Description
Originally filed as #598, split into more focused component issues.
GitHub Advanced Security's code scanning feature recognises precision levels, currently read from the properties bag of a SARIF reportingDescriptor object, and sorts alerts by them. GitHub CodeQL populates this property in its SARIF output, and the property is recognised for other code scanning tools.
Using the property bag was a pragmatic measure to provide this functionality without requiring a SARIF spec change. For SARIF 2.2 I propose we make precision an accepted property on a reportingDescriptor or a result, with the same accepted values that GitHub consumes today: very-high, high, medium, low, or omitted entirely. SARIF producer tools can use this property to indicate the tool's own confidence in the precision of the result, or for a rule, how often the results indicated by this rule are true.
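As an added illustration, not code from the issue, the SARIF spec, or GitHub: a small consumer that reads precision the way the issue describes it, from the properties bag on a reportingDescriptor as GitHub does today, or from the proposed first-class property on a reportingDescriptor or a result, validates the value against the four accepted levels, and orders results most precise first. The sample log is constructed, and the spelling of the first-class `precision` key is an assumption.

```python
import json

# Accepted values named in the issue; omitted or unrecognised precision sorts last.
PRECISION_RANK = {"very-high": 0, "high": 1, "medium": 2, "low": 3}

# Constructed minimal SARIF 2.1.0 log. Rule R1 carries precision in its properties
# bag (how GitHub reads it today); rule R2 uses the proposed first-class property
# (key name assumed); rule R3 omits it. One result on R1 overrides at result level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-tool", "rules": [
            {"id": "R1", "properties": {"precision": "medium"}},
            {"id": "R2", "precision": "very-high"},
            {"id": "R3"},
        ]}},
        "results": [
            {"ruleId": "R3", "message": {"text": "no precision anywhere"}},
            {"ruleId": "R1", "message": {"text": "inherits medium from rule"}},
            {"ruleId": "R1", "precision": "high", "message": {"text": "result-level override"}},
            {"ruleId": "R2", "message": {"text": "inherits very-high from rule"}},
        ],
    }],
})


def precision_of(obj):
    """Read precision from a result or reportingDescriptor: the proposed
    first-class property first (assumed key), then the properties bag.
    Anything outside the accepted values is treated as omitted."""
    value = obj.get("precision")
    if value is None:
        value = obj.get("properties", {}).get("precision")
    return value if value in PRECISION_RANK else None


def sorted_results(sarif_text):
    """Return (ruleId, effective precision) pairs for every result, most precise
    first; a result-level value takes precedence over the rule's value."""
    log = json.loads(sarif_text)
    ordered = []
    for run in log["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            precision = precision_of(result) or precision_of(rule)
            ordered.append((result.get("ruleId"), precision))
    # Omitted precision ranks after every accepted value.
    return sorted(ordered, key=lambda pair: PRECISION_RANK.get(pair[1], len(PRECISION_RANK)))
```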