
Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk #1534

Merged
ccojocar merged 1 commit into master from tls_resumption_bypass_rule
Feb 21, 2026

Conversation

@ccojocar
Member

@ccojocar ccojocar commented Feb 21, 2026

Add a new SSA-based analyzer, G123, to detect risky TLS configurations where VerifyPeerCertificate is set, VerifyConnection is not set, and session resumption may still be enabled.

The analyzer inspects tls.Config field assignments and also follows configurations returned from GetConfigForClient callbacks so callback-based setup paths are covered as well. This change wires G123 into analyzer registration, maps it to CWE-295, updates the README rule list, and adds dedicated vulnerable/safe sample coverage in analyzer tests.

It also includes a targeted #nosec G101 suppression on the analyzer message string to prevent a known false positive from the linter (message text only, no credential handling impact).

Add a new SSA-based analyzer, G123, to detect risky TLS configurations
where VerifyPeerCertificate is set, VerifyConnection is not set, and
session resumption may still be enabled.

The analyzer inspects tls.Config field assignments and also follows
configurations returned from GetConfigForClient callbacks so
callback-based setup paths are covered as well.

This change wires G123 into analyzer registration, maps it to CWE-295,
updates the README rule list, and adds dedicated vulnerable/safe sample
coverage in analyzer tests.

It also includes a targeted #nosec G101 suppression on the analyzer
message string to prevent a known false positive from the linter
(message text only, no credential handling impact).

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
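As an added example (not code from this PR or from gosec), the Go program below shows the behaviour G123 warns about end to end. A client pins the server certificate in both VerifyPeerCertificate and VerifyConnection, performs two handshakes against the same server config with a session cache, and counts which hook ran. crypto/tls documents that VerifyPeerCertificate is not invoked on resumed connections, because certificates are not re-verified on resumption, while VerifyConnection runs for every connection including resumptions: so on the resumed second handshake only the VerifyConnection check fires, and a pin check that lives only in VerifyPeerCertificate is skipped. Everything in the block is constructed for the demo: the self-signed example.com certificate, the in-memory net.Pipe transport, the TLS 1.2 cap (so the session ticket is delivered inside the handshake and no application data has to flow), and the RunHandshakes, HookCounts and handshake names, which are mine and not part of gosec or crypto/tls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HookCounts is what the client observed across two handshakes to one server.
type HookCounts struct {
	PeerCertCalls int  // times VerifyPeerCertificate ran
	ConnCalls     int  // times VerifyConnection ran
	SecondResumed bool // whether the second handshake resumed the first session
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway example.com certificate (constructed for this demo) and a pool trusting it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one TLS handshake over an in-memory pipe and returns the client's view of it.
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	clientRaw, serverRaw := net.Pipe()
	defer serverRaw.Close() // close raw ends, not tls.Conns: a close_notify would block on the pipe
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(serverRaw, serverCfg).Handshake() }()
	client := tls.Client(clientRaw, clientCfg)
	cerr := client.Handshake()
	clientRaw.Close() // the handshake is the whole exchange; also unblocks a failed server
	return client.ConnectionState(), errors.Join(cerr, <-srvErr)
}

// RunHandshakes connects twice with a client that pins the server certificate in
// both hooks and counts which hook actually ran on each handshake.
func RunHandshakes(serverTicketsDisabled bool) (HookCounts, error) {
	cert, pool := selfSignedCert()
	pin := sha256.Sum256(cert.Certificate[0])
	pinned := func(raw []byte) error { // the check we want on every connection
		if sha256.Sum256(raw) != pin {
			return errors.New("certificate pin mismatch")
		}
		return nil
	}
	var counts HookCounts
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: serverTicketsDisabled, // true turns resumption off
	}
	clientCfg := &tls.Config{
		ServerName:         "example.com",
		RootCAs:            pool,
		MaxVersion:         tls.VersionTLS12,                // ticket arrives inside the handshake: no app data needed
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // resumption enabled on the client
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			counts.PeerCertCalls++           // crypto/tls skips this hook on resumed connections
			return pinned(rawCerts[0]) // a client always receives the server's leaf
		},
		VerifyConnection: func(cs tls.ConnectionState) error {
			counts.ConnCalls++ // runs on every connection, resumed or not
			return pinned(cs.PeerCertificates[0].Raw)
		},
	}
	if _, err := handshake(serverCfg, clientCfg); err != nil {
		return counts, err
	}
	cs, err := handshake(serverCfg, clientCfg)
	counts.SecondResumed = cs.DidResume
	return counts, err
}

func main() {
	fmt.Println(RunHandshakes(false)) // tickets on: the second handshake resumes
	fmt.Println(RunHandshakes(true))  // tickets off: both hooks run on both handshakes
}
```

With tickets enabled the second handshake reports SecondResumed=true with PeerCertCalls=1 and ConnCalls=2; with SessionTicketsDisabled=true on the server both handshakes are full and both hooks run twice. That is exactly the two remediations the rule's condition points at: either do the check in VerifyConnection as well (the field whose absence G123 looks for), or switch resumption off. The same skip applies on the server side to client certificates on a resumed connection, which is why the analyzer also follows configs returned from GetConfigForClient.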
@codecov

codecov Bot commented Feb 21, 2026

Codecov Report

❌ Patch coverage is 57.07547% with 91 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.19%. Comparing base (b568aa1) to head (621d37f).
⚠️ Report is 1 commit behind head on master.

Files with missing lines Patch % Lines
analyzers/tls_resumption_verifypeer.go 57.07% 68 Missing and 23 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1534      +/-   ##
==========================================
- Coverage   79.69%   79.19%   -0.51%     
==========================================
  Files         102      103       +1     
  Lines        9379     9591     +212     
==========================================
+ Hits         7475     7596     +121     
- Misses       1442     1510      +68     
- Partials      462      485      +23     


@ccojocar ccojocar merged commit f61ed31 into master Feb 21, 2026
8 of 10 checks passed
@ccojocar ccojocar deleted the tls_resumption_bypass_rule branch February 21, 2026 09:43