Devise a strategy to deal with component governance alerts in SBRP #4838

@MichaelSimons

Description

The SBRP repo has component governance (CG) alerts reported for reference packages it produces that have actual CVEs. The CG alerts against the reference packages are false positives given the packages do not contain any implementations.

If these packages are no longer referenced they will get removed by the periodic cleanup of unreferenced packages. It is possible however that references would remain. The scenario is: SBRP package A references B (with CVE). Product repos reference A but explicitly reference a newer B to lift the version to address the CVE. In this scenario B could never be "cleaned up". This would not be a security issue because B is a reference-only package.

Currently CG alerts in SBRP are being addressed by this process. This is a waste of resources for no benefit other than to check a box. The customizations made to "lift" references break our ability to easily regenerate the reference packages as improvements are made to the tooling - #3978.

Ideally CG would be configured in such a way to ignore the reference packages in SBRP. It should still scan the repo's infrastructure.

Related to #3559

Metadata

Labels: area-sbrp (Source build reference packages)

Status: Done