DataDog / dd-native-iast-rewriter-js

Apache License 2.0

[APPSEC-11806] hardcoded secret detection #61

Closed iunanua closed 1 year ago

iunanua commented 1 year ago

What does this PR do?

Adds the LiteralVisitor to visit some AST expressions in search of literal strings. In this version, variable declarations, literal properties inside json objects and raw literals are visited. It's able to exclude certain literals from places where secrets are very unlikely to be found, like in the require('ignored_literal') and new RegExp('ignored_literal') calls.

The literals search is enabled by default, but it can be disabled by setting literals: false in the RewriterConfig object when creating a new instance of the Rewriter.

Discovered literals are returned in the literalsResult property, which has the following interfaces:

// All literals discovered in one rewritten source file
export interface LiteralsResult {
  file: string
  literals: Array<LiteralInfo>
}
// One distinct literal value and every place it appears in the file
export interface LiteralInfo {
  value: string
  locations: Array<LiteralLocation>
}
// A single occurrence; ident is the variable or property name when it could be recovered
export interface LiteralLocation {
  ident?: string
  line: number
  column: number
}

NOTE: The literals found could have multiple locations, i.e. when the same literal is repeated in the same file.

NOTE 2: The Rewriter is capable of discovering the identifier of the variable or json property name in some cases. The identifiers are needed in order to detect a group of vulnerabilities, but for now this group is out of the scope of the first hardcoded secret detection version.

NOTE 3: At the moment the literal column is not reported in LiteralLocation, so in minified source files we will probably report incorrect vulnerability locations.

Motivation

Provide the tracer with all the literals contained in a js file, with their positions and idents, to be able to determine whether a js file contains a secret or not.

Additional Notes

Describe how to test your changes

Checklist
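As an added example, not code from this PR or from the tracer, here is a TypeScript consumer of the LiteralsResult shape described above: it visits every location of each literal (including repeated ones) and keeps the candidates that pass a length-and-entropy heuristic. The heuristic, its thresholds, and the treatment of column 0 as "not reported" are assumptions made for this example, not the tracer's actual secret-detection rules; the sample result is constructed.

```typescript
// Interfaces as given in the PR description
export interface LiteralsResult { file: string; literals: Array<LiteralInfo> }
export interface LiteralInfo { value: string; locations: Array<LiteralLocation> }
export interface LiteralLocation { ident?: string; line: number; column: number }

// One report per literal occurrence; column is omitted when the rewriter did not report it
export interface Finding { file: string; ident?: string; line: number; column?: number; entropy: number }

// Shannon entropy in bits per character
export function shannonEntropy(s: string): number {
  if (s.length === 0) return 0;
  const counts = new Map<string, number>();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumed heuristic: a literal is secret-like when it is at least minLength chars
// and its entropy is at least minEntropy bits/char. Every location is reported,
// so a literal repeated in the file (NOTE 1) yields one Finding per occurrence.
// A column of 0 is treated as "not reported" (NOTE 3) and left undefined.
export function findSuspiciousLiterals(result: LiteralsResult, minLength = 16, minEntropy = 3.5): Finding[] {
  const findings: Finding[] = [];
  for (const lit of result.literals) {
    if (lit.value.length < minLength) continue;
    const entropy = shannonEntropy(lit.value);
    if (entropy < minEntropy) continue;
    for (const loc of lit.locations) {
      findings.push({ file: result.file, ident: loc.ident, line: loc.line,
        column: loc.column > 0 ? loc.column : undefined, entropy });
    }
  }
  return findings;
}

// Constructed sample: one high-entropy literal repeated twice (ident known only once),
// one long low-entropy literal, one short literal. Not real rewriter output.
export const sample: LiteralsResult = {
  file: 'config.js',
  literals: [
    { value: 'AKxq9P2vL7mN4tR8wZ3bY6cD1fH5jK0s', locations: [{ ident: 'apiKey', line: 3, column: 0 }, { line: 12, column: 0 }] },
    { value: 'aaaaaaaaaaaaaaaaaaaaaaaa', locations: [{ ident: 'padding', line: 5, column: 0 }] },
    { value: 'short', locations: [{ line: 7, column: 0 }] },
  ],
};
```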