cargo-dist
Build binaries with `cargo auditable`
This makes sure that all dependencies and their versions are embedded in the binary in a machine-readable format, and can be obtained with `cargo audit bin`. This allows auditing binaries for vulnerabilities that weren't yet known when the binaries were built.
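To make the "machine-readable format" concrete, here is an added example (not code from cargo-dist or cargo-auditable) that pulls the embedded dependency list out of an ELF binary without `cargo audit`, the way an SBOM scanner would. It assumes the ELF section name `.dep-v0` and the zlib-compressed JSON layout described in cargo-auditable's docs; the sample binary and package list are constructed inline.

```python
import json
import struct
import zlib

# cargo-auditable stores zlib-compressed JSON in a linker section named ".dep-v0"
# (assumption taken from the cargo-auditable docs; only ELF is handled here).
AUDIT_SECTION = ".dep-v0"
SHDR = "<IIQQQQIIQQ"  # ELF64 Shdr: name, type, flags, addr, offset, size, link, info, align, entsize


def elf_section(image: bytes, wanted: str) -> bytes:
    """Return the raw bytes of section `wanted` from a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from("<QIHHHHHH", image, 40)
    headers = [struct.unpack_from(SHDR, image, shoff + i * shentsize) for i in range(shnum)]
    strtab = image[headers[shstrndx][4]:headers[shstrndx][4] + headers[shstrndx][5]]
    for h in headers:
        if strtab[h[0]:strtab.index(b"\0", h[0])].decode() == wanted:
            return image[h[4]:h[4] + h[5]]
    raise KeyError(f"section {wanted} not present (binary not built with cargo auditable?)")


def audit_packages(image: bytes) -> list[dict]:
    """Decode the embedded dependency list into name/version/kind/root records."""
    info = json.loads(zlib.decompress(elf_section(image, AUDIT_SECTION)))
    return [{"name": p["name"], "version": p["version"],
             "kind": p.get("kind", "runtime"), "root": p.get("root", False)}
            for p in info["packages"]]


def make_elf_with_section(name: str, payload: bytes) -> bytes:
    """Constructed sample: a code-less ELF64 carrying only `payload` in section `name`."""
    shstrtab = b"\0" + name.encode() + b"\0"
    shoff = 64 + len(payload) + len(shstrtab)
    table = struct.pack(SHDR, *[0] * 10)                                                # SHT_NULL
    table += struct.pack(SHDR, 1, 1, 0, 0, 64, len(payload), 0, 0, 1, 0)                 # SHT_PROGBITS
    table += struct.pack(SHDR, 0, 3, 0, 0, 64 + len(payload), len(shstrtab), 0, 0, 1, 0)  # SHT_STRTAB
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    return ehdr + payload + shstrtab + table


# Constructed sample in the JSON shape cargo-auditable emits (names/versions made up).
SAMPLE_INFO = {"packages": [
    {"name": "demo-cli", "version": "0.1.0", "source": "local", "dependencies": [1], "root": True},
    {"name": "serde", "version": "1.0.0", "source": "crates.io"}]}
SAMPLE_BINARY = make_elf_with_section(AUDIT_SECTION, zlib.compress(json.dumps(SAMPLE_INFO).encode()))
```

Running `audit_packages` on a real `cargo auditable`-built ELF gives the same records `cargo audit bin` matches against the advisory database, so the list can be checked again long after the build.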
Hello! Author of cargo auditable here 👋
I'd love to see this integration and I'm happy to support it on my end!
There's precedent for transparently enabling this in Linux distros: Void Linux builds all their Cargo packages with cargo auditable, and Nix is canarying it on a few popular packages before rolling it out to the entire archive. So it's been tested pretty widely and is known to work with a wide variety of packages, and not break even in exotic configurations.
And it's not just cargo audit that consumes this data; Syft and Trivy can read it as well. That's how Microsoft uses it.
~~The only caveat I can think of is unsupported platforms - cargo auditable will refuse to build WASM because it doesn't know how to make it auditable. But I can just add an environment variable you can set to ignore unsupported platforms and that should ensure there's no breakage.~~ Unsupported platforms now build but emit a warning. WASM is also supported starting with v0.6.3.
(will re-evaluate this when core stuff is more settled, thanks for the info!)
Hey, just wanted to chime in to state that I'm really looking forward to this! (: