analyze: allow a custom policy to skip a check with weight=0

In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.

man/systemd-analyze.xml

@@ -1081,7 +1081,8 @@ Service b@0.service not loaded, b.socket cannot be started.
           normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
           By allowing users to manipulate these fields, the 'security' verb gives them the option to
           decide for themself which ids are more important and hence should have a greater effect on
-          the exposure level.</para>
+          the exposure level. A weight of <literal>0</literal> means the setting will not be
+          checked.</para>
 
           <programlisting>
           {

src/analyze/analyze-security.c

@@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info,
                         d = strdup("Service runs in special boot phase, option is not appropriate");
                         if (!d)
                                 return log_oom();
+                } else if (weight == 0) {
+                        badness = UINT64_MAX;
+                        d = strdup("Option excluded by policy, skipping");
+                        if (!d)
+                                return log_oom();
                 } else {
                         r = a->assess(a, info, data, &badness, &d);
                         if (r < 0)

test/units/testsuite-65.sh

@@ -108,7 +108,7 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile
 cat <<EOF >/tmp/testfile.json
 {"UserOrDynamicUser":
     {"description_bad": "Service runs as root user",
-    "weight": 2000,
+    "weight": 0,
     "range": 10
     },
 "SupplementaryGroups":