contrast-agent 4.14.1 → 5.0.0

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -0,0 +1,89 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # Application level settings for the Protect featureset
+        class Protect
+          # block at perimeter needs to be check against the blockAtEntry boolean value
+          PROTECT_RULES_MODE = %w[OFF BLOCKING MONITORING].cs__freeze
+          # The settings for each protect rule for this application
+          #
+          # @return protection_rules [Array<protectRule>] protectRule: {
+          #   blockAtEntry [Boolean] If in block mode, to block at perimeter or not.
+          #   id           [String] The id of a rule in Contrast.
+          #   mode         [String] The mode that this rule should run in. [OFF, MONITORING, BLOCKING] }
+          def protection_rules
+            @_protection_rules ||= []
+          end
+
+          # Set the protection_rules array
+          #
+          # @param protection_rules [Array<protectRule>] protectRule: {
+          #   blockAtEntry [Boolean] If in block mode, to block at perimeter or not.
+          #   id           [String] The id of a rule in Contrast.
+          #   mode         [String] The mode that this rule should run in. [OFF, MONITORING, BLOCKING] }
+          # @return protection_rules [Array<protectRule>] protectRule: {
+          #   blockAtEntry [Boolean] If in block mode, to block at perimeter or not.
+          #   id           [String] The id of a rule in Contrast.
+          #   mode         [String] The mode that this rule should run in. [OFF, MONITORING, BLOCKING] }
+          def protection_rules= protection_rules
+            @_protection_rules = protection_rules if protection_rules.is_a? Array
+          end
+
+          # The virtual patches to apply for this application
+          #
+          # @return virtual_patches [Array<VirtualPatch>] Array of VirtualPatch: {
+          #   name       [String] The name of the Virtual Patch
+          #   headers    [Array] The headers that must be present in the request to result in the request being blocked
+          #   parameters [Array] The parameters that must be present in the request
+          #                       to result in the request being blocked.
+          #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
+          #   uuids      [String] The UUID of the Virtual Patch }
+          def virtual_patches
+            @_virtual_patches ||= []
+          end
+
+          # Set the virtual patches array
+          #
+          # @param virtual_patches [Array<VirtualPatch>] Array of VirtualPatch: {
+          #   name       [String] The name of the Virtual Patch
+          #   headers    [Array] The headers that must be present in the request to result in the request being blocked
+          #   parameters [Array] The parameters that must be present in the request
+          #                       to result in the request being blocked.
+          #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
+          #   uuids      [String] The UUID of the Virtual Patch }
+          # @return virtual_patches [Array<VirtualPatch>] Array of VirtualPatch: {
+          #   name       [String] The name of the Virtual Patch
+          #   headers    [Array] The headers that must be present in the request to result in the request being blocked
+          #   parameters [Array] The parameters that must be present in the request
+          #                       to result in the request being blocked.
+          #   urls       [Array] The urls that must be present in the request to result in the request being blocked.
+          #   uuids      [String] The UUID of the Virtual Patch }
+          def virtual_patches= virtual_patches
+            @_virtual_patches = virtual_patches if virtual_patches.is_a? Array
+          end
+
+          # Converts settings into Agent Settings understandable hash {RULE_ID => MODE}
+          #
+          # @return rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+          def protection_rules_to_settings_hash
+            return if protection_rules.empty?
+
+            modes_by_id = {}
+            protection_rules.each do |rule|
+              PROTECT_RULES_MODE.include? rule[:mode]
+              modes_by_id[rule[:id]] = rule[:mode]
+            end
+            modes_by_id
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/protect_server_feature.rb

@@ -0,0 +1,243 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # Application level settings for the Protect featureset.
+        # Used for the FeatureSet TS response
+        class ProtectServerFeature
+          # Indicate if the protect feature set is enabled for this server or not.
+          #
+          # @return enabled [Boolean]
+          def enabled?
