fix(iast): avoid excessive filtering of stacktrace locations

[smola]

Current stacktrace filtering code returned no location if all frames are outside the current working directory or in site-packages. This often happens in the following scenarios:

• asyncio code: the full stacktrace may be in site-packages, outside app directory.
• running applications installed in site-packages.

In these cases, vulnerabilities were being dropped. The fix includes:

• First, the first frame that is not a frozen package (or <template> or anything starting with <), and not in the stdlib path (but potentially in the purelib path) is found and saved as a backup frame, if any. If none is found, no location is returned.
• From there, the first frame that is not a frozen package, not in the stdlib path, and not in the purelib path is checked. If found, that location is returned. Otherwise, the backup frame is returned.
• Code to relativize path to the vulnerability location is now extended to account for the fact that we can return paths within the purelib path.

In practice, this means that vulnerabilities found in site-packages, with no other relevant frame, will be reported.

APPSEC-57414

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

releasenotes/notes/fix-iast-stacktrace-filter-6afd6a9568f36d99.yaml     @DataDog/apm-python
ddtrace/appsec/_iast/_stacktrace.c                                      @DataDog/asm-python
ddtrace/appsec/_iast/_stacktrace.pyi                                    @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/_base.py                               @DataDog/asm-python
tests/appsec/iast_memcheck/fixtures/stacktrace.py                       @DataDog/asm-python
tests/appsec/iast_memcheck/test_iast_mem_check.py                       @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 236 ± 4 ms.

The average import time from base is: 243 ± 4 ms.

The import time difference between this PR and base is: -6.8 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 2.610 ms (1.11%)

ddtrace.bootstrap.sitecustomize 1.765 ms (0.75%)

ddtrace.bootstrap.preload 1.765 ms (0.75%)

ddtrace.internal.products 1.765 ms (0.75%)

ddtrace.internal.remoteconfig.client 0.748 ms (0.32%)

ddtrace 0.845 ms (0.36%)

ddtrace._logger 0.111 ms (0.05%)

logging 0.111 ms (0.05%)

traceback 0.111 ms (0.05%)

contextlib 0.111 ms (0.05%)

ddtrace.trace 0.029 ms (0.01%)

ddtrace._trace.filters 0.029 ms (0.01%)

ddtrace._trace.processor 0.029 ms (0.01%)

ddtrace._trace.sampler 0.029 ms (0.01%)

ddtrace._trace.span 0.029 ms (0.01%)

ddtrace.internal._rand 0.029 ms (0.01%)

ddtrace.settings._config 0.019 ms (0.01%)

ddtrace.internal.schema 0.019 ms (0.01%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-04-29 16:17:33

Comparing candidate commit 4eec4ef in PR branch smola/refine-stacktrace with baseline commit 5c7228a in branch main.

Found 0 performance improvements and 2 performance regressions! Performance is the same for 497 metrics, 9 unstable metrics.

scenario:iast_aspects-format_map_aspect

• 🟥 execution_time [+394.571ns; +478.657ns] or [+12.104%; +14.683%]

scenario:telemetryaddmetric-1-distribution-metric-1-times

• 🟥 execution_time [+263.893ns; +358.263ns] or [+8.838%; +11.999%]