Enforce metavariable equality between sources/sinks/sanitizers, and show metavariables in taint mode messages

[mmcqd]

We can now write rules that use the same metavariable across sources/sinks/sanitizers, and refer to these metavariables in match messages. Currently if a sink could be matched with multiple possible metavariable assignments it will be matched twice by semgrep-core, but semgrep will filter out all but one of these matches.

PR checklist:

• Documentation is up-to-date
• Changelog is up-to-date
• Change has no security implications (otherwise, ping security team)

[linear]

PA-313 Metavariable equality between sources, sanitizers and sink specifications

Right now each spec is independent, if you match $MVAR in a source and in a sink these are considered two different variables. We should require that all $MVAR matches are consistent.

[aryx]

I don't want the core to depends on analyzing. There has to be a way to avoid this dependency.
In fact in core/dune we should remove pfff-lang_GENERIC-analyze, it's not currently needed; not sure why it was there in the first place.

[aryx]

Maybe you can move Dataflow_tainting.ml in engine/, and add a note that it used to be in analyzing/, but with
metavariable checking the environment now depends on Pattern_match.t, which means it depends on semgrep-core/core.
Then say it can't be in analyzing/ because
we want analyzing/ to be independent of semgrep-core/core because it's used in other projects (e.g., codemap from aryx)

[aryx]

Asking for more comments mostly.

[IagoAbal]

I don't want the core to depends on analyzing. There has to be a way to avoid this dependency.

Sorry that I missed the initial context. @mmcqd was the core that depended on analyzing? Or analyzing that depended on core? I would only expect Dataflow_tainting to depend on Pattern_match.t.