Add cargo-auditable support for dependency SBOM embedding

Embeds cargo-auditable compatible dependency metadata (.dep-v0 section)
into Rust binaries and shared libraries. When enabled via
--@rules_rust//rust/settings:auditable=true, the build generates a JSON
dependency manifest, zlib-compresses it, and links it into the binary as
a .dep-v0 ELF section. This enables vulnerability scanning tools like
trivy/syft to extract dependency information from compiled binaries.

Key changes:
- New auditable_injector tool that generates platform-appropriate .dep-v0
  object files from JSON dependency manifests
- CrateInfo provider extended with pkg_name, version, and source fields
- New bool_flag //rust/settings:auditable to control the feature
- rust_binary and rust_shared_library gain an auditable_injector attribute
- Analysis tests verify action graph correctness

Author: Tamas Vajk

MODULE.bazel

@@ -20,6 +20,9 @@ bazel_dep(name = "apple_support", version = "1.24.1")
 internal_deps = use_extension("//rust/private:internal_extensions.bzl", "i")
 use_repo(
     internal_deps,
+    "rra",
+    "rra__miniz_oxide-0.9.1",
+    "rra__object-0.39.1",
     "rrra",
     "rrra__anyhow-1.0.102",
     "rrra__camino-1.2.2",

cargo/private/BUILD.bazel

@@ -1,6 +1,10 @@
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 load("@bazel_skylib//rules:copy_file.bzl", "copy_file")
-load("//rust:defs.bzl", "rust_binary")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_binary(
     name = "copy_file",

cargo/private/cargo_build_script_runner/BUILD.bazel

@@ -1,4 +1,9 @@
-load("//rust:defs.bzl", "rust_binary", "rust_library", "rust_test")
+load("//rust:defs.bzl", "rust_library", "rust_test")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_library(
     name = "cargo_build_script_runner",

cargo/private/cargo_build_script_wrapper.bzl

@@ -7,7 +7,11 @@ load(
     "name_to_pkg_name",
     _build_script_run = "cargo_build_script",
 )
-load("//rust:defs.bzl", "rust_binary")
+
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 def cargo_build_script(
         *,

cargo/private/cargo_toml_variable_extractor/BUILD.bazel

@@ -1,4 +1,7 @@
-load("//rust:defs.bzl", "rust_binary")
+# Loads rust_binary directly from rust/private:rust.bzl (not //rust:defs.bzl)
+# to avoid a dependency cycle with the auditable_injector.
+# buildifier: disable=bzl-visibility
+load("//rust/private:rust.bzl", "rust_binary")
 
 rust_binary(
     name = "cargo_toml_variable_extractor",

rust/defs.bzl

@@ -84,14 +84,23 @@ rust_library = _rust_library
 rust_static_library = _rust_static_library
 # See @rules_rust//rust/private:rust.bzl for a complete description.
 
-rust_shared_library = _rust_shared_library
-# See @rules_rust//rust/private:rust.bzl for a complete description.
+_AUDITABLE_INJECTOR_SELECT = select({
+    str(Label("//rust/settings:auditable_enabled")): str(Label("//tools/auditable:auditable_injector")),
+    "//conditions:default": None,
+})
+
+def rust_shared_library(name, **kwargs):
+    """Builds a Rust shared library. See @rules_rust//rust/private:rust.bzl for a complete description."""
+    kwargs.setdefault("auditable_injector", _AUDITABLE_INJECTOR_SELECT)
+    _rust_shared_library(name = name, **kwargs)
 
 rust_proc_macro = _rust_proc_macro
 # See @rules_rust//rust/private:rust.bzl for a complete description.
 
