Assess severity of Bandit rulesets translated to Semgrep
Context
Some customers have reported being surprised by the severity levels coming out of Bandit. In particular, findings that seem high-severity (such as those pointing toward data loss) are still assessed as low severity. One customer was alarmed to see B106: hardcoded password func arg at Low, and, while this particular rule may not warrant higher severity, we should be confident in the severity ratings for what we're shipping.
Possible cause: as of 2022-01-14, "confidence" is reported as "severity" in the Bandit, Brakeman, and Flawfinder translations.
Raised during PI review 2022-04 (team members only).
Scope of work
Evaluate whether the Bandit ruleset translated to Semgrep reflects severity levels that are appropriate based on the content of what is being detected.