Bug: google-cloud-auth has a false-positive `jsonwebtoken` edge, which triggers a security advisory

[Aaron1011]

Describe the bug

The google-cloud-auth crate has an unusual cfg dependency:

[target.'cfg(google_cloud_unstable_id_token)'.dependencies]
jsonwebtoken = { workspace = true, features = ["rust_crypto"] }

I don't have the custom google_cloud_unstable_id_token cfg enabled, so I would expect cargo deny to not create a google-cloud-auth -> jsonwebtoken edge. However, cargo deny advisories incorrectly prints that rsa is being used (which results in an error due to the advisory https://rustsec.org/advisories/RUSTSEC-2023-0071).

To reproduce

cargo init test-rsa
cd test-rsa
cargo add google-cloud-auth@1.2.0
cargo deny check advisories

prints:

error[vulnerability]: Marvin Attack: potential key recovery through timing sidechannels
    ┌─ /home/aaron/repos/test-rsa/Cargo.lock:116:1
    │
116 │ rsa 0.9.9 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2023-0071
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0071
    ├ ### Impact
      Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
      
      ### Patches
      No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
      
      ### Workarounds
      The only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
      
      ### References
      This vulnerability was discovered as part of the "[Marvin Attack]", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
      
      [Marvin Attack]: https://people.redhat.com/~hkario/marvin/
    ├ Announcement: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
    ├ Solution: No safe upgrade is available!
    ├ rsa v0.9.9
      └── jsonwebtoken v10.2.0
          └── google-cloud-auth v1.2.0
              └── test-rsa v0.1.0

advisories FAILED

However, cargo tree -i rsa shows 'warning: nothing to print'

cargo-deny version

cargo-deny 0.18.5

What OS were you running cargo-deny on?

Linux

Additional context

Adding a target (cargo deny -t x86_64-unknown-linux-gnu check advisories) removes the false jsonwebtoken edge, and passes. I suspect that this is related to this code in krates, which doesn't attempt to evaluate cfg() expressions in dependencies when include_all_targets is enabled.
However, this workaround requires manually running cargo deny for every target which users of my project might happen to use.