contrast-agent 4.12.0 → 4.14.1

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations/appliers in the TriggerMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module TriggerMethodUtils
+        # A request is reportable if it is not from ActionController::Live
+        #
+        # @param env [Hash] the env of the Request
+        # @return [Boolean]
+        def reportable? env
+          !(defined?(ActionController::Live) &&
+            env &&
+            env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+        end
+
+        # Find the request for this finding. This assumes, for now, that if there is an active request, then that
+        # is the request to report. Otherwise, we'll use the first request found in the events of the
+        # source_object.
+        #
+        # @param source [Object,nil] some Object used as the source of a trigger event
+        # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
+        def find_request source
+          return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+          return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+
+          find_event_request(properties.event)
+        end
+
+        # Finds the first request along the left most tree of parent events
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent|Contrast::Agent::Assess::Events::SourceEvent]
+        # @return [Contrast::Agent::Request, nil]
+        def find_event_request event
+          return event.request if event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          idx = 0
+          while idx <= event.parent_events.length
+            found = find_event_request(event.parent_events[idx])
+            return found if found
+
+            idx += 1
+            return event.request if event.request
+          end
+          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          event.request
+        end
+
+        # ===== APPLIERS =====
+        # This is our method that actually checks the taint on the object our trigger_node targets.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_trigger trigger_node, source, object, ret, *args
+          return unless trigger_node
+          return if trigger_node.rule_disabled?
+          return if trigger_node.dataflow? && source.nil?
+
+          if trigger_node.regexp_rule?
+            apply_regexp_rule(trigger_node, source, object, ret, *args)
+          elsif trigger_node.custom_trigger?
+            trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
+          elsif trigger_node.dataflow?
+            apply_dataflow_rule(trigger_node, source, object, ret, *args)
+          else # trigger rule - just calling the method is dangerous
+            build_finding(trigger_node, source, object, ret, *args)
+          end
+        rescue StandardError => e
+          logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_regexp_rule trigger_node, source, object, ret, *args
+          return unless source.is_a?(String)
+          return if trigger_node.good_value && source.match?(trigger_node.good_value)
+          return if trigger_node.bad_value && source !~ trigger_node.bad_value
+
+          build_finding(trigger_node, source, object, ret, *args)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_dataflow_rule trigger_node, source, object, ret, *args # rubocop:disable Metrics/PerceivedComplexity
+          return unless source
+
+          if Contrast::Agent::Assess::Tracker.trackable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+            return unless trigger_node.violated?(source)
+
+            build_finding(trigger_node, source, object, ret, *args)
+          elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each_pair do |key, value|
+              apply_dataflow_rule(trigger_node, key, object, ret, *args)
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each do |value|
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          else
+            logger.debug('Trigger source is untrackable. Unable to inspect.',
+                         node_id: trigger_node.id,
+                         source_id: source.__id__,
+                         source_type: source.cs__class.cs__name,
+                         frozen: source.cs__frozen?)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/class_util.rb

@@ -54,7 +54,7 @@ module Contrast
         # Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
         #
         # @param object [Object, nil] the entity to convert to a String
-        # @return [String] the human readable form of the String, as defined by
+        # @return [String, Object] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
           # Only treat object like a string if it actually is a string+ some subclasses of String override string
@@ -66,19 +66,23 @@ module Contrast
           else
             return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
 
