replace unused cargo-deny check with a new cargo-deny-licenses job (#13956)

* ci: remove the cargo-deny job

It's been broken and disabled for quite a while, and per internal
discussion there doesn't seem to be any interest in fixing it and
actually using the job output for anything.

* ci: add new cargo-deny-licenses job

It'll run on all PRs and fail if external dependencies with unsuitable
licenses are detected.

substrate/.gitlab-ci.yml

@@ -215,11 +215,6 @@ default:
 .zombienet-refs:
   extends: .build-refs
 
-.nightly-pipeline:
-  rules:
-    # this job runs only on nightly pipeline with the mentioned variable, against `master` branch
-    - if: $CI_COMMIT_REF_NAME == "master" && $CI_PIPELINE_SOURCE == "schedule" && $PIPELINE == "nightly"
-
 .crates-publishing-variables:
   variables:
     CRATESIO_CRATES_OWNER: parity-crate-owner

substrate/scripts/ci/deny.toml

@@ -1,87 +1,19 @@
-# This template contains all of the possible sections and their default values
-
-# Note that all fields that take a lint level have these possible values:
-# * deny - An error will be produced and the check will fail
-# * warn - A warning will be produced, but the check will not fail
-# * allow - No warning or error will be produced, though in some cases a note
-# will be
-
-# The values provided in this template are the default values that will be used
-# when any section or field is not specified in your own configuration
-
-# If 1 or more target triples (and optionally, target_features) are specified,
-# only the specified targets will be checked when running `cargo deny check`.
-# This means, if a particular package is only ever used as a target specific
-# dependency, such as, for example, the `nix` crate only being used via the
-# `target_family = "unix"` configuration, that only having windows targets in
-# this list would mean the nix crate, as well as any of its exclusive
-# dependencies not shared by any other crates, would be ignored, as the target
-# list here is effectively saying which targets you are building for.
-targets = [
-    # The triple can be any string, but only the target triples built in to
-    # rustc (as of 1.40) can be checked against actual config expressions
-    #{ triple = "x86_64-unknown-linux-musl" },
-    # You can also specify which target_features you promise are enabled for a
-    # particular target. target_features are currently not validated against
-    # the actual valid features supported by the target architecture.
-    #{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
-]
-
-# This section is considered when running `cargo deny check advisories`
-# More documentation for the advisories section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
-[advisories]
-# The path where the advisory database is cloned/fetched into
-db-path = "~/.cargo/advisory-db"
-# The url of the advisory database to use
-db-url = "https://github.com/rustsec/advisory-db"
-# The lint level for security vulnerabilities
-vulnerability = "deny"
-# The lint level for unmaintained crates
-unmaintained = "warn"
-# The lint level for crates that have been yanked from their source registry
-yanked = "warn"
-# The lint level for crates with security notices. Note that as of
-# 2019-12-17 there are no security notice advisories in
-# https://github.com/rustsec/advisory-db
-notice = "warn"
-# A list of advisory IDs to ignore. Note that ignored advisories will still
-# output a note when they are encountered.
-ignore = [
-    #"RUSTSEC-0000-0000",
-]
-# Threshold for security vulnerabilities, any vulnerability with a CVSS score
-# lower than the range specified will be ignored. Note that ignored advisories
-# will still output a note when they are encountered.
-# * None - CVSS Score 0.0
-# * Low - CVSS Score 0.1 - 3.9
-# * Medium - CVSS Score 4.0 - 6.9
-# * High - CVSS Score 7.0 - 8.9
-# * Critical - CVSS Score 9.0 - 10.0
-#severity-threshold = 
-
-# This section is considered when running `cargo deny check licenses`
-# More documentation for the licenses section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
 # The lint level for crates which do not have a detectable license
 unlicensed = "deny"
-# List of explictly allowed licenses
+# List of explicitly allowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
-# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
-    #"MIT",
-    #"Apache-2.0",
-    #"Apache-2.0 WITH LLVM-exception",
+    "MPL-2.0",
 ]
-# List of explictly disallowed licenses
+# List of explicitly disallowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
-# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 deny = [
-    #"Nokia",
 ]
 # Lint level for licenses considered copyleft
-copyleft = "allow"
+copyleft = "deny"
 # Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
 # * both - The license will be approved if it is both OSI-approved *AND* FSF
 # * either - The license will be approved if it is either OSI-approved *OR* FSF
@@ -98,13 +30,69 @@ default = "deny"
 # The higher the value, the more closely the license text must be to the
 # canonical license text of a valid SPDX license file.
 # [possible values: any between 0.0 and 1.0].
-confidence-threshold = 0.9
+confidence-threshold = 0.8
 # Allow 1 or more licenses on a per-crate basis, so that particular licenses
 # aren't accepted for every possible crate as with the normal allow list
 exceptions = [
-    # Each entry is the crate and version constraint, and its specific allow
-    # list
-    #{ allow = ["Zlib"], name = "adler32", version = "*" },
+    # Each entry is the crate and version constraint, and its specific allow list
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "chain-spec-builder" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "mmr-gadget" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "node-bench" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "node-cli" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "node-inspect" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "node-testing" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-authority-discovery" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-basic-authorship" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-block-builder" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-chain-spec" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-chain-spec-derive" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-cli" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-client-api" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-client-db" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-aura" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-babe" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-babe-rpc" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-beefy" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-beefy-rpc" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-epochs" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-grandpa" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-grandpa-rpc" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-manual-seal" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-pow" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-consensus-slots" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-executor" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-executor-common" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-executor-wasmi" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-executor-wasmtime" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-informant" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-keystore" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-bitswap" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-common" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-gossip" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-light" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-sync" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-test" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-network-transactions" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-offchain" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-peerset" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-proposer-metrics" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-rpc" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-rpc-api" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-rpc-server" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-rpc-spec-v2" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-runtime-test" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-service" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-service-test" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-state-db" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-storage-monitor" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-sysinfo" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-telemetry" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-tracing" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-transaction-pool" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "sc-transaction-pool-api" },
+    { allow = ["GPL-3.0 WITH Classpath-exception-2.0"], name = "subkey" },
 ]
 
