Fix TSA #2816217: suppress Flawfinder false positive on Cython JoinPyUnicode memcpy (#2029)

* Fix TSA #2816217: suppress Flawfinder false positive on Cython JoinPyUnicode memcpy

Flawfinder's buffer/memcpy rule (CWE-120) fires on any memcpy() call by
default. The flagged call sits inside the Cython 3.x string-join helper
__Pyx_PyUnicode_Join:

    memcpy((char *)result_udata + (char_pos << kind_shift),
           udata,
           (size_t) (ulength << kind_shift));

It is provably safe:
* result_uval was just allocated via PyUnicode_New(result_ulength, max_char)
  and result_udata = PyUnicode_DATA(result_uval) points into that buffer.
* The immediately preceding check
      (PY_SSIZE_T_MAX >> kind_shift) - ulength < char_pos
  guards against char_pos+ulength overflow before the memcpy executes.
* result_ulength is computed by the caller as the sum of input lengths,
  so char_pos + ulength <= result_ulength after each iteration. The byte
  count `ulength << kind_shift` is bounded by the allocated buffer.

Add an inline /* Flawfinder: ignore */ annotation on the flagged line in
the Cython-generated _pydevd_sys_monitoring_cython.c and extend the
existing post-processing block in setup_pydevd_cython.py so the annotation
is re-applied automatically whenever Cython regenerates the .c files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix SyntaxError: add missing closing paren on JoinPyUnicode .replace() call

The merge from main inadvertently dropped the closing ')' of the new

JoinPyUnicode '.replace(...)' call, so the subsequent 'read<end'

'.replace(...)' block was being parsed as continued arguments. Add the

missing ')' (and a blank line) to separate the two calls cleanly.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: StellaHuang95

src/debugpy/_vendored/pydevd/_pydevd_sys_monitoring/_pydevd_sys_monitoring_cython.c

@@ -177,6 +177,17 @@ def build_extension(dir_name, extension_name, target_pydevd_name, force_cython,
                 c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pxd", "_pydevd_bundle/pydevd_cython.pxd")
                 c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pyx", "_pydevd_bundle/pydevd_cython.pyx")
 
+                # Suppress Flawfinder false positive (CWE-120) in the Cython 3.x
+                # `__Pyx_PyUnicode_Join` boilerplate: the destination `result_uval` was just
+                # allocated via `PyUnicode_New(result_ulength, max_char)`, and the immediately
+                # preceding `(PY_SSIZE_T_MAX >> kind_shift) - ulength < char_pos` check guards
+                # against char_pos+ulength overflow before the memcpy. The size argument is
+                # `ulength << kind_shift` which is bounded by the pre-allocated buffer length.
+                c_file_contents = c_file_contents.replace(
+                    "            memcpy((char *)result_udata + (char_pos << kind_shift), udata, (size_t) (ulength << kind_shift));\n",
+                    "            memcpy((char *)result_udata + (char_pos << kind_shift), udata, (size_t) (ulength << kind_shift)); /* Flawfinder: ignore */\n",
+                )
+
                 # Suppress Flawfinder false positive (CWE-120) in the Cython 3.x
                 # CIntToPyUnicode boilerplate (`__Pyx____Pyx_PyUnicode_From_int`): the destination
                 # `dpos` is a stack buffer of size `sizeof(int)*3+2`, and `dpos -= 2` immediately