
Conversation

@paulmedynski

Description

We are now performing implicit NuGet audits on all builds (developer, PR, CI, official, etc). Any vulnerabilities detected will fail the build.

I also removed our custom audit source, and we will now be using the CFS audit source from the same feed we get our dependencies from.

I left some comments in the main Directory.Build.props file about how to temporarily disable audit errors if they can't be addressed immediately.

@paulmedynski paulmedynski requested a review from a team as a code owner October 22, 2025 16:29
Copilot AI review requested due to automatic review settings October 22, 2025 16:29
@paulmedynski paulmedynski added the Area\Engineering Use this for issues that are targeted for changes in the 'eng' folder or build systems. label Oct 22, 2025
Copilot AI left a comment

Pull Request Overview

This PR enables NuGet package vulnerability auditing on all builds by removing previous audit disabling configurations and establishing a consistent audit policy. Previously, auditing was disabled for official builds and test projects, but now all builds will fail if vulnerable dependencies are detected.

Key Changes:

  • Removed all <NuGetAudit>false</NuGetAudit> settings that disabled auditing in test projects and tools
  • Switched from custom nuget.org audit source to using the CFS audit source from the main package feed
  • Added comprehensive documentation about NuGet audit settings and temporary workarounds for vulnerabilities

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File                                                      Description
tools/GenAPI/Directory.Build.props                        Removed audit disabling for GenAPI tool
src/Microsoft.Data.SqlClient/tests/Directory.Build.props  Removed audit disabling for test projects
src/Directory.Build.props                                 Centralized audit configuration with explicit enabling and documentation
NuGet.config                                              Removed custom audit source configuration to use default CFS source
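The audit policy the PR description and the review summary talk about (audit on every build, findings fail the build, a documented temporary escape hatch) maps onto a handful of NuGet restore properties. The following Directory.Build.props is an added illustration written for this page, not the file from the PR or from the Microsoft.Data.SqlClient repository; the property and item names are NuGet's own, but the `AllowKnownAuditFindings` switch and the GHSA advisory URL are placeholders invented for the example.

```xml
<Project>
  <PropertyGroup>
    <!-- Run the vulnerability audit during restore in every build flavour
         (developer, PR, CI, official). Overrides any project-level
         <NuGetAudit>false</NuGetAudit> that would opt out. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- Audit transitive packages as well as direct references. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Report advisories of every severity (low, moderate, high, critical). -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- NuGet surfaces audit findings as warnings NU1901..NU1904 (low..critical).
         Promoting them to errors is what makes a vulnerable dependency fail
         the build. NU1905 is raised when a configured source returns no
         vulnerability data at all, which is what a restricted-network build
         looks like when it cannot reach the feed; making it an error stops the
         audit from silently passing because it never ran. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904;NU1905</WarningsAsErrors>
  </PropertyGroup>

  <!-- Temporary, per-advisory suppression for a finding that cannot be fixed
       right away (needs NuGet 6.12 / .NET 9 SDK or later). The advisory URL is a
       hypothetical placeholder. The condition is an assumption of this example:
       the suppression only applies when the build is invoked with
       -p:AllowKnownAuditFindings=true, so it cannot quietly outlive the fix. -->
  <ItemGroup Condition="'$(AllowKnownAuditFindings)' == 'true'">
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

On the NuGet.config side, when no `<auditSources>` element is present NuGet asks every configured `<packageSources>` entry for vulnerability data, which is what removing the custom audit source relies on: the feed that serves the packages also serves the advisories. The check worth running before merging is the one the review below asks for, a build under the restrictive network rules of the official pipeline; if the audit source is unreachable there, the restore log shows NU1905 rather than a clean audit.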

@paulmedynski paulmedynski added this to the 7.0.0-preview3 milestone Oct 22, 2025
benrr101
benrr101 previously approved these changes Oct 22, 2025
@benrr101 benrr101 left a comment

Looks good to me. Only request is to make sure to run an (un)official mds and akv pipeline (especially akv) in ADO before merging. The official pipelines use the onebranch template that has the restrictive network rules that necessitated the original changes to disable auditing in official builds. The issues didn't come up until I rewrote the akv pipelines, since the mds pipeline is grandfathered into allowing blocked connections to, eg, nuget.org.

@paulmedynski

paulmedynski commented Oct 22, 2025

ADO.net project non-official builds are here (can't do official builds from a topic branch):

MDS: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=127989

AKV: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=127988

…ady exists on 1ES images, and some builds aren't allowed to download it.

codecov bot commented Oct 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.81%. Comparing base (37a9c99) to head (7e7d23e).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3713      +/-   ##
==========================================
- Coverage   77.35%   76.81%   -0.55%     
==========================================
  Files         271      272       +1     
  Lines       45123    45337     +214     
==========================================
- Hits        34907    34824      -83     
- Misses      10216    10513     +297     
Flag      Coverage    Δ
addons    90.82% <ø>  (ø)
netcore   76.72% <ø>  (-0.62%) ⬇️
netfx     76.16% <ø>  (-0.27%) ⬇️

@paulmedynski paulmedynski merged commit 0a39567 into main Oct 23, 2025
252 checks passed
@paulmedynski paulmedynski deleted the dev/paul/nuget-audit branch October 23, 2025 15:55