-            @lru_cache[object.__id__] = if object.nil?
-                                          Contrast::Utils::ObjectShare::NIL_STRING
-                                        elsif object.cs__is_a?(Symbol)
-                                          ":#{ object }"
-                                        elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
-                                          "#{ object.cs__name }@#{ object.__id__ }"
-                                        elsif object.cs__is_a?(Regexp)
-                                          object.source
-                                        elsif use_to_s?(object)
-                                          object.to_s
-                                        else
-                                          "#{ object.cs__class.cs__name }@#{ object.__id__ }"
-                                        end
+            @lru_cache[object.__id__] = convert_object object
+          end
+        end
+
+        def convert_object object
+          if object.nil?
+            Contrast::Utils::ObjectShare::NIL_STRING
+          elsif object.cs__is_a?(Symbol)
+            ":#{ object }"
+          elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
+            "#{ object.cs__name }@#{ object.__id__ }"
+          elsif object.cs__is_a?(Regexp)
+            object.source
+          elsif use_to_s?(object)
+            object.to_s
+          else
+            "#{ object.cs__class.cs__name }@#{ object.__id__ }"
           end
         end
 

data/lib/contrast/utils/exclude_key.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Determine if configuration keys is excluded from logging
+    module ExcludeKey
+      EXCLUDE_FROM_LOG = %w[api api_key url service_key user_name].cs__freeze
+      class << self
+        # Check if a config key can be logged or not
+        #
+        # @param key [String] key to check
+        # @return[Boolean] true | false
+        def excludable? key
+          EXCLUDE_FROM_LOG.any? { |exclude_key| key.include? exclude_key }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/findings.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # Utility for saving raw findings for later
+    class Findings
+      include Contrast::Components::Logger::InstanceMethods
+
+      def initialize
+        @_collection = []
+      end
+
+      def collection
+        @_collection ||= []
+      end
+
+      def push trigger_node, source, object, ret, *args
+        return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless trigger_node.collectable?
+
+        @_collection << { trigger_node: trigger_node, source: source, object: object, ret: ret, args: args }
+      end
+
+      # Some rules requires response to be available before validating them correctly,
+      # so we check if trigger_node.rule_id is collectable and then save them for
+      # later report, when we have the response.
+      #
+      # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+      # trigger event
+      # @param source [Object] the source of the Trigger Event
+      # @param object [Object] the Object on which the method was invoked
+      # @param ret [Object] the Return of the invoked method
+      # @param args [Array<Object>] the Arguments with which the method was invoked
+      def collect_finding trigger_node, source, object, ret, *args
+        push trigger_node, source, object, ret, args
+        logger.trace('Finding collected', node_id: trigger_node.id,
+                                          source_id: source.__id__,
+                                          rule: trigger_node.rule_id)
+      end
+
+      # Build and report all collected findings for the collectable rules.
+      #
+      # We make sure the content-type is present before reporting, because some
+      # findings do require it for validation.
+      def report_collected_findings
+        return if Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type.nil?
+        return if @_collection.empty?
+
+        while @_collection.any?
+          finding = @_collection.pop
+          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding finding[:trigger_node],
+                                                                       finding[:source],
+                                                                       finding[:object],
+                                                                       finding[:ret],
+                                                                       finding[:args]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/hash_digest.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'digest'
+require 'contrast/utils/hash_digest_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
     # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
     class HashDigest < Digest::Class
       include Digest::Instance
+      extend Contrast::Utils::HashDigestExtend
 
       CONTENT_LENGTH_HEADER = 'Content-Length'
       CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
@@ -21,76 +23,6 @@ module Contrast
       CLASS_SOURCE_KEY = 'source'
       CLASS_CONSTANT_NAME_KEY = 'name'
       CLASS_LINE_NO_KEY = 'lineNo'
-      class << self
-        def generate_request_hash request
-          hash = new
-          hash.update(request.request_method)
-          hash.update(request.normalized_uri)
-          request.parameters.each_key do |name|
-            hash.update(name)
-          end
-          cl = request.headers[CONTENT_LENGTH_HEADER]
-          hash.update_on_content_length(cl) if cl
-          hash.finish
-        end
-
-        def generate_event_hash finding, source, request
-          return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
-
-          id = finding.rule_id
-          return generate_crypto_hash(finding, source, request) if CRYPTO_RULES.include?(id)
-
-          generate_trigger_hash(finding, request)
-        end
-
-        def generate_config_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          path = finding.properties[CONFIG_PATH_KEY]
-          hash.update(path)
-          method = finding.properties[CONFIG_SESSION_ID_KEY]
-          hash.update(method)
-          hash.finish
-        end
-
-        def generate_class_scanning_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          module_name = finding.properties[CLASS_SOURCE_KEY]
-          hash.update(module_name)
-          # We're not currently collecting this. 30/7/19 HM
-          line_no = finding.properties[CLASS_LINE_NO_KEY]
-          hash.update(line_no)
-          field = finding.properties[CLASS_CONSTANT_NAME_KEY]
-          hash.update(field)
-          hash.finish
-        end
-
-        private
-
-        def generate_crypto_hash finding, algorithm, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update(algorithm)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_dataflow_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_sources(finding.events)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_trigger_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-      end
 