-rust_binary = _rust_binary
-# See @rules_rust//rust/private:rust.bzl for a complete description.
+def rust_binary(name, **kwargs):
+    """Builds a Rust binary crate. See @rules_rust//rust/private:rust.bzl for a complete description."""
+    kwargs.setdefault("auditable_injector", _AUDITABLE_INJECTOR_SELECT)
+    _rust_binary(name = name, **kwargs)
 
 rust_library_group = _rust_library_group
 # See @rules_rust//rust/private:rust.bzl for a complete description.

rust/private/common.bzl

@@ -61,6 +61,12 @@ def _create_crate_info(**kwargs):
         kwargs.update({"rustc_env_files": []})
     if not "data" in kwargs:
         kwargs.update({"data": depset([])})
+    if not "pkg_name" in kwargs:
+        kwargs.update({"pkg_name": kwargs.get("name", "")})
+    if not "version" in kwargs:
+        kwargs.update({"version": "0.0.0"})
+    if not "source" in kwargs:
+        kwargs.update({"source": "Local"})
     return CrateInfo(**kwargs)
 
 rust_common = struct(

rust/private/internal_extensions.bzl

@@ -3,12 +3,14 @@
 load("@bazel_features//:features.bzl", "bazel_features")
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 load("//rust/private:repository_utils.bzl", "TINYJSON_KWARGS")
+load("//tools/auditable/3rdparty/crates:crates.bzl", _auditable_crate_repositories = "crate_repositories")
 load("//tools/rust_analyzer/3rdparty/crates:crates.bzl", _rust_analyzer_crate_repositories = "crate_repositories")
 
 def _internal_deps_impl(module_ctx):
     direct_deps = [struct(repo = "rules_rust_tinyjson", is_dev_dep = False)]
     http_archive(**TINYJSON_KWARGS)
 
+    direct_deps.extend(_auditable_crate_repositories())
     direct_deps.extend(_rust_analyzer_crate_repositories())
 
     # is_dev_dep is ignored here. It's not relevant for internal_deps, as dev

rust/private/providers.bzl

@@ -34,18 +34,21 @@ CrateInfo = provider(
         "name": "str: The name of this crate.",
         "output": "File: The output File that will be produced, depends on crate type.",
         "owner": "Label: The label of the target that produced this CrateInfo",
+        "pkg_name": "str: The Cargo package name, which may differ from the Rust crate name (e.g. 'rustls-webpki' vs 'webpki').",
         "proc_macro_deps": "depset[DepVariantInfo]: This crate's rust proc_macro dependencies' providers.",
         "root": "File: The source File entrypoint to this crate, eg. lib.rs",
         "rustc_env": "Dict[String, String]: Additional `\"key\": \"value\"` environment variables to set for rustc.",
         "rustc_env_files": "[File]: Files containing additional environment variables to set for rustc.",
         "rustc_output": "File: The output from rustc from producing the output file. It is optional.",
         "rustc_rmeta_output": "File: The rmeta file produced for this crate. It is optional.",
+        "source": "str: The source of this crate (e.g. 'CratesIo', 'Git', 'Local', 'Registry').",
         "srcs": "depset[File]: All source Files that are part of the crate.",
         "std_dylib": "File: libstd.so file",
         "type": (
             "str: The type of this crate " +
             "(see [rustc --crate-type](https://doc.rust-lang.org/rustc/command-line-arguments.html#--crate-type-a-list-of-types-of-crates-for-the-compiler-to-emit))."
         ),
+        "version": "str: The semver version of this crate.",
         "wrapped_crate_type": (
             "str, optional: The original crate type for targets generated using a previously defined " +
             "crate (typically tests using the `rust_test::crate` attribute)"

rust/private/rust.bzl

@@ -57,6 +57,17 @@ load(
 
 # TODO(marco): Separate each rule into its own file.
 
+def _get_pkg_name(ctx):
+    """Extract the Cargo package name from a 'crate-name=...' tag.
+
+    crate_universe adds this tag to vendored crates. Returns empty string if
+    not found, in which case _create_crate_info defaults to the crate name.
+    """
+    for tag in getattr(ctx.attr, "tags", []):
+        if tag.startswith("crate-name="):
+            return tag[len("crate-name="):]
+    return ""
+
 def _assert_no_deprecated_attributes(_ctx):
     """Forces a failure if any deprecated attributes were specified
 
