fix(iast): avoid excessive filtering of stacktrace locations

[smola]

Current stacktrace filtering code returned no location if all frames are outside the current working directory or in site-packages. This often happens in the following scenarios:

• asyncio code: the full stacktrace may be in site-packages, outside app directory.
• running applications installed in site-packages.

In these cases, vulnerabilities were being dropped. The fix includes:

• First, the first frame that is not a frozen package (or <template> or anything starting with <), and not in the stdlib path (but potentially in the purelib path) is found and saved as a backup frame, if any. If none is found, no location is returned.
• From there, the first frame that is not a frozen package, not in the stdlib path, and not in the purelib path is checked. If found, that location is returned. Otherwise, the backup frame is returned.
• Code to relativize path to the vulnerability location is now extended to account for the fact that we can return paths within the purelib path.

In practice, this means that vulnerabilities found in site-packages, with no other relevant frame, will be reported.

APPSEC-57414

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

releasenotes/notes/fix-iast-stacktrace-filter-6afd6a9568f36d99.yaml     @DataDog/apm-python
ddtrace/appsec/_iast/_stacktrace.c                                      @DataDog/asm-python
ddtrace/appsec/_iast/_stacktrace.pyi                                    @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/_base.py                               @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_weak_hash.py                         @DataDog/asm-python
tests/appsec/iast_memcheck/fixtures/stacktrace.py                       @DataDog/asm-python
tests/appsec/iast_memcheck/test_iast_mem_check.py                       @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 232 ± 2 ms.

The average import time from base is: 234 ± 2 ms.

The import time difference between this PR and base is: -1.73 ± 0.1 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.954 ms (0.84%)

ddtrace.bootstrap.sitecustomize 1.286 ms (0.55%)

ddtrace.bootstrap.preload 1.286 ms (0.55%)

ddtrace.internal.products 1.286 ms (0.55%)

ddtrace.internal.remoteconfig.client 0.641 ms (0.28%)

ddtrace 0.669 ms (0.29%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-05-06 11:08:05

Comparing candidate commit f2c630e in PR branch smola/refine-stacktrace with baseline commit e55ca19 in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 388 metrics, 5 unstable metrics.

scenario:iast_aspects-ospathnormcase_aspect

• 🟥 execution_time [+404.618ns; +481.316ns] or [+11.838%; +14.082%]

[smola]

Pushed a fix to avoid serializing empty location fields in IAST, in a commit here to validate it, and in a separate PR: #13333

[github-actions]

The backport to 2.21 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.21 2.21
# Navigate to the new working tree
cd .worktrees/backport-2.21
# Create a new branch
git switch --create backport-13272-to-2.21
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 20a96bb791aa98657ba85e77032f670a0ea1b028
# Push it to GitHub
git push --set-upstream origin backport-13272-to-2.21
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.21

Then, create a pull request where the base branch is 2.21 and the compare/head branch is backport-13272-to-2.21.