Add cargo-auditable support for dependency SBOM embedding

Embeds cargo-auditable compatible dependency metadata (.dep-v0 section)
into Rust binaries and shared libraries. When enabled via
--@rules_rust//rust/settings:auditable=true, the build generates a JSON
dependency manifest, zlib-compresses it, and links it into the binary as
a .dep-v0 ELF section. This enables vulnerability scanning tools like
trivy/syft to extract dependency information from compiled binaries.

Key changes:
- New auditable_injector tool that generates platform-appropriate .dep-v0
  object files from JSON dependency manifests
- CrateInfo provider extended with pkg_name, version, and source fields
- New bool_flag //rust/settings:auditable to control the feature
- rust_binary and rust_shared_library gain an auditable_injector attribute
- Analysis tests verify action graph correctness

Author: Tamas Vajk

MODULE.bazel

@@ -20,6 +20,9 @@ bazel_dep(name = "apple_support", version = "1.24.1", repo_name = "build_bazel_a
 internal_deps = use_extension("//rust/private:internal_extensions.bzl", "i")
 use_repo(
     internal_deps,
+    "rra",
+    "rra__miniz_oxide-0.9.1",
+    "rra__object-0.39.1",
     "rrra",
     "rrra__anyhow-1.0.102",
     "rrra__camino-1.2.2",

WORKSPACE.bazel

@@ -26,6 +26,10 @@ load("@rules_rust//tools/rust_analyzer:deps.bzl", "rust_analyzer_dependencies")
 
 rust_analyzer_dependencies()
 
+load("@rules_rust//tools/auditable:deps.bzl", "auditable_dependencies")
+
+auditable_dependencies()
+
 load("@bazel_skylib//:workspace.bzl", "bazel_skylib_workspace")
 
 bazel_skylib_workspace()

cargo/private/BUILD.bazel

@@ -1,6 +1,10 @@
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 load("@bazel_skylib//rules:copy_file.bzl", "copy_file")
-load("//rust:defs.bzl", "rust_binary")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_binary(
     name = "copy_file",

cargo/private/cargo_build_script_runner/BUILD.bazel

@@ -1,4 +1,9 @@
-load("//rust:defs.bzl", "rust_binary", "rust_library", "rust_test")
+load("//rust:defs.bzl", "rust_library", "rust_test")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_library(
     name = "cargo_build_script_runner",

cargo/private/cargo_build_script_wrapper.bzl

@@ -7,7 +7,11 @@ load(
     "name_to_pkg_name",
     _build_script_run = "cargo_build_script",
 )
-load("//rust:defs.bzl", "rust_binary")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 def cargo_build_script(
         *,

cargo/private/cargo_toml_variable_extractor/BUILD.bazel

@@ -1,4 +1,7 @@
-load("//rust:defs.bzl", "rust_binary")
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_binary(
     name = "cargo_toml_variable_extractor",

rust/defs.bzl

@@ -84,14 +84,23 @@ rust_library = _rust_library
 rust_static_library = _rust_static_library
 # See @rules_rust//rust/private:rust.bzl for a complete description.
 
-rust_shared_library = _rust_shared_library
-# See @rules_rust//rust/private:rust.bzl for a complete description.
+_AUDITABLE_INJECTOR_SELECT = select({
+    str(Label("//rust/settings:auditable_enabled")): str(Label("//tools/auditable:auditable_injector")),
+    "//conditions:default": None,
+})
+
+def rust_shared_library(name, **kwargs):
+    """Builds a Rust shared library. See @rules_rust//rust/private:rust.bzl for a complete description."""
+    kwargs.setdefault("auditable_injector", _AUDITABLE_INJECTOR_SELECT)
+    _rust_shared_library(name = name, **kwargs)
 
 rust_proc_macro = _rust_proc_macro
 # See @rules_rust//rust/private:rust.bzl for a complete description.
 
-rust_binary = _rust_binary
-# See @rules_rust//rust/private:rust.bzl for a complete description.
+def rust_binary(name, **kwargs):
+    """Builds a Rust binary crate. See @rules_rust//rust/private:rust.bzl for a complete description."""
+    kwargs.setdefault("auditable_injector", _AUDITABLE_INJECTOR_SELECT)
+    _rust_binary(name = name, **kwargs)
 
 rust_library_group = _rust_library_group
 # See @rules_rust//rust/private:rust.bzl for a complete description.

rust/private/common.bzl

@@ -61,6 +61,12 @@ def _create_crate_info(**kwargs):
         kwargs.update({"rustc_env_files": []})
     if not "data" in kwargs:
         kwargs.update({"data": depset([])})
+    if not "pkg_name" in kwargs:
+        kwargs.update({"pkg_name": kwargs.get("name", "")})
+    if not "version" in kwargs:
+        kwargs.update({"version": "0.0.0"})
+    if not "source" in kwargs:
+        kwargs.update({"source": "Local"})
     return CrateInfo(**kwargs)
 
 rust_common = struct(

rust/private/internal_extensions.bzl

@@ -3,6 +3,7 @@
 load("@bazel_features//:features.bzl", "bazel_features")
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 load("//rust/private:repository_utils.bzl", "TINYJSON_KWARGS")
+load("//tools/auditable:deps.bzl", "auditable_dependencies")
 load("//tools/rust_analyzer:deps.bzl", "rust_analyzer_dependencies")
 
 def _internal_deps_impl(module_ctx):
@@ -14,6 +15,7 @@ def _internal_deps_impl(module_ctx):
     direct_deps = [struct(repo = "rules_rust_tinyjson", is_dev_dep = False)]
     http_archive(**TINYJSON_KWARGS)
 
+    direct_deps.extend(auditable_dependencies())
     direct_deps.extend(rust_analyzer_dependencies())
 
     # is_dev_dep is ignored here. It's not relevant for internal_deps, as dev

rust/private/providers.bzl

@@ -34,18 +34,21 @@ CrateInfo = provider(
         "name": "str: The name of this crate.",
         "output": "File: The output File that will be produced, depends on crate type.",
         "owner": "Label: The label of the target that produced this CrateInfo",
+        "pkg_name": "str: The Cargo package name, which may differ from the Rust crate name (e.g. 'rustls-webpki' vs 'webpki').",
         "proc_macro_deps": "depset[DepVariantInfo]: This crate's rust proc_macro dependencies' providers.",
         "root": "File: The source File entrypoint to this crate, eg. lib.rs",
         "rustc_env": "Dict[String, String]: Additional `\"key\": \"value\"` environment variables to set for rustc.",
         "rustc_env_files": "[File]: Files containing additional environment variables to set for rustc.",
         "rustc_output": "File: The output from rustc from producing the output file. It is optional.",
         "rustc_rmeta_output": "File: The rmeta file produced for this crate. It is optional.",
+        "source": "str: The source of this crate (e.g. 'CratesIo', 'Git', 'Local', 'Registry').",
         "srcs": "depset[File]: All source Files that are part of the crate.",
         "std_dylib": "File: libstd.so file",
         "type": (
             "str: The type of this crate " +
             "(see [rustc --crate-type](https://doc.rust-lang.org/rustc/command-line-arguments.html#--crate-type-a-list-of-types-of-crates-for-the-compiler-to-emit))."
         ),
+        "version": "str: The semver version of this crate.",
         "wrapped_crate_type": (
             "str, optional: The original crate type for targets generated using a previously defined " +
             "crate (typically tests using the `rust_test::crate` attribute)"