 # Some crates don't have (easily) machine readable licensing information,
@@ -113,10 +101,8 @@ exceptions = [
 [[licenses.clarify]]
 # The name of the crate the clarification applies to
 name = "ring"
-# THe optional version constraint for the crate
-#version = "*"
 # The SPDX expression for the license requirements of the crate
-expression = "OpenSSL"
+expression = "MIT AND ISC AND OpenSSL"
 # One or more files in the crate's source used as the "source of truth" for
 # the license expression. If the contents match, the clarification will be used
 # when running the license check, otherwise the clarification will be ignored
@@ -126,67 +112,3 @@ license-files = [
     # Each entry is a crate relative path, and the (opaque) hash of its contents
     { path = "LICENSE", hash = 0xbd0eed23 }
 ]
-[[licenses.clarify]]
-name = "webpki"
-expression = "ISC"
-license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
-
-[licenses.private]
-# If true, ignores workspace crates that aren't published, or are only
-# published to private registries
-ignore = false
-# One or more private registries that you might publish crates to, if a crate
-# is only published to private registries, and ignore is true, the crate will
-# not have its license(s) checked
-registries = [
-    #"https://sekretz.com/registry
-]
-
-# This section is considered when running `cargo deny check bans`.
-# More documentation about the 'bans' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
-[bans]
-# Lint level for when multiple versions of the same crate are detected
-multiple-versions = "warn"
-# The graph highlighting used when creating dotgraphs for crates
-# with multiple versions
-# * lowest-version - The path to the lowest versioned duplicate is highlighted
-# * simplest-path - The path to the version with the fewest edges is highlighted
-# * all - Both lowest-version and simplest-path are used
-highlight = "lowest-version"
-# List of crates that are allowed. Use with care!
-allow = [
-    #{ name = "ansi_term", version = "=0.11.0" },
-]
-# List of crates to deny
-deny = [
-    # Each entry the name of a crate and a version range. If version is
-    # not specified, all versions will be matched.
-]
-# Certain crates/versions that will be skipped when doing duplicate detection.
-skip = [
-    #{ name = "ansi_term", version = "=0.11.0" },
-]
-# Similarly to `skip` allows you to skip certain crates during duplicate 
-# detection. Unlike skip, it also includes the entire tree of transitive 
-# dependencies starting at the specified crate, up to a certain depth, which is
-# by default infinite
-skip-tree = [
-    #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
-]
-
-# This section is considered when running `cargo deny check sources`.
-# More documentation about the 'sources' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
-[sources]
-# Lint level for what to happen when a crate from a crate registry that is not
-# in the allow list is encountered
-unknown-registry = "deny"
-# Lint level for what to happen when a crate from a git repository that is not
-# in the allow list is encountered
-unknown-git = "warn"
-# List of URLs for allowed crate registries. Defaults to the crates.io index
-# if not specified. If it is specified but empty, no registries are allowed.
-allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-# List of URLs for allowed Git repositories
-allow-git = []

substrate/scripts/ci/gitlab/pipeline/test.yml

@@ -21,27 +21,27 @@ find-fail-ci-phrase:
       exit 0;
       fi
 
-cargo-deny:
+cargo-deny-licenses:
   stage: test
   extends:
     - .docker-env
-    - .nightly-pipeline
+    - .test-refs
+  variables:
+    CARGO_DENY_CMD: "cargo deny --all-features check licenses -c ./scripts/ci/deny.toml"
   script:
     - rusty-cachier snapshot create
-    - cargo deny check --hide-inclusion-graph -c ./scripts/ci/deny.toml
+    - $CARGO_DENY_CMD --hide-inclusion-graph
     - rusty-cachier cache upload
   after_script:
     - !reference [.rusty-cachier, after_script]
     - echo "___The complete log is in the artifacts___"
-    - cargo deny check -c ./scripts/ci/deny.toml 2> deny.log
+    - $CARGO_DENY_CMD 2> deny.log
   artifacts:
     name: $CI_COMMIT_SHORT_SHA
     expire_in: 3 days
     when: always
     paths:
       - deny.log
-  # FIXME: Temporarily allow to fail.
-  allow_failure: true
 
 cargo-fmt:
   stage: test