@@ -245,6 +256,9 @@ def _rust_library_common(ctx, crate_type):
             compile_data = depset(compile_data),
             compile_data_targets = depset(ctx.attr.compile_data),
             owner = ctx.label,
+            version = getattr(ctx.attr, "version", "0.0.0"),
+            source = getattr(ctx.attr, "source", "Local"),
+            pkg_name = _get_pkg_name(ctx),
             cfgs = _collect_cfgs(ctx, toolchain, crate_root, crate_type, crate_is_test = False),
         ),
     )
@@ -309,6 +323,9 @@ def _rust_binary_impl(ctx):
             compile_data = depset(compile_data),
             compile_data_targets = depset(ctx.attr.compile_data),
             owner = ctx.label,
+            version = getattr(ctx.attr, "version", "0.0.0"),
+            source = getattr(ctx.attr, "source", "Local"),
+            pkg_name = _get_pkg_name(ctx),
             cfgs = _collect_cfgs(ctx, toolchain, crate_root, ctx.attr.crate_type, crate_is_test = False),
         ),
     )
@@ -431,6 +448,9 @@ def _rust_test_impl(ctx):
             compile_data_targets = compile_data_targets,
             wrapped_crate_type = crate.type,
             owner = ctx.label,
+            version = getattr(ctx.attr, "version", "0.0.0"),
+            source = getattr(ctx.attr, "source", "Local"),
+            pkg_name = _get_pkg_name(ctx),
             cfgs = _collect_cfgs(ctx, toolchain, crate.root, crate_type, crate_is_test = True),
         )
     else:
@@ -487,6 +507,9 @@ def _rust_test_impl(ctx):
             compile_data = depset(compile_data),
             compile_data_targets = depset(ctx.attr.compile_data),
             owner = ctx.label,
+            version = getattr(ctx.attr, "version", "0.0.0"),
+            source = getattr(ctx.attr, "source", "Local"),
+            pkg_name = _get_pkg_name(ctx),
             cfgs = _collect_cfgs(ctx, toolchain, crate_root, crate_type, crate_is_test = True),
         )
 
@@ -605,6 +628,9 @@ RUSTC_ATTRS = {
     "_always_enable_metadata_output_groups": attr.label(
         default = Label("//rust/settings:always_enable_metadata_output_groups"),
     ),
+    "_auditable": attr.label(
+        default = Label("//rust/settings:auditable"),
+    ),
     "_error_format": attr.label(
         default = Label("//rust/settings:error_format"),
     ),
@@ -791,6 +817,10 @@ _COMMON_ATTRS = {
     # "name": attr.string(
     #     doc = "This name will also be used as the name of the crate built by this rule.",
     # `),
+    "source": attr.string(
+        doc = "The source of this crate (e.g. 'crates.io', 'git', 'local', 'registry'). Used for cargo-auditable dependency tracking.",
+        default = "Local",
+    ),
     "srcs": attr.label_list(
         doc = dedent("""\
             List of Rust `.rs` source files used to build the library.
@@ -1082,9 +1112,17 @@ _rust_shared_library_transition = transition(
     ],
 )
 
+_AUDITABLE_INJECTOR_ATTR = {
+    "auditable_injector": attr.label(
+        doc = "The auditable_injector tool for embedding cargo-auditable metadata. " +
+              "Set to @rules_rust//tools/auditable:auditable_injector to enable.",
+        cfg = "exec",
+    ),
+}
+
 rust_shared_library = rule(
     implementation = _rust_shared_library_impl,
-    attrs = _COMMON_ATTRS | _PLATFORM_ATTRS | _EXPERIMENTAL_USE_CC_COMMON_LINK_ATTRS,
+    attrs = _COMMON_ATTRS | _PLATFORM_ATTRS | _EXPERIMENTAL_USE_CC_COMMON_LINK_ATTRS | _AUDITABLE_INJECTOR_ATTR,
     fragments = ["cpp"],
     cfg = _rust_shared_library_transition,
     toolchains = [
@@ -1207,7 +1245,7 @@ _rust_binary_transition = transition(
 rust_binary = rule(
     implementation = _rust_binary_impl,
     provides = COMMON_PROVIDERS,
-    attrs = _COMMON_ATTRS | _RUST_BINARY_ATTRS | _PLATFORM_ATTRS,
+    attrs = _COMMON_ATTRS | _RUST_BINARY_ATTRS | _PLATFORM_ATTRS | _AUDITABLE_INJECTOR_ATTR,
     executable = True,
     fragments = ["cpp"],
     cfg = _rust_binary_transition,