I wanted to start using `cargo-deny` for only one feature: catching accidental uses of an unwanted crate. However, it seems that the functionality of `cargo-deny` is all-or-nothing, and set to very strict requirements, which makes it difficult and laborious to adopt.
I could not find a way to disable checking of RustSec advisories, and I couldn't find a way to downgrade "unmaintained" advisories to a warning. To me these advisories are not urgent, and don't justify stopping CI jobs. I don't see a way to use `cargo-deny` without it failing checks and requiring immediate action whenever some dependency gets marked as unmaintained.
I also couldn't find a way to either disable or easily set up checking of licenses. The `cargo deny init` command doesn't populate `licenses.allow` with the currently used licenses. I don't see any shortcut to allow all standard "permissive" licenses, so the setup requires copy'n'pasting a bunch of license names.
The internal projects I work on have private git dependencies with missing license information (`license = ""`), and `cargo-deny` doesn't like that. I don't see a good option to deal with this. There's `licenses.private.registries` (not working?), but there isn't a similar list for git repos. `licenses.clarify` needs to be set per crate, and requires an SPDX expression, which doesn't allow proprietary private-use-only licenses.
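As an added illustration of the configuration surface the issue is talking about (this is not the issue author's config and not a file from the cargo-deny project), here is a minimal `deny.toml` that turns the "catch one unwanted crate" goal into a `[bans]` rule while keeping the other checks deliberately lenient. The crate name and the license list are placeholders, and the `[advisories]` severity keys are assumed to follow the cargo-deny documentation of the version in use; confirm them against that version's docs before relying on them.

```toml
# Added example deny.toml (not from the cargo-deny project or the issue author).
# "some-unwanted-crate" and the license identifiers are placeholders.

[bans]
# The single check the issue wants: fail if this crate ever enters the dependency graph.
deny = [
    { name = "some-unwanted-crate" },   # placeholder crate name
]
# Duplicate crate versions are common in real graphs; warn rather than fail.
multiple-versions = "warn"

[advisories]
# Keep known vulnerabilities fatal, but only warn on "unmaintained" advisories.
# Key names assumed from the cargo-deny docs; newer releases have restructured this table.
vulnerability = "deny"
unmaintained = "warn"

[licenses]
# Explicit allow-list; only SPDX identifiers are accepted here.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]

[licenses.private]
# Skip license checks for workspace crates that are not published.
ignore = true
```

Independently of the config file, the `check` subcommand takes the name of a single check, so `cargo deny check bans` runs only the bans rule above and leaves advisories and licenses out of that CI step entirely; the comment below about a config option is about not having to remember that argument.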
A config option would be useful, because other collaborators wouldn't need to be instructed to run with specific args, and wonder why the checks are failing in the default configuration.