Nuget audit warnings don't apply NoWarn metadata transitively #14864

@marcpopMSFT

Description

NuGet Product Used

dotnet.exe

Product Version

10.0.201

Worked before?

Unknown

Impact

I'm unable to use this version

Repro Steps & Context

Trying to build the 10.0.2xx branch of the VMR:
https://dev.azure.com/dnceng/internal/_build/results?buildId=2953507&view=results

It's flagging a bunch of nuget audit warnings. See dotnet/source-build#5544 as an example.

From what I can tell from investigating the source, there are a bunch of package references that are never meant to flag nuget audit:
https://dev.azure.com/dnceng/internal/_git/dotnet-dotnet?path=/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj

    <!-- IncludeAssets=compile to treat these packages as targeting-packs only. The assemblies are available in the SDK. -->
    <PackageReference Include="Microsoft.Build.Tasks.Core" IncludeAssets="compile" NoWarn="NU1901;NU1902;NU1903;NU1904" />

From the comment, the intent is that Microsoft.Build and ALL transitive dependencies should ignore nuget audit. However, this doesn't appear to work and now we have to disable audit for the entire assembly rather than just those specific package references.
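The following Python is an added example, not code from NuGet or the dotnet repositories. It models the scoping the report asks for: an audit-flagged package counts as covered only when every direct PackageReference that pulls it in carries the matching NoWarn code, so a package that is also reachable through an unsuppressed reference stays visible. The dependency graph, the `Example.*` package names, the severity codes assigned to them and all function names are constructed for illustration.

```python
from collections import deque

def parse_nowarn(value):
    """Split a NoWarn metadata string such as 'NU1901;NU1902' into a set of codes."""
    return {c.strip().upper() for c in value.replace(",", ";").split(";") if c.strip()}

def reachable(graph, root):
    """Return every package id reachable from root (root included); cycle-safe."""
    seen, queue = {root}, deque([root])
    while queue:
        for dep in graph.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def classify(graph, direct_refs, flagged):
    """Map each flagged package id to 'covered', 'exposed' or 'unreferenced'.

    graph:       package id -> list of dependency ids
    direct_refs: direct PackageReference id -> its NoWarn metadata string
    flagged:     package id -> audit warning code raised for it
    """
    closures = {root: reachable(graph, root) for root in direct_refs}
    result = {}
    for pkg, code in flagged.items():
        roots = [r for r, closure in closures.items() if pkg in closure]
        if not roots:
            result[pkg] = "unreferenced"
        elif all(code in parse_nowarn(direct_refs[r]) for r in roots):
            result[pkg] = "covered"   # every path in goes through a suppressed root
        else:
            result[pkg] = "exposed"   # some unsuppressed reference also pulls it in
    return result

# Constructed sample input: not the real dependency closure of any package.
GRAPH = {
    "Microsoft.Build.Tasks.Core": ["Example.OnlyViaBuild", "Example.Shared"],
    "Example.App.Library": ["Example.Shared"],
}
DIRECT_REFS = {
    "Microsoft.Build.Tasks.Core": "NU1901;NU1902;NU1903;NU1904",
    "Example.App.Library": "",
}
FLAGGED = {"Example.OnlyViaBuild": "NU1903", "Example.Shared": "NU1902"}

if __name__ == "__main__":
    for pkg, verdict in classify(GRAPH, DIRECT_REFS, FLAGGED).items():
        print(f"{pkg}: {verdict}")
```

Packages reported as exposed are the ones where a project-wide audit opt-out would hide a warning that no per-reference NoWarn was ever meant to cover.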
