contrast-agent 3.16.0 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2172066d6736b55c6754bb6913ec9fb9962ac1b818a85b4faa7ef822bb5df97
-  data.tar.gz: 209286f4ef6ce8b688e3849a502ece6cfc914f795fae25b5cb417b3fa3998b50
+  metadata.gz: ce67e5e10275cf1425bc05d510e6a2b0b436f90c180027bfce2abfeccf11e86e
+  data.tar.gz: 5644a75c92b7502f285030c83f3469820c6efdf8c582eb32328d8aefe2f4821a
 SHA512:
-  metadata.gz: e6c19a309c1d7c7e2600d2f90d5da2664c315550be00475720165dde741d821d3ceb391282831aeb8ddcbe8e86b50b48d741d5c63d85c7a92c38ef0e54b7b0cd
-  data.tar.gz: f4c1a92e5272730285b467c63768e31b1d6d7cb4266cbd6133c6de312603fcabc9c3bc814bc7f20d48fa444651fb040713ed1438b70076e9be9be396dab6603b
+  metadata.gz: c777194316965c247ced91d30731f9d263db482975fe4702d20332f224ef17c1f23ed281066b07398a900b5f5561019fe15ef6bb882f64c38efb05a693100073
+  data.tar.gz: 6a3cf5245ba8448d4023b9e29e608058747dc66c7f1296265d1b2f589ee55bedabe192058eb638839667546acb14650397a35ae36127a0ce316d2a8c876be3a8

data/lib/contrast/agent.rb

@@ -23,7 +23,6 @@ require 'contrast/extension/protect'
 require 'contrast/extension/protect/kernel'
 
 require 'contrast/utils/object_share'
-require 'contrast/utils/boolean_util'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/io_util'
 require 'contrast/utils/os'
@@ -88,8 +87,8 @@ require 'contrast/agent/assess'
 # protect rules
 require 'contrast/agent/protect/rule'
 
-# application libraries
-require 'contrast/utils/gemfile_reader'
+# application libraries and technologies
+require 'contrast/agent/inventory'
 
 # rack event monitoring
 require 'contrast/agent/middleware'

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -17,22 +17,33 @@ module Contrast
           access_component :analysis
 
           class << self
+            # Use the given trace_point, built from an :end event, to determine
+            # where the loaded code lives and scan that code for policy
+            # violations.
+            #
+            # @param trace_point [TracePoint] the TracePoint generated by an
+            #   :end event at the end of a Module definition.
             def scan trace_point
               return unless ASSESS.enabled?
               return unless ASSESS.require_scan?
 
+              provider_values = policy.providers.values
+              return if provider_values.all?(&:disabled?)
+
               return unless trace_point.path
               return if trace_point.path.start_with?(Gem.dir)
 
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              # TODO: RUBY-1013 - get AST here instead of TP, so we only need
-              #   to make one per provider, instead of one per rule
-              policy.providers.each_value do |provider|
-                if RUBY_VERSION >= '2.6.0'
-                  provider.parse(trace_point)
-                else # TODO: RUBY-1014 - remove alternative
+              # TODO: RUBY-1014 - remove non-AST approach
+              if RUBY_VERSION >= '2.6.0'
+                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+                provider_values.each do |provider|
+                  provider.parse(trace_point, ast)
+                end
+              else
+                provider_values.each do |provider|
                   provider.analyze(mod)
                 end
               end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -85,10 +85,11 @@ module Contrast
             #
             # @param trace_point [TracePoint] the TracePoint event created on
             #   the :end of a Module being loaded
-            def parse trace_point
+            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax
+            #   tree of the Module defined in the TracePoint end event
+            def parse trace_point, ast
               return if disabled?
 
