Comparing changes

base repository: dotnet/arcade
base: f99e2f9b8a
...
head repository: dotnet/arcade
compare: bbafffba44
  • 4 commits
  • 7 files changed
  • 3 contributors

Commits on Aug 2, 2023

  1. [main] Update dependencies from dotnet/arcade dotnet/source-build-externals (#13936)

    dotnet-maestro[bot] authored Aug 2, 2023
    3addc5d
  2. Avoid alerting CG when an intermediate nupkg contains "vulnerable" dependencies (#13935)

    
    * Avoid alerting CG when an intermediate nupkg contains "vulnerable" dependencies.
    This change resolves dotnet/source-build#3559.
    
    When a repo restores the source build intermediates and places them in the package cache, it's essentially populating a local nuget feed. This feed should act as a set of packages that _may_ be used, but are not necessarily used. When a package is restored from this feed, it is extracted and appears in the package root. Component Detection, unfortunately, picks up any .nupkg file that exists under the source or artifacts directories, which picks up the local package cache, even if those packages are not used by the repo. This tends to generate noise for repos because of SBRP's contents.
    
    To fix this issue, we apply two changes:
    - Delete the intermediate nupkg's extracted location after populating cache - The PackageReferences used to obtain the source build intermediates populate the nuget package root. We then copy the nupkg contents (nupkgs themselves) into the package cache. At this point, the original extracted nupkg is of no use. Deleting it removes one location where CG may detect .nupkgs that are available, but not necessarily used, by the repo.
    - Use an explicit CG scanning step that excludes the package cache - Alter the source-build template to exclude the package cache (local feed).
    
    This leaves the nuget package root "cleaner" as it should contain only .nupkg files that are actually utilized by the repo, and detection will include only the packages that are actually used by the repo.
    
    * Attempt to remove one location where the nuget package cache path is constructed
    mmitche authored Aug 2, 2023
    769f8b1

Commits on Aug 3, 2023

  1. 2b2cfc2
  2. bbafffb