Add notes to rejected licenses (#618)

With the new changes coming once #611 deprecations have been fully
removed, licenses will be rejected unless explicitly allowed. To help
users, rejected licenses will now have notes printed with the SPDX short
id, the full license name, and metadata for the license, eg.

```
= OpenSSL - OpenSSL License:
=   - FSF Free/Libre
= GPL-3.0 - GNU General Public License v3.0 only:
=  - **DEPRECATED**
=  - OSI approved
=  - FSF Free/Libre
=  - Copyleft
```

Additionally, the diagnostic for rejected expressions now only includes
the span information for rejected licenses, unless the log level is set
to info or higher via `-L info`.

Old:

```
error[rejected]: failed to satisfy license requirements
   ┌─ /home/jake/code/cargo-deny/deny.toml:71:15
   │
71 │ expression = "ISC AND MIT AND OpenSSL"
   │               ^^^-----^^^-----^^^^^^^
   │               │       │       │
   │               │       │       rejected: license was not explicitly allowed
   │               │       accepted: license is explicitly allowed
   │               license expression retrieved via user override
   │               accepted: license is explicitly allowed
   │
```

New:

```
error[rejected]: failed to satisfy license requirements
   ┌─ /home/jake/code/cargo-deny/deny.toml:71:31
   │
71 │ expression = "ISC AND MIT AND OpenSSL"
   │               ----------------^^^^^^^
   │               │               │
   │               │               rejected: license was not explicitly allowed
   │               license expression retrieved via user override
   │
```

deny.toml

@@ -52,15 +52,10 @@ allow = [
     "ISC",
 ]
 exceptions = [
-    { allow = [
-        "Zlib",
-    ], crate = "tinyvec" },
-    { allow = [
-        "Unicode-DFS-2016",
-    ], crate = "unicode-ident" },
-    { allow = [
-        "OpenSSL",
-    ], crate = "ring" },
+    # Use exceptions for these as they only have a single user
+    { allow = ["Zlib"], crate = "tinyvec" },
+    { allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
+    { allow = ["OpenSSL"], crate = "ring" },
 ]
 
 # Sigh

src/cargo-deny/check.rs

@@ -343,6 +343,8 @@ pub(crate) fn cmd(
     let colorize = log_ctx.format == crate::Format::Human
         && crate::common::should_colorize(log_ctx.color, std::io::stderr());
 
+    let log_level = log_ctx.log_level;
+
     rayon::scope(|s| {
         // Asynchronously displays messages sent from the checks
         s.spawn(|_| {
@@ -372,6 +374,7 @@ pub(crate) fn cmd(
                 krate_spans: &krate_spans,
                 serialize_extra,
                 colorize,
+                log_level,
             };
 
             s.spawn(move |_| {
@@ -421,6 +424,7 @@ pub(crate) fn cmd(
                 krate_spans: &krate_spans,
                 serialize_extra,
                 colorize,
+                log_level,
             };
 
             s.spawn(|_| {
@@ -444,6 +448,7 @@ pub(crate) fn cmd(
                 krate_spans: &krate_spans,
                 serialize_extra,
                 colorize,
+                log_level,
             };
 
             s.spawn(|_| {
@@ -467,6 +472,7 @@ pub(crate) fn cmd(
                 krate_spans: &krate_spans,
                 serialize_extra,
                 colorize,
+                log_level,
             };
 
             s.spawn(move |_| {

src/lib.rs

@@ -445,6 +445,9 @@ pub struct CheckCtx<'ctx, T> {
     pub serialize_extra: bool,
     /// Allows for ANSI colorization of diagnostic content
     pub colorize: bool,
+    /// Log level specified by the user, may be used by checks to determine what
+    /// information to emit in diagnostics
+    pub log_level: log::LevelFilter,
 }
 
 /// Checks if a version satisfies the specifies the specified version requirement.

src/licenses.rs

@@ -34,7 +34,7 @@ struct Hits {
 }
 
 fn evaluate_expression(
-    cfg: &cfg::ValidConfig,
+    ctx: &crate::CheckCtx<'_, cfg::ValidConfig>,
     krate_lic_nfo: &KrateLicense<'_>,
     expr: &spdx::Expression,
     nfo: &LicenseExprInfo,
@@ -73,6 +73,8 @@ fn evaluate_expression(
 
     let mut warnings = 0;
 
