fix(iast): report cookie name [backport 1.20] (#7930)

Backport ccfc0ab from #7927 to 1.20.

## Description
Ensure that Cookies vulnerabilities report only the cookie name

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

Author: avara1986

ddtrace/appsec/iast/taint_sinks/insecure_cookie.py

@@ -43,13 +43,12 @@ def asm_check_cookies(cookies):  # type: (Optional[Dict[str, str]]) -> None
 
     for cookie_key, cookie_value in six.iteritems(cookies):
         lvalue = cookie_value.lower().replace(" ", "")
-        evidence = "%s=%s" % (cookie_key, cookie_value)
 
         if ";secure" not in lvalue:
-            InsecureCookie.report(evidence_value=evidence)
+            InsecureCookie.report(evidence_value=cookie_key)
 
         if ";httponly" not in lvalue:
-            NoHttpOnlyCookie.report(evidence_value=evidence)
+            NoHttpOnlyCookie.report(evidence_value=cookie_key)
 
         if ";samesite=" in lvalue:
             ss_tokens = lvalue.split(";samesite=")
@@ -63,4 +62,4 @@ def asm_check_cookies(cookies):  # type: (Optional[Dict[str, str]]) -> None
             report_samesite = True
 
         if report_samesite:
-            NoSameSite.report(evidence_value=evidence)
+            NoSameSite.report(evidence_value=cookie_key)

releasenotes/notes/iast-fix-cookies-name-report-d5c3381d8c951bab.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Vulnerability Management for Code-level (IAST): Ensure that Cookies vulnerabilities report only the cookie name.

riotfile.py

@@ -2800,7 +2800,8 @@ def select_pys(min_version=MIN_PYTHON_VERSION, max_version=MAX_PYTHON_VERSION):
                         # confluent-kafka dropped official wheels for Python 2.7 in 1.8.2
                         Venv(pys="2.7", pkgs={"confluent-kafka": "~=1.7.0"}),
                         # confluent-kafka>=1.7 has issues building on linux with Python 3.5
-                        Venv(pys="3.5", pkgs={"confluent-kafka": "~=1.5.0"}),
+                        # TODO: skip 3.5
+                        # Venv(pys="3.5", pkgs={"confluent-kafka": "~=1.5.0"}),
                         Venv(
                             pys=select_pys(min_version="3.6", max_version="3.10"),
                             pkgs={"confluent-kafka": ["~=1.9.2", latest]},

tests/appsec/iast/taint_sinks/test_insecure_cookie.py

@@ -21,9 +21,9 @@ def test_insecure_cookies(iast_span_defaults):
     assert VULN_INSECURE_COOKIE in vulnerabilities_types
     assert VULN_NO_SAMESITE_COOKIE in vulnerabilities_types
 
-    assert vulnerabilities[0].evidence.value == "foo=bar"
-    assert vulnerabilities[1].evidence.value == "foo=bar"
-    assert vulnerabilities[2].evidence.value == "foo=bar"
+    assert vulnerabilities[0].evidence.value == "foo"
+    assert vulnerabilities[1].evidence.value == "foo"
+    assert vulnerabilities[2].evidence.value == "foo"
 
     assert vulnerabilities[0].location.line is None
     assert vulnerabilities[0].location.path is None
@@ -41,8 +41,8 @@ def test_nohttponly_cookies(iast_span_defaults):
     assert VULN_NO_HTTPONLY_COOKIE in vulnerabilities_types
     assert VULN_NO_SAMESITE_COOKIE in vulnerabilities_types
 
-    assert vulnerabilities[0].evidence.value == "foo=bar;secure"
-    assert vulnerabilities[1].evidence.value == "foo=bar;secure"
+    assert vulnerabilities[0].evidence.value == "foo"
+    assert vulnerabilities[1].evidence.value == "foo"
 
     assert vulnerabilities[0].location.line is None
     assert vulnerabilities[0].location.path is None
@@ -63,7 +63,7 @@ def test_nosamesite_cookies_missing(iast_span_defaults):
 
     assert len(vulnerabilities) == 1
     assert vulnerabilities[0].type == VULN_NO_SAMESITE_COOKIE
-    assert vulnerabilities[0].evidence.value == "foo=bar;secure;httponly"
+    assert vulnerabilities[0].evidence.value == "foo"
 
 
 def test_nosamesite_cookies_none(iast_span_defaults):
@@ -76,7 +76,7 @@ def test_nosamesite_cookies_none(iast_span_defaults):
     assert len(vulnerabilities) == 1
 
     assert vulnerabilities[0].type == VULN_NO_SAMESITE_COOKIE
-    assert vulnerabilities[0].evidence.value == "foo=bar;secure;httponly;samesite=none"
+    assert vulnerabilities[0].evidence.value == "foo"
 
 
 def test_nosamesite_cookies_other(iast_span_defaults):
@@ -89,7 +89,7 @@ def test_nosamesite_cookies_other(iast_span_defaults):
     assert len(vulnerabilities) == 1
 
     assert vulnerabilities[0].type == VULN_NO_SAMESITE_COOKIE
-    assert vulnerabilities[0].evidence.value == "foo=bar;secure;httponly;samesite=none"
+    assert vulnerabilities[0].evidence.value == "foo"
 
 
 def test_nosamesite_cookies_lax_no_error(iast_span_defaults):