chore(asm): iast fix vulnerability report hash (#5530)

IAST: Change the vulnerability hash field to use a simpler algorithm
that will return the same result among different executions.

## Checklist
- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/contributing.html#Release-Note-Guidelines)
are followed.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] PR description includes explicit acknowledgement/acceptance of the
performance implications of this PR as reported in the benchmarks PR
comment.

## Reviewer Checklist

- [ ] Title is accurate.
- [ ] No unnecessary changes are introduced.
- [ ] Description motivates each change.
- [ ] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [ ] Testing strategy adequately addresses listed risk(s).
- [ ] Change is maintainable (easy to change, telemetry, documentation).
- [ ] Release note makes sense to a user of the library.
- [ ] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.

Author: gnufede

ddtrace/appsec/iast/reporter.py

@@ -1,7 +1,10 @@
 from typing import Set
+import zlib
 
 import attr
 
+from ddtrace.internal.compat import PY2
+
 
 @attr.s(eq=True, hash=True)
 class Evidence(object):
@@ -13,22 +16,20 @@ class Evidence(object):
 class Location(object):
     path = attr.ib(type=str)
     line = attr.ib(type=int)
-    spanId = attr.ib(type=int, eq=False, hash=False)
+    spanId = attr.ib(type=int, eq=False, hash=False, repr=False)
 
 
 @attr.s(eq=True, hash=True)
 class Vulnerability(object):
     type = attr.ib(type=str)
-    evidence = attr.ib(type=Evidence)
+    evidence = attr.ib(type=Evidence, repr=False)
     location = attr.ib(type=Location)
-    hash = attr.ib(init=False, eq=False, hash=False)
+    hash = attr.ib(init=False, eq=False, hash=False, repr=False)
 
     def __attrs_post_init__(self):
-        if self.evidence.value is not None:
-            self.hash = hash(self.type) ^ hash(self.evidence) ^ hash(self.location)
-        else:
-            valueparts = (vp["value"] for vp in self.evidence.valueParts)
-            self.hash = hash(self.type) ^ hash(valueparts) ^ hash(self.location)
+        self.hash = zlib.crc32(repr(self).encode())
+        if PY2 and self.hash < 0:
+            self.hash += 1 << 32
 
 
 @attr.s(eq=True, hash=True)

tests/appsec/iast/test_weak_hash.py

@@ -25,6 +25,7 @@ def test_weak_hash_hashlib(iast_span_defaults, hash_func, method):
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_ALGOS_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].location.line == 14 if sys.version_info > (3, 0, 0) else 11
     assert list(span_report.vulnerabilities)[0].evidence.value == hash_func
+    assert list(span_report.vulnerabilities)[0].hash == 2491892610 if sys.version_info > (3, 0, 0) else 2454487401
 
 
 @pytest.mark.skipif(sys.version_info < (3, 0, 0), reason="Digest is wrapped in Python 3")
@@ -60,6 +61,7 @@ def test_weak_hash_new(iast_span_defaults):
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_ALGOS_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].location.line == 23 if sys.version_info > (3, 0, 0) else 20
     assert list(span_report.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report.vulnerabilities)[0].hash == 2206071529 if sys.version_info > (3, 0, 0) else 2168145072
 
 
 def test_weak_hash_new_with_child_span(tracer, iast_span_defaults):
@@ -72,10 +74,12 @@ def test_weak_hash_new_with_child_span(tracer, iast_span_defaults):
     assert list(span_report1.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report1.vulnerabilities)[0].location.path == WEAK_ALGOS_FIXTURES_PATH
     assert list(span_report1.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report1.vulnerabilities)[0].hash == 2206071529 if sys.version_info > (3, 0, 0) else 2168145072
 
     assert list(span_report2.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report2.vulnerabilities)[0].location.path == WEAK_ALGOS_FIXTURES_PATH
     assert list(span_report2.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report2.vulnerabilities)[0].hash == 2206071529 if sys.version_info > (3, 0, 0) else 2168145072
 
 
 @pytest.mark.skipif(sys.version_info < (3, 0, 0), reason="_md5 works only in Python 3")
@@ -105,6 +109,7 @@ def test_weak_hash_md5_builtin_py3_md5_and_sha1_configured(iast_span_defaults):
     assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_HASH_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report.vulnerabilities)[0].hash == 2972079025
 
 
 @pytest.mark.skipif(sys.version_info < (3, 0, 0), reason="_md5 works only in Python 3")
@@ -133,6 +138,7 @@ def test_weak_hash_md5_builtin_py3_only_md5_configured(iast_span_only_md5):
     assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_HASH_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report.vulnerabilities)[0].hash == 2715107846
 
 
 @pytest.mark.skipif(sys.version_info < (3, 0, 0), reason="_md5 works only in Python 3")
@@ -173,6 +179,7 @@ def test_weak_hash_pycryptodome_hashes_md5(iast_span_defaults):
     assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_HASH_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].evidence.value == "md5"
+    assert list(span_report.vulnerabilities)[0].hash == 758317375
 
 
 def test_weak_hash_pycryptodome_hashes_sha1_defaults(iast_span_defaults):
@@ -187,6 +194,7 @@ def test_weak_hash_pycryptodome_hashes_sha1_defaults(iast_span_defaults):
     assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_HASH_FIXTURES_PATH
     assert list(span_report.vulnerabilities)[0].evidence.value == "sha1"
+    assert list(span_report.vulnerabilities)[0].hash == 3378580158
 
 
 def test_weak_hash_pycryptodome_hashes_sha1_only_md5_configured(iast_span_only_md5):
@@ -212,7 +220,9 @@ def test_weak_hash_pycryptodome_hashes_sha1_only_sha1_configured(iast_span_only_
 
     assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
     assert list(span_report.vulnerabilities)[0].location.path == WEAK_HASH_FIXTURES_PATH
+    assert list(span_report.vulnerabilities)[0].location.line == 218
     assert list(span_report.vulnerabilities)[0].evidence.value == "sha1"
+    assert list(span_report.vulnerabilities)[0].hash == 1151623950
 
 
 def test_weak_check_repeated(iast_span_defaults):