fix(iast): add more modules to the IAST patching denylist to improve startup time [backport 2.18] (#11909)

Backport 30e3b76 from #11907 to 2.18.

## Description

Adds a bunch of image handling, scientific/numerical computing, linting
and other modules where propagation doesn't matter to the IAST denylist.

## Checklist
- [X] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Juanjo Alvarez Martinez <[email protected]>
Co-authored-by: Federico Mon <[email protected]>

Author: 3 people

ddtrace/appsec/_iast/_ast/ast_patching.py

@@ -28,6 +28,47 @@
 # Prefixes for modules where IAST patching is allowed
 IAST_ALLOWLIST: Tuple[Text, ...] = ("tests.appsec.iast.",)
 IAST_DENYLIST: Tuple[Text, ...] = (
+    "altgraph.",
+    "dipy.",
+    "black.",
+    "mypy.",
+    "mypy_extensions.",
+    "autopep8.",
+    "pycodestyle.",
+    "pydicom.",
+    "pyinstaller.",
+    "pystray.",
+    "contourpy.",
+    "cx_logging.",
+    "dateutil.",
+    "pytz.",
+    "wcwidth.",
+    "win32ctypes.",
+    "xlib.",
+    "cycler.",
+    "cython.",
+    "dnspython.",
+    "elasticdeform.",
+    "numpy.",
+    "matplotlib.",
+    "skbase.",
+    "scipy.",
+    "networkx.",
+    "imageio.",
+    "fonttools.",
+    "nibabel.",
+    "nilearn.",
+    "gprof2dot.",
+    "h5py.",
+    "kiwisolver.",
+    "pandas.",
+    "pdf2image.",
+    "pefile.",
+    "pil.",
+    "threadpoolctl.",
+    "tifffile.",
+    "tqdm.",
+    "trx.",
     "flask.",
     "werkzeug.",
     "aiohttp._helpers.",
@@ -111,6 +152,7 @@
     "difflib.",
     "dill.info.",
     "dill.settings.",
+    "silk.",  # django-silk package
     "django.apps.config.",
     "django.apps.registry.",
     "django.conf.",

releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Add more modules to the IAST patching denylist to improve startup time

