Add SARIF 2.1.0 security report parser

What does this MR do and why?

Implements a SARIF 2.1.0 parser that ingests SARIF reports as GitLab security findings. This is the second MR for #452042 and depends on !227968 (merged) being merged first.

Changes:

  • Add JSON schema validator for SARIF 2.1.0
  • Add Gitlab::Security::Parsers::Sarif parser with full finding extraction
  • Add Gitlab::Ci::Reports::Security::Locations::Sarif location model
  • Add per-run scanner registry to Security::Report

Field mapping notes:

  • Severity priority (in order): result.rank > security-severity extension > result/rule level (error → high, not critical)
  • Primary identifier (in order of priority): SARIF rule id > secondary CWE/CVE tags from rule.properties.tags
  • Suppressed results (those with suppressions where none are underReview or rejected) are skipped
  • Findings without a ruleId are rejected — required for stable tracking across runs
  • Miscellaneous mappings (too many to name, but this comment and this table give an overview)
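
As an added illustration of the mapping rules listed above (not code from this MR and not GitLab's Gitlab::Security::Parsers::Sarif), the following Ruby sketch walks a constructed SARIF 2.1.0 document and applies the severity precedence, identifier ordering, suppression skip and missing-ruleId rejection. The rank and security-severity thresholds, the warning/note mappings, the tool names, rule ids and file paths are all assumptions; the description only fixes the precedence and that error maps to high.

```ruby
require 'json'

# Added illustration of the field-mapping rules in the MR description. This is
# NOT GitLab's parser. Score thresholds, warning/note mappings and every name in
# the sample document are assumptions made for the example.
module SarifMappingExample
  LEVEL_TO_SEVERITY = { 'error' => 'high', 'warning' => 'medium', 'note' => 'low' }.freeze
  # A result is skipped when it has suppressions and none of them is still open.
  OPEN_SUPPRESSION_STATUSES = %w[underReview rejected].freeze
  IDENTIFIER_TAG = /\A(CWE-\d+|CVE-\d{4}-\d{4,})\z/i

  # Assumed bucketing of a numeric score over a 0..max scale.
  def self.severity_from_score(score, max)
    ratio = score.to_f / max
    return 'critical' if ratio >= 0.9
    return 'high'     if ratio >= 0.7
    return 'medium'   if ratio >= 0.4
    return 'low'      if ratio > 0.0
    'info'
  end

  # Precedence: result.rank, then rule security-severity, then result/rule level.
  def self.severity_for(result, rule)
    rank = result['rank']
    return severity_from_score(rank, 100.0) if rank && rank >= 0 # SARIF uses -1 for "absent"
    sec = rule&.dig('properties', 'security-severity')
    return severity_from_score(sec, 10.0) if sec
    level = result['level'] || rule&.dig('defaultConfiguration', 'level') || 'warning'
    LEVEL_TO_SEVERITY.fetch(level, 'unknown')
  end

  def self.suppressed?(result)
    sups = result['suppressions'] || []
    !sups.empty? && sups.none? { |s| OPEN_SUPPRESSION_STATUSES.include?(s['status']) }
  end

  # SARIF rule id first, then CWE/CVE tags taken from rule.properties.tags.
  def self.identifiers_for(rule_id, rule)
    tags = rule&.dig('properties', 'tags') || []
    [{ type: 'sarif_rule_id', value: rule_id }] +
      tags.grep(IDENTIFIER_TAG).map { |t| { type: t[0, 3].downcase, value: t.upcase } }
  end

  def self.parse(json)
    doc = JSON.parse(json)
    raise ArgumentError, "unsupported SARIF version #{doc['version']}" unless doc['version'] == '2.1.0'

    findings = []
    rejected = []
    doc.fetch('runs', []).each do |run|
      driver = run.dig('tool', 'driver') || {}
      rules = driver['rules'] || []
      run.fetch('results', []).each do |result|
        rule_id = result['ruleId']
        if rule_id.nil? || rule_id.empty?
          rejected << 'missing ruleId' # no stable key for tracking across runs
          next
        end
        next if suppressed?(result)

        rule = rules.find { |r| r['id'] == rule_id } || (result['ruleIndex'] && rules[result['ruleIndex']])
        loc = result.dig('locations', 0, 'physicalLocation') || {}
        findings << {
          scanner: driver['name'] || 'unknown', # scanner is tracked per run
          severity: severity_for(result, rule),
          identifiers: identifiers_for(rule_id, rule),
          message: result.dig('message', 'text'),
          file: loc.dig('artifactLocation', 'uri'),
          start_line: loc.dig('region', 'startLine')
        }
      end
    end
    { findings: findings, rejected: rejected }
  end

  # Constructed sample document; tool names, rule ids and paths are made up.
  SECRET_RULE = { 'id' => 'demo-hardcoded-secret',
                  'properties' => { 'tags' => %w[security CWE-798], 'security-severity' => '8.0' } }
  STYLE_RULE = { 'id' => 'demo-style', 'defaultConfiguration' => { 'level' => 'note' } }
  SAMPLE_JSON = JSON.generate({
    'version' => '2.1.0',
    'runs' => [
      { 'tool' => { 'driver' => { 'name' => 'demo-sast', 'rules' => [SECRET_RULE] } },
        'results' => [
          { 'ruleId' => 'demo-hardcoded-secret', 'level' => 'error', 'rank' => 55.0, # rank wins: medium
            'message' => { 'text' => 'hard-coded token' },
            'locations' => [{ 'physicalLocation' => { 'artifactLocation' => { 'uri' => 'app/config.rb' },
                                                      'region' => { 'startLine' => 12 } } }] },
          { 'ruleId' => 'demo-hardcoded-secret', 'level' => 'error' }, # security-severity 8.0: high
          { 'ruleId' => 'demo-hardcoded-secret', 'suppressions' => [{ 'kind' => 'inSource', 'status' => 'accepted' }] },
          { 'ruleId' => 'demo-hardcoded-secret', 'suppressions' => [{ 'kind' => 'external', 'status' => 'underReview' }] },
          { 'level' => 'error', 'message' => { 'text' => 'no ruleId' } } # rejected
        ] },
      { 'tool' => { 'driver' => { 'name' => 'demo-linter', 'rules' => [STYLE_RULE] } },
        'results' => [
          { 'ruleId' => 'demo-style', 'level' => 'error' }, # error -> high, not critical
          { 'ruleId' => 'demo-style' }                      # rule default level note -> low
        ] }
    ]
  })
end

if __FILE__ == $PROGRAM_NAME
  out = SarifMappingExample.parse(SarifMappingExample::SAMPLE_JSON)
  out[:findings].each { |f| puts "#{f[:scanner]} #{f[:severity]} #{f[:identifiers].map { |i| i[:value] }.join(',')}" }
  puts "rejected: #{out[:rejected].inspect}"
end
```

Running the file prints one line per surviving finding (scanner, severity, identifiers) and the rejection reasons; the accepted suppression is dropped while the underReview one is kept, and the level-only results show that error lands on high rather than critical.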

Testing notes:

  • Unit specs cover the parser, schema validator, and location class
  • End-to-end testing is not possible until !227968 (merged) merges and sarif is registered in the parser registry — see the PoC MR !225747 for a full working example

MR acceptance checklist

Edited by Lucas Charles
