From 01215f1c1a380255a23ac0e63091b8a090a9e3e0 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:47:51 +0100 Subject: [PATCH] fix(iast): add some modules to the denylist [backport 2.15] (#11432) Backport 343ba22bbe4010edb9206950fca5dc21c35d3d58 from #11418 to 2.15. ## Checklist - [X] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Juanjo Alvarez Martinez --- ddtrace/appsec/_iast/_ast/ast_patching.py | 4 +++- releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml 
diff --git a/ddtrace/appsec/_iast/_ast/ast_patching.py b/ddtrace/appsec/_iast/_ast/ast_patching.py index 257b32923f6..ec1b46afaa9 100644 --- a/ddtrace/appsec/_iast/_ast/ast_patching.py +++ b/ddtrace/appsec/_iast/_ast/ast_patching.py @@ -302,6 +302,9 @@ "httpcore.", "google.auth.", "googlecloudsdk.", + "umap.", + "pynndescent.", + "numba.", ) @@ -367,7 +370,6 @@ def visit_ast( module_name: Text = "", ) -> Optional[str]: parsed_ast = ast.parse(source_text, module_path) - _VISITOR.update_location(filename=module_path, module_name=module_name) modified_ast = _VISITOR.visit(parsed_ast) diff --git a/releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml b/releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml new file mode 100644 index 00000000000..5a31dfdcfd9 --- /dev/null +++ b/releasenotes/notes/umap-learn-denylist-b7c55f42f2408c24.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Code Security: add umap, numba and pynndescent to the Code Security denylist.
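Review bot: The three entries added to the denylist tuple in the first hunk, `"umap."`, `"pynndescent."` and `"numba."`, come without a comment or a stated reason, and the release note added later in this patch only repeats that they were added. Each entry takes a whole package out of IAST AST patching, so taint tracking stops following data through it; a short rationale above the entries would let a maintainer judge later whether the exclusion is still needed, for example `# umap-learn and its dependencies; excluded because <failure observed, to be filled in by the author>`. The matching logic is outside the hunk, so it is worth confirming that a trailing-dot prefix also covers the top-level module name (`umap` as well as `umap.x`). No test for the new entries is visible in this patch; an assertion that a module under each prefix is skipped would pin the behaviour.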