Support for go work

[sandhi18]

Description

This pull request updates CI workflow files to improve vulnerability counting, simplify BlackDuck SCA scan control, and add support for Go workspaces in SBOM generation. The most important changes are grouped below:

Security scanning improvements:

• The vulnerability count extraction in .github/workflows/ci-main-pull-request.yml now deduplicates vulnerabilities based on their ID, package, and version when using jq, providing more accurate counts for critical and high severity issues.

Workflow configuration simplification:

• The perform-blackduck-sca-scan input in .github/workflows/ci-main-pull-request.yml is now passed directly, removing the restriction that previously limited scans to only push events.

Go workspace and SBOM support:

• In .github/workflows/sbom.yml, steps were added to set up Go if a go.work file is present and to vendor Go workspace dependencies, ensuring dependencies are properly included for SBOM and scanning.
• The BlackDuck Detect arguments are updated to instruct the scanner to use the Go vendor directory when a Go workspace is detected, improving Go dependency scanning accuracy.

Related Issue

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

• I have read the CONTRIBUTING document.
• I have run the pre-merge tests locally and they pass.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
• All new and existing tests passed.
• All commits have been signed-off for the Developer Certificate of Origin.