fix(iast): cookie vulnerability cardinality issues

[avara1986]

New sink point setCookie.

Report all cookies vulnerabilities at the same time. Example

Request 1:

• You reach set_cookie in file 1, line 10:
  • Increment quota (1), compute location
  • Report httponly, insecure, and samesite (if all three apply at this point)
• You reach set_cookie in file 1, line 11:
  • Increment quota (2), compute location
  • Report httponly, insecure, and samesite (if all three apply at this point)
• You reach set_cookie in file 1, line 12:
  • Increment quota (3), No quota left

Request 2:

• You reach set_cookie in file 1, line 10:
  • Increment quota (1), compute location. Continues since it was already reported
• You reach set_cookie in file 1, line 11:
  • Increment quota (2), compute location
  • Report httponly, insecure, and samesite. Continues since it was already reported
• You reach set_cookie in file 1, line 12:
  • Increment quota (3), No quota left

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

releasenotes/notes/iast-fix-cookies-cardinality-f1fd2eb17f36e730.yaml   @DataDog/apm-python
ddtrace/appsec/_iast/_handlers.py                                       @DataDog/asm-python
ddtrace/appsec/_iast/_listener.py                                       @DataDog/asm-python
ddtrace/appsec/_iast/_overhead_control_engine.py                        @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/_base.py                               @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/insecure_cookie.py                     @DataDog/asm-python
docker-compose.yml                                                      @DataDog/apm-core-python
tests/appsec/iast/taint_sinks/test_insecure_cookie.py                   @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/views.py              @DataDog/asm-python
tests/appsec/integrations/django_tests/test_django_appsec_iast.py       @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py     @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python
tests/appsec/integrations/pygoat_tests/test_pygoat.py                   @DataDog/asm-python

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-02-20 17:44:57

Comparing candidate commit ae95ea4 in PR branch avara1986/APPSEC-56679-cookies_deduplication_2 with baseline commit 6bf9381 in branch main.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 417 metrics, 2 unstable metrics.

scenario:iast_aspects-ospathsplitext_aspect

• 🟩 execution_time [-341.505ns; -287.290ns] or [-8.717%; -7.334%]

[datadog-dd-trace-py-rkomorn]

Datadog Report

Branch report: avara1986/APPSEC-56679-cookies_deduplication_2
Commit report: ae95ea4
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1184 Skipped, 1m 36.82s Total Time