Exclude nimbus classes JCASupport and AESCBC using proGuard, Fixes AB#3042434

[p3dr0rv]

https://portal.microsofticm.com/imp/v5/incidents/details/543093195/summary
#2164
Couple of customers have reported vulnerabilities on the nimbus lib using MobSF.
The vulnerabilities are:

WE: CWE-649: Reliance on Obfuscation or
Encryption of Security-Relevant Inputs without
Integrity Checking
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-3

com/nimbusds/jose/crypto/AESCBC.java
com/nimbusds/jose/jca/JCASupport.java

Nimbus already fix the padding issue, see https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/516/insecure-encryption-mode-cbc-with-pkcs5
But they keep these libraries because the AES/CBC/HMAC mode is a current JOSE standard and as such it will be supported by the nimbus-jose-jwt lib, see https://datatracker.ietf.org/doc/html/rfc7519#section-8
So, they won't fix.

With this change we attempt to exclude these classes using ProGuard to exclude these classes.
Right now, we do not have MobSF setup to validate if this will work.
AB#3042434

[github-actions]

✅ Work item link check complete. Description contains link AB#3042434 to an Azure Boards work item.

[rpdome]

Should we

1. validate with MobSF ourselves before shipping/closing this
   or
2. Generate a private build for customer to validate

?