fix(iast): add some modules to the denylist [backport 2.15] (#11432)

github-actions[bot] · juanjux · web-flow · commit 01215f1c1a38 · 2024-11-18T16:47:51.000+01:00
Backport 343ba22 from #11418 to 2.15. ## Checklist - [X] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Juanjo Alvarez Martinez <juanjo.alvarezmartinez@datadoghq.com>
diff --git a/ddtrace/appsec/_iast/_ast/ast_patching.py b/ddtrace/appsec/_iast/_ast/ast_patching.py
@@ -302,6 +302,9 @@
     "httpcore.",
     "google.auth.",
     "googlecloudsdk.",
+    "umap.",
+    "pynndescent.",
+    "numba.",
 )
 
 
@@ -367,7 +370,6 @@ def visit_ast(
     module_name: Text = "",
 ) -> Optional[str]:
     parsed_ast = ast.parse(source_text, module_path)
-
     _VISITOR.update_location(filename=module_path, module_name=module_name)
     modified_ast = _VISITOR.visit(parsed_ast)
 
diff --git a/releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml b/releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Code Security: add umap, numba and pynndescent to the Code Security denylist.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    Code Security: add umap, numba and pynndescent to the Code Security denylist.