+            @_enabled
+          end
+
+          # Set the enabled
+          #
+          # @param enabled [Boolean]
+          # @return enabled [Boolean]
+          def enabled= enabled
+            @_enabled = enabled if !!enabled == enabled
+          end
+
+          # Indicate if the bot protection feature set is enabled for this server or not.
+          #
+          # @return bot_blocker [Boolean]
+          def bot_blocker
+            @_bot_blocker
+          end
+
+          # set bot_blocker
+          #
+          # @param bot_blocker [Boolean]
+          # @return bot_blocker [Boolean]
+          def bot_blocker= bot_blocker
+            @_bot_blocker = bot_blocker if !!bot_blocker == bot_blocker
+          end
+
+          # The IP addresses for which to disable protection.
+          #
+          # @return ip_allowlist [Array<IpFilter>]
+          #   expires [Integer] The time after which the filter is no longer valid.
+          #   ip      [String] The IP or range of IPs to which this message pertains.
+          #   name    [String] The user defined name of the filter.
+          #   uuid    [String] The identifier of the filter as defined by TeamServer.
+          def ip_allowlist
+            @_ip_allowlist ||= []
+          end
+
+          # set ip_allowlist
+          #
+          # @param allowlist [array<IpFilter>] of IpFilter: {
+          #   expires [Integer] The time after which the filter is no longer valid.
+          #   ip      [String] The IP or range of IPs to which this message pertains.
+          #   name    [String] The user defined name of the filter.
+          #   uuid    [String] The identifier of the filter as defined by TeamServer.
+          # }
+          # @return ip_allowlist [Array<IpFilter>]
+          #   expires [Integer] The time after which the filter is no longer valid.
+          #   ip      [String] The IP or range of IPs to which this message pertains.
+          #   name    [String] The user defined name of the filter.
+          #   uuid    [String] The identifier of the filter as defined by TeamServer.
+          def ip_allowlist= allowlist
+            @_ip_allowlist = allowlist if allowlist.is_a? Array
+          end
+
+          # The IP addresses for which to disable protection.
+          #
+          # @return ip_denylist [Array<IpFilter>]
+          #                     expires [Integer] The time after which the filter is no longer valid.
+          #                     ip      [String] The IP or range of IPs to which this message pertains.
+          #                     name    [String] The user defined name of the filter.
+          #                     uuid    [String] The identifier of the filter as defined by TeamServer.
+          def ip_denylist
+            @_ip_denylist ||= []
+          end
+
+          # set ip_denylist
+          #
+          # @param denylist [array] of IpFilter: {
+          #   expires [Integer] The time after which the filter is no longer valid.
+          #   ip      [String] The IP or range of IPs to which this message pertains.
+          #   name    [String] The user defined name of the filter.
+          #   uuid    [String] The identifier of the filter as defined by TeamServer.
+          # }
+          # @return ip_denylist [Array<IpFilter>]
+          #                     expires [Integer] The time after which the filter is no longer valid.
+          #                     ip      [String] The IP or range of IPs to which this message pertains.
+          #                     name    [String] The user defined name of the filter.
+          #                     uuid    [String] The identifier of the filter as defined by TeamServer.
+          def ip_denylist= denylist
+            @_ip_denylist = denylist if denylist.is_a? Array
+          end
+
+          # All of the apis to add new logging calls to the application at runtime.
+          #
+          # @return log_enchancers [Array<LogEnchancers>]
+          #    api     [String]  The method signature to instrument, as understood by the agent.
+          #    format  [String]  The format of the message to log.
+          #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
+          #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
+          #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
+          #    name    [String] The user defined name of the enhancer.
+          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
+          #                     [ AUDIT, ERROR, SECURITY ]
+          def log_enchancers
+            @_log_enchancers ||= []
+          end
+
+          # All of the apis to add new logging calls to the application at runtime.
