Enable NuGet Audit

[halter73]

Working on #57560 lead me to NuGet/docs.microsoft.com-nuget#3336 which in turn pointed me to https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#audit-sources which talks about NuGet <auditSources>. This seems like it might be a better alternative to manually calling dotnet list package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json in projects created by our templates in an XUnit test like I'm doing in #57560.

@ViktorHofer I see that this is currently on your plate as part of dotnet/arcade#15019. Feel free to take this over if you want. I plan to add something like <WarningsNotAsErrors Condition="'$(OfficialBuildId)' != ''">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> to the Directory.Build.props before undrafting this, but first I want to see what fails in the normal PR builds.

[dotnet-policy-service]

Hey @dotnet/aspnet-build, looks like this PR is something you want to take a look at.

[ViktorHofer]

@halter73 I'm currently out for an extended period of time. While I'm tracking this effort (when I'm back) I try to not do the work in the repos but provide guidance.

I plan to add something like $(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904 to the Directory.Build.props

I would recommend to use the following setting so that NuGet Audit warnings get promoted to errors only for official builds. This is essential to make sure that we don't ship assets (to consuming repos or customers) with vulnerability reports.

<WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>