fix(taint): prioritize call-graph over type-based source matching

[costela]

Summary

• Refactors isParameterTainted to check call-graph edges first and only fall back to type-based source matching (e.g. *http.Request) when the call graph cannot give a definitive answer (no visible callers or edge cap hit).
• Fixes invoke-mode index adjustment for interface method calls (IsInvoke), where the receiver is in Call.Value rather than Args.
• Adds G704 test cases for wrapper methods with hardcoded vs tainted URLs, and updates G701 interface implementation test to expect correct detection.

Motivation

Previously, type-based source matching ran before the call-graph check, causing false positives for wrapper methods that receive a source type (e.g. *http.Request) but whose callers only pass safe, hardcoded values.

Test plan

• go test ./taint/... — taint analyzer tests pass
• go test ./... — full test suite passes, including new G704 wrapper cases
• G701 interface implementation test now expects 1 finding (taint correctly flows through interface dispatch)
• G704 hardcoded-URL wrapper test expects 0 findings (no false positive)
• G704 tainted-URL wrapper test expects 2 findings (NewRequest + Do sink)

Fixes #1629

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.12%. Comparing base (844b170) to head (d288b1b).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
taint/taint.go	83.33%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1628      +/-   ##
==========================================
+ Coverage   81.09%   81.12%   +0.02%     
==========================================
  Files         108      108              
  Lines       10093    10098       +5     
==========================================
+ Hits         8185     8192       +7     
- Misses       1423     1424       +1     
+ Partials      485      482       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[costela]

@ravisastryk AFAICT you're the main author for the taint engine, right? In that case, I'd really appreciate your take on this PR 🙏
I'm a newbie in gosec's codebase and have to admit I needed a lot of LLM help groking the taint analysis code 🙈

[ravisastryk]

Thank you @costela for the report and the quick PR! I have put up #1630 which takes a slightly different approach with a bit more test coverage - feel free to close this one in favour of that if it looks good to you.
@ccojocar Can you please review #1630 when you get a chance? Happy to incorporate any feedback. Thank you.

[costela]

@ravisastryk thanks for the quick feedback! Your PR seems less invasive 👍