Description
This task involves implementing a set of new static code analysis rules to detect and prevent common security flaws identified in the OWASP Top 10 Vulnerabilities. The OWASP Top 10 is a widely recognized standard that highlights the most critical security risks to web applications.
The objective is to enhance the tool’s ability to identify potential security issues early in the development cycle and promote secure coding practices among Ballerina developers.
- Implement static analysis rule "Server-side requests should not be vulnerable to traversing attacks" in HTTP module ballerina-library#8175
- Implement static analysis rule "Environment variables should not be defined from untrusted input" in OS module ballerina-library#7990
- Implement static analysis rule "Counter Mode initialization vectors should not be reused" in Crypto module ballerina-library#8010
- Implement static analysis rule "JWT should be signed and verified with strong cipher algorithms" in JWT module ballerina-library#7918
- Implement static analysis rule "Encryption algorithms should be used with secure mode and padding scheme" in Crypto module ballerina-library#7940
- Implement static analysis rule "Server hostnames should be verified during SSL/TLS connections" in Email module ballerina-library#8255
- Implement static analysis rule "Passwords should not be stored in plaintext or with a fast hashing algorithm" in Crypto module ballerina-library#7950
- Implement static analysis rule "HTTP request redirections should not be open to forging attacks" in HTTP module ballerina-library#8254
- Implement static analysis rule "Deserialization should not be vulnerable to injection attacks" in HTTP module ballerina-library#8301
- Implement static analysis rule "Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks" in HTTP module ballerina-library#8248
- Implement static analysis rule "Avoid directly using database entity records as parameters in HTTP resource methods" in HTTP module ballerina-library#8302
- Implement static analysis rule "Secure random number generators should not output predictable values" in Crypto module ballerina-library#8258
- Enhance ballerinax/mysql static code analyzer rule to support positional and named password arguments ballerina-library#8103