-              ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
               parse_ast(trace_point.self, ast)
             rescue StandardError => e
               logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)

data/lib/contrast/agent/inventory.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # Namespace used for inventory behavior
+    module Inventory
+    end
+  end
+end
+
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/agent/inventory/gemfile_digest_cache'
+require 'contrast/agent/inventory/dependency_usage_analysis'
+require 'contrast/agent/inventory/dependency_analysis'

data/lib/contrast/agent/inventory/dependencies.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Inventory
+      # this module is included in classes that need access to the applications dependencies
+      module Dependencies
+        CONTRAST_AGENT = 'contrast-agent'
+
+        # the #clone is necessary here, as a require in another thread could
+        # potentially result in adding a key to the loaded_specs hash during
+        # iteration.  (as in RUBY-330)
+        # this takes care of filtering out contrast-only dependencies
+        def loaded_specs
+          specs = Gem.loaded_specs.clone
+          specs.delete_if { |name, _v| contrast?(name) }
+        end
+
+        private
+
+        def contrast_gems
+          @_contrast_gems ||= find_contrast_gems
+        end
+
+        def contrast? name
+          contrast_gems.include?(name)
+        end
+
+        # Go through all dependents, given as a pair from the DependencyList: `dependency`
+        # is the dependency itself, filled with all its specs. `dependents` is the array of reverse
+        # dependencies for the aforementioned dependency. If the dependency is also in contrast_dep_set,
+        # then contrast depends on it. If its array of dependents is 1, then contrast is the
+        # only dependency in that list. Since only contrast depends on it, we should ignore it.
+        def find_contrast_gems
+          ignore = Set.new([CONTRAST_AGENT])
+          contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
+            dependency.name == CONTRAST_AGENT
+          end
+          contrast_dep_set = contrast_specs.dependencies.map(&:name).to_set
+
+          Gem::DependencyList.from_specs.spec_predecessors.each_pair do |dependency, dependents|
+            ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
+          end
+          ignore
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/dependency_analysis.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Inventory
+      # Used to collect dependencies of the application for reporting
+      class DependencyAnalysis
+        include Singleton
+        include Contrast::Agent::Inventory::Dependencies
+        include Contrast::Components::Interface
+
+        access_component :analysis
+
+        # Report the dependencies of this application
+        #
+        # @return [Array<Contrast::Api::Dtm::Library>] protobuf form of the
+        #   Gem::Specification that have been loaded for this application.
+        def library_pb_list
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless INVENTORY.enabled?
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless INVENTORY.analyze_libraries?
+
+          loaded_specs.each_with_object([]) do |(_name, spec), reported_lib_list|
+            next unless spec
+            next unless (digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec))
+
+            reported_lib_list << Contrast::Api::Dtm::Library.build(digest, spec)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -0,0 +1,104 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/inventory/gemfile_digest_cache'
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Inventory
+      # Used to analyze class usage for reporting
+      class DependencyUsageAnalysis
+        include Singleton
+        include Contrast::Components::Interface
+        include Contrast::Agent::Inventory::Dependencies
+
+        access_component :analysis, :config, :logging
+
+        def initialize
+          return unless enabled?
+
+          @gemdigest_cache = Contrast::Agent::Inventory::GemfileDigestCache.new
+        end
+
+        # This method is invoked once, along with the rest of our catchup code
+        # to report libraries and their associated files that have already been loaded pre-contrast
+        def catchup
+          return unless enabled?
+
+          loaded_specs.each do |_name, spec|
+            # Get a digest of the Gem file itself
+            next unless (digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec))
+
+            @gemdigest_cache.use_cache(digest) do |existing_files|
+              loaded_files_from_gem = $LOADED_FEATURES.select { |f| f.start_with?(spec.full_gem_path) }
+              loaded_files_from_gem.each do |file_path|
+                logger.trace('Recording loaded file for inventory analysis', line: file_path)
+                existing_files << adjust_path_for_reporting(file_path, spec)
+              end
+            end
+          end
+        end
+
+        # This method is invoked once per TracePoint :end - to map a specific
+        # file being required to the gem it belongs to
+        #
+        # @param path [String] the result of TracePoint#path from the :end
+        #   event in which the Module was defined
+        def associate_file path
+          return unless enabled?
+
+          spec_lookup_path = adjust_path_for_spec_lookup(path)
+
+          spec = Gem::Specification.find_by_path(spec_lookup_path)
+          unless spec
+            logger.debug('Unable to resolve gem spec for path', path: path)
+            return
+          end
+
+          digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec)
+          unless digest
+            logger.debug('Unable to resolve digest for gem spec', spec: spec.to_s)
+            return
+          end
+          report_path = adjust_path_for_reporting(path, spec)
+          @gemdigest_cache.get(digest) << report_path
+        rescue StandardError => e
+          logger.error('Unable to inventory file path', e, path: path)
+        end
+
+        # Populate the library_usages filed of the Activity message using the
+        # data stored in the @gemdigest_cache
+        #
+        # @param activity [Contrast::Api::Dtm::Activity] the message to which
+        #   to append the usage data
+        def generate_library_usage activity
+          return unless enabled?
+          return if @gemdigest_cache.empty?
+
+          @gemdigest_cache.generate_usage_data(activity)
+        end
+
+        private
+
+        def adjust_path_for_spec_lookup path
+          idx = path.index('/lib/')
+          path = path[(idx + 4)..-1] if idx
+          path
+        end
+
+        def adjust_path_for_reporting path, gem_spec
+          path.delete_prefix(gem_spec.full_gem_path)
+        end
+
+        # We only use this if inventory and library analysis are enabled
+        def enabled?
+          @_enabled = INVENTORY.enabled? && INVENTORY.analyze_libraries? if @_enabled.nil?
+          @_enabled
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/gemfile_digest_cache.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Inventory
+      # Keeps a map of gem digest to files for reporting file usage
+      class GemfileDigestCache
+        extend Forwardable
+        def_delegator :@gem_spec_digest_to_files,
+                      :empty?
+
+        def initialize
+          @gem_spec_digest_to_files = {}
+        end
+
+        def generate_usage_data activity
+          return unless activity
+
+          @gem_spec_digest_to_files.each_pair do |digest, files|
+            usage = Contrast::Api::Dtm::LibraryUsageUpdate.build(digest, files)
+            activity.library_usages[usage.hash_code] = usage if activity
+          end
+          @gem_spec_digest_to_files.clear
+        end
+
+        def use_cache digest
+          yield get(digest)
+        end
+
+        def get digest
+          @gem_spec_digest_to_files[digest] = Set.new unless @gem_spec_digest_to_files.key?(digest)
+          @gem_spec_digest_to_files[digest]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/middleware.rb