+    let cfg = &ctx.cfg;
+
     // Check to see if the crate matches an exception, which is additional to
     // the general allow list
     let exception_ind = cfg
@@ -228,7 +230,37 @@ fn evaluate_expression(
         ),
     );
 
-    for (reason, failed_req) in reasons.into_iter().zip(expr.requirements()) {
+    let mut notes = Vec::new();
+
+    for ((reason, accepted), failed_req) in reasons.into_iter().zip(expr.requirements()) {
+        if accepted && ctx.log_level < log::LevelFilter::Info {
+            continue;
+        }
+
+        if severity == Severity::Error {
+            if let Some(id) = failed_req.req.license.id() {
+                notes.push(format!("{} - {}:", id.name, id.full_name));
+
+                if id.is_deprecated() {
+                    notes.push("  - **DEPRECATED**".into());
+                }
+
+                if id.is_osi_approved() {
+                    notes.push("  - OSI approved".into());
+                }
+
+                if id.is_fsf_free_libre() {
+                    notes.push("  - FSF Free/Libre".into());
+                }
+
+                if id.is_copyleft() {
+                    notes.push("  - Copyleft".into());
+                }
+            } else {
+                notes.push(format!("{} is not an SPDX license", failed_req.req));
+            }
+        }
+
         labels.push(
             Label::primary(
                 nfo.file_id,
@@ -237,8 +269,8 @@ fn evaluate_expression(
             )
             .with_message(format!(
                 "{}: {}",
-                if reason.1 { "accepted" } else { "rejected" },
-                match reason.0 {
+                if accepted { "accepted" } else { "rejected" },
+                match reason {
                     Reason::Denied => "explicitly denied",
                     Reason::IsFsfFree =>
                         "license is FSF approved https://www.gnu.org/licenses/license-list.en.html",
@@ -273,6 +305,7 @@ fn evaluate_expression(
             diags::Code::Rejected
         })
         .with_labels(labels)
+        .with_notes(notes)
 }
 
 pub fn check(
@@ -317,7 +350,7 @@ pub fn check(
         match &krate_lic_nfo.lic_info {
             LicenseInfo::SpdxExpression { expr, nfo } => {
                 pack.push(evaluate_expression(
-                    &ctx.cfg,
+                    &ctx,
                     &krate_lic_nfo,
                     expr,
                     nfo,

src/test_utils.rs

@@ -276,6 +276,7 @@ where
                 cfg,
                 serialize_extra: true,
                 colorize: false,
+                log_level: log::LevelFilter::Info,
             };
             runner(ctx, newmap, tx, &mut files);
         },

tests/snapshots/licenses__accepts_exceptions.snap

@@ -81,6 +81,17 @@ expression: diags
         }
       ],
       "message": "failed to satisfy license requirements",
+      "notes": [
+        "Zlib - zlib License:",
+        "  - OSI approved",
+        "  - FSF Free/Libre",
+        "Apache-2.0 - Apache License 2.0:",
+        "  - OSI approved",
+        "  - FSF Free/Libre",
+        "MIT - MIT License:",
+        "  - OSI approved",
+        "  - FSF Free/Libre"
+      ],
       "severity": "error"
     },
     "type": "diagnostic"

tests/snapshots/licenses__handles_dev_dependencies.snap

@@ -46,6 +46,11 @@ expression: diags
         }
       ],
       "message": "failed to satisfy license requirements",
+      "notes": [
+        "MIT - MIT License:",
+        "  - OSI approved",
+        "  - FSF Free/Libre"
+      ],
       "severity": "error"
     },
     "type": "diagnostic"
@@ -85,6 +90,13 @@ expression: diags
         }
       ],
       "message": "failed to satisfy license requirements",
+      "notes": [
+        "GPL-3.0 - GNU General Public License v3.0 only:",
+        "  - **DEPRECATED**",
+        "  - OSI approved",
+        "  - FSF Free/Libre",
+        "  - Copyleft"
+      ],
       "severity": "error"
     },
     "type": "diagnostic"