Improve C# insecure deserialization rule

Context

A customer reported a false-positive in the insecure deserialization rule for C#. Specifically, the rule flagged a call to the ReadObject method on an instance of DataContractSerializer as insecure. However, according to Microsoft's deserialization guide, this serializer is not considered insecure.

Improvement

The rule is transformed into a taint tracking rule. This change enables a more precise definition of data sources that could potentially be under user control, as well as precise sink definitions that exclusively detect insecure serializers. When user-controlled data sources flow into insecure sinks, it significantly increases the likelihood of detecting true positives.

It's important to note that this enhanced precision does come at a cost. The new rule may be less effective at detecting inter-procedural or inter-functional issues compared to the previous one. However, the decision was made to prioritize increased detection precision.

Semgrep Playground

https://semgrep.dev/playground/s/51ll

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/429235+