Make license exceptions additive

[Jake-Shadle]

This closes #276, I let it linger way too long, this just reimplements it.

Resolves: #135

[kim]

Unfortunately, this seems to have broken my build. I have an exception for ring to allow the OpenSSL license (it does not technically apply to the Rust code), like so:

exceptions = [
    { allow = ["ISC", "MIT", "OpenSSL"], name = "ring" }
]

Since cargo-deny also doesn't know how to interpret ring's license, I also have a clarify:

[[licenses.clarify]]
name = "ring"
expression = "ISC AND MIT AND OpenSSL"
license-file = [{ path = "LICENSE", hash = 0xbd0eed23 }]

This used to work, but since the latest release gives an error:

    │ expression = "ISC AND MIT AND OpenSSL"
    │               ^^^-----^^^-----^^^^^^^
    │               │       │       │
    │               │       │       rejected: explicitly denied
    │               │       accepted: license is explicitly allowed
    │               license expression retrieved via user override
    │               accepted: license is explicitly allowed via an exception

I understand that "make additive" means "in addition to the allow / deny lists", and indeed I can make the check pass if I remove "OpenSSL" from deny. I find this confusing though: I really don't want OpenSSL-licensed dependencies, so I should be able to express that, no?

What's the recommended way to deal with this? Invent a license identifier which only matches ring, and allow that? EDIT: sorry scap that, it needs to be a known SPDX identifier

[Jake-Shadle]

Oh, we never specifically deny licenses so I didn't see this issue, I'll just have to change the order licenses are checked tomorrow.

[kim]

Ah, so anything not explicitly allowed is denied? Somehow I didn't realise this, working from someone else's template. I guess that'd work for me, too.