From ec8c507a5d19f7040fb4e1b8f85592caf5048881 Mon Sep 17 00:00:00 2001 From: Juanjo Alvarez Martinez Date: Mon, 13 Jan 2025 15:42:00 +0100 Subject: [PATCH] fix(iast): add more modules to the IAST patching denylist to improve startup time (#11907) ## Description Adds a bunch of image handling, scientific/numerical computing, linting and other modules where propagation doesn't matter to the IAST denylist. ## Checklist - [X] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- 
Signed-off-by: Juanjo Alvarez (cherry picked from commit 30e3b765715db2c4aa6a7b412bd6672f5ea381fa)
---
 ddtrace/appsec/_iast/_ast/ast_patching.py | 41 +++++++++++++++++++
 ...denylist-extend-more-f0d96917c50d43cf.yaml | 4 ++
 2 files changed, 45 insertions(+)
 create mode 100644 releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml
diff --git a/ddtrace/appsec/_iast/_ast/ast_patching.py b/ddtrace/appsec/_iast/_ast/ast_patching.py
index 7e2258bd556..4c9f0dccaec 100644
--- a/ddtrace/appsec/_iast/_ast/ast_patching.py
+++ b/ddtrace/appsec/_iast/_ast/ast_patching.py
@@ -27,6 +27,46 @@
 # Prefixes for modules where IAST patching is allowed
 IAST_ALLOWLIST: Tuple[Text, ...] = ("tests.appsec.iast.",)
 IAST_DENYLIST: Tuple[Text, ...] = (
+ "altgraph.",
+ "dipy.",
+ "black.",
+ "mypy.",
+ "mypy_extensions.",
+ "autopep8.",
+ "pycodestyle.",
+ "pydicom.",
+ "pyinstaller.",
+ "pystray.",
+ "contourpy.",
+ "cx_logging.",
+ "dateutil.",
+ "pytz.",
+ "wcwidth.",
+ "win32ctypes.",
+ "xlib.",
+ "cycler.",
+ "cython.",
+ "dnspython.",
+ "elasticdeform." "numpy.",
+ "matplotlib.",
+ "skbase.",
+ "scipy.",
+ "networkx.",
+ "imageio.",
+ "fonttools.",
+ "nibabel.",
+ "nilearn.",
+ "gprof2dot.",
+ "h5py.",
+ "kiwisolver.",
+ "pandas.",
+ "pdf2image.",
+ "pefile.",
+ "pil.",
+ "threadpoolctl.",
+ "tifffile.",
+ "tqdm.",
+ "trx.",
 "flask.",
 "werkzeug.",
 "aiohttp._helpers.",
@@ -110,6 +150,7 @@
 "difflib.",
 "dill.info.",
 "dill.settings.",
+ "silk.", # django-silk package
 "django.apps.config.",
 "django.apps.registry.",
 "django.conf.",
diff --git a/releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml b/releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml
new file mode 100644
index 00000000000..b0c378dadaa
--- /dev/null
+++ b/releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Add more modules to the IAST patching denylist to improve startup time
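Review bot: In the first hunk of ddtrace/appsec/_iast/_ast/ast_patching.py the added line `"elasticdeform." "numpy.",` is missing a comma, so Python's implicit string concatenation turns it into the single prefix `"elasticdeform.numpy."`, and neither `elasticdeform.` nor `numpy.` actually lands in IAST_DENYLIST. Split it into `"elasticdeform.",` and `"numpy.",` on separate lines. Several new entries also look like distribution names or lowercased spellings rather than import names (`"dnspython."` is imported as `dns`, `"pil."` as `PIL`, `"cython."` as `Cython`, `"fonttools."` as `fontTools`). Whether they match depends on how the lookup outside this hunk normalises module names, so that is worth confirming, ideally with a test asserting that a few of these modules are skipped by the patcher. The tuple continues past the end of both hunks in this file, so the rest of the list was not reviewed.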