
sast-rules - Updating CWEs in accordance with MITRE guidelines

Bhavya Kaushal requested to merge cleaning-CWEs into main

What does this MR do?

Updates rules that have CWEs marked as prohibited / deprecated / discouraged by MITRE and replaces those with allowed (and more specific, if possible) CWEs.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab/-/issues/482024

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
    • For positive cases: // ruleid: ...
    • For negative cases: // ok: ...
  • Prefer ($X.servlet.http.HttpServletResponse $RESP).addCookie($C) over $RESPONSE.addCookie($C) to avoid false positives.
  • The following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp: with both 2017 and 2021 mappings
    • shortDescription: e.g. "Use of a broken or risky cryptographic algorithm", NOT "Use of a Broken or Risky Cryptographic Algorithm"
    • security-severity: one of Info, Low, Medium, High or Critical
    • pattern: use multi-line patterns (with |) only when the actual search pattern spans more than a single line
  • The message contains a secure code example and no insecure ones.
  • The rule is placed in the correct rules/ subfolder based on its license, referring to the internal guidance.
  • Relevant labels including workflow labels are appropriately selected.
  • The MR is freshly rebased with main.
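As an added example (not code from this MR or the sast-rules project), a small Python checker that applies the CWE-mapping and metadata items above to a rule loaded from its YAML. The two rule samples and the excerpt of MITRE's mapping-usage labels are constructed, and the shapes of the owasp and cwe fields are assumptions.

```python
import re

# Constructed excerpt of MITRE's vulnerability-mapping usage labels; a real run loads the full CWE list.
CWE_MAPPING_USAGE = {
    "CWE-310": "Prohibited",   # category "Cryptographic Issues": never map to it
    "CWE-20": "Discouraged",   # Improper Input Validation: too broad to be useful
    "CWE-327": "Allowed",      # Use of a Broken or Risky Cryptographic Algorithm
}
SEVERITIES = {"Info", "Low", "Medium", "High", "Critical"}

BAD_RULE = {  # constructed sample: a rule as it looked before cleanup
    "pattern": 'javax.crypto.Cipher.getInstance("DES")\n',  # `|` block holding one line
    "metadata": {"cwe": "CWE-310: Cryptographic Issues",
                 "owasp": "A3:2017-Sensitive Data Exposure",
                 "shortDescription": "Use of a Broken or Risky Cryptographic Algorithm",
                 "security-severity": "Moderate"},
}
GOOD_RULE = {  # constructed sample: the same rule after cleanup
    "pattern": 'javax.crypto.Cipher.getInstance("DES")',
    "metadata": {"cwe": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                 "owasp": ["A3:2017-Sensitive Data Exposure", "A02:2021-Cryptographic Failures"],
                 "shortDescription": "Use of a broken or risky cryptographic algorithm",
                 "security-severity": "Medium"},
}

def check_rule_metadata(rule: dict) -> list[str]:
    """Return the checklist items a rule violates (empty list means clean)."""
    meta, problems = rule.get("metadata", {}), []
    match = re.search(r"CWE-\d+", str(meta.get("cwe", "")))
    if not match:
        problems.append("cwe: missing or not of the form CWE-<n>")
    elif CWE_MAPPING_USAGE.get(match.group(0), "Allowed") != "Allowed":  # unknown ids pass
        problems.append(f"cwe: {match.group(0)} is {CWE_MAPPING_USAGE[match.group(0)]} "
                        "for mapping; replace it with a more specific allowed CWE")
    owasp = meta.get("owasp", [])
    owasp = [owasp] if isinstance(owasp, str) else list(owasp)
    for year in ("2017", "2021"):  # both Top 10 editions must be mapped
        if not any(year in entry for entry in owasp):
            problems.append(f"owasp: no {year} mapping")
    words = str(meta.get("shortDescription", "")).split()
    # Sentence case: after the first word only acronyms (all caps) may be capitalised
    if not words or any(w[0].isupper() and not w.isupper() for w in words[1:]):
        problems.append("shortDescription: missing or in Title Case instead of sentence case")
    if meta.get("security-severity") not in SEVERITIES:
        problems.append("security-severity: must be one of Info, Low, Medium, High, Critical")
    pattern = str(rule.get("pattern", ""))
    if "\n" in pattern and len([ln for ln in pattern.splitlines() if ln.strip()]) <= 1:
        problems.append("pattern: multi-line (|) scalar used for a single-line pattern")
    return problems
```

Running `check_rule_metadata(BAD_RULE)` lists all five violations in checklist order, while the cleaned-up `GOOD_RULE` returns an empty list.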
