CG alerts for SBRP

[mthalman]

While working on the 1ES templates, I got CG errors because the SBRP repo defines packages for two vulnerable packages in the 7.0 branch:

• System.Drawing.Common.4.7.0
• System.Security.Cryptography.Xml.4.7.0

System.Drawing.Common.4.7.0 also applies to the 6.0 branch.

These should be upgraded or removed as appropriate.

[ellahathaway]

We decided to dismiss the alerts for 7.0 given its upcoming EOL. I'm currently working on the fix for 6.0 but having issues with SBRP building System.Windows.Extensions (which depends on System.Drawing.Common) in the tarball build.

[ellahathaway]

Pretty sure the error is caused by the System.Windows.Extensions referencing the online nuget feed. It seems to be similar to what's described in dotnet/source-build-reference-packages#859.

The infra is quite a bit different for 6.0, so it's not as simple as adding the property to the build arg. I'm trying to see if I can copy the output for the dependent projects to CurrentRepoSourceBuiltNupkgCache in addition to the CurrentRepoSourceBuiltNupkgCacheDir, which would be the correct package-cache directory.