chore(iast): fix api version to send metastruct data if appsec is disabled (#13465)

###  Description

This PR addresses an issue in the Interactive Application Security
Testing (IAST) module where metastruct data was not being sent if
Application Security (AppSec) was disabled.

**Key Changes:**

* Updated the API version handling to ensure metastruct data is
transmitted regardless of the AppSec enablement status.
* Refactored the metastruct data sending logic to decouple it from
AppSec's state.
* Added tests to validate the correct behavior when AppSec is disabled.

These changes ensure that IAST continues to function correctly and send
necessary data even when AppSec is turned off.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: avara1986

ddtrace/appsec/_iast/taint_sinks/code_injection.py

@@ -49,7 +49,7 @@ def unpatch():
 
 
 def _iast_coi(wrapped, instance, args, kwargs):
-    if len(args) >= 1 and asm_config.is_iast_request_enabled:
+    if len(args) >= 1:
         _iast_report_code_injection(args[0])
 
     caller_frame = None

ddtrace/internal/writer/writer.py

@@ -479,7 +479,13 @@ def __init__(
         is_windows = sys.platform.startswith("win") or sys.platform.startswith("cygwin")
 
         default_api_version = "v0.5"
-        if is_windows or in_gcp_function() or in_azure_function() or asm_config._asm_enabled:
+        if (
+            is_windows
+            or in_gcp_function()
+            or in_azure_function()
+            or asm_config._asm_enabled
+            or asm_config._iast_enabled
+        ):
             default_api_version = "v0.4"
 
         self._api_version = api_version or config._trace_api or default_api_version

tests/appsec/app.py

@@ -217,6 +217,15 @@ def iast_header_injection_vulnerability():
     return resp
 
 
+@app.route("/iast-code-injection", methods=["GET"])
+def iast_code_injection_vulnerability():
+    filename = request.args.get("filename")
+    a = ""  # noqa: F841
+    c = eval("a + '" + filename + "'")
+    resp = Response(f"OK:{tracer._span_aggregator.writer._api_version}:{c}")
+    return resp
+
+
 @app.route("/shutdown", methods=["GET"])
 def shutdown_view():
     tracer._span_aggregator.writer.flush_queue()

tests/appsec/appsec_utils.py

@@ -44,7 +44,7 @@ def gunicorn_server(
 @contextmanager
 def flask_server(
     python_cmd="python",
-    appsec_enabled="true",
+    appsec_enabled="false",
     remote_configuration_enabled="true",
     iast_enabled="false",
     tracer_enabled="true",

tests/appsec/integrations/django_tests/conftest.py

@@ -67,9 +67,17 @@ def tracer():
 
 @pytest.fixture
 def test_spans(tracer):
+    container = TracerSpanContainer(tracer)
+    yield container
+    container.reset()
+
+
+@pytest.fixture
+def iast_span(tracer):
     with override_global_config(
         dict(
             _iast_enabled=True,
+            _appsec_enabled=False,
             _iast_deduplication_enabled=False,
             _iast_request_sampling=100.0,
         )