fix(iast): cookie vulnerability cardinality issues

[avara1986]

ookie vulnerabilities are hashed by cookie name. That means that for each cookie name and service, we create a unique vulnerability. In some customers, they use unique cookie names per request, generating a large number of unique vulnerabilities.

Solutions to this problem:

• If there is a relevant location, use hashing based on location, not cookie name.
• Otherwise, just filter out all cookie names for hashing, generating max 1 vuln of each type per service.
• Filter cookies by DD_IAST_COOKIE_FILTER_PATTERN

RFC

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

releasenotes/notes/iast-fix-cookies-cardinality-0acd4b176c91ac14.yaml   @DataDog/apm-python
ddtrace/appsec/_iast/_overhead_control_engine.py                        @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/_base.py                               @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/insecure_cookie.py                     @DataDog/asm-python
ddtrace/settings/asm.py                                                 @DataDog/asm-python
docker-compose.yml                                                      @DataDog/apm-core-python
docs/configuration.rst                                                  @DataDog/python-guild
docs/spelling_wordlist.txt                                              @DataDog/python-guild
tests/appsec/iast/taint_sinks/test_insecure_cookie.py                   @DataDog/asm-python
tests/telemetry/test_writer.py                                          @DataDog/apm-python

[datadog-dd-trace-py-rkomorn]

Datadog Report

Branch report: avara1986/APPSEC-56679-cookies_deduplication
Commit report: 189ba3a
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1184 Skipped, 3m 18.89s Total duration (25m 7.79s time saved)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-02-05 12:54:06

Comparing candidate commit 189ba3a in PR branch avara1986/APPSEC-56679-cookies_deduplication with baseline commit e5055b7 in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.