Commit 568b954a authored by Yassine BAZIZ's avatar Yassine BAZIZ Committed by Pierre Smeyers

feat(sonar): add SonarQube Vulnerability Report integration

parent cb7cae5e
+10 −0
@@ -279,6 +279,16 @@ It uses the following variable:
| `sonar-extra-args` / `DOTNET_SONAR_EXTRA_ARGS`      | Extra arguments used by the [SonarScanner](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/scanners/dotnet/using/#analysis-steps) | _none_ |
| `sonar-exclusions` / `DOTNET_SONAR_EXCLUSIONS` | Files and directories to be excluded from analysis, as a comma-separated list of paths. See [documentation](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) for the format. | `**/bin/**,**/obj/**,**/packages/**,**/*.g.cs,**/*.g.i.cs,**/*.designer.cs,**/*AssemblyInfo.cs,.sonarqube` |

**Output artifacts:**

When the SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/quality-standards-administration/managing-quality-gates/introduction/) is enabled (using `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED`), this job produces a GitLab SAST report `dotnet-sonar.gitlab-sast.json`, generated from SonarQube as part of the [Vulnerability Reporting integration](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/setting-up-at-project-level#reporting-vulnerabilities), containing the detected security findings. Artifacts are retained for one day and are downloadable only by users with the Developer role or higher in GitLab.

The following reports are generated:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$DOTNET_PROJECT_DIR/reports/dotnet-sonar.gitlab-sast.json` | [Gitlab SAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/sast-report-format.json?ref_type=heads) report | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportssast) |

More info:

* [dotnet language support](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/test-coverage/dotnet-test-coverage/)
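Review bot: the new "Output artifacts" paragraph makes the SAST export depend on `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED`, which couples two unrelated behaviours: a team that wants the findings in the GitLab Security dashboard but does not want the job to fail on the gate cannot get one without the other, and nothing in the variable name suggests it also controls report export. Either introduce a dedicated switch for the export or state plainly, next to the variable, that enabling the gate is what turns the export on. The paragraph should also say what `SONAR_TOKEN` must be allowed to do for the export to succeed (it now reads the project's issues through the SonarQube API after the analysis, not only pushes the analysis), and that on merge request pipelines the report is fetched for the pull-request analysis, so it only exists when the scan itself ran in MR mode. Minor: "Gitlab SAST" in the report table should read "GitLab SAST" like the rest of the page.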
+25 −1
Original line number Diff line number Diff line
@@ -2107,7 +2107,23 @@ dotnet-sonar:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  script:
    - dotnet_run_sonar
    - dotnet_run_sonar || exit_code=$?
    - |
      if [[ "$SONAR_QUALITY_GATE_ENABLED" == "true" ]]
      then
        log_info "Retrieve GitLab SAST report from SonarQube for project \\e[33;1m${SONAR_PROJECT_KEY}\\e[0m..."
        mkdir -p ./reports
        sonar_api_params="projectKey=$SONAR_PROJECT_KEY"
        if [ "${CI_MERGE_REQUEST_IID}" ]; then
          sonar_api_params="${sonar_api_params}&pullRequest=$CI_MERGE_REQUEST_IID"
        else
          sonar_api_params="${sonar_api_params}&branch=$CI_COMMIT_REF_NAME"
        fi
        curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?${sonar_api_params}" -o ./reports/dotnet-sonar.gitlab-sast.json # gitleaks:allow
      else
        log_info "ℹ️ If you wish to retrieve GitLab SAST report from SonarQube, please set SONAR_QUALITY_GATE_ENABLED to true"
      fi
      - exit $exit_code
  cache:
    key: "${CI_COMMIT_REF_SLUG}-sonar"
    fallback_keys:
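Review bot: as rendered here, `      - exit $exit_code` is indented to the same depth as the `if`/`fi` body of the `|` block scalar above it, so YAML folds it into that literal block and the shell receives a line reading `- exit $exit_code` instead of a separate `script` step; it needs the same four-space depth as `- dotnet_run_sonar || exit_code=$?` and `- |`. Related: `exit_code` is never initialised, so after a successful scan `exit $exit_code` expands to a bare `exit` and the job passes only because the last command's status happens to be zero; set `exit_code=0` before the scan. The curl call should add `--fail --silent --show-error`, because a 401/403/404 from SonarQube currently exits 0 and leaves the JSON error body in `dotnet-sonar.gitlab-sast.json`, which is then uploaded as the SAST report. The `branch` and `pullRequest` values should be passed with `-G --data-urlencode` rather than concatenated into the URL, since `CI_COMMIT_REF_NAME` may contain characters such as `#` or `&` that break the query string.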
@@ -2117,6 +2133,14 @@ dotnet-sonar:
      - '.sonar/cache'
      - $DOTNET_CLI_HOME/.local/share/NuGet/http-cache
      - $DOTNET_CLI_HOME/bin
  artifacts:
    name: "SonarQube analysis reports for Dotnet from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    when: always
    reports:
      sast: '${DOTNET_PROJECT_DIR}/reports/dotnet-sonar.gitlab-sast.json'
    paths:
      - '${DOTNET_PROJECT_DIR}/reports/dotnet-sonar.gitlab-sast.json'
  rules:
    # exclude if $SONAR_HOST_URL $SONAR_TOKEN is not set
    - if: '$SONAR_HOST_URL == null || $SONAR_HOST_URL == "" || $SONAR_TOKEN == null || $SONAR_TOKEN == ""'
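Review bot: the `artifacts` entries point at `${DOTNET_PROJECT_DIR}/reports/dotnet-sonar.gitlab-sast.json`, but the script in the previous hunk does `mkdir -p ./reports` and writes with `-o ./reports/dotnet-sonar.gitlab-sast.json`, relative to the working directory; unless the job has already changed into `$DOTNET_PROJECT_DIR` (not visible in this diff), the file is not where `artifacts` looks, GitLab only prints a "no files to upload" warning, and nothing reaches the Security dashboard. Use the same `${DOTNET_PROJECT_DIR}/reports` prefix in the script, or compute the path once in a variable used by both the script and the `artifacts` section. Also, with `when: always` and the export skipped in the script's `else` branch, every run without `SONAR_QUALITY_GATE_ENABLED` will emit that same warning; the docs should mention it is expected in that case.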