
Remove explicit vulnerabilities check #10038

Open: jviau wants to merge 4 commits into dev
Conversation

jviau
Contributor

@jviau jviau commented Apr 19, 2024

Issue describing the changes in this PR

resolves #issue_for_this_pr

Pull request checklist

IMPORTANT: Currently, changes must be backported to the in-proc branch to be included in Core Tools and non-Flex deployments.

  • Backporting to the in-proc branch is not required
    • Otherwise: Link to backporting PR
  • My changes do not require documentation changes
    • Otherwise: Documentation issue linked to PR
  • My changes should not be added to the release notes for the next release
    • Otherwise: I've added my notes to release_notes.md
  • My changes do not need to be backported to a previous version
    • Otherwise: Backport tracked by issue/PR #issue_or_pr
  • My changes do not require diagnostic events changes
    • Otherwise: I have added/updated all related diagnostic events and their documentation (Documentation issue linked to PR)
  • I have added all required tests (Unit tests, E2E tests)

Additional information

This is an alternative to #10037

Removes the explicit vulnerabilities check. Now that we use the .NET 8 SDK, this is no longer needed, as there is a built-in NuGet audit as part of the restore phase.

IMPORTANT: There is a behavior difference (which is the goal here), we only fail on moderate and above now. In this case we have CVE GHSA-x674-v45j-fwxw which does not affect us, yet our current approach blocks the build. I could work on a way to integrate suppressions into the existing vuln check script, but when moving to 1ES we will be covered by component governance.

@jviau jviau requested a review from a team as a code owner April 19, 2024 20:53
@jviau jviau mentioned this pull request Apr 19, 2024
@FinVamp1
Member

Adding @fabiocav as well. We added this to break the build on checking packages. We should discuss how Component Governance can assist here.

@fabiocav
Member

Will this create a temporary gap? This check has already helped us identify issues prior to releases, and if we're removing, we want to make sure we don't end up with CVE impacted transitive dependencies as those will be flagged by other tools post-deployment/release.

@jviau
Contributor Author

jviau commented Apr 22, 2024

@FinVamp1, component governance is the official way for Microsoft repos to manage security audits when using open-source software. It will cover transitive dependencies, set due dates, allow extensions and dismissing of not applicable incidents.

@jviau
Contributor Author

jviau commented Apr 22, 2024

@fabiocav, @FinVamp1 - I updated the built-in dotnet SDK NuGet audit: it scans transitive dependencies and only fails on moderate and above.

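The audit behaviour described in the comment above (transitive scan, fail only on moderate and above) maps onto a handful of MSBuild properties that the .NET 8 SDK's built-in NuGet audit honours. The fragment below is an added illustration of that wiring, not the PR's actual change; the file name Directory.Build.props and the choice to promote the NU1902-NU1904 warnings to errors via WarningsAsErrors are assumptions about how a repo would reproduce the old "break the build" behaviour.

```xml
<!-- Directory.Build.props (assumed location; added example, not the PR's own change) -->
<Project>
  <PropertyGroup>
    <!-- NuGet audit is on by default in the .NET 8 SDK; stated explicitly so it is
         obvious in review that the repo relies on it. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- "all" audits transitive packages as well; the default "direct" only
         checks top-level PackageReference items. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Only advisories rated moderate or higher are reported; low-severity
         advisories produce no warning at all at this level. -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>

    <!-- Audit findings surface as restore warnings:
           NU1902 = moderate, NU1903 = high, NU1904 = critical.
         Promoting them to errors makes restore (and therefore the build) fail,
         which is what the removed explicit check used to do.
         NU1900 (advisory source could not be reached) is deliberately left as a
         warning so an offline restore does not masquerade as a vulnerability. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

These properties are evaluated during `dotnet restore`. Before making the warnings fatal, `dotnet list package --vulnerable --include-transitive` reports the same advisory data per project, which is a convenient way to see what the audit would block on the current lock state.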
@liliankasem liliankasem self-requested a review April 23, 2024 18:19
<PackageReference Include="System.Reactive.Linq" Version="5.0.0" />
<PackageReference Include="System.Reactive.Core" Version="5.0.0" />
<PackageReference Include="System.Runtime.Loader" Version="4.3.0" />
<PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
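Review bot: these four PackageReference additions (System.Reactive.Linq, System.Reactive.Core, System.Runtime.Loader, System.Text.RegularExpressions) carry no explanation in the project file, and per the thread they exist only so component governance sees non-vulnerable versions while the WebHost actually supplies these assemblies at runtime. Suggest an inline comment such as `<!-- Pinned to satisfy component governance; the WebHost provides these at runtime -->` above the group, so a later dependency cleanup does not remove them and silently reintroduce the finding, and a line in the PR description listing which transitive versions they override.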
Member

there's a few new refs here -- was that intentional?

Contributor Author

Component governance flags these as vulnerable. Although it is not an issue at runtime since the WebHost has these versions. Just adding them here to satisfy CG.
