Generate manifest file that includes meta-information about the rules

Julian Thome requested to merge julianthome/manifest into main

What does this MR do?

Generates a manifest file that includes the SHA-256 checksums for the rule files included in the sast-rules.zip file. It also includes the version number in the artifact names.

The manifest.txt file includes the individual rule file checksums as well as the combined checksums. Once this is integrated, we can update semgrep to validate the included rule checksums against the manifest file. gitlab-org/gitlab#463607 explains the approach in more detail.

What are the relevant issue numbers?

gitlab-org/gitlab#463607

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
    • For positive cases: // ruleid: ...
    • For negative cases: // ok: ...
  • Prefer ($X.servlet.http.HttpServletResponse $RESP).addCookie($C) over $RESPONSE.addCookie($C) to avoid False-Positives.
  • Following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp: with both 2017 and 2021 mappings
    • shortDescription: e.g. "Use of a broken or risky cryptographic algorithm" NOT "Use of a Broken or Risky Cryptographic Algorithm"
    • security-severity: one of Info, Low, Medium, High or Critical
  • The message contains a secure code example and no insecure ones.
  • The rule is placed in the correct rules/ subfolder based on its license, referring to the internal guidance.
  • Relevant labels including workflow labels are appropriately selected.
  • The MR is freshly rebased with main.
Edited by Julian Thome
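The following is an added illustration of the scheme the MR describes (per-file SHA-256 checksums plus a combined checksum in a manifest.txt shipped inside a versioned zip, and a consumer-side check of the archive against that manifest). It is not the code from this MR or from the sast-rules project: the manifest line format, the way the combined digest is derived (a SHA-256 over the sorted per-file lines), the sample rule files, the version string and the helper names are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# Constructed sample rule files; stand-ins for real sast-rules content.
SAMPLE_RULES: dict[str, bytes] = {
    "rules/java/crypto.yml": b"rules:\n  - id: java-weak-cipher\n",
    "rules/python/sql.yml": b"rules:\n  - id: python-sqli\n",
}

MANIFEST_NAME = "manifest.txt"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> str:
    """One '<sha256>  <path>' line per rule file, sorted by path, followed by a
    'combined' line whose digest covers the per-file lines themselves (assumed format)."""
    lines = [f"{sha256_hex(content)}  {path}" for path, content in sorted(files.items())]
    combined = sha256_hex("\n".join(lines).encode() + b"\n")
    lines.append(f"{combined}  combined")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> tuple[dict[str, str], str]:
    """Split manifest text into {path: digest} and the combined digest."""
    per_file: dict[str, str] = {}
    combined = None
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        if name == "combined":
            combined = digest
        else:
            per_file[name] = digest
    if combined is None:
        raise ValueError("manifest has no combined checksum line")
    return per_file, combined


def write_bundle(files: dict[str, bytes], version: str) -> tuple[str, bytes]:
    """Create sast-rules-<version>.zip in memory holding the rule files and the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in sorted(files.items()):
            zf.writestr(path, content)
        zf.writestr(MANIFEST_NAME, build_manifest(files))
    return f"sast-rules-{version}.zip", buf.getvalue()


def verify_bundle(zip_bytes: bytes) -> list[str]:
    """Return a list of problems; an empty list means the archive matches its manifest."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if MANIFEST_NAME not in names:
            return [f"{MANIFEST_NAME} missing from archive"]
        expected, combined = parse_manifest(zf.read(MANIFEST_NAME).decode())
        rule_files = {n: zf.read(n) for n in names if n != MANIFEST_NAME and not n.endswith("/")}
        # Recompute the manifest from the archive and compare the combined digest
        # first: a single comparison detects any added, removed or altered file.
        _, recomputed_combined = parse_manifest(build_manifest(rule_files))
        if recomputed_combined != combined:
            problems.append("combined checksum mismatch")
        # Then report per file so the operator sees exactly which rule changed.
        for path, content in rule_files.items():
            if path not in expected:
                problems.append(f"{path}: present in archive but not listed in manifest")
            elif sha256_hex(content) != expected[path]:
                problems.append(f"{path}: checksum mismatch")
        for path in expected:
            if path not in rule_files:
                problems.append(f"{path}: listed in manifest but missing from archive")
    return problems


def replace_entry(zip_bytes: bytes, path: str, new_content: bytes) -> bytes:
    """Rewrite the archive with one entry swapped and the old manifest kept, so the
    example can show a modified rule file being caught by verify_bundle."""
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in src.namelist():
            zf.writestr(name, new_content if name == path else src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    name, data = write_bundle(SAMPLE_RULES, "1.2.3")  # version string is constructed
    print(name, "problems:", verify_bundle(data))
    altered = replace_entry(data, "rules/python/sql.yml", b"rules: []\n")
    print("after modification:", verify_bundle(altered))
```

The combined digest is checked before the per-file digests so that a consumer needing only a yes/no answer compares one value, while the per-file lines tell a reviewer which rule drifted. Note that a checksum manifest bundled inside the same archive only detects accidental corruption or mismatched builds; integrity against a party who can rewrite the whole archive additionally needs the manifest (or the archive) signed with a key the consumer already trusts.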