fix(iast): incorrectly named as class_name (#13299)

IAST: Fix field naming for class in vulnerability location reporting

Fixed: The field representing the class name in IAST vulnerability
location reporting was previously incorrectly named as class_name in the
codebase, but serialized as class in the output dictionary. This PR
standardizes the naming and ensures that the correct field (class) is
used in the output, improving consistency and compatibility with
expected IAST report formats.

Impact: This change affects the structure of IAST vulnerability reports,
making them more accurate and aligned with the expected schema. There
are no breaking changes to the API, but consumers of the IAST report
output will now see the correct field name.

APPSEC-57497

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: avara1986

ddtrace/appsec/_iast/reporter.py

@@ -64,7 +64,7 @@ def __eq__(self, other):
 
 
 @dataclasses.dataclass(unsafe_hash=True)
-class Location(NotNoneDictable):
+class Location:
     spanId: int = dataclasses.field(compare=False, hash=False, repr=False)
     path: Optional[str] = None
     line: Optional[int] = None
@@ -74,9 +74,23 @@ class Location(NotNoneDictable):
     def __repr__(self):
         return f"Location(path='{self.path}', line={self.line})"
 
+    def _to_dict(self):
+        result = {}
+        if self.spanId is not None:
+            result["spanId"] = self.spanId
+        if self.path is not None:
+            result["path"] = self.path
+        if self.line is not None:
+            result["line"] = self.line
+        if self.method is not None:
+            result["method"] = self.method
+        if self.class_name is not None:
+            result["class"] = self.class_name
+        return result
+
 
 @dataclasses.dataclass(unsafe_hash=True)
-class Vulnerability(NotNoneDictable):
+class Vulnerability:
     type: str
     evidence: Evidence
     location: Location
@@ -97,6 +111,17 @@ def __post_init__(self):
     def __repr__(self):
         return f"Vulnerability(type='{self.type}', location={self.location})"
 
+    def _to_dict(self):
+        to_dict = {
+            "type": self.type,
+            "evidence": self.evidence._to_dict(),
+            "location": self.location._to_dict(),
+            "hash": self.hash,
+        }
+        if self.stackId:
+            to_dict["stackId"] = self.stackId
+        return to_dict
+
 
 @dataclasses.dataclass
 class Source(NotNoneDictable):

releasenotes/notes/iast-vulnerability-report-wrong-key-4940989d2328512d.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Code Security: The field representing the class name in IAST vulnerability location reporting was previously 
+    incorrectly named as class_name. This fix standardizes the naming and ensures that the correct field (class).

tests/appsec/iast/taint_sinks/test_command_injection.py

@@ -56,7 +56,7 @@ def _assert_vulnerability(label, value_parts=None, source_name="", check_value=F
     assert vulnerability["location"]["path"] == FIXTURES_PATH
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["method"] == function_name
-    assert vulnerability["location"]["class_name"] == class_name
+    assert vulnerability["location"]["class"] == class_name
     assert vulnerability["hash"] == hash_value
 
 

tests/appsec/iast/taint_sinks/test_header_injection_redacted.py

@@ -41,7 +41,7 @@ def test_header_injection_redact_excluded(header_name, header_value, iast_contex
             {
                 "evidence": {"valueParts": [{"value": header_name + ": "}, {"source": 0, "value": header_value}]},
                 "hash": ANY,
-                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class_name": ANY},
+                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class": ANY},
                 "type": VULN_HEADER_INJECTION,
             }
         ],
@@ -85,7 +85,7 @@ def test_common_django_header_injection_redact(header_name, header_value, value_
             {
                 "evidence": {"valueParts": value_part},
                 "hash": ANY,
-                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class_name": ANY},
+                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class": ANY},
                 "type": VULN_HEADER_INJECTION,
             }
         ],

tests/appsec/iast/taint_sinks/test_path_traversal.py

@@ -129,7 +129,7 @@ def test_path_traversal(module, function, iast_context_defaults):
     assert vulnerability["location"]["path"] == FIXTURES_PATH
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["method"] == path
-    assert vulnerability["location"]["class_name"] == ""
+    assert vulnerability["location"]["class"] == ""
     assert vulnerability["hash"] == hash_value
     assert vulnerability["evidence"]["valueParts"] == [{"source": 0, "value": file_path}]
     assert "value" not in vulnerability["evidence"].keys()

