refactor(appsec): extract rel_path and get_caller_frame_info to _patch_utils

Move rel_path() and the frame-walking logic (_compute_file_line) from
VulnerabilityBase in _iast/taint_sinks/_base.py to shared functions in
_patch_utils.py so both IAST and SCA can reuse them without depending
on IAST internals.

Split out from #17156 to keep PRs incremental and reviewable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: avara1986

ddtrace/appsec/_iast/taint_sinks/_base.py

@@ -1,5 +1,3 @@
-import os
-import sysconfig
 from typing import Optional
 from typing import Union
 
@@ -8,7 +6,7 @@
 from ddtrace.appsec._iast._taint_tracking import get_ranges
 from ddtrace.appsec._iast.sampling.vulnerability_detection import rollback_quota
 from ddtrace.appsec._iast.sampling.vulnerability_detection import should_process_vulnerability
-from ddtrace.appsec._shared._stacktrace import get_info_frame
+from ddtrace.appsec._patch_utils import get_caller_frame_info
 from ddtrace.appsec._trace_utils import _asm_manual_keep
 from ddtrace.internal import core
 from ddtrace.internal.logger import get_logger
@@ -28,13 +26,8 @@
 
 log = get_logger(__name__)
 
-CWD = os.path.abspath(os.getcwd())
-
 TEXT_TYPES = Union[str, bytes, bytearray]
 
-PURELIB_PATH = sysconfig.get_path("purelib")
-STDLIB_PATH = sysconfig.get_path("stdlib")
-
 
 class taint_sink_deduplication(deduplication):
     def _check_deduplication(self):
@@ -111,40 +104,6 @@ def _prepare_report(
 
         return True
 
-    @classmethod
-    def _compute_file_line(cls) -> tuple[Optional[str], Optional[int], Optional[str], Optional[str]]:
-        file_name = line_number = function_name = class_name = None
-        frame_info = get_info_frame()
-        if not frame_info or frame_info[0] in ("", -1):
-            return file_name, line_number, function_name, class_name
-
-        file_name, line_number, function_name, class_name = frame_info
-        if not file_name:
-            return None, None, None, None
-
-        file_name = cls._rel_path(file_name)
-        if not file_name:
-            log.debug("Could not relativize vulnerability location path: %s", frame_info[0])
-            return None, None, None, None
-
-        return file_name, line_number, function_name, class_name
-
-    @staticmethod
-    def _rel_path(file_name: str) -> str:
-        file_name_norm = file_name.replace("\\", "/")
-        if file_name_norm.startswith(PURELIB_PATH):
-            return os.path.relpath(file_name_norm, start=PURELIB_PATH)
-
-        if file_name_norm.startswith(STDLIB_PATH):
-            return os.path.relpath(file_name_norm, start=STDLIB_PATH)
-        if file_name_norm.startswith(CWD):
-            return os.path.relpath(file_name_norm, start=CWD)
-        # If the path contains site-packages anywhere, return 'site-packages/<rest>'
-        # Normalize separators to forward slashes for consistency
-        if (idx := file_name_norm.find("/site-packages/")) != -1:
-            return file_name_norm[idx:]
-        return ""
-
     @classmethod
     def _create_evidence_and_report(
         cls,
@@ -177,7 +136,7 @@ def report(cls, evidence_value: TEXT_TYPES = "", dialect: Optional[str] = None)
             file_name = line_number = function_name = class_name = None
 
             if not getattr(cls, "skip_location", False):
-                file_name, line_number, function_name, class_name = cls._compute_file_line()
+                file_name, line_number, function_name, class_name = get_caller_frame_info()
                 if file_name is None:
                     rollback_quota(cls.vulnerability_type)
                     return result

ddtrace/appsec/_patch_utils.py

@@ -1,4 +1,6 @@
 import ctypes
+import os
+import sysconfig
 from typing import Any
 from typing import Callable
 from typing import Optional
@@ -12,6 +14,64 @@
 
 
 log = get_logger(__name__)
+
+# Cached paths for relativizing file paths (computed once at import time).
+_CWD = os.path.abspath(os.getcwd())
+_PURELIB_PATH = sysconfig.get_path("purelib") or ""
+_STDLIB_PATH = sysconfig.get_path("stdlib") or ""
+
+
+def rel_path(file_name: str) -> str:
+    """Relativize an absolute file path for vulnerability/reachability reporting.
+
+    Used by both IAST and SCA to produce short, readable paths in telemetry
+    payloads.  Tries purelib first, then stdlib, then CWD-relative, then
+    site-packages.  Returns empty string if the path cannot be relativized.
+    """
+    file_name_norm = file_name.replace("\\", "/")
+    if file_name_norm.startswith(_PURELIB_PATH):
+        return os.path.relpath(file_name_norm, start=_PURELIB_PATH)
+
+    if file_name_norm.startswith(_STDLIB_PATH):
+        return os.path.relpath(file_name_norm, start=_STDLIB_PATH)
+    if file_name_norm.startswith(_CWD):
+        return os.path.relpath(file_name_norm, start=_CWD)
+    # If the path contains site-packages anywhere, return 'site-packages/<rest>'
+    # Normalize separators to forward slashes for consistency
+    if (idx := file_name_norm.find("/site-packages/")) != -1:
+        return file_name_norm[idx:]
+    return ""
+
+
+def get_caller_frame_info() -> tuple:
+    """Walk the stack and return (file_name, line_number, function_name, class_name).
+
+    Uses the native C get_info_frame() to skip ddtrace, stdlib, and special
+    frames, then relativizes the path.  Shared by IAST vulnerability
+    reporting and SCA reachability detection.
+
+    Returns (None, None, None, None) when no relevant frame is found.
+    """
+    try:
+        from ddtrace.appsec._shared._stacktrace import get_info_frame
+    except ImportError:
+        return None, None, None, None
+
+    frame_info = get_info_frame()
+    if not frame_info or frame_info[0] in ("", -1, None):
+        return None, None, None, None
+
+    file_name, line_number, function_name, class_name = frame_info
+    if not file_name:
+        return None, None, None, None
+
+    file_name = rel_path(file_name)
+    if not file_name:
+        return None, None, None, None
+
+    return file_name, line_number, function_name, class_name
+
+
 _DD_ORIGINAL_ATTRIBUTES: dict[Any, Any] = {}