torrust / torrust-tracker

A modern and feature-rich (private) BitTorrent tracker.
https://torrust.com
GNU Affero General Public License v3.0

Review dependencies licences #269

Open josecelano opened 1 year ago

josecelano commented 1 year ago

Hey @da2ce7, I'm trying to find a tool to detect potential licence incompatibilities. So far I've found only a cargo subcommand to list your dependencies' licences:

$ cargo license
(Apache-2.0 OR MIT) AND BSD-3-Clause (1): encoding_rs
(MIT OR Apache-2.0) AND Unicode-DFS-2016 (1): unicode-ident
0BSD OR Apache-2.0 OR MIT (1): adler
AGPL-3.0 (5): torrust-tracker, torrust-tracker-configuration, torrust-tracker-located-error, torrust-tracker-primitives, torrust-tracker-test-helpers
Apache-2.0 (10): aquatic_udp_protocol, borsh-derive, borsh-derive-internal, borsh-schema-derive-internal, clang-sys, codespan-reporting, fragile, normalize-line-endings, openssl, sync_wrapper
Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT (5): io-lifetimes, linux-raw-sys, rustix, wasi, wasi
Apache-2.0 OR BSL-1.0 (1): ryu
Apache-2.0 OR ISC OR MIT (3): rustls, rustls-pemfile, sct
Apache-2.0 OR MIT (219): addr2line, ahash, ahash, android_system_properties, arc-swap, arrayvec, async-trait, autocfg, backtrace, base64, base64, bigdecimal, bip_bencode, bitflags, block-buffer, borsh, bufstream, bumpalo, cc, cexpr, cfg-if, chrono, cmake, config, core-foundation, core-foundation-sys, cpufeatures, crc32fast, crossbeam, crossbeam-channel, crossbeam-deque, crossbeam-epoch, crossbeam-queue, crossbeam-utils, crypto-common, cxx, cxx-build, cxxbridge-flags, cxxbridge-macro, derive_utils, digest, either, errno, error-chain, fallible-iterator, fallible-streaming-iterator, fastrand, flate2, fnv, foreign-types, foreign-types-shared, form_urlencoded, futures, futures-channel, futures-core, futures-executor, futures-io, futures-macro, futures-sink, futures-task, futures-util, getrandom, gimli, glob, hashbrown, hashbrown, hashlink, hermit-abi, hex, http, httparse, httpdate, hyper-tls, iana-time-zone, iana-time-zone-haiku, ident_case, idna, indexmap, io-enum, ipnet, itertools, itoa, js-sys, lazy_static, lazycell, lexical, lexical-core, lexical-parse-float, lexical-parse-integer, lexical-util, lexical-write-float, lexical-write-integer, libc, libz-sys, link-cplusplus, linked-hash-map, local-ip-address, lock_api, log, mime, minimal-lexical, mockall, mockall_derive, multimap, mysql, mysql_common, named_pipe, native-tls, num-bigint, num-integer, num-traits, num_cpus, object, once_cell, openssl-macros, openssl-probe, openssl-src, parking_lot, parking_lot_core, pathdiff, peeking_take_while, percent-encoding, pest, pest_derive, pest_generator, pest_meta, pin-project, pin-project-internal, pin-project-lite, pin-utils, pkg-config, ppv-lite86, predicates, predicates-core, predicates-tree, proc-macro-crate, proc-macro-hack, proc-macro2, quote, r2d2, rand, rand_chacha, rand_core, regex, regex-syntax, reqwest, ron, rustc-demangle, rustc-hash, rustc_version, rustversion, scheduled-thread-pool, scopeguard, scratch, security-framework, security-framework-sys, semver, serde, 
serde_bytes, serde_derive, serde_json, serde_path_to_error, serde_repr, serde_spanned, serde_urlencoded, serde_with, serde_with_macros, sha1, sha2, shlex, signal-hook-registry, simdutf8, smallvec, socket2, static_assertions, subprocess, syn, tempfile, thiserror, thiserror-impl, time, time, time-core, time-macros, tokio-rustls, toml, toml, toml_datetime, toml_edit, typenum, ucd-trie, unicode-bidi, unicode-normalization, unicode-width, url, uuid, vcpkg, version_check, wasm-bindgen, wasm-bindgen-backend, wasm-bindgen-futures, wasm-bindgen-macro, wasm-bindgen-macro-support, wasm-bindgen-shared, web-sys, winapi, winapi-i686-pc-windows-gnu, winapi-x86_64-pc-windows-gnu, windows-sys, windows-sys, windows-targets, windows_aarch64_gnullvm, windows_aarch64_msvc, windows_i686_gnu, windows_i686_msvc, windows_x86_64_gnu, windows_x86_64_gnullvm, windows_x86_64_msvc, yaml-rust
Apache-2.0 OR MIT OR Zlib (3): miniz_oxide, tinyvec, tinyvec_macros
BSD-3-Clause (3): bindgen, instant, neli
Custom License File (2): ring, webpki
ISC (4): forwarded-header-value, json5, libloading, untrusted
MIT (79): axum, axum-client-ip, axum-core, axum-server, binascii, bitvec, bytecheck, bytecheck_derive, bytes, convert_case, darling, darling_core, darling_macro, derive_more, difflib, dlv-list, downcast, errno-dragonfly, fern, float-cmp, frunk, frunk_core, frunk_derives, frunk_proc_macro_helpers, frunk_proc_macros, frunk_proc_macros_impl, funty, generic-array, h2, http-body, http-range-header, hyper, libsqlite3-sys, lru, matchit, memoffset, mio, nom, nonempty, openssl-sys, ordered-multimap, pem, ptr_meta, ptr_meta_derive, r2d2_mysql, r2d2_sqlite, radium, redox_syscall, rend, rkyv, rkyv_derive, rusqlite, rust-ini, rust_decimal, saturating, schannel, seahash, serde_bencode, slab, spin, strsim, tap, termtree, tokio, tokio-macros, tokio-native-tls, tokio-util, tower, tower-http, tower-layer, tower-service, tracing, tracing-core, try-lock, twox-hash, want, winnow, winreg, wyz
MIT OR Unlicense (5): aho-corasick, byteorder, memchr, termcolor, winapi-util
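
One way to act on that listing, as an added example (not from the thread or the Torrust project): parse the `cargo license` lines shown above and flag crates whose SPDX expression falls outside an allowlist, or whose licence string is not SPDX at all. `POLICY`, `is_allowed` and `review` are hypothetical names, and the allowlist contents are an assumption.

```python
import re

# Assumed allowlist for illustration; the real policy is the project's decision.
POLICY = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "0BSD", "Zlib", "Unlicense"}
LINE = re.compile(r"^(?P<expr>.+) \(\d+\): (?P<crates>.+)$")
# Lines copied from the `cargo license` output posted above.
SAMPLE = """\
(Apache-2.0 OR MIT) AND BSD-3-Clause (1): encoding_rs
(MIT OR Apache-2.0) AND Unicode-DFS-2016 (1): unicode-ident
Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT (5): io-lifetimes, linux-raw-sys, rustix, wasi, wasi
Custom License File (2): ring, webpki
"""

def is_allowed(expr, policy=POLICY):
    """OR passes if any branch is in the policy, AND only if every branch is."""
    # "X WITH exception" is kept as one token; None marks the end of input.
    toks = re.findall(r"[()]|[^\s()]+(?: WITH [^\s()]+)?", expr) + [None]
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            ok = chain("OR")
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parenthesis")
            return ok
        if tok in (None, ")", "AND", "OR"):
            raise ValueError("expected a licence id")
        return tok in policy
    def chain(op):
        # AND binds tighter than OR, so an OR chain is built from AND chains.
        operand = atom if op == "AND" else lambda: chain("AND")
        vals = [operand()]
        while toks[0] == op:
            toks.pop(0)
            vals.append(operand())
        return all(vals) if op == "AND" else any(vals)
    ok = chain("OR")
    if toks != [None]:
        raise ValueError("not an SPDX expression")
    return ok

def review(output, policy=POLICY):
    """Map each crate that needs a human look to its licence string and reason."""
    flagged = {}
    for m in filter(None, map(LINE.match, output.splitlines())):
        try:
            why = "" if is_allowed(m["expr"], policy) else "outside the policy"
        except ValueError:
            why = "not an SPDX expression"
        for crate in m["crates"].split(", ") if why else ():
            flagged[crate] = f"{m['expr']}: {why}"
    return flagged
```

`review(SAMPLE)` flags `unicode-ident` (the `AND Unicode-DFS-2016` term is outside the assumed allowlist) and `ring` and `webpki` (their "Custom License File" entry cannot be evaluated and has to be read by hand).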

alexohneander commented 12 months ago

Hi @josecelano do you know: https://snyk.io/product/open-source-security-management/license-compliance/

josecelano commented 12 months ago

> Hi @josecelano do you know: https://snyk.io/product/open-source-security-management/license-compliance/

Hi @alexohneander, I knew Snyk for checking the dockerfile vulnerabilities but I did not know they have this feature to check licenses. That feature requires a paid subscription.