Combine ignored CVEs from both --config with --ignore flag

[TomNaessens]

Description

Current state

Currently, the --ignore flag overwrites the ignored CVEs from a config file (--config):

bundler-audit/lib/bundler/audit/scanner.rb

Lines 221 to 225 in d8af649

	ignore = if options[:ignore]
	Set.new(options[:ignore])
	else
	config.ignore
	end

With config.options coming from the passed configuration file:

bundler-audit/lib/bundler/audit/scanner.rb

Lines 91 to 95 in d8af649

	@config = if File.exist?(config_dot_file_full_path)
	Configuration.load(config_dot_file_full_path)
	else
	Configuration.new
	end

Why this would come in handy

In our CI pipelines, we have some template jobs that run bundle-audit across all projects. We also have a .bundler-audit.yml config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" --ignore flag and the config file would be taken both into account, we could just add the CVEs to be ignored globally to the --ignore parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.