chore(iast): check secure marks for SQLi

[avara1986]

Overview

This PR adds validation for secure marks in SQL-related functions to improve SQL Injection detection in IAST. The changes ensure that secure marks are properly checked when analyzing SQL queries for potential vulnerabilities.

Changes

• Added secure marks validation for SQL functions
• Enhanced SQL Injection detection accuracy
• Updated tests to cover secure marks validation scenarios

Testing Strategy

• Added test cases for secure marks validation
• Updated existing SQL Injection tests to include secure marks checks
• Verified detection accuracy with both secure and insecure SQL queries

APPSEC-56947

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

tests/appsec/iast/test_iast_dbs.py                                      @DataDog/asm-python
tests/appsec/integrations/fixtures/patch_dbs.py                         @DataDog/asm-python
ddtrace/appsec/_iast/_ast/iastpatch.c                                   @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
hatch.toml                                                              @DataDog/python-guild
tests/appsec/iast/db_utils.py                                           @DataDog/asm-python
tests/appsec/iast/fixtures/taint_sinks/sql_injection_psycopg2.py        @DataDog/asm-python
tests/appsec/iast/fixtures/taint_sinks/sql_injection_pymysql.py         @DataDog/asm-python
tests/appsec/iast/iast_utils.py                                         @DataDog/asm-python
tests/appsec/iast/test_telemetry.py                                     @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 230 ± 1 ms.

The average import time from base is: 232 ± 2 ms.

The import time difference between this PR and base is: -1.88 ± 0.07 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.972 ms (0.86%)

ddtrace.bootstrap.sitecustomize 1.280 ms (0.56%)

ddtrace.bootstrap.preload 1.280 ms (0.56%)

ddtrace.internal.products 1.280 ms (0.56%)

ddtrace.internal.remoteconfig.client 0.612 ms (0.27%)

ddtrace 0.693 ms (0.30%)

ddtrace._logger 0.025 ms (0.01%)

logging 0.025 ms (0.01%)

traceback 0.025 ms (0.01%)

contextlib 0.025 ms (0.01%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-04-23 07:36:01

Comparing candidate commit 8c49305 in PR branch avara1986/APPSEC-56947_securemarks_sqli with baseline commit 313fd41 in branch main.

Found 0 performance improvements and 2 performance regressions! Performance is the same for 498 metrics, 8 unstable metrics.

scenario:iast_aspects-ospathdirname_aspect

• 🟥 execution_time [+706.956ns; +918.066ns] or [+15.782%; +20.495%]

scenario:iast_aspects-ospathnormcase_aspect

• 🟥 execution_time [+378.947ns; +451.264ns] or [+10.991%; +13.089%]