#spdx #verify #cargo-license #compliance #license

app cargo-license-verify

Cross-references actual LICENSE files against SPDX declarations in dependency Cargo.toml files

1 unstable release

0.1.0 Mar 7, 2026

#134 in Cargo plugins

MIT/Apache

35KB
737 lines

Disclaimer: If you didn't see my profile description: I am a biologist. I have some computer science background, but not coding. I am publishing some cargo crates and other little repos to (hopefully) meaningfully contribute to open-source projects (tactfully, I hope) and Rust in general with any extra Claude credits I have available. I am trying to ensure that any contributions I make are actually helpful, so any criticism or feedback on my approach would be greatly appreciated.

cargo-license-verify

A cargo subcommand that cross-references actual LICENSE files in dependency source code against the SPDX license declared in each crate's Cargo.toml. Catches "license bait-and-switch" where the declared license doesn't match the actual license file.

Installation

cargo install cargo-license-verify

Usage

cargo license-verify

Run in any Cargo project. It will:

  1. Read the license field from each dependency's Cargo.toml (SPDX expression like MIT OR Apache-2.0)
  2. Find actual license files (LICENSE, LICENSE-MIT, LICENSE-APACHE, COPYING, etc.) in each dependency's source
  3. Heuristically identify what license each file represents by scanning for key phrases
  4. Compare declared vs actual and report mismatches

Output

Results are grouped by status, with mismatches shown first:

  • MISMATCH - Declared license doesn't match detected license files
  • NO-LICENSE-FILE - License declared in Cargo.toml but no license file found
  • UNDETERMINED - License files found but couldn't identify the license type
  • MATCH - Declared license matches detected license files

Exit Codes

  • 0 - All dependencies match or are undetermined
  • 1 - At least one mismatch found
  • 2 - Error running the tool
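The four steps above, the four result statuses and the exit-code policy can be followed end to end in a small standalone program. The following is an added example written for this page, not the crate's own source (which is not shown here): the key-phrase table, the license-file excerpts and the dependency names are constructed, and step 2 (walking each dependency's source directory for LICENSE*, COPYING, etc.) is replaced by passing file contents in directly so it runs offline. It deliberately handles only the simple SPDX forms named under Limitations (a single id, `A OR B`, `A AND B`, plus Cargo's legacy `A/B` spelling), and it shows why keyword matching is a heuristic: a BSD-3-Clause file contains every BSD-2-Clause phrase, so signature order decides the answer.

```rust
// Added example, not the cargo-license-verify crate's own code: a minimal,
// dependency-free sketch of the declared-vs-detected license check the README
// describes. Phrase table, sample license texts and crate names are constructed.
use std::collections::BTreeSet;

/// Outcome for one dependency, mirroring the README's four output groups.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Status {
    Match,
    Mismatch,
    NoLicenseFile,
    Undetermined,
}

/// Key phrases that identify a license text (constructed for this example).
/// Every phrase must appear; order matters because a BSD-3 file also contains
/// every BSD-2 phrase, so the more specific signature is listed first.
const SIGNATURES: &[(&str, &[&str])] = &[
    ("MIT", &["permission is hereby granted, free of charge", "without restriction"]),
    ("Apache-2.0", &["apache license", "version 2.0"]),
    ("BSD-3-Clause", &["redistribution and use in source and binary forms", "neither the name"]),
    ("BSD-2-Clause", &["redistribution and use in source and binary forms"]),
    ("GPL-3.0", &["gnu general public license", "version 3"]),
];

/// Step 3: guess the license of one file from key phrases.
/// None means no signature matched (the UNDETERMINED case).
pub fn detect_license(text: &str) -> Option<&'static str> {
    let lower = text.to_lowercase();
    SIGNATURES
        .iter()
        .find(|(_, phrases)| phrases.iter().all(|p| lower.contains(p)))
        .map(|(id, _)| *id)
}

/// Step 1: pull the identifiers out of a *simple* SPDX expression
/// ("MIT", "MIT OR Apache-2.0", "MIT AND Apache-2.0"). The legacy slash form
/// "MIT/Apache-2.0" is read like OR. Nested and WITH expressions are out of
/// scope, as in the README's Limitations.
pub fn declared_ids(spdx: &str) -> BTreeSet<&str> {
    spdx.split(|c: char| c.is_whitespace() || c == '/')
        .map(|tok| tok.trim_matches(|c: char| c == '(' || c == ')'))
        .filter(|tok| !tok.is_empty() && !tok.eq_ignore_ascii_case("OR") && !tok.eq_ignore_ascii_case("AND"))
        .collect()
}

/// Step 4: compare the declared licenses with what the license files say.
/// `license_files` holds the contents of the files step 2 would have found.
pub fn verify(spdx: &str, license_files: &[&str]) -> Status {
    if license_files.is_empty() {
        return Status::NoLicenseFile;
    }
    let detected: BTreeSet<&str> = license_files.iter().filter_map(|t| detect_license(t)).collect();
    if detected.is_empty() {
        return Status::Undetermined;
    }
    let declared = declared_ids(spdx);
    // "A AND B": exactly the declared set must be present.
    // "A OR B" or a single id: whatever ships must be one of the declared options.
    let conjunctive = spdx.to_ascii_uppercase().contains(" AND ");
    let ok = if conjunctive { detected == declared } else { detected.is_subset(&declared) };
    if ok { Status::Match } else { Status::Mismatch }
}

/// Exit-code policy from the README: 1 if any dependency mismatches, else 0.
/// Code 2 (tool error, e.g. an unreadable Cargo.toml) belongs to the I/O layer
/// this sketch omits.
pub fn exit_code(results: &[Status]) -> i32 {
    if results.contains(&Status::Mismatch) { 1 } else { 0 }
}

// Constructed excerpts standing in for files read from each dependency's source.
pub const SAMPLE_MIT: &str = "Copyright (c) 2026 Example Author\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software.";
pub const SAMPLE_APACHE: &str = "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION";
pub const SAMPLE_GPL3: &str = "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n\nCopyright (C) 2007 Free Software Foundation, Inc.";
pub const SAMPLE_CUSTOM: &str = "You may use this code as long as you send the author a postcard.";

fn main() {
    // Hypothetical dependencies: (crate name, declared SPDX, license-file contents).
    let deps = [
        ("dual-licensed", "MIT OR Apache-2.0", vec![SAMPLE_MIT, SAMPLE_APACHE]),
        ("ships-one-file", "MIT OR Apache-2.0", vec![SAMPLE_MIT]),
        ("bait-and-switch", "MIT", vec![SAMPLE_GPL3]), // declared MIT, file is GPL-3.0
        ("no-file", "MIT", vec![]),
        ("custom-terms", "MIT", vec![SAMPLE_CUSTOM]),
        ("needs-both", "MIT AND Apache-2.0", vec![SAMPLE_MIT]),
    ];
    let mut results: Vec<(&str, Status)> = deps.iter().map(|(n, s, f)| (*n, verify(s, f))).collect();
    // README: results are grouped by status with mismatches shown first.
    results.sort_by_key(|(_, st)| *st != Status::Mismatch);
    for (name, status) in &results {
        println!("{status:?}: {name}");
    }
    let statuses: Vec<Status> = results.iter().map(|(_, s)| *s).collect();
    std::process::exit(exit_code(&statuses));
}
```

The `AND` branch is the strict one: with `MIT AND Apache-2.0` declared, a dependency shipping only LICENSE-MIT is reported as a mismatch, whereas under `MIT OR Apache-2.0` the same tree passes because either file satisfies the disjunction. A tree that ships a GPL-3.0 file while declaring `MIT` is the bait-and-switch case the README is aimed at, and a file the phrase table cannot classify lands in UNDETERMINED rather than being silently accepted or rejected.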

Supported Licenses

Heuristic identification supports these common licenses:

  • MIT
  • Apache-2.0
  • BSD-2-Clause, BSD-3-Clause
  • GPL-2.0, GPL-3.0
  • LGPL-2.1, LGPL-3.0
  • AGPL-3.0
  • MPL-2.0
  • ISC
  • Unlicense
  • Zlib
  • BSL-1.0 (Boost)
  • CC0-1.0
  • 0BSD

Limitations

  • License identification is heuristic-based (keyword matching), not a full text comparison
  • Only handles simple SPDX expressions (MIT, Apache-2.0, MIT OR Apache-2.0)
  • Does not analyze license compatibility or transitive license propagation

License

Licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Dependencies

~0.5–3MB
~59K SLoC