Commit 6e0311e

fix(aap): disabling threats grpc monitoring [backport 3.14] (#14579)
Backport 5fe1c16 from #14563 to 3.14.

grpc threats monitoring is currently under-tested, and could lead to false positives (internal incident 42958).

This PR disables grpc auto instrumentation for threats. It also skips one test (this test in an iast test suite is in fact a grpc threat test).

Related PR: #9705

APPSEC-58876

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Christophe Papazian <[email protected]>
1 parent 8e61161 commit 6e0311e

4 files changed

+9
-3
lines changed

ddtrace/appsec/_handlers.py

Lines changed: 3 additions & 2 deletions
@@ -427,8 +427,9 @@ def listen():
427427
core.on("aws_lambda.start_response", _on_lambda_start_response)
428428
core.on("aws_lambda.parse_body", _on_lambda_parse_body)
429429

430-
core.on("grpc.server.response.message", _on_grpc_server_response)
431-
core.on("grpc.server.data", _on_grpc_server_data)
430+
# disabling threats grpc listeners.
431+
# core.on("grpc.server.response.message", _on_grpc_server_response)
432+
# core.on("grpc.server.data", _on_grpc_server_data)
432433

433434
core.on("wsgi.block.started", _wsgi_make_block_content, "status_headers_content")
434435
core.on("asgi.block.started", _asgi_make_block_content, "status_headers_content")
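
Review bot: the two `grpc.server.*` registrations at new lines 431-432 are commented out rather than deleted or placed behind a setting, and the added comment `# disabling threats grpc listeners.` gives neither the reason nor a reference. Commented-out code tends to stay forever or get re-enabled without the original problem being fixed. Either delete the two lines (history keeps them) or extend the comment to say that they were disabled because of false positives, cite APPSEC-58876, and state what must be validated before they are restored. If `_on_grpc_server_response` and `_on_grpc_server_data` are still defined in this module, they are no longer registered from `listen()`, which is worth a note next to their definitions as well.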

ddtrace/settings/asm.py

Lines changed: 1 addition & 1 deletion
@@ -71,7 +71,7 @@ class ASMConfig(DDConfig):
7171
# prevent empty string
7272
if _asm_static_rule_file == "":
7373
_asm_static_rule_file = None
74-
_asm_processed_span_types = {SpanTypes.WEB, SpanTypes.GRPC}
74+
_asm_processed_span_types = {SpanTypes.WEB}
7575
_asm_http_span_types = {SpanTypes.WEB}
7676
_iast_enabled = tracer_config._from_endpoint.get("iast_enabled", DDConfig.var(bool, IAST.ENV, default=False))
7777
_iast_propagation_enabled = DDConfig.var(bool, IAST.ENV_PROPAGATION_ENABLED, default=True, private=True)
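
Review bot: after the change at line 74, `_asm_processed_span_types` and `_asm_http_span_types` on the next line are both `{SpanTypes.WEB}`, and nothing in the code records that `SpanTypes.GRPC` was dropped on purpose. This is a reduction in threat-monitoring coverage, not a refactor, so it deserves a one-line comment above line 74 explaining that gRPC spans are excluded until the false positives are resolved. Without it, a later cleanup could merge the two identical sets or re-add GRPC without knowing why it was removed.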
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
fixes:
3+
- |
4+
AAP: This fix disables grpc threat monitoring, as it could generate false positives.
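
Review bot: the release note text on line 4 is filed under `fixes:` and mentions only that monitoring "could generate false positives"; it does not say that gRPC services stop receiving threat monitoring after upgrading to this version. Operators who rely on that coverage need to see it stated directly. Suggest adding a sentence that gRPC requests are no longer inspected for threats as of this release, so the change shows up in an upgrade review as a detection gap rather than a bug fix.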

tests/appsec/iast/test_grpc_iast.py

Lines changed: 1 addition & 0 deletions
@@ -145,6 +145,7 @@ class MyUserDict(UserDict):
145145

146146
_custom_protobuf_getattribute(mutable_mapping, "data")
147147

148+
@pytest.mark.skip
148149
def test_address_server_data(self):
149150
with override_config("grpc", dict(service_name="myclientsvc")), override_config(
150151
"grpc_server", dict(service_name="myserversvc")

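Review bot: `@pytest.mark.skip` at line 148 carries no reason, so the test report will show `test_address_server_data` as skipped with nothing tying it to the disabled gRPC threat listeners. Use `@pytest.mark.skip(reason="...")` with a short explanation and the tracking reference (APPSEC-58876), so the skip is removed when the listeners are re-enabled instead of being silently left in place.
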