if it is
in the allow (or exception) list.

Link to the changelog:
https://github.com/EmbarkStudios/cargo-deny/blob/main/CHANGELOG.md#01412---2024-02-23

This pull request describes the changes and new default behavior in
more detail:
EmbarkStudios/cargo-deny#611
> This is a follow-up to #606 that actually provides a way to remove the
deprecated fields and opt in to the new behavior until the fields are
removed and the new behavior becomes the only behavior.

Since version 0.16.0 having these fields errors out.
https://github.com/EmbarkStudios/cargo-deny/blob/main/CHANGELOG.md#0160---2024-08-02
> ... making the usage of the deprecated fields into errors.

The diff in the comments contains the changes from the current cargo deny
template.

Signed-off-by: Nico Steinle <nico.steinle@eviden.com>
ammernico added a commit to ammernico/butido that referenced this pull request Aug 28, 2024
The fields were deprecated in version 0.14.12. The new default
behavior for the fields is:

- `unlicensed = "deny"`
  New default: `deny`
- `copyleft = "deny"`
  New default: `deny`
- `allow-osi-fsf-free = "either"`
  New default: `neither`
> It doesn't matter if the license is OSI and/or FSF free, only if it is
in the allow (or exception) list.

Link to the 0.14.12 changelog:
https://github.com/EmbarkStudios/cargo-deny/blob/main/CHANGELOG.md#01412---2024-02-23

This pull request describes the changes and new default behavior in
more detail:
EmbarkStudios/cargo-deny#611
> This is a follow-up to #606 that actually provides a way to remove the
deprecated fields and opt in to the new behavior until the fields are
removed and the new behavior becomes the only behavior.

Since version 0.16.0 having these fields errors out.
https://github.com/EmbarkStudios/cargo-deny/blob/main/CHANGELOG.md#0160---2024-08-02
> ... making the usage of the deprecated fields into errors.

The diff in the comments contains the changes from the current cargo deny
template.

Signed-off-by: Nico Steinle <nico.steinle@eviden.com>
davidben pushed a commit to google/boringssl that referenced this pull request Sep 16, 2024
See EmbarkStudios/cargo-deny#611

- Instead of using the template from deny.template.toml, just specify
  the fields that we need to be changed
- Added back comments on bans.allow, but the bssl-sys and bssl-crypto
  crates are not added to the allowlist because they are now allowed
  with `licenses.allow = ["ISC"]`.

Change-Id: I9e693780d902671444bf90b4d158d6e099e87ccb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/70147
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
martin-g added a commit to apache/avro-rs that referenced this pull request Sep 23, 2024
New https://embarkstudios.github.io/cargo-deny/index.html release emits
errors if the settings match the default ones ...

See EmbarkStudios/cargo-deny#611

Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>
@kornelski

Could cargo deny do the migration automatically? (preserving old meaning wherever possible)

I have hundreds of internal crates to update, and I'd rather not do that in a manual error-prone way.

@torokati44

torokati44 commented Sep 25, 2024

(I hate to say this, but this sounds like a perfect task to automate with an LLM. Show it an example before-after, and it should be able to rewrite the rest accordingly. Yes, still error-prone of course, but it's easier to just check than to do by hand. I think.)
