Ensures the dependencies you declare in your `THIRD_PARTY_NOTICES.md` are in sync with the actual dependencies of your Rust project.
At the moment the project is not on crates.io. To install it, with the Rust toolchain installed, you can run:

```sh
cargo install --git https://github.com/newrelic/rust-licenses-noticer.git
```
This project is mostly intended to be used in your CI/CD pipelines, to ensure that your attribution notices file is in sync with the actual dependencies of your project, so it requires a certain setup. You can use this project as a GitHub Action or as a stand-alone program. Read below for details.
The usage as a GitHub action assumes that you have a certain file in the root of your Rust project directory called `THIRD_PARTY_NOTICES.md`. This file lists the name of your dependencies, the URL in which they are located, and the licenses they distribute under. See this project's own `THIRD_PARTY_NOTICES.md` as an example.
The action will take a path to a template of your choice as its `template-file-path` input. Provided the template is compatible with Tera, a file will be rendered as `THIRD_PARTY_NOTICES.md` by using both the template and the metadata retrieved about your Rust project's dependencies with `cargo deny`. See our own example template located at `THIRD_PARTY_NOTICES.md.tmpl`, which is used to generate our `THIRD_PARTY_NOTICES.md`, for an idea of expected outputs.
Then, just use it inside your workflows.
```yaml
permissions:
  contents: read

on:
  push:

# See https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

name: ⚖ Third party licenses

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: newrelic/rust-licenses-noticer@main
        with:
          template-file-path: third_party_licenses_templates
          project-root: my-rust-project-directory # Optional
```
If the file rendered by the action does not match the contents of the committed file, the action fails, letting you know that you have to sync the file with your dependencies. You can do that by running `rust-licenses-noticer` as a program, locally in your project.
You'll need to have `cargo-deny` installed. Once you have it, retrieve the metadata about your Rust project's dependencies from the project root with something like this:

```sh
cargo deny --all-features --log-level off --manifest-path ./Cargo.toml list -l crate -f json
```

This will output JSON that you can pass as the `--dependencies` command line argument, as shown below.
```text
$ rust-licenses-noticer --help
Arguments for the CLI

Usage: rust-licenses-noticer [OPTIONS] --dependencies <DEPENDENCIES> --template-file <TEMPLATE_FILE>

Options:
  -d, --dependencies <DEPENDENCIES>    JSON string with the dependencies data as output by `cargo deny list -l crate -f json`
  -t, --template-file <TEMPLATE_FILE>  Path to the template file
  -o, --output-file <OUTPUT_FILE>      Path to the output file [default: THIRD_PARTY_NOTICES.md]
  -h, --help                           Print help
  -V, --version                        Print version
```
Provide a template compatible with Tera for `--template-file` to build the file output by `--output-file`.
For an example of actual usage as a program, check the golden tests at `tests/golden`, which contain a test that creates the command with the command line arguments and runs it.
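The following script is an added example and not part of the rust-licenses-noticer project. It wires the two steps above together the way the GitHub action does: render the notices file from the `cargo deny` metadata into a temporary file, then compare it with the committed `THIRD_PARTY_NOTICES.md` and fail when they differ. `render_notices` and `check_project` assume `cargo-deny` and `rust-licenses-noticer` are on `PATH` and that the template is named `THIRD_PARTY_NOTICES.md.tmpl` as in this README; `notices_in_sync` and `demo` use only `diff` and constructed files, so the comparison logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not rust-licenses-noticer's own code): a sync check for the
# attribution notices file, usable locally or as a CI step.
set -eu

# Render the notices file with the real tools. Assumes cargo-deny and
# rust-licenses-noticer are installed; the cargo deny invocation is the one
# shown in the README.
render_notices() {
  manifest="$1"; template="$2"; output="$3"
  deps="$(cargo deny --all-features --log-level off --manifest-path "$manifest" list -l crate -f json)"
  rust-licenses-noticer --dependencies "$deps" --template-file "$template" --output-file "$output"
}

# Compare a freshly rendered file with the committed one.
# Returns 0 when they are identical, 1 when they differ or the committed file
# is missing. Separate from render_notices so it can run without the tools.
notices_in_sync() {
  rendered="$1"; committed="$2"
  if [ ! -f "$committed" ]; then
    echo "error: $committed not found; run rust-licenses-noticer to create it" >&2
    return 1
  fi
  if diff -u "$committed" "$rendered"; then
    echo "$committed is in sync with the Cargo dependencies"
    return 0
  fi
  echo "error: $committed is out of date; re-run rust-licenses-noticer and commit the result" >&2
  return 1
}

# Full check for a project directory (default: current directory). Renders to
# a temporary file so the committed notices file is never overwritten.
check_project() {
  root="${1:-.}"; template="${2:-THIRD_PARTY_NOTICES.md.tmpl}"
  tmp="$(mktemp)"
  render_notices "$root/Cargo.toml" "$root/$template" "$tmp"
  if notices_in_sync "$tmp" "$root/THIRD_PARTY_NOTICES.md"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# Offline demonstration with constructed files (no cargo or noticer needed):
# an identical pair passes, a rendered file with one extra dependency fails.
demo() {
  dir="$(mktemp -d)"
  printf '# Third party notices\n\n- serde 1.0.0 (MIT OR Apache-2.0)\n' > "$dir/THIRD_PARTY_NOTICES.md"
  cp "$dir/THIRD_PARTY_NOTICES.md" "$dir/rendered.md"
  notices_in_sync "$dir/rendered.md" "$dir/THIRD_PARTY_NOTICES.md"
  printf '%s\n' '- newcrate 0.1.0 (MIT)' >> "$dir/rendered.md"
  if notices_in_sync "$dir/rendered.md" "$dir/THIRD_PARTY_NOTICES.md"; then
    rm -rf "$dir"; return 1   # must not happen: the extra line has to be detected
  fi
  rm -rf "$dir"
  return 0
}

# Run the real check when invoked as: sh check_notices.sh --check path/to/project
if [ "${1:-}" = "--check" ]; then
  check_project "${2:-.}"
fi
```

A non-zero exit from `check_project` is what makes a CI job fail, and the `diff -u` output tells you exactly which dependency lines changed, so the fix is always the same: re-run `rust-licenses-noticer` locally and commit the regenerated file.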
To build the project, if you have the Rust toolchain installed, just `cargo build --release` will suffice.
To run the tests, if you have the Rust toolchain installed, just `cargo test` will run all of them.
If you find any problems while using the library or have a doubt, please feel free to open an Issue, where the New Relic maintainers of this project will be able to help.
We encourage your contributions to improve [project name]! Keep in mind that when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.
If you have any questions, or to execute our corporate CLA (which is required if your contribution is on behalf of a company), drop us an email at opensource@newrelic.com.
As noted in our security policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.
If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through our bug bounty program.
If you would like to contribute to this project, review these guidelines.
To all contributors, we thank you! Without your contribution, this project would not be what it is today.
Rust Licenses Noticer is licensed under the Apache 2.0 License.
This project also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.