Add SpotBugs code scanning

[AdamVe]

This PR is to test whether uploading SARIF files generated by spotbugs applies found vulnerabilities in the Security/Code Scanning GitHub section. (No effect have been seen when this running in branch)

• SpotBugs related gradle code is moved to project-convention-spotbugs.gradle
• Produced SARIF files are uploaded to GitHub for analysis
• Produced HTML files are available to browse locally when using ./gradlew spotbugsMain spotbugsRelease --rerun-tasks

Note: the Fix Sarif step uses jq to update the sarif format to be closer to the GitHub specification but I did not see any effect if required parameters were present or not.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.