fix: avoid early and potentially unneeded iast import [backport 1.18] (#6722)

github-actions[bot] · juanjux · web-flow · commit 112f8f064def · 2023-08-22T19:08:39.000+02:00
Backport edc7a42 from #6721 to 1.18. ## Checklist - [X] Change(s) are motivated and described in the PR description. - [X] Testing strategy is described if automated tests are not included in the PR. - [X] Risk is outlined (performance impact, potential for breakage, maintainability, etc). - [X] Change is maintainable (easy to change, telemetry, documentation). - [X] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed. If no release note is required, add label `changelog/no-changelog`. - [X] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)). - [X] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Title is accurate. - [x] No unnecessary changes are introduced. - [x] Description motivates each change. - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes unless absolutely necessary. - [x] Testing strategy adequately addresses listed risk(s). - [x] Change is maintainable (easy to change, telemetry, documentation). - [x] Release note makes sense to a user of the library. - [x] Reviewer has explicitly acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment. - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Juanjo Alvarez Martinez <juanjo.alvarezmartinez@datadoghq.com>
diff --git a/ddtrace/contrib/subprocess/patch.py b/ddtrace/contrib/subprocess/patch.py
@@ -17,7 +17,6 @@
 
 from ddtrace import Pin
 from ddtrace import config
-from ddtrace.appsec.iast.taint_sinks.command_injection import CommandInjection
 from ddtrace.contrib import trace_utils
 from ddtrace.contrib.subprocess.constants import COMMANDS
 from ddtrace.ext import SpanTypes
@@ -197,6 +196,8 @@ def __init__(self, shell_args, shell=False):
         )
 
         if report_cmdi:
+            from ddtrace.appsec.iast.taint_sinks.command_injection import CommandInjection
+
             CommandInjection.report(evidence_value=report_cmdi)
 
     def scrub_env_vars(self, tokens):
diff --git a/releasenotes/notes/asm-avoid-subprocess-iast-import-2e4b354d5880de40.yaml b/releasenotes/notes/asm-avoid-subprocess-iast-import-2e4b354d5880de40.yaml
@@ -0,0 +1,3 @@
+fixes:
+  - |
+    ASM: avoid potentially unneeded import of the IAST native module.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+fixes:`
	`2`	`+ - \|`
	`3`	`+ ASM: avoid potentially unneeded import of the IAST native module.`