Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer #1513

Merged
ccojocar merged 2 commits into securego:master from ccojocar:g408, Feb 14, 2026

@ccojocar ccojocar commented Feb 14, 2026

Implements a new SSA-based security analyzer (G408) that detects stateful misuse of ssh.PublicKeyCallback in SSH server configurations. This vulnerability can lead to authentication bypass where a server authenticates one SSH key but performs authorization checks on a different key.

This addresses a critical security vulnerability (CVE-2024-45337, CVSS 9.1) that has affected production systems including Kubernetes and other SSH-based services. The vulnerability occurs when developers incorrectly capture and modify state within PublicKeyCallback closures, enabling attackers to authenticate with one key while the server operates on another key's credentials.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
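
The pattern the description refers to, a `PublicKeyCallback` closure that writes to state declared outside itself, can be approximated with a syntax-level check. This is an added example, not gosec's G408 code: the PR describes an SSA-based analyzer, while this sketch uses `go/parser` object resolution and only covers direct assignments to captured variables. The function name `CapturedWrites` and the sample source are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed input: the callback stores the offered key in captured state.
const vulnerable = `package srv
func configure() {
	var lastKey string
	_ = &ssh.ServerConfig{PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) {
		lastKey = string(k.Marshal())
		return nil, nil
	}}
}`

// CapturedWrites names variables that a PublicKeyCallback literal assigns to but does not declare.
func CapturedWrites(src string) (found []string, err error) {
	file, err := parser.ParseFile(token.NewFileSet(), "in.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lit *ast.FuncLit // most recent PublicKeyCallback function literal
	within := func(p token.Pos) bool { return lit != nil && lit.Pos() <= p && p < lit.End() }
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.KeyValueExpr:
			if k, ok := x.Key.(*ast.Ident); ok && k.Name == "PublicKeyCallback" {
				lit, _ = x.Value.(*ast.FuncLit)
			}
		case *ast.AssignStmt:
			for _, lhs := range x.Lhs {
				// id.Obj is the parser's link from a use to its declaration.
				id, _ := lhs.(*ast.Ident)
				if id != nil && id.Obj != nil && within(x.Pos()) && !within(id.Obj.Pos()) {
					found = append(found, id.Name) // assigned inside, declared outside
				}
			}
		}
		return true
	})
	return found, nil
}

func main() {
	fmt.Println(CapturedWrites(vulnerable))
}
```

A callback that keeps its working values local and hands the key's identity back in the returned `*ssh.Permissions` (for example in `Extensions`) produces no findings.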

codecov bot commented Feb 14, 2026

Codecov Report

❌ Patch coverage is 67.83626% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.64%. Comparing base (4f1f362) to head (01d6c19).
⚠️ Report is 1 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| analyzers/ssh_callback.go | 67.83% | 40 Missing and 15 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1513      +/-   ##
==========================================
- Coverage   77.87%   77.64%   -0.23%     
==========================================
  Files          94       95       +1     
  Lines        7444     7615     +171     
==========================================
+ Hits         5797     5913     +116     
- Misses       1399     1439      +40     
- Partials      248      263      +15     

@ccojocar ccojocar merged commit 47f8b52 into securego:master Feb 14, 2026
6 of 8 checks passed
@ccojocar ccojocar deleted the g408 branch February 15, 2026 16:16