### Description

In order to allow fine-grained suppression of `CdkNagValidationFailure` annotations via `appliesTo` in `NagSuppressions`, `CdkNagValidationFailure` should treat the rule on which the error occurred as the `findingId` for the message and suppression evaluation. Further, if a suppression that has no `appliesTo` is already in place for the rule, the `CdkNagValidationFailure` should also be suppressed.
### Use Case

Error suppression should be scoped as tightly as possible to avoid accidentally suppressing unexpected errors.

As an example, I have an `AwsCustomResource` construct, which uses `Fn::FindInMap` to find the latest node runtime by region. As a result, rule `AwsSolutions-L1` throws an error during validation, despite being suppressed for the custom resource. Hence I want to suppress `CdkNagValidationFailure` for this known and expected exception, but do not want to suppress any other validation failures on the same resource.
### Proposed Solution

Modify `CdkNagValidationFailure` to treat the `ruleId` as other rules treat `findingId`, allowing fine-grained suppression of `CdkNagValidationFailure` like so:

```ts
NagSuppressions.addResourceSuppressions(
  awsCustomResource,
  [{ id: 'CdkNagValidationFailure', reason: 'lorem ipsum', appliesTo: ['AwsSolutions-L1'] }],
  true,
);
```

Even better, if I already have the following suppression then validation failures for that rule on the given resource would be suppressed automatically:

```ts
NagSuppressions.addResourceSuppressions(
  awsCustomResource,
  [{ id: 'AwsSolutions-L1', reason: 'lorem ipsum' }],
  true,
);
```
### Other information

No response
### Acknowledge

- I may be able to implement this feature request
- This feature might incur a breaking change
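The matching semantics the proposal asks for, written out as an added illustration in TypeScript (this is not cdk-nag's own implementation): a `CdkNagValidationFailure` suppression with an `appliesTo` list only covers failures raised by the listed rules, and a plain suppression for the rule itself also covers a validation failure of that rule. The `NagPackSuppression` shape mirrors the objects in the snippets above; `isValidationFailureSuppressed` and `ISSUE_SUPPRESSIONS` are hypothetical names introduced here.

```typescript
// Added illustration of the requested suppression semantics; not cdk-nag code.
interface NagPackSuppression {
  id: string;           // a rule id such as 'AwsSolutions-L1', or 'CdkNagValidationFailure'
  reason: string;
  appliesTo?: string[]; // optional finding ids the suppression is scoped to
}

// Annotation id emitted when a rule throws while evaluating a resource.
const VALIDATION_FAILURE_ID = 'CdkNagValidationFailure';

/**
 * Decide whether a validation failure raised while evaluating `ruleId`
 * is covered by the suppressions attached to a resource:
 *   1. 'CdkNagValidationFailure' with no appliesTo covers every failure
 *      (the unscoped, pre-existing behaviour);
 *   2. 'CdkNagValidationFailure' with appliesTo covers only failures
 *      whose originating rule id is listed (ruleId acts as findingId);
 *   3. a suppression for the rule itself with no appliesTo also covers
 *      a validation failure of that rule.
 * A rule suppression that is scoped with appliesTo does NOT cover the
 * failure, because the finding it targets was never produced.
 */
function isValidationFailureSuppressed(
  ruleId: string,
  suppressions: NagPackSuppression[],
): { suppressed: boolean; reason?: string } {
  for (const s of suppressions) {
    if (s.id === VALIDATION_FAILURE_ID) {
      if (s.appliesTo === undefined || s.appliesTo.includes(ruleId)) {
        return { suppressed: true, reason: s.reason };
      }
    } else if (s.id === ruleId && s.appliesTo === undefined) {
      return { suppressed: true, reason: s.reason };
    }
  }
  return { suppressed: false };
}

// Constructed sample: the scoped suppression from the issue's first snippet.
const ISSUE_SUPPRESSIONS: NagPackSuppression[] = [
  { id: VALIDATION_FAILURE_ID, reason: 'lorem ipsum', appliesTo: ['AwsSolutions-L1'] },
];

// AwsSolutions-L1 failing is expected and suppressed; any other rule failing is not.
console.log(isValidationFailureSuppressed('AwsSolutions-L1', ISSUE_SUPPRESSIONS));
console.log(isValidationFailureSuppressed('AwsSolutions-IAM5', ISSUE_SUPPRESSIONS));
```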
### Activity

**dontirun** commented on Oct 24, 2024

Good idea! Looking forward to the PR
feat: add per-rule granular error suppression (cdklabs#1826)