docs: Explain how to instrument dependencies

Try to prevent misunderstandings such as in #14358 (comment)

Author: pitrou

docs/further-reading/fuzzer_environment.md

@@ -25,13 +25,19 @@ or built as part of
 are not available on the bot runtime environment (where the fuzz targets run).
 
 If you need these dependencies in the runtime environment, you can either:
+
 - Install the packages via Dockerfile
 ([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/Dockerfile#L19))
 and then link statically against them
 ([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/build.sh#L40)).
+**These dependencies will not be instrumented** and may prevent the fuzzer from finding
+bugs when they are involved in the execution of a fuzz target.
+
 - Or build the dependencies statically in
 [build.sh]({{ site.baseurl }}/getting-started/new-project-guide/#buildsh)
 ([example](https://github.com/google/oss-fuzz/blob/64f8b6593da141b97c98c7bc6f07df92c42ee010/projects/ffmpeg/build.sh#L26)).
+This is the preferred method for building dependencies, as it will instrument
+them for fuzzing and allow their execution to be followed by the fuzzer.
 
 All build artifacts needed during fuzz target execution should be inside the
 `$OUT` directory. Only those artifacts are archived and used on the bots.

docs/getting-started/new_project_guide.md

@@ -237,6 +237,10 @@ For an example, see
 [ecc-diff-fuzzer/Dockerfile](https://github.com/google/oss-fuzz/blob/master/projects/ecc-diff-fuzzer/Dockerfile).
 where we use `base-builder-rust`and install golang
 
+Runtime dependencies of your project, such as third-party static libraries, will
+not be instrumented if you build them in the Dockerfile. In most cases, you will
+want to build them in `build.sh` instead.
+
 ## build.sh {#buildsh}
 
 This file defines how to build binaries for [fuzz targets]({{ site.baseurl }}/reference/glossary/#fuzz-target) in your project.