tests/appsec/iast/taint_sinks/test_path_traversal_redacted.py

@@ -51,7 +51,7 @@ def test_path_traversal_redact_exclude(file_path, iast_context_defaults):
             {
                 "evidence": {"valueParts": [{"source": 0, "value": file_path}]},
                 "hash": ANY,
-                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class_name": ANY},
+                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class": ANY},
                 "type": VULN_PATH_TRAVERSAL,
             }
         ],
@@ -103,7 +103,7 @@ def test_path_traversal_redact_rel_paths(file_path, iast_context_defaults):
             {
                 "evidence": {"valueParts": [{"source": 0, "value": file_path}]},
                 "hash": ANY,
-                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class_name": ANY},
+                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class": ANY},
                 "type": VULN_PATH_TRAVERSAL,
             }
         ],
@@ -126,7 +126,7 @@ def test_path_traversal_redact_abs_paths(iast_context_defaults):
             {
                 "evidence": {"valueParts": [{"source": 0, "value": file_path}]},
                 "hash": ANY,
-                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class_name": ANY},
+                "location": {"line": ANY, "path": "foobar.py", "spanId": ANY, "method": ANY, "class": ANY},
                 "type": VULN_PATH_TRAVERSAL,
             }
         ],

tests/appsec/iast/taint_sinks/test_ssrf.py

@@ -54,7 +54,7 @@ def _check_report(tainted_path, label):
     assert vulnerability["location"]["path"] == FIXTURES_PATH
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["method"] == label
-    assert vulnerability["location"]["class_name"] == ""
+    assert vulnerability["location"]["class"] == ""
     assert vulnerability["hash"] == hash_value
 
 

tests/appsec/iast/test_iast_propagation_path.py

@@ -25,7 +25,7 @@ def _assert_vulnerability(data, value_parts, file_line_label):
     assert vulnerability["location"]["path"] == FIXTURES_PATH
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["method"] == file_line_label
-    assert vulnerability["location"]["class_name"] == ""
+    assert vulnerability["location"]["class"] == ""
     assert vulnerability["hash"] == hash_value
 
 

tests/appsec/integrations/django_tests/test_django_appsec_iast.py

@@ -610,7 +610,7 @@ def test_django_sqli_http_cookies_name(client, test_spans, tracer):
     assert vulnerability["location"]["path"] == TEST_FILE
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["method"] == "sqli_http_request_cookie_name"
-    assert vulnerability["location"]["class_name"] == ""
+    assert vulnerability["location"]["class"] == ""
     assert vulnerability["hash"] == hash_value
 
 
@@ -669,7 +669,7 @@ def test_django_sqli_http_cookies_value(client, test_spans, tracer):
     assert vulnerability["location"]["line"] == line
     assert vulnerability["location"]["path"] == TEST_FILE
     assert vulnerability["location"]["method"] == "sqli_http_request_cookie_value"
-    assert vulnerability["location"]["class_name"] == ""
+    assert vulnerability["location"]["class"] == ""
     assert vulnerability["hash"] == hash_value
 
 

tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py

@@ -684,7 +684,7 @@ async def test_route(param_str):
         assert vulnerability["location"]["line"] == line
         assert vulnerability["location"]["path"] == TEST_FILE_PATH
         assert vulnerability["location"]["method"] == "test_route"
-        assert vulnerability["location"]["class_name"] == ""
+        assert vulnerability["location"]["class"] == ""
         assert vulnerability["hash"] == hash_value
 
 
@@ -946,7 +946,7 @@ async def header_injection(request: Request):
         assert vulnerability["location"]["line"] == line
         assert vulnerability["location"]["path"] == TEST_FILE_PATH
         assert vulnerability["location"]["method"] == "header_injection"
-        assert vulnerability["location"]["class_name"] == ""
+        assert vulnerability["location"]["class"] == ""
         assert vulnerability["location"]["spanId"]