Add YAML rules and tests for insecure JWT usage detection (#182)

* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* jwt-scala-hardcode-scala

* jwt-go-none-algorithm-go

* changing folder location for jwt-go-none-algorithm-go

* jwt-hardcode-kotlin

* scala-jwt-hardcoded-secret-scala

---------

Co-authored-by: Sakshis <sakshil@abc.com>

Author: 2 people

rules/go/security/jwt-go-none-algorithm-go.yml

@@ -0,0 +1,43 @@
+id: jwt-go-none-algorithm-go
+language: go
+severity: warning
+message: >-
+  Detected use of the 'none' algorithm in a JWT token. The 'none'
+  algorithm assumes the integrity of the token has already been verified.
+  This would allow a malicious actor to forge a JWT token that will
+  automatically be verified. Do not explicitly use the 'none' algorithm.
+  Instead, use an algorithm such as 'HS256'.
+note: >-
+  [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+
+ast-grep-essentials: true
+
+utils:
+  after_declaration:
+    inside:
+      stopBy: end
+      follows:
+        stopBy: end
+        kind: import_declaration
+        has:
+          stopBy: end
+          kind: import_spec
+          has:
+            kind: interpreted_string_literal
+            has:
+              kind: interpreted_string_literal_content
+              regex: ^(github.com/dgrijalva/jwt-go|github.com/golang-jwt/jwt)$
+
+rule:
+  kind: selector_expression
+  all:
+    - pattern: $JWT_FUNC
+    - matches: after_declaration
+
+constraints:
+  JWT_FUNC:
+    regex: (jwt.SigningMethodNone|jwt.UnsafeAllowNoneSignatureType)