Trivivium / dotnet-deps-analyzer

A .NET Core dependency analyzer that inspects your projects to provide metrics on the usage of third-party dependencies.

Inspect MS-authored NuGet packages while excluding the SDK bundled ones #14

Open Trivivium opened 3 years ago

Trivivium commented 3 years ago

The inspection tool should inspect NuGet packages that have Microsoft as the author, while still excluding any assemblies/packages from the SDK. For example, Microsoft.Extensions.Logging should be inspected, while Microsoft.CSharp should not. Another example is the System.Reflection.MetadataLoadContext package, which is, as far as I can tell, loaded exclusively as a NuGet package.

The implementation needs to take different types of SDKs into consideration. The default SDK is named Microsoft.Sdk.NET, while the SDK used by ASP.NET Core is Microsoft.Sdk.NET.Web. The latter extends the list of bundled packages. If a project uses the web SDK, the Microsoft.Extensions.Logging packages from the example above become bundled.

Trivivium commented 3 years ago

The commit fb3e88f0a7328b0db7228a58e5756c7e6aeb67c8 prototyped an implementation where a combination of the AssemblyMetadata and ReferenceAssembly attributes on a project is detected. If the former has a value of .NETFrameworkAssembly and the latter exists, the assembly reference was considered to be from the SDK.

However, further tests indicate this leads to false positives. The example Microsoft.Extensions.Logging.Abstractions has the former attribute. However, it is not bundled with the base SDK as far as I can tell. It should also be noted that project references are considered a reference assembly along with many of the actual SDK assemblies. Thus, the combination is insufficient to filter by.
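
The attribute combination described in the comment above, written out as an added example; it is not the project's code or the prototype from the referenced commit. `SdkHeuristic` and `Inspect` are hypothetical names, the marker is matched against either constructor argument of AssemblyMetadata as an assumption, and the System.Reflection.MetadataLoadContext NuGet package is assumed to be referenced. The two signals are returned separately so a suspected false positive can be examined per assembly.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

// Added example: SdkHeuristic and Inspect are hypothetical names, not the project's API.
public static class SdkHeuristic
{
    const string MetadataAttr = "System.Reflection.AssemblyMetadataAttribute";
    const string RefAsmAttr = "System.Runtime.CompilerServices.ReferenceAssemblyAttribute";
    const string FrameworkMarker = ".NETFrameworkAssembly";

    // Reads assembly-level attributes without loading the assembly for execution.
    public static (bool Marker, bool RefAsm) Inspect(string assemblyPath)
    {
        string fullPath = Path.GetFullPath(assemblyPath);
        string dir = Path.GetDirectoryName(fullPath) ?? ".";
        // References are resolved from the running runtime plus the target's directory.
        var candidates = Directory.GetFiles(RuntimeEnvironment.GetRuntimeDirectory(), "*.dll")
            .Concat(Directory.GetFiles(dir, "*.dll"))
            .Append(fullPath)
            .Distinct();

        using var context = new MetadataLoadContext(new PathAssemblyResolver(candidates));
        var attributes = context.LoadFromAssemblyPath(fullPath).GetCustomAttributesData();

        // Assumption: the marker may sit in either constructor argument (key or value).
        bool marker = attributes.Any(a =>
            a.AttributeType.FullName == MetadataAttr &&
            a.ConstructorArguments.Any(arg => (arg.Value as string) == FrameworkMarker));
        bool refAsm = attributes.Any(a => a.AttributeType.FullName == RefAsmAttr);
        return (marker, refAsm);
    }

    public static void Main(string[] args)
    {
        foreach (string path in args)
        {
            var (marker, refAsm) = Inspect(path);
            // The combination from the comment: both signals present => treated as SDK.
            string verdict = marker && refAsm ? "treated as SDK" : "treated as third-party";
            Console.WriteLine($"{Path.GetFileName(path)}: marker={marker} " +
                              $"referenceAssembly={refAsm} -> {verdict}");
        }
    }
}
```

Pass it the paths of the assemblies a project actually compiles against; an assembly whose references cannot be resolved from the two directories raises FileNotFoundException.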