Assign Severity values to Security Code Scan findings

Problem

The Security Code Scan analyzer (for .NET/C#) currently outputs all findings with a severity level of Unknown.

Impacts include:

  • It's harder for security and development teams to understand which findings need to be addressed.
  • Customers can't implement merge request approvals and other controls based on finding severity.

Anticipated solution

Adopt the approach already used by other analyzers: derive a severity for each finding from its associated CWE identifiers, likely following the approach outlined in &4004.

This issue is promoted from previous discussions in other contexts, including on the parent epic.
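To make the anticipated solution concrete, the following is an added example (not code from GitLab, the Security Code Scan analyzer, or &4004) of post-processing a SAST report so that findings reported as `Unknown` get a severity derived from their CWE identifiers. The report shape (a `vulnerabilities` array whose entries carry `severity` and `identifiers` of type `cwe`) follows the GitLab SAST report format as assumed here, and the CWE-to-severity table is illustrative only; the real mapping would come from the CWE analysis the issue refers to. The sample report is constructed for the example.

```python
"""Assign severities to SAST findings from their CWE identifiers.

Added example, not GitLab's or Security Code Scan's own code. The CWE table
below is an assumption for illustration, not the mapping defined in &4004.
"""
import json

# GitLab severity levels, ranked so the highest of several CWEs wins.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Illustrative CWE -> severity table (assumed for this example).
CWE_SEVERITY = {
    "89": "Critical",   # SQL injection
    "78": "Critical",   # OS command injection
    "79": "High",       # cross-site scripting
    "22": "High",       # path traversal
    "502": "High",      # deserialization of untrusted data
    "327": "Medium",    # broken or risky cryptographic algorithm
    "338": "Medium",    # cryptographically weak PRNG
}


def cwe_ids(finding):
    """Return the CWE numbers on a finding, normalising 'CWE-89' to '89'."""
    ids = []
    for ident in finding.get("identifiers", []):
        if ident.get("type", "").lower() != "cwe":
            continue
        value = str(ident.get("value", "")).upper()
        ids.append(value[4:] if value.startswith("CWE-") else value)
    return ids


def severity_for(finding, table=CWE_SEVERITY):
    """Highest mapped severity across the finding's CWEs, else 'Unknown'.

    A finding the analyzer already rated is left alone; only 'Unknown'
    severities are filled in.
    """
    current = finding.get("severity", "Unknown")
    if current != "Unknown":
        return current
    best = "Unknown"
    for cwe in cwe_ids(finding):
        candidate = table.get(cwe, "Unknown")
        if SEVERITY_RANK[candidate] > SEVERITY_RANK[best]:
            best = candidate
    return best


def assign_severities(report, table=CWE_SEVERITY):
    """Return a deep copy of the report with severities filled in from CWEs."""
    out = json.loads(json.dumps(report))
    for finding in out.get("vulnerabilities", []):
        finding["severity"] = severity_for(finding, table)
    return out


def count_at_or_above(report, threshold):
    """Findings at or above a severity: the kind of check an MR approval
    rule keyed on severity would make, which 'Unknown' findings never trip."""
    floor = SEVERITY_RANK[threshold]
    return sum(1 for v in report.get("vulnerabilities", [])
               if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= floor)


# Constructed sample report in the assumed gl-sast-report.json shape.
SAMPLE_REPORT = {
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "f1", "category": "sast", "name": "SQL injection",
         "severity": "Unknown",
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"},
                         {"type": "cwe", "name": "CWE-20", "value": "20"}]},
        {"id": "f2", "category": "sast", "name": "Weak random number generator",
         "severity": "Unknown",
         "identifiers": [{"type": "cwe", "name": "CWE-338", "value": "338"}]},
        {"id": "f3", "category": "sast", "name": "Unmapped weakness",
         "severity": "Unknown",
         "identifiers": [{"type": "cwe", "name": "CWE-1004", "value": "CWE-1004"}]},
        {"id": "f4", "category": "sast", "name": "Already rated",
         "severity": "Low",
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
    ],
}

if __name__ == "__main__":
    rated = assign_severities(SAMPLE_REPORT)
    for v in rated["vulnerabilities"]:
        print(v["id"], v["name"], "->", v["severity"])
    print("findings at or above High:", count_at_or_above(rated, "High"))
```

Two design points matter for the analyzer change: when a finding carries several CWEs, the highest mapped severity is taken rather than the first, and a CWE with no entry in the table leaves the finding at `Unknown` instead of silently downgrading it to `Info`, so the gaps in the mapping stay visible.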

Edited by Connor Gilbert