@@ -94,8 +94,7 @@ module Contrast
         if CONFIG.invalid?
           AGENT.disable!
           logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
-        elsif CONFIG.disabled?
-          AGENT.disable!
+        elsif AGENT.disabled?
           logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
         else
           AGENT.enable!

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -26,7 +26,7 @@ module Contrast
 
               action = properties['action']
               write_marker = write?(action, *args)
-              possible_write = write_marker && possible_write(write_marker)
+              possible_write = write_marker && possible_write?(write_marker)
               path_traversal_rule(path, possible_write, object, method)
 
               # If the action was copy, we need to handle the write half of it.
@@ -48,7 +48,7 @@ module Contrast
 
             private
 
-            def possible_write input
+            def possible_write? input
               input.cs__respond_to?(:to_s) &&
                   input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
             end
@@ -62,7 +62,7 @@ module Contrast
               return true if action == WRITE
 
               write_marker = args.length > 1 ? args[1] : nil
-              write_marker && possible_write(write_marker)
+              write_marker && possible_write?(write_marker)
             end
 
             def path_traversal_rule path, possible_write, object, method
@@ -83,6 +83,7 @@ module Contrast
                   tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
                   gems = ENV['GEM_PATH']
                   tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
+                  tmp.map!(&:downcase)
                   tmp
                 else
                   []

data/lib/contrast/agent/request_handler.rb

@@ -18,7 +18,7 @@ module Contrast
       end
 
       def send_activity_messages
-        Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
+        Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
         [context.server_activity, context.activity, context.observed_route].each do |message|
           Contrast::Agent.messaging_queue.send_event_eventually(message)
         end

data/lib/contrast/agent/static_analysis.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
-require 'contrast/utils/gemfile_reader'
+require 'contrast/agent/inventory'
 require 'contrast/api/decorators/application_update'
 
 module Contrast
@@ -18,7 +18,7 @@ module Contrast
         def catchup
           @_catchup ||= begin
             with_contrast_scope do
-              Contrast::Utils::GemfileReader.instance.map_loaded_classes
+              Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
               send_inventory_message
               true
             end

data/lib/contrast/agent/tracepoint_hook.rb

@@ -35,7 +35,7 @@ module Contrast
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
-            Contrast::Utils::InventoryUtil.inventory_class(path) if path
+            Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
             Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '3.16.0'
+    VERSION = '4.0.0'
   end
 end

