chore(asm): keep trace without events if waf decides

[christophe-papazian]

The new version of libddwaf can decide to keep a trace even without security events.
This PR allows to do so.

Also: update system tests version with last commit and remove the agent build step that is now deprecated.

This new internal feature is already checked by new system tests.

APPSEC-58012

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

.github/workflows/system-tests.yml                                      @DataDog/python-guild @DataDog/apm-core-python
ddtrace/appsec/_processor.py                                            @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 273 ± 2 ms.

The average import time from base is: 275 ± 2 ms.

The import time difference between this PR and base is: -1.99 ± 0.08 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.983 ms (0.73%)

ddtrace.bootstrap.sitecustomize 1.310 ms (0.48%)

ddtrace.bootstrap.preload 1.310 ms (0.48%)

ddtrace.internal.remoteconfig.client 0.632 ms (0.23%)

ddtrace 0.673 ms (0.25%)

ddtrace.internal._unpatched 0.031 ms (0.01%)

json 0.031 ms (0.01%)

json.decoder 0.031 ms (0.01%)

re 0.031 ms (0.01%)

enum 0.031 ms (0.01%)

types 0.031 ms (0.01%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-06-17 09:05:29

Comparing candidate commit 2e1b555 in PR branch christophe-papazian/keep_trace_without_security_events with baseline commit d30bcd7 in branch main.

Found 0 performance improvements and 6 performance regressions! Performance is the same for 555 metrics, 3 unstable metrics.

scenario:iastaspects-format_map_aspect

• 🟥 execution_time [+452.736ns; +528.810ns] or [+14.128%; +16.502%]

scenario:iastaspects-lower_aspect

• 🟥 execution_time [+165.556ns; +205.703ns] or [+7.324%; +9.100%]

scenario:iastaspectsospath-ospathbasename_aspect

• 🟥 execution_time [+803.114ns; +907.737ns] or [+19.154%; +21.649%]

scenario:iastaspectsospath-ospathnormcase_aspect

• 🟥 execution_time [+352.988ns; +430.819ns] or [+10.175%; +12.419%]

scenario:iastaspectsospath-ospathsplitdrive_aspect

• 🟥 execution_time [+323.466ns; +388.347ns] or [+8.909%; +10.696%]

scenario:telemetryaddmetric-1-distribution-metric-1-times

• 🟥 execution_time [+359.825ns; +394.045ns] or [+12.427%; +13.609%]