
Migrate MobSF rules to Semgrep-based analyzer

Proposal

Migrate MobSF rules to the Semgrep-based analyzer's ruleset (managed by GitLab) and deprecate MobSF.

As suggested by #444289 (comment 1800533977)

  • do more of a “the old scan results are gone; going forward here is the new scanning” approach
  • filter the ruleset at this point based on security value

Technical discovery for this issue was done in #329712 (closed)

This issue is related to #412060 (closed)

Implementation plan

  • Import MobSF rules to sast-rules

    • follow PM's advice, check security value
    • Include rules
    • Include tests
    • Add mapping and ensure the IDs are the same as those generated in MobSF
    • Compare primary IDs to MobSF Primary IDs
    • Ensure long primary IDs don't affect the vulnerability report on GitLab.com
    • The rules directory should be included in ci/testcase_presence_check.rb
    • Fix severity
    • Ensure LGPL license compliance
      • ensure the correct license is stored next to the rules
      • add comments about LGPL in each migrated rule
  • Test 'takeover'

  • Check rule quality, test FP

  • Add the following glob patterns:

    • '**/*.swift'
    • '**/*.m'

    To the rules section in the semgrep-sast job of the following templates:
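    As an added illustration of that step (not text from the issue, and not the GitLab template itself), this is the shape of the change to the rules section of the semgrep-sast job. The job name, the rules/if/exists layout and the SAST_DISABLED / SAST_EXCLUDED_ANALYZERS variables follow GitLab's SAST template; the existing list of extensions shown is a shortened assumption, and only the two Swift and Objective-C globs are the change this issue asks for.

    ```yaml
    # Simplified semgrep-sast job from a GitLab SAST CI template (assumed layout,
    # not copied from the real template). The semgrep-sast job only runs when a
    # file matching one of the globs under `exists:` is present in the repository,
    # so without the new globs a Swift/Objective-C project would never be scanned
    # once the mobsf-* jobs are deprecated.
    semgrep-sast:
      extends: .sast-analyzer
      rules:
        - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
          when: never
        - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
          when: never
        - if: $CI_COMMIT_BRANCH
          exists:
            # existing language globs (abbreviated here)
            - '**/*.py'
            - '**/*.js'
            - '**/*.go'
            - '**/*.java'
            # added for the migrated MobSF rules:
            - '**/*.swift'   # Swift sources
            - '**/*.m'       # Objective-C sources
    ```

    The same pair of extensions has to be accepted by the analyzer itself (the supportedExt step below in the plan); adding the globs to the template only gates whether the job starts, while supportedExt decides which files the analyzer feeds to Semgrep.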

  • Deprecate the following mobsf-* jobs:

  • Update the supportedExt variable in semgrep to include .swift and .m

  • Update semgrep with the new version of sast-rules

  • Update semgrep and release

  • Add deprecation notice to MobSF

MR: !518

Edited by Hua Yan