data/lib/contrast/api/decorators.rb

@@ -8,11 +8,14 @@ module Contrast
     end
   end
 end
+
 require 'contrast/api/decorators/message'
 require 'contrast/api/decorators/application_update'
 require 'contrast/api/decorators/input_analysis'
 require 'contrast/api/decorators/application_settings'
 require 'contrast/api/decorators/server_features'
+require 'contrast/api/decorators/library'
+require 'contrast/api/decorators/library_usage_update'
 require 'contrast/api/decorators/route_coverage'
 require 'contrast/api/decorators/trace_event_object'
 require 'contrast/api/decorators/trace_event_signature'

data/lib/contrast/api/decorators/address.rb

@@ -21,7 +21,6 @@ module Contrast
         module ClassMethods
           include Contrast::Components::Interface
           access_component :logging
-
           # receiver is memoized because it is the address/host/port of the server, once we
           # resolve this for the first time, it shouldn't change
           #

data/lib/contrast/api/decorators/application_update.rb

@@ -44,7 +44,7 @@ module Contrast
             msg = new
             msg.append_route_coverage_data(Contrast::Agent.framework_manager.find_route_discovery_data)
             msg.append_platform_version(Contrast::Agent.framework_manager.platform_version)
-            msg.append_library_update(Contrast::Utils::GemfileReader.instance.library_pb_list)
+            msg.append_library_update(Contrast::Agent::Inventory::DependencyAnalysis.instance.library_pb_list)
             msg
           end
         end

data/lib/contrast/api/decorators/library.rb

@@ -0,0 +1,53 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/string_utils'
+require 'contrast/utils/sha256_builder'
+require 'yaml'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the Library protobuf model to handle Gem::Specification translation
+      module Library
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the Library class on inclusion of the decorator
+        module ClassMethods
+          def build digest, gem_specification
+            msg = new
+            msg.file_path = Contrast::Utils::StringUtils.force_utf8(gem_specification.name)
+            msg.hash_code   = Contrast::Utils::StringUtils.force_utf8(digest)
+            msg.version     = Contrast::Utils::StringUtils.force_utf8(gem_specification.version)
+            msg.manifest    = Contrast::Utils::StringUtils.force_utf8(build_manifest(gem_specification))
+            msg.external_ms = date_to_ms(gem_specification.date)
+            msg.internal_ms = msg.external_ms
+            msg.url         = Contrast::Utils::StringUtils.force_utf8(gem_specification.homepage)
+            msg.class_count = file_count(gem_specification.full_gem_path.to_s)
+            msg.used_class_count = 0
+            msg
+          end
+
+          # These are all the code files that are located in the Gem directory loaded
+          # by the current environment; this includes more than Ruby files
+          def file_count path
+            Contrast::Utils::Sha256Builder.instance.files(path).length
+          end
+
+          def build_manifest spec
+            Contrast::Utils::StringUtils.force_utf8(spec.to_yaml.to_s)
+          rescue StandardError
+            nil
+          end
+
+          def date_to_ms date
+            (date.to_f * 1000.0).to_i
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::Library.include(Contrast::Api::Decorators::Library)

data/lib/contrast/api/decorators/library_usage_update.rb

@@ -0,0 +1,30 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/string_utils'
+
+module Contrast
+  module Api
+    module Decorators
+      # Used to decorate the LibraryUsageUpdate protobuf
+      module LibraryUsageUpdate
+        def self.included klass
+          klass.extend(ClassMethods)
+        end
+        # Used to add class methods to the LibraryUsageUpdate class on inclusion of the decorator
+        module ClassMethods
+          def build digest, files
+            msg = new
+            msg.hash_code = Contrast::Utils::StringUtils.force_utf8(digest)
+            files.each do |required_file|
+              msg.class_names[required_file] = true
+            end
+            msg
+          end
+        end
+      end
+    end
+  end
+end
+
+Contrast::Api::Dtm::LibraryUsageUpdate.include(Contrast::Api::Decorators::LibraryUsageUpdate)

data/lib/contrast/components/agent.rb

@@ -17,7 +17,8 @@ module Contrast
         access_component :analysis, :config, :settings
 
         def enabled?
-          !!@enabled
+          @_enabled = !false?(CONFIG.root.enable) if @_enabled.nil?
+          @_enabled
         end
 
         def disabled?
@@ -25,11 +26,11 @@ module Contrast
         end
 
         def enable!
-          @enabled = true
+          @_enabled = true
         end
 
         def disable!
-          @enabled = false
+          @_enabled = false
         end
 
