advisory-db
Advisory format: affected only if a cargo feature is enabled
The advisory format doesn't have the ability to express that a crate may be vulnerable only if an optional Cargo feature is enabled (e.g. when `cargo add halfbaddep` is fine, but `cargo add halfbaddep --features=with_reckless_abandon` exposes a vulnerability). The `functions` key is usable only if the feature adds new public API, but not if the feature only changes behavior.

Such a filter would be very helpful for cargo-audit and similar tools, because when a vulnerability is only in an unused optional feature, it can avoid reporting false-positive vulnerability alerts.
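To make the requested filter concrete, here is an added illustration (not code from advisory-db or cargo-audit) of how an audit tool could apply it. It assumes a hypothetical `features` list under the advisory's `[affected]` table, which the RustSec format does not currently define, and a constructed `[features]` table for the fictional crate `halfbaddep`. The point the example makes beyond the text above: a feature filter has to resolve Cargo features transitively, because a plain `cargo add halfbaddep` enables `default`, and `default` (or some umbrella feature) may itself turn on the vulnerable feature. Without a `features` list the check stays conservative and reports the advisory regardless of features.

```python
"""Feature-aware advisory filtering: an illustration, not cargo-audit's code.

Assumes a hypothetical `features` key under `[affected]`; the RustSec advisory
format has no such key today.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: the `[features]` table of the fictional crate halfbaddep.
# Values are the features (or optional deps) each feature enables, as in Cargo.toml.
HALFBADDEP_FEATURES: Dict[str, List[str]] = {
    "default": ["std"],
    "std": [],
    "with_reckless_abandon": ["std"],
    "everything": ["with_reckless_abandon", "dep:some-optional-dep"],
}

# Constructed sample `[affected]` fragment with the hypothetical `features` key.
ADVISORY_AFFECTED: Dict[str, List[str]] = {
    "functions": [],
    "features": ["with_reckless_abandon"],  # hypothetical key, not in the format
}


def resolve_features(
    table: Dict[str, List[str]],
    requested: Iterable[str],
    default_features: bool = True,
) -> Set[str]:
    """Transitively expand `requested` using the crate's `[features]` table.

    Mirrors how Cargo activates features: `default` is implied unless
    `default-features = false`, and each feature enables everything it lists.
    Entries of the form `dep:name` or `name/feature` refer to optional
    dependencies, not to features of this crate, and are skipped here.
    """
    enabled: Set[str] = set()
    stack: List[str] = list(requested)
    if default_features and "default" in table:
        stack.append("default")
    while stack:
        feat = stack.pop()
        if feat in enabled:
            continue
        enabled.add(feat)
        for dep in table.get(feat, []):
            if dep.startswith("dep:") or "/" in dep:
                continue
            stack.append(dep)
    return enabled


def is_affected(affected: Dict[str, List[str]], enabled: Set[str]) -> bool:
    """Decide whether an advisory applies given the resolved feature set.

    Conservative by design: an advisory that lists no gating features applies
    unconditionally; one that does applies only if at least one is enabled.
    """
    gated = affected.get("features")
    if not gated:
        return True
    return any(feature in enabled for feature in gated)


def audit(
    table: Dict[str, List[str]],
    affected: Dict[str, List[str]],
    requested: Iterable[str],
    default_features: bool = True,
) -> bool:
    """Resolve features for one dependency edge and apply the advisory filter."""
    return is_affected(affected, resolve_features(table, requested, default_features))


if __name__ == "__main__":
    # `cargo add halfbaddep`: default features only, vulnerable feature off.
    print("plain add affected:", audit(HALFBADDEP_FEATURES, ADVISORY_AFFECTED, []))
    # `cargo add halfbaddep --features=with_reckless_abandon`
    print("explicit feature affected:",
          audit(HALFBADDEP_FEATURES, ADVISORY_AFFECTED, ["with_reckless_abandon"]))
    # An umbrella feature that pulls the vulnerable one in transitively.
    print("umbrella feature affected:",
          audit(HALFBADDEP_FEATURES, ADVISORY_AFFECTED, ["everything"]))
```

The `resolve_features` step is the part an audit tool cannot skip: checking only the features the user typed on the command line would miss a crate whose `default` feature already turns on the vulnerable behaviour, which is exactly the case where the current `functions` key gives no help because no new API is involved.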