pscanrules: Improve version detection in Server Header Info Leak rule (10036)

[LakshmiSHR]

Enhancement: Improve detection of version information in HTTP Server header

This PR is related to Issue zaproxy/zaproxy#9160 by enhancing the version-detection logic in ServerHeaderInfoLeakScanRule.

Key Improvements:

• Replaced weak version check (.*\d.*) with stricter regex: \d+\.\d+(?:\.\d+)?
  • Now accurately detects version-like patterns (e.g., 2.4, 1.8.0, 2.4.49)
• Changed matches() to find() to correctly identify versions inside strings such as:
  • Apache/2.4.49 (Unix)
  • nginx/1.21.6
• Preserved existing behavior:
  • At LOW threshold → still alerts for presence of Server header
  • Raises version-leak alert only when version information is present

---

Let me know if further expansion is needed (e.g., detecting more header types or enhancing severity levels).

Thank you!

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[LakshmiSHR]

i have read the CLA Document and I hereby sign the CLA

[kingthorin]

The CHANGELOG.md should also be updated. Add a bullet under the "Unreleased" header, you can check older entries for inspiration.

It might also be worth adding/updating unit tests.

[psiinon]

Checkmarx One – Scan Summary & Details – c1796428-7d3c-406a-9b78-d0409003def9

New Issues (3)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 31	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: z89ONTXYaYdPcNUEzfFqPVDqGfU%3D
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 35	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: ivv4LqDvobLaIQBf4po7RJO0z9E%3D
	Unpinned Actions Full Length Commit SHA	/codeql.yml: 50	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... ID: D2MI8bkE1KfW3jWUtbTZgCIA7fE%3D

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

[LakshmiSHR]

@Checkmarx These scan issues are related to workflow configuration files (codeql.yml),
which I did not modify. My changes are only in the Java code and CHANGELOG.md.
Please let me know if any action is required from my side.

[kingthorin]

You can ignore the Checkmarx report. Thanks for your diligence though.