         def ruleset
@@ -49,12 +50,12 @@ module Contrast
         end
 
         def patch_yield?
-          @_patch_yield = !Contrast::Utils::BooleanUtil.false?(CONFIG.root.agent.ruby.propagate_yield) if @_patch_yield.nil?
+          @_patch_yield = !false?(CONFIG.root.agent.ruby.propagate_yield) if @_patch_yield.nil?
           @_patch_yield
         end
 
         def interpolation_enabled?
-          @_interpolation_enabled = !Contrast::Utils::BooleanUtil.false?(CONFIG.root.agent.ruby.interpolate) if @_interpolation_enabled.nil?
+          @_interpolation_enabled = !false?(CONFIG.root.agent.ruby.interpolate) if @_interpolation_enabled.nil?
           @_interpolation_enabled
         end
 

data/lib/contrast/components/config.rb

@@ -1,9 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/boolean_util'
 require 'contrast/utils/env_configuration_item'
-require 'contrast/utils/object_share'
 require 'contrast/configuration'
 
 module Contrast
@@ -39,41 +37,9 @@ module Contrast
         end
         alias_method :rebuild, :build
 
-        # Prefer abstraction, but use #raw if you need.
-        # grep 'CONFIG.raw' for opportunities to refactor.
-        def raw
-          @config
-        end
-
+        # @return [Contrast::Config::RootConfiguration]
         def root
-          raw.root
-        end
-
-        def enabled?
-          @_enabled = !Contrast::Utils::BooleanUtil.false?(raw.enable) if @_enabled.nil?
-          @_enabled
-        end
-
-        def disabled?
-          !enabled?
-        end
-
-        def protect?
-          @_protect = Contrast::Utils::BooleanUtil.true?(raw.protect.enable) if @_protect.nil?
-          @_protect
-        end
-
-        def assess?
-          @_assess = Contrast::Utils::BooleanUtil.true?(raw.assess.enable) if @_assess.nil?
-          @_assess
-        end
-
-        def session_id
-          @_session_id ||= raw.application.session_id
-        end
-
-        def session_metadata
-          @_session_metadata ||= raw.application.session_metadata
+          @config.root
         end
 
         def valid?
@@ -84,6 +50,10 @@ module Contrast
           !valid?
         end
 
+        def loggable
+          @config.loggable
+        end
+
         private
 
         SESSION_VARIABLES = "Invalid configuration. Setting both application.session_id and application.session_metadata is not allowed.\n"
@@ -111,9 +81,31 @@ module Contrast
             next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
 
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
-            raw.assign_value_to_path_array(config_item.dot_path_array, config_item.value)
+            @config.assign_value_to_path_array(config_item.dot_path_array, config_item.value)
           end
         end
+
+        # Typically, this would be accessed through
+        # Contrast::Components::AppContext, but we're too early in the
+        # initialization of the Agent to use that mechanism, so we look it up
+        # directly for ourselves
+        #
+        # @return [String,nil] the value of the session id set in the
+        #   configuration, or nil if unset
+        def session_id
+          @config.application.session_id
+        end
+
+        # Typically, this would be accessed through
+        # Contrast::Components::AppContext, but we're too early in the
+        # initialization of the Agent to use that mechanism, so we look it up
+        # directly for ourselves
+        #
+        # @return [String,nil] the value of the session metadata set in the
+        #   configuration, or nil if unset
+        def session_metadata
+          @config.application.session_metadata
+        end
       end
 
       COMPONENT_INTERFACE = Interface.new

data/lib/contrast/components/interface.rb

@@ -3,7 +3,7 @@
 
 require 'delegate'
 require 'contrast/extension/module'
-require 'contrast/utils/boolean_util'
+require 'contrast/utils/object_share'
 
 module Contrast
   # This is the base module for our components classes. It is intended to
@@ -49,12 +49,34 @@ module Contrast
       end
 
       module Methods # :nodoc:
+        # use this to determine if the configuration value is literally boolean
+        # false or some form of the word `false`, regardless of case. It should
+        # be used for those values which default to `true` as they should only
+        # treat a value explicitly set to `false` as such.
+        #
+        # @param config_param [Boolean,String] the value to check
+        # @return [Boolean] should the value be treated as `false`
         def false? config_param
-          Contrast::Utils::BooleanUtil.false?(config_param)
+          return false if config_param == true
+          return true if config_param == false
+          return false unless config_param.cs__is_a?(String)
+
+          Contrast::Utils::ObjectShare::FALSE.casecmp?(config_param)
         end
 
