
add a cataloger for binaries built with rust-audit #1116

Merged
merged 2 commits into from Jul 28, 2022

Conversation

@tofay tofay (Contributor) commented Jul 23, 2022

Fixes #1108

https://github.com/Shnatsel/rust-audit is a tool for embedding Rust dependency information into binaries for subsequent scanning/detection.
This PR adds support for detecting dependencies in binaries created with rust-audit. Per #1108 it's not enabled by default. (A motivation for syft integration is to get greater experience with rust-audit with a view to adding it to Rust itself).

The new cataloger is similar to the golang binary one - I modularized some of the golang binary cataloger code. Detection/parsing of the dependency information is done via https://github.com/microsoft/go-rustaudit, a go library for extracting Rust audit dependency information.

Signed-off-by: Tom Fay <tomfay@microsoft.com>
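To make concrete what such a cataloger reads, here is an added example (not code from this PR, from syft, or from go-rustaudit) that decodes a constructed rust-audit payload and lists the crates that actually end up in the binary. It assumes the v0 layout of zlib-compressed JSON holding a "packages" list whose "dependencies" are indices into that same list, and that the compressed bytes have already been extracted from the binary's audit section; the field names, the size cap and the sample data are assumptions, not taken from a real binary.

```python
import json
import zlib

# Layout assumed here (rust-audit v0 JSON): {"packages": [...]}; each entry has
# name, version, source, an optional kind ("build" = build-time only), an
# optional root flag, and "dependencies" as indices into the same list.
# Constructed sample (not from a real binary): app depends on serde_json, which
# pulls in serde, and on the build-only crate autocfg.
SAMPLE_JSON = {"packages": [
    {"name": "app", "version": "0.1.0", "source": "local", "root": True,
     "dependencies": [1, 3]},
    {"name": "serde_json", "version": "1.0.82", "source": "crates.io",
     "dependencies": [2]},
    {"name": "serde", "version": "1.0.140", "source": "crates.io"},
    {"name": "autocfg", "version": "1.1.0", "source": "crates.io", "kind": "build"},
]}
# In a real binary the section holds this JSON zlib-compressed; emulate that.
SAMPLE_BLOB = zlib.compress(json.dumps(SAMPLE_JSON).encode())


def parse_audit_blob(blob: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Inflate and decode the payload. The section is untrusted bytes from the
    file being scanned, so cap the inflated size and validate every index."""
    dec = zlib.decompressobj()
    raw = dec.decompress(blob, max_size)
    if dec.unconsumed_tail:
        raise ValueError("audit payload exceeds size limit")
    packages = json.loads(raw)["packages"]
    for p in packages:
        for dep in p.get("dependencies", []):
            if not (isinstance(dep, int) and 0 <= dep < len(packages)):
                raise ValueError(f"dependency index {dep!r} out of range")
    return packages


def runtime_deps(packages: list) -> list:
    """Return 'name version' for each crate reachable from a root over runtime
    edges, skipping build-only crates (and crates only they pull in)."""
    seen, out = set(), []
    stack = [i for i, p in enumerate(packages) if p.get("root")]
    while stack:
        i = stack.pop()
        p = packages[i]
        if i in seen or p.get("kind") == "build":
            continue
        seen.add(i)
        if not p.get("root"):
            out.append(f"{p['name']} {p['version']}")
        stack.extend(p.get("dependencies", []))
    return sorted(out)
```

Skipping build-only crates matters for a scanner: a vulnerable crate that only ran at build time is not shipped in the artifact and would otherwise be a false positive.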
@spiffcs spiffcs (Contributor) commented Jul 25, 2022

Thank you so much for the PR @tofay! I'll take a look this morning and see if we can get this into the next syft release.

@spiffcs spiffcs (Contributor) commented Jul 27, 2022

PR looks good from a functionality perspective -

I just had a question when running it against binaries in the wild.

Is this the constraint that this cataloger will only work for static assets built with https://github.com/Shnatsel/rust-audit and with auditable_build::collect_dependency_list(); in a build script?

The integration test you added passed, but when I ran this against other binaries I found no packages being detected.

If this is the case can we rename the file binary_cataloger ==> audit_binary_cataloger just to keep it clear.

Thanks for updating the docs as well to point to this condition so we're not just advertising we can do static analysis for any binary!

I also noticed "Getting some real-world experience with this before committing to a stable data format" as a part of their roadmap for moving this into cargo.

Are there any competing projects or other contenders that we might have to flip to in the future?

@spiffcs spiffcs (Contributor) commented Jul 27, 2022

cc @wagoodman for a 2nd review here

@spiffcs spiffcs requested a review from a team July 27, 2022 20:51
@spiffcs spiffcs (Contributor) left a comment

See above comments - waiting for second review

@tofay tofay (Contributor, Author) commented Jul 28, 2022

Thanks for looking at this. I appreciate it's not as straightforward as "add support for widely used language ecosystem X" type PRs :)

Is this the constraint that this cataloger will only work for static assets built with https://github.com/Shnatsel/rust-audit and with auditable_build::collect_dependency_list(); in a build script?

Correct. Would it help set expectations for this cataloger if the cataloger name was prefixed with experimental-? I can change the file name as you suggest.

I also noticed Getting some real-world experience with this before committing to a stable data format as a part of their roadmap for moving this into cargo. Are there any competing projects or other contenders that we might have to flip to in the future?

There aren't other competing projects that I'm aware of. In terms of data formats - I'm looking into language-agnostic options to embed dependency information into binaries, e.g. ossf/wg-vulnerability-disclosures#76 and spdx/spdx-spec#739

@spiffcs spiffcs (Contributor) commented Jul 28, 2022

Cool! No need for the experimental name change unless @wagoodman has opinions there.

I'm happy with its current state since it's not in the default path and is something we can toggle/experiment with. Approved and thanks again so much for the contribution.

Signed-off-by: Tom Fay <tomfay@microsoft.com>
@spiffcs spiffcs enabled auto-merge (squash) July 28, 2022 18:17
@spiffcs spiffcs merged commit 9896ff1 into anchore:main Jul 28, 2022
aiwantaozi pushed a commit to aiwantaozi/syft that referenced this pull request Oct 20, 2022
* add a cataloger for binaries built with rust-audit

Signed-off-by: Tom Fay <tomfay@microsoft.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* add a cataloger for binaries built with rust-audit

Signed-off-by: Tom Fay <tomfay@microsoft.com>
Successfully merging this pull request may close these issues.

Add support for auditable Rust binaries