       def update_on_request finding, request
         if (route = finding.routes[0])
@@ -106,9 +38,14 @@ module Contrast
         return unless events&.any?
 
         events.each do |event|
-          event.event_sources.each do |source|
-            update(source.type)
-            update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
+          if event.cs__is_a?(Contrast::Api::Dtm::TraceEvent)
+            event.event_sources&.each do |source|
+              update(source.type)
+              update(source.name) # rubocop:disable Security/Module/Name
+            end
+          elsif event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+            update(event.source_type)
+            update(event.source_name)
           end
         end
       end

data/lib/contrast/utils/hash_digest_extend.rb

@@ -0,0 +1,86 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'digest'
+require 'contrast/utils/hash_digest'
+
+module Contrast
+  module Utils
+    # We use this class to provide hashes for our Request and Finding objects
+    # based upon our definitions of uniqueness.
+    # While the uniqueness of the request object is something internal to the
+    # Ruby agent, the uniqueness of the Finding hash is defined by a
+    # specification shared across all agent teams. The spec can be found here:
+    # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
+    module HashDigestExtend
+      def generate_request_hash request
+        hash = new
+        hash.update(request.request_method)
+        hash.update(request.normalized_uri)
+        request.parameters.each_key do |name|
+          hash.update(name)
+        end
+        cl = request.headers[Contrast::Utils::HashDigest::CONTENT_LENGTH_HEADER]
+        hash.update_on_content_length(cl) if cl
+        hash.finish
+      end
+
+      def generate_event_hash finding, source, request
+        return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
+
+        id = finding.rule_id
+        return generate_crypto_hash(finding, source, request) if Contrast::Utils::HashDigest::CRYPTO_RULES.include?(id)
+
+        generate_trigger_hash(finding, request)
+      end
+
+      def generate_config_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        path = finding.properties[Contrast::Utils::HashDigest::CONFIG_PATH_KEY]
+        hash.update(path)
+        method = finding.properties[Contrast::Utils::HashDigest::CONFIG_SESSION_ID_KEY]
+        hash.update(method)
+        hash.finish
+      end
+
+      def generate_class_scanning_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        module_name = finding.properties[Contrast::Utils::HashDigest::CLASS_SOURCE_KEY]
+        hash.update(module_name)
+        # We're not currently collecting this. 30/7/19 HM
+        line_no = finding.properties[Contrast::Utils::HashDigest::CLASS_LINE_NO_KEY]
+        hash.update(line_no)
+        field = finding.properties[Contrast::Utils::HashDigest::CLASS_CONSTANT_NAME_KEY]
+        hash.update(field)
+        hash.finish
+      end
+
+      private
+
+      def generate_crypto_hash finding, algorithm, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update(algorithm)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_dataflow_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_sources(finding.events)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_trigger_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+    end
+  end
+end

data/lib/contrast/utils/head_dump_utils_extend.rb

@@ -0,0 +1,74 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # this module extends HeadDumpUtil
+    module HeadDumpExtend
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
+    end
+  end
+end

data/lib/contrast/utils/heap_dump_util.rb

@@ -5,6 +5,7 @@ require 'objspace'
 require 'singleton'
 require 'contrast/components/heap_dump'
 require 'contrast/components/logger'
+require 'contrast/utils/head_dump_utils_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
       extend Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Logger::InstanceMethods
       extend Contrast::Components::HeapDump::InstanceMethods
+      include Contrast::Utils::HeadDumpExtend
 