+        # use this to determine if the configuration value is literally boolean
+        # true or some form of the word `true`, regardless of case. It should
+        # be used for those values which default to `false` as they should only
+        # treat a value explicitly set to `true` as such.
+        #
+        # @param config_param [Boolean,String] the value to check
+        # @return [Boolean] should the value be treated as `true`
         def true? config_param
-          Contrast::Utils::BooleanUtil.true?(config_param)
+          return false if config_param == false
+          return true if config_param == true
+          return false unless config_param.cs__is_a?(String)
+
+          Contrast::Utils::ObjectShare::TRUE.casecmp?(config_param)
         end
       end
     end

data/lib/contrast/components/inventory.rb

@@ -13,12 +13,17 @@ module Contrast
         include Contrast::Components::ComponentBase
         include Contrast::Components::Interface
 
-        access_component :config
+        access_component :config, :settings
 
         def enabled?
           @_enabled = !false?(CONFIG.root.inventory.enable) if @_enabled.nil?
           @_enabled
         end
+
+        def analyze_libraries?
+          @_analyze_libraries = !false?(CONFIG.root.inventory.analyze_libraries) if @_analyze_libraries.nil?
+          @_analyze_libraries
+        end
       end
 
       COMPONENT_INTERFACE = Interface.new

data/lib/contrast/config/inventory_configuration.rb

@@ -7,8 +7,8 @@ module Contrast
     # inventory functionality of the Agent.
     class InventoryConfiguration < BaseConfiguration
       KEYS = {
-          enable: EMPTY_VALUE,
-          record_used_classes: EMPTY_VALUE,
+          enable: Contrast::Config::DefaultValue.new(true),
+          analyze_libraries: Contrast::Config::DefaultValue.new(true),
           tags: EMPTY_VALUE
       }.cs__freeze
 

data/lib/contrast/framework/rails/support.rb

@@ -45,6 +45,9 @@ module Contrast
             find_all_routes(::Rails.application, [])
           end
 
+          # Find the current route, based on the provided Request wrapper
+          # @param request[Contrast::Agent::Request]
+          # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 

data/lib/contrast/logger/application.rb

@@ -33,7 +33,7 @@ module Contrast
       def application_configuration
         return unless info?
 
-        loggable = CONFIG.raw.loggable
+        loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/utils/inventory_util.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/timer'
 require 'contrast/utils/object_share'
-require 'contrast/utils/gemfile_reader'
 require 'contrast/components/interface'
 
 module Contrast
@@ -25,12 +24,6 @@ module Contrast
       DEFAULT = 'default'
       LOCALHOST = 'localhost'
 
-      def self.inventory_class class_path
-        Contrast::Utils::GemfileReader.instance.map_class(class_path)
-      rescue StandardError => e
-        logger.error('Unable to inventory module', e, path: class_path)
-      end
-
       def self.active_record_config
         return @_active_record_config if instance_variable_defined?(:@_active_record_config)
 

data/lib/contrast/utils/sha256_builder.rb

@@ -52,18 +52,6 @@ module Contrast
         parent_dir = File.dirname(gems_dir)
         File.join(parent_dir, Contrast::Utils::ObjectShare::CACHE)
       end
-
-      def self.files path
-        instance.files(path)
-      end
-
-      def self.sha256 path
-        instance.sha256(path)
-      end
-
-      def self.build_from_spec spec
-        instance.build_from_spec(spec)
-      end
     end
   end
 end

