Improve Diagnostic reporting

[PurelyApplied]

At present, reporting of Diagnostics is a generic a source has reached a sink message with source and sink positions included. This can be useful in simple cases, but can be opaque in the event that a source has reached a sink via taint through many propagating steps.

While a full trace of propagation steps may be unnecessary, diagnostic reporting should be improved to the point that a developer reading a diagnostic does not need familiarity with SSA, taint propagation, or go-flow-levee to remediate the failure. For instance, a more general "<source name and position> has exceeded its data boundary by reaching <sink name and position>. Arguments to <sink name> must be sanitized."

[mlevesquedion]

This idea may be a little "far out" but I think it could be interesting to have an option to produce colored output showing what values are sources and what values are tainted (perhaps in a different color from sources, to avoid any confusion). This would be easy to implement and it would likely make it very easy for developers to see how the taint propagated from the source to reach a sink. (For color-blind developers, we could use variations in brightness instead).

[PurelyApplied]

I've worked on plenty of machines where terminal escape sequences don't get rendered. That could be a nice bit of gilding down the road, though.

[mlevesquedion]

I think we might even want the report to be configurable to some extent. E.g. by default we could end the report with Arguments to sinks must be sanitized., but users may want to use a different message, e.g. they might want to specify what sanitizer to use so developers don't have to go look it up.