Separate direct and indirect dependencies

[jayvdb]

Currently DEPENDENCIES_STR can have lots of dups in it, like

... windows-sys 0.32.0, windows-sys 0.36.1, windows-sys 0.42.0, windows_aarch64_gnullvm 0.42.0, windows_aarch64_msvc 0.32.0, windows_aarch64_msvc 0.36.1, windows_aarch64_msvc 0.42.0, windows_i686_gnu 0.32.0, windows_i686_gnu 0.36.1, windows_i686_gnu 0.42.0, windows_i686_msvc 0.32.0, windows_i686_msvc 0.36.1, windows_i686_msvc 0.42.0, windows_x86_64_gnu 0.32.0, windows_x86_64_gnu 0.36.1, windows_x86_64_gnu 0.42.0, windows_x86_64_gnullvm 0.42.0, windows_x86_64_msvc 0.32.0, windows_x86_64_msvc 0.36.1, windows_x86_64_msvc 0.42.0, winreg 0.10.1

c.f. https://stackoverflow.com/questions/51714866/is-it-documented-that-cargo-can-download-and-bundle-multiple-versions-of-the-sam for some context.

As DEPENDENCIES_STR and DEPENDENCIES already have both direct and indirect dependencies, IMO a new function should be used to make those only include direct or indirect dependencies. e.g. opts.set_direct_dependencies(true) and opts.set_indirect_dependencies(true). Or have an enum for DIRECT_ONLY, INCLUDE_INDIRECT (as I don't believe anyone is interested in "indirect only") and then something like opts.set_dependency_filter(DIRECT_ONLY).

[jayvdb]

Worth copying a mention from #5 , https://github.com/rust-secure-code/cargo-auditable provides a better way of storing the dependency tree.