Track C libraries somehow

[Shnatsel]

Cargo's JSON output includes information on the libraries being linked: alilleybrinker/cargo-spdx#11 (comment)

This should let us reliably (?) determine if a C library is being statically linked or not, and the version of the -sys or -src crate.

[maxammann]

To be honest I don't think this must be fully automatic. If you link a static library through e.g. a build.rs file I think it might be enough to emit information from the build.rs that lands in the binary.

There are infinite ways to link stuff so I think the manual way is the baseline.

This project seems also interesting: https://github.com/owasp-dep-scan/blint

[Shnatsel]

The links field in Cargo.toml may be of use here, at least as a starting point.

[bjorn3]

The links key doesn't have to have any relationship with a particular C library. It can also be used when multiple versions of the same crate can't be used together for whatever reason.