Add DevDiv required Roslyn analyzers to all projects and fix errors. #704
6c7dd47 to bd88554
Directory.Build.props
Outdated
| </PropertyGroup> | ||
|
|
||
| <!-- Add Roslyn analyzers NuGet to all projects --> | ||
| <ItemGroup> |
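Review bot: the `<ItemGroup>` that brings the analyzer package into every project is unconditional in the lines visible here, while the reply below says `$(DisableRoslynAnalyzers)` is meant to let a project opt out; if the condition is not on the `PackageReference` inside the group, put `Condition="'$(DisableRoslynAnalyzers)' != 'True'"` on the group so the opt-out actually takes effect, and consider `PrivateAssets="all"` on the analyzer reference so it does not flow to consumers of the produced packages.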
Don't item groups actually belong in Directory.Build.targets?
I went with the guidance here: https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build?view=vs-2019#choose-between-adding-properties-to-a-props-or-targets-file.
Specifically:
Include items in .props files (conditioned on a property). All properties are considered before any
item, so user-project property customizations get picked up, and this gives the user's project the
opportunity to Remove or Update any item brought in by the import.
I added $(DisableRoslynAnalyzers) to allow opting out of running the analyzers.
Commit message for review:

As part of building secure software, Microsoft DevDiv has a set of
[Roslyn analyzers][0] dealing with security that should be run on every
managed assembly.
Adds these analyzers and fixes any errors they introduce.
~~ Running Analyzers ~~
In order to run the Roslyn analyzers, the NuGet package
[`Microsoft.CodeAnalysis.FxCopAnalyzers`][1] must be added to each
project. Rather than do this manually now, and for each new project
in the future, we instead add this to the `Directory.Build.props` file,
which automatically adds it to all projects.
By default, adding the NuGet package runs all included analyzers at
each analyzer's default severity level. At this time, we are only
concerned with the prescribed security set, so we use
`.editorconfig` to set those analyzers as `error`, and all other
analyzers as `none`.
Projects that wish to opt out of running the analyzers can set
`<DisableRoslynAnalyzers>True</DisableRoslynAnalyzers>`.
~~ Fixing Errors ~~
The only errors surfaced by these analyzers are
[CA3075: Insecure DTD Processing][2]. These were fixed by using
`new XmlReaderSettings { XmlResolver = null }`, which will not attempt
to resolve and download any DTD files.
~~ Move `NullableAttributes.cs` ~~
`NullableAttributes.cs` is moved to the `src\utils` directory.
This file was added to `Java.Interop.Tools.JavaCallableWrappers.csproj`
via `..\Java.Interop\`. However, because the file resided in the
directory containing the strict `.editorconfig` for `Java.Interop.dll`,
it was applying those `.editorconfig` rules to
`Java.Interop.Tools.JavaCallableWrappers.dll`.
Moving it to a neutral directory fixed this.
~~ Other Notes ~~
Updating the `Java.Interop.dll` to the latest analyzer NuGet version
triggered some errors we had handled for that specific assembly, which
likely did not exist in the old analyzers and thus were not being
surfaced as errors. They do not appear to be rules that we are
actually concerned with, so they were disabled:
* CA1021 - Don't use out parameters
* CA1045 - Don't use reference parameters
* CA1822 - Mark methods static if they don't reference instance members
* CA1002 - Don't expose generic Lists
[0]: https://github.com/dotnet/roslyn-analyzers
[1]: https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers/
[2]: https://docs.microsoft.com/en-us/visualstudio/code-quality/ca3075?view=vs-2019

bd88554 to f8a2f69
As part of building secure software, DevDiv has a set of Roslyn analyzers dealing with security that should be run on every managed assembly. This PR adds these analyzers and fixes errors they introduce.

Running Analyzers

In order to run the Roslyn analyzers, the NuGet package `Microsoft.CodeAnalysis.FxCopAnalyzers` must be added to each project. Rather than do this manually now, and for each future project, we add this to the `Directory.Build.props` file, which automatically adds it to all projects. By default, adding the NuGet package runs all included analyzers at each one's default severity level. At this time, we are only concerned with the prescribed security set, so we use `.editorconfig` to set those analyzers as `error`, and all other analyzers as `none`. Projects that wish to opt out of running the analyzers can set `<DisableRoslynAnalyzers>True</DisableRoslynAnalyzers>`.

Fixing Errors

The only errors surfaced by these analyzers are CA3075: Insecure DTD Processing. These were fixed by adding `new XmlReaderSettings { XmlResolver = null }`, which will not attempt to resolve and download any DTD files.

Other Notes

Updating the `Java.Interop.dll` to the latest analyzer NuGet version triggered some errors we had marked for that specific assembly which likely did not exist in the old analyzers and thus were not being surfaced as errors. They do not appear to be rules that we are actually concerned with, so they were disabled:

Moved `NullableAttributes.cs` to the `src\utils` directory. This file was added to `Java.Interop.Tools.JavaCallableWrappers.csproj` from `..\Java.Interop\`. However, because the file resided in the directory containing the strict `.editorconfig` for `Java.Interop.dll`, it was applying those `.editorconfig` rules to `J.I.T.JavaCallableWrappers`. Moving it to a neutral directory fixed this.
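An added example (not code from this PR or from the java-interop project) of the CA3075 fix the commit message and description describe: an `XmlReaderSettings` with `XmlResolver = null`, exercised against a constructed document that declares an external DTD. It also states `DtdProcessing.Prohibit` explicitly, which goes slightly beyond the page's one-liner (it is already the `XmlReaderSettings` default); the class, method and sample names are hypothetical.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not code from the java-interop PR. Names are hypothetical.
static class SafeXmlDemo
{
    // Constructed inputs: one plain document and one whose DOCTYPE points at an
    // external DTD, which an unhardened reader would try to fetch (CA3075's concern).
    const string PlainXml = "<?xml version=\"1.0\"?><config><item>value</item></config>";
    const string DtdXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE config SYSTEM \"http://example.invalid/config.dtd\">\n" +
        "<config><item>value</item></config>";

    // The fix pattern from the PR: a null resolver means external DTDs and entities
    // are never fetched. DtdProcessing.Prohibit is already the XmlReaderSettings
    // default; it is restated so both knobs are visible in one place.
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        XmlResolver = null,
        DtdProcessing = DtdProcessing.Prohibit,
    };

    // Returns the root element name on success, or why the reader refused the input.
    static string ParseRoot(string xml)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                reader.MoveToContent();
                return reader.Name;
            }
        }
        catch (XmlException e)
        {
            return "refused: " + e.Message;
        }
    }

    static void Main()
    {
        // Both inputs go through the same hardened reader: the plain document yields
        // its root name, the DOCTYPE one is refused instead of having its DTD resolved.
        Console.WriteLine(ParseRoot(PlainXml));
        Console.WriteLine(ParseRoot(DtdXml));
    }
}
```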