
chore(asm): improve rasp call mechanism #9954

Conversation

christophe-papazian

@christophe-papazian christophe-papazian commented Jul 26, 2024

Unless explicitly disabled by an environment variable, the WAF is used for each supported exploit prevention endpoint. This PR enhances this behaviour by leveraging the WAF's "known addresses" feature, which, as of version 1.19.0, skips disabled rules, to prevent calling the WAF if unnecessary.
Now, calls to the WAF will only occur if at least one specific rule for that endpoint has been enabled via remote configuration.

Also:

  • add new Shell Injection address in the address list in appsec constants and corresponding property in appsec span processor
  • add regression tests in the hatch threat test for exploit prevention to check that no call and no telemetry is generated for disabled rules

APPSEC-54272

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy
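The gating described in the PR body, as an added illustration (not dd-trace-py's own code): a WAF stand-in exposes the addresses its enabled rules use, and a per-endpoint gate consults that set before calling the WAF, so a disabled rule produces neither a WAF call nor telemetry. Rule ids, address strings and class names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed rule set: (rule_id, address the rule inspects). Ids and addresses
# are illustrative placeholders, not dd-trace-py's real constants.
RULES = [
    ("rasp-lfi-001", "server.io.fs.file"),
    ("rasp-ssrf-001", "server.io.net.url"),
    ("rasp-shi-001", "server.sys.shell.cmd"),
]


@dataclass
class FakeWaf:
    """Stand-in for the WAF: reports the addresses used by its enabled rules."""
    enabled: set = field(default_factory=set)   # rule ids enabled by remote config
    calls: list = field(default_factory=list)   # every run() invocation, for checking

    def known_addresses(self):
        # Mirrors the "known addresses" feature: addresses of disabled rules are skipped.
        return {addr for rid, addr in RULES if rid in self.enabled}

    def run(self, address, value):
        self.calls.append((address, value))
        return [rid for rid, addr in RULES
                if rid in self.enabled and addr == address and "evil" in value]


@dataclass
class RaspGate:
    """Per-endpoint gate: calls the WAF only if an enabled rule listens on the address."""
    waf: FakeWaf
    telemetry: list = field(default_factory=list)
    _known: frozenset = frozenset()

    def apply_remote_config(self, enabled_rule_ids):
        self.waf.enabled = set(enabled_rule_ids)
        self._known = frozenset(self.waf.known_addresses())  # refresh once per config push

    def check(self, address, value):
        if address not in self._known:
            return []                      # no WAF call and no telemetry for disabled rules
        hits = self.waf.run(address, value)
        self.telemetry.append((address, len(hits)))
        return hits


def demo():
    waf = FakeWaf()
    gate = RaspGate(waf)
    gate.apply_remote_config(["rasp-ssrf-001"])           # only the SSRF rule is enabled
    gate.check("server.sys.shell.cmd", "evil cmd")          # skipped: no enabled SHI rule
    ssrf = gate.check("server.io.net.url", "http://evil")   # reaches the WAF
    return len(waf.calls), len(gate.telemetry), ssrf
```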

@christophe-papazian christophe-papazian added enhancement ASM Application Security Monitoring labels Jul 26, 2024

github-actions bot commented Jul 26, 2024

CODEOWNERS have been resolved as:

```
releasenotes/notes/rasp_conditional_call-f700a122b82b4c4f.yaml          @DataDog/apm-python
tests/appsec/appsec/rules-rasp-disabled.json                            @DataDog/asm-python
ddtrace/appsec/_common_module_patches.py                                @DataDog/asm-python
ddtrace/appsec/_constants.py                                            @DataDog/asm-python
ddtrace/appsec/_processor.py                                            @DataDog/asm-python
tests/appsec/contrib_appsec/utils.py                                    @DataDog/asm-python
tests/appsec/rules.py                                                   @DataDog/asm-python
```

@datadog-dd-trace-py-rkomorn

datadog-dd-trace-py-rkomorn bot commented Jul 26, 2024

Datadog Report

Branch report: christophe-papazian/APPSEC-54272_improve_rasp_call_mechanism
Commit report: 637a4d6
Test service: dd-trace-py

✅ 0 Failed, 109880 Passed, 3927 Skipped, 6m 11.25s Total duration (3m 21.04s time saved)

@codecov-commenter

codecov-commenter commented Jul 26, 2024

Codecov Report

Attention: Patch coverage is 92.30769% with 2 lines in your changes missing coverage. Please review.

Project coverage is 10.56%. Comparing base (3237351) to head (637a4d6).
Report is 3 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| ddtrace/appsec/_constants.py | 0.00% | 1 Missing ⚠️ |
| ddtrace/appsec/_processor.py | 91.66% | 1 Missing ⚠️ |

❗ There is a different number of reports uploaded between BASE (3237351) and HEAD (637a4d6).

HEAD has 1 upload less than BASE.

| Flag | BASE (3237351) | HEAD (637a4d6) |
|---|---|---|
| | 2 | 1 |

Coverage diff and impacted files:
```
@@             Coverage Diff             @@
##             main    #9954       +/-   ##
===========================================
- Coverage   73.94%   10.56%   -63.38%     
===========================================
  Files        1402     1367       -35     
  Lines      130460   127989     -2471     
===========================================
- Hits        96465    13520    -82945     
- Misses      33995   114469    +80474     
```


@christophe-papazian christophe-papazian marked this pull request as ready for review July 26, 2024 13:00
@christophe-papazian christophe-papazian requested review from a team as code owners July 26, 2024 13:00
@christophe-papazian christophe-papazian requested review from avara1986 and Yun-Kim and removed request for avara1986 July 26, 2024 13:00
@gnufede gnufede added the changelog/no-changelog A changelog entry is not required for this PR. label Jul 26, 2024
@pr-commenter

pr-commenter bot commented Jul 26, 2024

Benchmarks

Benchmark execution time: 2024-07-26 13:41:01

Comparing candidate commit 13ccfe4 in PR branch christophe-papazian/APPSEC-54272_improve_rasp_call_mechanism with baseline commit 91af6f6 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 214 metrics, 2 unstable metrics.

@christophe-papazian christophe-papazian enabled auto-merge (squash) July 26, 2024 13:59
@christophe-papazian christophe-papazian merged commit b684af2 into main Jul 26, 2024
74 checks passed
@christophe-papazian christophe-papazian deleted the christophe-papazian/APPSEC-54272_improve_rasp_call_mechanism branch July 26, 2024 14:08