
Add cargo-auditable support for dependency SBOM embedding #3995

Open
tamasvajk wants to merge 1 commit into bazelbuild:main from tamasvajk:cargo-auditable-upstream

Conversation

@tamasvajk
Contributor

Summary

Embeds cargo-auditable compatible dependency metadata (.dep-v0 section) into Rust binaries and shared libraries built with rules_rust.

When enabled via --@rules_rust//rust/settings:auditable=true, the build:

  1. Collects dependency metadata (name, version, source) from the CrateInfo provider graph
  2. Generates a JSON manifest in the cargo-auditable format
  3. Zlib-compresses it and wraps it in a platform-appropriate object file (ELF, Mach-O, COFF, or WASM)
  4. Links the object file into the final binary

This enables vulnerability scanning tools like cargo audit bin, trivy, and syft to extract dependency information from compiled binaries without access to source code or build manifests.

Changes

New build setting:

  • //rust/settings:auditable — bool flag, defaults to false

CrateInfo provider extended with:

  • pkg_name — Cargo package name (extracted from crate-name= tag added by crate_universe)
  • version — semver version
  • source — crate source (CratesIo, Git, Local, Registry)

New auditable_injector tool (tools/auditable/):

  • Rust binary that generates .dep-v0 object files from JSON manifests
  • Supports ELF (x86_64, aarch64, arm, i686, riscv, s390x, mips, powerpc, loongarch, sparc), Mach-O (Apple), COFF (Windows), and WASM targets
  • Dependencies: miniz_oxide 0.9, object 0.39

Rule changes:

  • rust_binary and rust_shared_library gain an auditable_injector attribute
  • rust/defs.bzl wrappers auto-set the injector via select() on the auditable flag
  • Cargo build script targets load rust_binary directly from rust/private:rust.bzl to avoid a dependency cycle

Testing

Analysis tests (test/unit/auditable/):

  • RustAuditable action present/absent based on setting
  • rust_library never gets auditable actions
  • Linker flags correctly injected into Rustc action
  • JSON manifest content validation (dependency names, versions, sources, root markers)

Injector unit tests (tools/auditable/main.rs, 16 tests):

  • Round-trip tests for ELF (6 architectures), Mach-O, COFF, WASM
  • Unsupported triple returns None
  • Helper function tests (is_wasm, is_apple, is_windows, is_32bit, riscv_features, leb128)

End-to-end verification:

  • Built a binary with real dependencies (serde, serde_json, tokio) using --@rules_rust//rust/settings:auditable=true
  • cargo audit bin successfully reads the .dep-v0 section and identifies all 21 dependencies

Note: This PR was largely AI-generated using Claude Code, with human review and guidance throughout.
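As an added example (not code from this PR or from rules_rust), the following Python round-trips the payload described in steps 2 to 4 above: it builds a manifest in the cargo-auditable JSON layout (field names and sort order assumed from that format), zlib-compresses it, wraps it in a minimal ELF64 relocatable object, and reads it back by section name the way a scanner would. The crates and versions in the sample are constructed.

```python
import json
import struct
import zlib

ELF_HDR = "<16sHHIQQQIHHHHHH"  # 64-byte ELF64 file header, little-endian
SEC_HDR = "<IIQQQQIIQQ"        # 64-byte ELF64 section header

def build_manifest(packages, root):
    """cargo-auditable layout (assumed): packages sorted by name, dependencies
    as indices into that array, the root crate flagged with "root": true."""
    names = sorted(packages)
    out = []
    for n in names:
        entry = {"name": n, "version": packages[n]["version"],
                 "source": packages[n]["source"]}
        deps = sorted(names.index(d) for d in packages[n].get("deps", ()))
        if deps:
            entry["dependencies"] = deps
        if n == root:
            entry["root"] = True
        out.append(entry)
    return {"packages": out}

def wrap_in_elf64(manifest):
    """Zlib-compress the manifest and emit a minimal x86_64 ET_REL object whose
    only sections are the null entry, .shstrtab and .dep-v0."""
    payload = zlib.compress(json.dumps(manifest, separators=(",", ":")).encode())
    strtab = b"\0.shstrtab\0.dep-v0\0"          # ".dep-v0" starts at offset 11
    dep_off = 64 + len(strtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, SysV
    header = struct.pack(ELF_HDR, ident, 1, 0x3E, 1, 0, 0, dep_off + len(payload),
                         0, 64, 0, 0, 64, 3, 1)
    shdrs = (struct.pack(SEC_HDR, *([0] * 10))
             + struct.pack(SEC_HDR, 1, 3, 0, 0, 64, len(strtab), 0, 0, 1, 0)
             + struct.pack(SEC_HDR, 11, 1, 0, 0, dep_off, len(payload), 0, 0, 1, 0))
    return header + strtab + payload + shdrs

def read_dep_v0(elf):
    """Find .dep-v0 by section name and decode it; None if the binary has none."""
    assert elf[:5] == b"\x7fELF\x02", "expected an ELF64 file"
    hdr = struct.unpack_from(ELF_HDR, elf)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    secs = [struct.unpack_from(SEC_HDR, elf, shoff + i * shentsize)
            for i in range(shnum)]
    st = secs[shstrndx]                         # s[0]=name, s[4]=offset, s[5]=size
    strtab = elf[st[4]:st[4] + st[5]]
    for s in secs:
        if strtab[s[0]:strtab.index(b"\0", s[0])] == b".dep-v0":
            return json.loads(zlib.decompress(elf[s[4]:s[4] + s[5]]))
    return None
```

Pointing `read_dep_v0` at a real binary built with the flag enabled is a quick way to confirm what the embedded manifest actually declares before trusting a scanner's verdict.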

@google-cla

google-cla Bot commented Apr 28, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

tamasvajk force-pushed the cargo-auditable-upstream branch 5 times, most recently from 6e1ad2a to 2fb18e1 on April 28, 2026 11:48

Embeds cargo-auditable compatible dependency metadata (.dep-v0 section)
into Rust binaries and shared libraries. When enabled via
--@rules_rust//rust/settings:auditable=true, the build generates a JSON
dependency manifest, zlib-compresses it, and links it into the binary as
a .dep-v0 ELF section. This enables vulnerability scanning tools like
trivy/syft to extract dependency information from compiled binaries.

Key changes:
- New auditable_injector tool that generates platform-appropriate .dep-v0
  object files from JSON dependency manifests
- CrateInfo provider extended with pkg_name, version, and source fields
- New bool_flag //rust/settings:auditable to control the feature
- rust_binary and rust_shared_library gain an auditable_injector attribute
- Analysis tests verify action graph correctness

tamasvajk force-pushed the cargo-auditable-upstream branch from 2fb18e1 to bf66b1b on April 28, 2026 12:24