data/service_executables/VERSION

@@ -1 +1 @@
-2.14.3
+2.14.4

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 3.16.0
+  version: 4.0.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-26 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: amazing_print
@@ -770,6 +770,11 @@ files:
 - lib/contrast/agent/deadzone/policy/policy.rb
 - lib/contrast/agent/disable_reaction.rb
 - lib/contrast/agent/exclusion_matcher.rb
+- lib/contrast/agent/inventory.rb
+- lib/contrast/agent/inventory/dependencies.rb
+- lib/contrast/agent/inventory/dependency_analysis.rb
+- lib/contrast/agent/inventory/dependency_usage_analysis.rb
+- lib/contrast/agent/inventory/gemfile_digest_cache.rb
 - lib/contrast/agent/inventory/policy/datastores.rb
 - lib/contrast/agent/inventory/policy/policy.rb
 - lib/contrast/agent/inventory/policy/trigger_node.rb
@@ -847,6 +852,8 @@ files:
 - lib/contrast/api/decorators/application_update.rb
 - lib/contrast/api/decorators/http_request.rb
 - lib/contrast/api/decorators/input_analysis.rb
+- lib/contrast/api/decorators/library.rb
+- lib/contrast/api/decorators/library_usage_update.rb
 - lib/contrast/api/decorators/message.rb
 - lib/contrast/api/decorators/rasp_rule_sample.rb
 - lib/contrast/api/decorators/route_coverage.rb
@@ -941,11 +948,9 @@ files:
 - lib/contrast/tasks/service.rb
 - lib/contrast/utils/assess/sampling_util.rb
 - lib/contrast/utils/assess/tracking_util.rb
-- lib/contrast/utils/boolean_util.rb
 - lib/contrast/utils/class_util.rb
 - lib/contrast/utils/duck_utils.rb
 - lib/contrast/utils/env_configuration_item.rb
-- lib/contrast/utils/gemfile_reader.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/invalid_configuration_util.rb

data/lib/contrast/utils/boolean_util.rb

@@ -1,30 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/object_share'
-
-module Contrast
-  module Utils
-    # Utility methods for asserting truthy or falsy state of a value expected
-    # to equate to a boolean
-    class BooleanUtil
-      class << self
-        def false? config
-          return false if config == true
-          return true if config == false
-          return false unless config.cs__is_a?(String)
-
-          Contrast::Utils::ObjectShare::FALSE.casecmp?(config)
-        end
-
-        def true? config
-          return false if config == false
-          return true if config == true
-          return false unless config.cs__is_a?(String)
-
-          Contrast::Utils::ObjectShare::TRUE.casecmp?(config)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/gemfile_reader.rb