       LOG_ERROR_DUMPS = 'Unable to generate heap dumps'
       FILE_WRITE_FLAGS = 'w'
@@ -47,71 +49,6 @@ module Contrast
         nil
       end
 
-      def log_enabled_warning
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        delay  = control[:delay]
-        clean  = control[:clean]
-
-        logger.info <<~WARNING
-          *****************************************************
-          ********      HEAP DUMP HAS BEEN ENABLED     ********
-          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-          *****************************************************
-
-          Heap dump is a debugging tool that snapshots the entire
-          state of the Ruby VM. It is an exceptionally expensive
-          process, and should only be used to debug especially
-          pernicious errors.
-
-          It will write multiple memory snaphots, which are liable
-          to be multiple gigabytes in size.
-          They will be named "[unix timestamp]-heap.dump",
-          e.g.: 1020304050-heap.dump
-
-          It will then call Ruby `exit()`.
-
-          If this is not your specific intent, you can (and should)
-          disable this option in your Contrast config file.
-
-          HEAP DUMP PARAMETERS:
-          \t[write files to this directory]             dir:     #{ dir    }
-          \t[wait this many seconds in between dumps]   window:  #{ window }
-          \t[heap dump this many times]                 count:   #{ count  }
-          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-          \t[perform gc pass before dump]               clean:   #{ clean  }
-
-          *****************************************************
-          ********        YOU HAVE BEEN WARNED         ********
-          *****************************************************
-        WARNING
-      end
-
-      def capture_heap_dump
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        clean  = control[:clean]
-        logger.info('HEAP DUMP MAIN LOOP')
-        ObjectSpace.trace_object_allocations_start
-        count.times do |i|
-          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
-          snapshot_heap(dir, clean)
-          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
-          sleep(window)
-        end
-      ensure
-        ObjectSpace.trace_object_allocations_stop
-        logger.info('*****************************************************')
-        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-        logger.info('*****************************************************')
-        exit # rubocop:disable Rails/Exit We weren't kidding!
-      end
-
       def snapshot_heap dir, clean
         output = "#{ Time.now.to_f }-heap.dump"
         output = File.join(dir, output)

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -34,11 +34,28 @@ module Contrast
           finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
           finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
           Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+          if Contrast::Agent::Reporter.enabled?
+            cs__report_new_finding hash, rule_id, user_provided_options, call_location
+          end
         end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)
       end
 
+      def cs__report_new_finding hash_code, rule_id, user_provided_options, call_location
+        new_preflight = Contrast::Agent::Reporting::Preflight.new
+        new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+        new_preflight_message.hash_code = hash_code
+        new_preflight_message.data = "#{ rule_id },#{ hash_code }"
+        new_preflight.messages << new_preflight_message
+
+        ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+        ruby_finding.hash_code = hash_code
+        set_new_finding_properties(ruby_finding, user_provided_options, call_location)
+        Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
+        Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
+      end
+
       private
 
       # Set the properties needed to report and subsequently render this finding on the finding given.
@@ -76,6 +93,18 @@ module Contrast
         end
         call_location&.label&.dup
       end
+
+      def set_new_finding_properties finding, user_provided_options, call_location
+        path = call_location.path
+        # just get the file name, not the full path
+        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+        session_id = user_provided_options[:key].to_s if user_provided_options
+        finding.properties[CS__SESSION_ID] = session_id
+        finding.properties[CS__PATH] = path
+        file_path = call_location.absolute_path
+        snippet = file_snippet(file_path, call_location)
+        finding.properties[CS__SNIPPET] = snippet
+      end
     end
   end
 end