licenses

The licenses check is used to verify that every crate you use has license terms you find acceptable. cargo-deny does this by evaluating the license requirements specified by each crate against the configuration you've specified, to determine if your project meets that crate's license requirements.

cargo deny check licenses

SPDX

cargo-deny uses SPDX license expressions as the source of truth for the license requirements of a crate. Note however, that cargo-deny does not (currently)exhaustively search the entirety of the source code of every crate to find every possible license that could be attributed to the crate, as there are a ton of edge cases to that approach.

cargo-deny rather assumes that each crate correctly defines its license requirements, but it provides a mechanism for manually specifying the license requirements for crates in the, from our experience, rare circumstance that they cannot be gathered automatically.

Expression Source Precedence

The source of the SPDX expression used to evaluate the crate by is obtained in the following order.

  1. If the crate in question has a Clarification applied to it, and the source file(s) in the crate's source still match, the expression from the clarification will be used.
  2. The license field from the crate's Cargo.toml manifest will be used if it exists.
  3. The license-file field, as well as all other LICENSE(-*)? files will be parsed to determine the SPDX license identifier, and then all of those identifiers will be joined with the AND operator, meaning that you must accept all of the licenses detected.

Evaluation Precedence

Currently, the precedence for determining whether a particular license is accepted or rejected is as follows:

  1. A license specified in the deny list is always rejected.
  2. A license specified in the allow list is always accepted.
  3. If the license is considered copyleft, the [licenses.copyleft] configuration determines its status
  4. If the license is OSI Approved or FSF Free/Libre, the [licenses.allow-osi-fsf-free] configuration determines its status, if it is neither the check continues
  5. If the license does not match any of the above criteria, the [licenses.default] configuration determines its status