Cargo: check license is valid SPDX license expression #5974

@RAnders00

What it does

If a license field is defined in Cargo.toml, checks that the contents are a valid SPDX 2.1 license expression.

https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields
https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60 (Appendix IV: SPDX License Expressions)
https://github.com/spdx/license-list-data/tree/v3.6

idstring              = 1*(ALPHA / DIGIT / "-" / "." )

license-id            = <short form license identifier in Appendix I.1>

license-exception-id  = <short form license exception identifier in Appendix I.2>

license-ref           = ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)

simple-expression     = license-id / license-id"+" / license-ref

compound-expression   = 1*1(simple-expression /
                        simple-expression "WITH" license-exception-id /
                        compound-expression "AND" compound-expression /
                        compound-expression "OR" compound-expression ) /
                        "(" compound-expression ")" )

license-expression    = 1*1(simple-expression / compound-expression)

Categories (optional)

  • Kind: clippy::cargo

I'm not actually sure, it might be that crates.io checks the license field to be a valid expression. Even if that's the case, then it would still be nice to catch this sort of mistake earlier.

The lint should probably also deny specifying multiple licenses with /, which according to the documentation (see link above) is still accepted but not recommended:

Previously multiple licenses could be separated with a /, but that usage is deprecated.

Drawbacks

None that I can think of.

Example

E.g. MIT OR XD would be denied, since the XD license is not known. MIT/Apache-2.0 would get denied due to the deprecated slash syntax. An empty string would also get denied.
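
A sketch of the check requested above, following the grammar quoted in this issue. It is an added example, not code from Clippy or Cargo. The function names are hypothetical, and the license and exception lists are small constructed subsets standing in for the SPDX license list.

```rust
// Constructed subsets for illustration; a real lint would ship the full SPDX lists.
const LICENSES: &[&str] = &["MIT", "Apache-2.0", "GPL-2.0", "BSD-3-Clause"];
const EXCEPTIONS: &[&str] = &["LLVM-exception", "Classpath-exception-2.0"];
fn is_idstring(s: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
}
// simple-expression = license-id / license-id "+" / license-ref
fn is_simple(tok: &str) -> bool {
    let (doc, rest) = tok.split_once(':').unwrap_or(("DocumentRef-x", tok));
    match rest.strip_prefix("LicenseRef-") {
        Some(id) => is_idstring(id) && doc.strip_prefix("DocumentRef-").map_or(false, is_idstring),
        None => LICENSES.contains(&tok.strip_suffix('+').unwrap_or(tok)),
    }
}
// AND/OR share one loop: precedence changes grouping, not whether the expression is valid.
fn parse_expr(toks: &[&str], pos: &mut usize) -> Result<(), String> {
    loop {
        match toks.get(*pos).copied() {
            None => return Err("expected a license".into()),
            Some("(") => {
                *pos += 1;
                parse_expr(toks, pos)?;
                if toks.get(*pos).copied() != Some(")") { return Err("missing `)`".into()); }
            }
            Some(tok) => {
                if !is_simple(tok) { return Err(format!("unknown license `{tok}`")); }
                if toks.get(*pos + 1).copied() == Some("WITH") {
                    *pos += 2;
                    if !toks.get(*pos).map_or(false, |e| EXCEPTIONS.contains(e)) { return Err("unknown exception".into()); }
                }
            }
        }
        *pos += 1; // step past the last token of the operand just parsed
        match toks.get(*pos).copied() {
            Some("AND") | Some("OR") => *pos += 1,
            _ => return Ok(()),
        }
    }
}
pub fn check_license(field: &str) -> Result<(), String> {
    if field.contains('/') { return Err("`/` separator is deprecated, use `OR`".into()); }
    let spaced = field.replace('(', " ( ").replace(')', " ) ");
    let toks: Vec<&str> = spaced.split_whitespace().collect();
    let mut pos = 0;
    parse_expr(&toks, &mut pos)?;
    if pos == toks.len() { Ok(()) } else { Err(format!("unexpected `{}`", toks[pos])) }
}
fn main() {
    for f in ["MIT OR XD", "MIT/Apache-2.0", ""] { println!("{f:?}: {:?}", check_license(f)); }
}
```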

Labels

  • A-lint (Area: New lints)
  • E-medium (Call for participation: Medium difficulty level problem and requires some initial experience.)
  • T-cargo (Type: cargo related)