tests/appsec/iast_packages/test_packages.py

@@ -402,16 +402,17 @@ def uninstall(self, python_cmd):
         import_module_to_validate="multidict._multidict_py",
         test_propagation=True,
     ),
+    ## Skip due to numpy added to the denylist
     # Python 3.12 fails in all steps with "import error" when import numpy
-    PackageForTesting(
-        "numpy",
-        "1.24.4",
-        "9 8 7 6 5 4 3",
-        [3, 4, 5, 6, 7, 8, 9],
-        5,
-        skip_python_version=[(3, 12)],
-        import_module_to_validate="numpy.core._internal",
-    ),
+    # PackageForTesting(
+    #     "numpy",
+    #     "1.24.4",
+    #     "9 8 7 6 5 4 3",
+    #     [3, 4, 5, 6, 7, 8, 9],
+    #     5,
+    #     skip_python_version=[(3, 12)],
+    #     import_module_to_validate="numpy.core._internal",
+    # ),
     PackageForTesting(
         "oauthlib",
         "3.2.2",
@@ -430,8 +431,9 @@ def uninstall(self, python_cmd):
         {"is_version_valid": True, "requirement": "example-package>=1.0.0", "specifier": ">=1.0.0", "version": "1.2.3"},
         "",
     ),
+    ## Skip due to pandas added to the denylist
     # Pandas dropped Python 3.8 support in pandas>2.0.3
-    PackageForTesting("pandas", "2.2.2", "foobar", "Written value: foobar", "", skip_python_version=[(3, 8)]),
+    # PackageForTesting("pandas", "2.2.2", "foobar", "Written value: foobar", "", skip_python_version=[(3, 8)]),
     PackageForTesting(
         "platformdirs",
         "4.2.2",
@@ -479,15 +481,16 @@ def uninstall(self, python_cmd):
     ),
     # # TODO: patching Pytest fails: ImportError: cannot import name 'Dir' from '_pytest.main'
     # PackageForTesting("pytest", "8.2.1", "", "", "", test_e2e=False),
-    PackageForTesting(
-        "python-dateutil",
-        "2.8.2",
-        "Sat Oct 11 17:13:46 UTC 2003",
-        "Sat, 11 Oct 2003 17:13:46 GMT",
-        "And the Easter of that year is: 2004-04-11",
-        import_name="dateutil",
-        import_module_to_validate="dateutil.relativedelta",
-    ),
+    ## Skip due to python-dateutil added to the denylist
+    # PackageForTesting(
+    #     "python-dateutil",
+    #     "2.8.2",
+    #     "Sat Oct 11 17:13:46 UTC 2003",
+    #     "Sat, 11 Oct 2003 17:13:46 GMT",
+    #     "And the Easter of that year is: 2004-04-11",
+    #     import_name="dateutil",
+    #     import_module_to_validate="dateutil.relativedelta",
+    # ),
     PackageForTesting(
         "python-multipart",
         "0.0.5",  # this version validates APPSEC-55240 issue, don't upgrade it
@@ -499,13 +502,14 @@ def uninstall(self, python_cmd):
         test_import=False,
         test_propagation=True,
     ),
-    PackageForTesting(
-        "pytz",
-        "2024.1",
-        "America/New_York",
-        "Current time in America/New_York: replaced_time",
-        "",
-    ),
+    ## Skip due to pytz added to the denylist
+    # PackageForTesting(
+    #     "pytz",
+    #     "2024.1",
+    #     "America/New_York",
+    #     "Current time in America/New_York: replaced_time",
+    #     "",
+    # ),
     PackageForTesting(
         "PyYAML",
         "6.0.1",
@@ -584,7 +588,8 @@ def uninstall(self, python_cmd):
         "",
         import_module_to_validate="tomlkit.items",
     ),
-    PackageForTesting("tqdm", "4.66.4", "", "", "", test_e2e=False, import_module_to_validate="tqdm.std"),
+    ## Skip due to tqdm added to the denylist
+    # PackageForTesting("tqdm", "4.66.4", "", "", "", test_e2e=False, import_module_to_validate="tqdm.std"),
     # Python 3.8 and 3.9 fail with ImportError: cannot import name 'get_host' from 'urllib3.util.url'
     PackageForTesting(
         "urllib3",
@@ -663,15 +668,16 @@ def uninstall(self, python_cmd):
         "",
         skip_python_version=[(3, 6), (3, 7), (3, 8)],
     ),
-    PackageForTesting(
-        "pillow",
-        "10.3.0",
-        "Hello, Pillow!",
-        "Image correctly generated",
-        "",
-        import_name="PIL.Image",
-        skip_python_version=[(3, 6), (3, 7), (3, 8)],
-    ),
+    ## Skip due to pillow added to the denylist
+    # PackageForTesting(
+    #     "pillow",
+    #     "10.3.0",
+    #     "Hello, Pillow!",
+    #     "Image correctly generated",
+    #     "",
+    #     import_name="PIL.Image",
+    #     skip_python_version=[(3, 6), (3, 7), (3, 8)],
+    # ),
     PackageForTesting(
         "aiobotocore", "2.13.0", "", "", "", test_e2e=False, test_import=False, import_name="aiobotocore.session"
     ),
@@ -745,16 +751,17 @@ def uninstall(self, python_cmd):
         "",
         test_e2e=False,
     ),
-    # scipy dropped Python 3.8 support in scipy > 1.10.1
-    PackageForTesting(
-        "scipy",
-        "1.13.0",
-        "1,2,3,4,5",
-        "Mean: 3.0, Standard Deviation: 1.581",
-        "",
-        import_name="scipy.special",
-        skip_python_version=[(3, 8)],
-    ),
+    ## Skip due to scipy added to the denylist
+    # # scipy dropped Python 3.8 support in scipy > 1.10.1
+    # PackageForTesting(
+    #     "scipy",
+    #     "1.13.0",
+    #     "1,2,3,4,5",
+    #     "Mean: 3.0, Standard Deviation: 1.581",
+    #     "",
+    #     import_name="scipy.special",
+    #     skip_python_version=[(3, 8)],
+    # ),
     PackageForTesting(
         "iniconfig",
         "2.0.0",