Cargo Deny

cargo-deny is a cargo plugin that lets you lint your project's dependency graph to ensure all your dependencies conform to your expectations and requirements. It helps you enforce license policies, detect and prevent insecure or unwanted dependencies, and maintain code quality in your Rust projects.

Quickstart

To use cargo-deny, you need to install it first. You can do this by running the following command in your terminal:

cargo install --locked cargo-deny

The following one-liner installs cargo-deny, initializes your project with a default configuration, then runs all of the checks against your project:

cargo install --locked cargo-deny && cargo deny init && cargo deny check

Command Line Interface

The init command (cargo deny init)

cargo-deny's configuration is a little bit complicated, so we provide the init command to create a configuration file from a template for you to give you a starting point for configuring how you want cargo-deny to lint your project.

The init command can take a path as an argument to use as the path of the config instead of the default, which is cwd/deny.toml.

cargo deny init

or

cargo deny init path/to/deny.toml

The check command (cargo deny check)

The check command is the primary subcommand of cargo-deny as it is what actually runs through all of the crates in your project and checks them against your configuration.

Usage: cargo-deny check [OPTIONS] [WHICH]...

Arguments

advisories

The advisories check is used to detect issues for crates by looking in an advisory database.

cargo deny check advisories

bans

The bans check is used to deny (or allow) specific crates, as well as detect and handle multiple versions of the same crate.

cargo deny check bans

licenses

The licenses check is used to verify that every crate you use has license terms you find acceptable. cargo-deny does this by evaluating the license requirements specified by each crate against the configuration you've specified, to determine if your project meets that crate's license requirements.

cargo deny check licenses

sources

The sources check ensures crates only come from sources you trust.

cargo deny check sources
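As an added, annotated deny.toml example (not a file from the cargo-deny project itself) showing how each of the four checks above is configured with the stricter setting chosen wherever there is one; the key names follow the cargo-deny configuration format as I know it and may differ between versions, and the allow-lists and the banned crate are assumptions to adapt to your own policy:

```toml
# deny.toml: one section per check. Added example; adapt the lists to your policy.

[advisories]
# Advisory database(s) fetched and consulted by `cargo deny check advisories`.
db-urls = ["https://github.com/rustsec/advisory-db"]
# A yanked crate was withdrawn by its publisher; treat depending on one as an error.
yanked = "deny"
# Advisory ids to ignore (e.g. "RUSTSEC-0000-0000"); an empty list ignores nothing.
ignore = []

[licenses]
# A crate passes only if its license expression is satisfied by these SPDX ids.
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]
# Minimum confidence when a license is inferred from a LICENSE file rather than
# declared in Cargo.toml; raise it to accept only near-exact text matches.
confidence-threshold = 0.9

[bans]
# Several versions of one crate mean more code to audit and patch; surface them.
multiple-versions = "warn"
# A "*" version requirement gives up control over what gets pulled in.
wildcards = "deny"
# Crates that must not appear anywhere in the graph (assumed policy choice).
deny = [
    { name = "openssl" },
]
# Duplicate versions you have reviewed and accept, e.g. { name = "syn", version = "=1.0.109" }.
skip = []

[sources]
# Any crate that comes from a registry or git repository not listed below fails.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```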

Options

-A, --allow Set lint allowed

--audit-compatible-output To ease the transition from cargo-audit to cargo-deny, this flag tells cargo-deny to produce exactly the same output as cargo-audit would, on stdout instead of stderr, just as cargo-audit does.

Note that this flag only applies when the output format is JSON, and that since cargo-deny supports multiple advisory databases, instead of a single JSON object there will be one for each unique advisory database.

-c, --config Path to the config to use

Defaults to cwd/deny.toml if not specified

-d, --disable-fetch Disable fetching of the advisory database

When running the advisories check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally.

This option is also set if the --offline flag is used in the global options.

--exclude-dev If set to true, all dev-dependencies, even those of workspace crates, are excluded from the crate graph used for any of the checks.

-D, --deny Set lint denied

--feature-depth Specifies the depth at which feature edges are added in inclusion graphs

-g, --graph Path to graph_output root directory

If set, a dotviz graph will be created for whenever multiple versions of the same crate are detected.

--hide-inclusion-graph Hides the inclusion graph when printing out info for a crate

By default, if a diagnostic message pertains to a specific crate, cargo-deny will append an inverse dependency graph to the diagnostic to show you how that crate was pulled into your project.

some diagnostic message

the-crate
├── a-crate
└── b-crate
    └── c-crate

-s, --show-stats Show stats for all the checks, regardless of the log-level

-W, --warn Set lint warnings

FAQ

Allow accepting any license of a package

  • Question: a valid license expression could not be retrieved for the crate. Error output:

error[L003]: ring = 0.16.20 is unlicensed
  ┌─ ring 0.16.20 (registry+https://github.com/rust-lang/crates.io-index):2:9
  │
2 │ name = "ring"
  │         ^^^^ a valid license expression could not be retrieved for the crate
3 │ version = "0.16.20"
4 │ license = ""
  │           - license expression was not specified
5 │ license-files = [
6 │     { path = "LICENSE", hash = 0xbd0eed23, score = 0.67, license = "OpenSSL" },

How to resolve it? In the deny.toml file, add the following clarification entry, which tells cargo-deny which license expression to use for the crate and pins it to the hash of the LICENSE file it was derived from:

[[licenses.clarify]]
name = "ring"
# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
# https://spdx.org/licenses/OpenSSL.html
# ISC - Both BoringSSL and ring use this for their new files
# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
# license, for third_party/fiat, which, unlike other third_party directories, is
# compiled into non-test libraries, is included below."
# OpenSSL - Obviously
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]