@@ -1,193 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'set'
-require 'contrast/utils/sha256_builder'
-require 'contrast/utils/string_utils'
-require 'contrast/components/interface'
-require 'contrast/api'
-
-module Contrast
-  module Utils
-    # GemfileReader has methods for extracting information from gem specs
-    # it also has a cache of library file digests to the lines of code found.
-    class GemfileReader
-      include Singleton
-      include Contrast::Components::Interface
-
-      access_component :config, :logging
-
-      CONTRAST_AGENT = 'contrast-agent'
-
-      def initialize
-        # Map of a Gem's Spec Digest to all loaded files from that Gem
-        @spec_to_files = {}
-      end
-
-      # the #clone is necessary here, as a require in another thread could
-      # potentially result in adding a key to the loaded_specs hash during
-      # iteration.  (as in RUBY-330)
-      def loaded_specs
-        Gem.loaded_specs.clone
-      end
-
-      # indicates if there's been an update to library information, allowing us
-      # to only serialize this information on change.
-      def updated?
-        @updated
-      end
-
-      def updated!
-        @updated = true
-      end
-
-      # Once we're Contrasted, we intercept require calls to do inventory.
-      # In order to catch up, we do a one-time manual catchup, & inventory
-      # all the already-loaded gems.
-      def map_loaded_classes
-        loaded_specs.each do |name, spec|
-          # Don't count Contrast gems
-          next if contrast_gems.include? name
-
-          # Get a digest of the Gem file itself
-          next unless (digest = Contrast::Utils::Sha256Builder.build_from_spec(spec))
-
-          paths = get_by_digest(digest)
-          path = spec.full_gem_path
-          $LOADED_FEATURES.each do |line|
-            next unless line.cs__is_a?(String)
-            next unless line.start_with?(path)
-
-            logger.trace('Recording loaded gem for inventory analysis', line: line)
-            updated!
-            paths << adjust_lib(line)
-          end
-        end
-      end
-
-      def map_class path
-        path = adjust_lib(path)
-
-        return unless (spec   = Gem::Specification.find_by_path(path))
-        return unless (digest = Contrast::Utils::Sha256Builder.build_from_spec(spec))
-
-        updated!
-        get_by_digest(digest) << path
-      end
-
-      def library_pb_list
-        loaded_specs.each_with_object([]) do |(name, spec), arr|
-          next if contrast_gems.include? name
-          next unless spec
-          next unless (digest = Contrast::Utils::Sha256Builder.build_from_spec(spec))
-
-          arr << build_library_pb(digest, spec)
-        end
-      end
-
-      def generate_library_usage activity = nil
-        return unless updated?
-
-        @spec_to_files.each_pair do |digest, files|
-          usage = Contrast::Api::Dtm::LibraryUsageUpdate.new
-          usage.hash_code = Contrast::Utils::StringUtils.force_utf8(digest)
-          activity.library_usages[usage.hash_code] = usage if activity
-          # TODO: RUBY-882 once TS switches to take filenames, remove the count setter and
-          #   send the class names in usage.class_names
-          usage.count = files.size
-        end
-        # TODO: RUBY-882 once TS switches to take filenames, clear this and remove the
-        #   @updated variable
-
-        # @spec_to_files.clear
-        @updated = false
-      end
-
-      private
-
-      # marker for the lib dir in an absolute file path. purposefully includes
-      # the trailing '/'
-      LIB = '/lib/'
-
-      # Kernel#load uses the absolute path, but Gems / Specs use the path after
-      # `/lib`. This method accounts for that and trims out the `/lib/` section
-      # and starts with the first `/` after and the trailing file extension, if
-      # present.
-      #
-      # @param path [String] the path to parse
-      # @return [String] the relative path of the file, after the lib directory
-      def adjust_lib path
-        idx = path.index(LIB)
-        path = path[(idx + 4)..-1] if idx
-        idx = path.rindex(Contrast::Utils::ObjectShare::PERIOD)
-        path = path[0..idx] if idx
-        path
-      end
-
-      def get_by_digest digest
-        @spec_to_files[digest] = Set.new unless @spec_to_files.key?(digest)
-        @spec_to_files[digest]
-      end
-
-      def build_library_pb digest, spec
-        lib             = Contrast::Api::Dtm::Library.new
-        lib.file_path   = Contrast::Utils::StringUtils.force_utf8(spec.name)
-        lib.hash_code   = Contrast::Utils::StringUtils.force_utf8(digest)
-        lib.version     = Contrast::Utils::StringUtils.force_utf8(spec.version)
-        lib.manifest    = Contrast::Utils::StringUtils.force_utf8(build_manifest(spec))
-        lib.external_ms = date_to_ms(spec.date)
-        lib.internal_ms = lib.external_ms
-        lib.url         = Contrast::Utils::StringUtils.force_utf8(spec.homepage)
-        # Library tags are appended in the ApplicationUpdate delegator
-        update_class_counts(lib, digest, spec)
-        lib
-      end
-
-      def date_to_ms date
-        (date.to_f * 1000.0).to_i
-      end
-
-      def update_class_counts lib, digest, spec
-        # Updating the class counts
-        path = spec.full_gem_path.to_s
-        lib.class_count = all_files(path).length
-        lib.used_class_count = @spec_to_files.key?(digest) ? get_by_digest(digest).size : 0
-        lib
-      end
-
-      def build_manifest spec
-        Contrast::Utils::StringUtils.force_utf8(spec.to_yaml.to_s) if defined?(YAML)
-      rescue StandardError
-        nil
-      end
-
-      # These are all the code files that are located in the Gem directory loaded
-      # by the current environment; this includes more than Ruby files
-      def all_files path
-        Contrast::Utils::Sha256Builder.instance.files(path)
-      end
-
-      # Go through all dependents, given as a pair from the DependencyList: `dependency`
-      # is the dependency itself, filled with all its specs. `dependents` is the array of reverse
-      # dependencies for the aforementioned dependency. If the dependency is also in contrast_dep_set,
-      # then contrast depends on it. If its array of dependents is 1, then contrast is the
-      # only dependency in that list. Since only contrast depends on it, we should ignore it.
-      def contrast_gems
-        @_contrast_gems ||= find_contrast_gems
-      end
-
-      def find_contrast_gems
-        ignore = Set.new([CONTRAST_AGENT])
-        contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
-          dependency.name == CONTRAST_AGENT
-        end
-        contrast_dep_set = contrast_specs.dependencies.map(&:name).to_set
-
-        Gem::DependencyList.from_specs.spec_predecessors.each_pair do |dependency, dependents|
-          ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
-        end
-        ignore
-      end
-    end
-  end
-end