+          #
+          # @param log_enchancers [Array<LogEnchancers>] of LogEnchancers: {
+          #    api     [String]  The method signature to instrument, as understood by the agent.
+          #    format  [String]  The format of the message to log.
+          #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
+          #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
+          #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
+          #    name    [String] The user defined name of the enhancer.
+          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
+          #                     [ AUDIT, ERROR, SECURITY ]
+          # }
+          # @return log_enchancers [Array<LogEnchancers>]
+          #    api     [String]  The method signature to instrument, as understood by the agent.
+          #    format  [String]  The format of the message to log.
+          #    id      [Integer] The identifier of the enhancer as defined by TeamServer.
+          #    level   [String] The level at which to log this message. Trace as 0 and Error as 4.
+          #                     [ TRACE, DEBUG, INFO, WARN, ERROR ]
+          #    name    [String] The user defined name of the enhancer.
+          #    type    [String] The type of log message to tenerate. Audit as 0, Security as 2.
+          #                     [ AUDIT, ERROR, SECURITY ]
+          def log_enchancers= log_enchancers
+            @_log_enchancers = log_enchancers if log_enchancers.is_a? Array
+          end
+
+          # The keywords and patterns required for the input analysis of each rule with that capability.
+          #
+          # @return rule_defenition_list [Array<RuleDefinition>]
+          #   keywords [Array] The words to search for in input that indicate an attack.{
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                     score         [Integer] The impact of matching this entry; higher meaning more
+          #                                             likely to be an attack
+          #                     value         [String] }
+          #   name   [String] 	AssessRuleID
+          #   patterns [Array] A word or pattern whose presence in an input represents an attack {
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                    score          [Integer] The impact of matching this entry; higher meaning more
+          #                                            likely to be an attack
+          #                    value          [String] }
+          # }
+          def rule_definition_list
+            @_rule_definition_list ||= []
+          end
+
+          # The keywords and patterns required for the input analysis of each rule with that capability.
+          #
+          # @param list [Array<RuleDefinition>] Array of RuleDefinition: {
+          #   keywords [Array] The words to search for in input that indicate an attack.{
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                     score         [Integer] The impact of matching this entry; higher meaning more
+          #                                             likely to be an attack
+          #                     value         [String] }
+          #   name   [String] 	AssessRuleID
+          #   patterns [Array] A word or pattern whose presence in an input represents an attack {
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                    score          [Integer] The impact of matching this entry; higher meaning more
+          #                                            likely to be an attack
+          #                    value          [String] }
+          # }
+          # @return rule_defenition_list [Array<RuleDefinition>]  Array of RuleDefinition: {
+          #   keywords [Array] The words to search for in input that indicate an attack.{
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                     score         [Integer] The impact of matching this entry; higher meaning more
+          #                                             likely to be an attack
+          #                     value         [String] }
+          #   name   [String] 	AssessRuleID
+          #   patterns [Array] A word or pattern whose presence in an input represents an attack {
+          #                     caseSensitive [Boolean]
+          #                     id            [String]
+          #                    score          [Integer] The impact of matching this entry; higher meaning more
+          #                                            likely to be an attack
+          #                    value          [String] }
+          # }
+          def rule_definition_list= list
+            @_rule_definition_list = list.is_a? Array
+          end
+
+          # Controls for the syslogging feature in the agent.
+          #
+          # @return syslog [Hash<logsSettings>]
+          #   syslogConnectionType    [String]
+          #   syslogEnabled           [Integer]
+          #   syslogFacilityCode      [Integer]
+          #   syslogIpAddress         [String]
+          #   syslogPortNumber        [Integer]
+          #   syslogProtocol          [String]
+          #   syslogSeverityExploited [String]
+          #   syslogSeverityProbed    [String]
+          #   syslogSeveritySuspicous [String]
+          def syslog
+            @_syslog ||= {}
+          end
+
+          # Controls for the syslogging feature in the agent.
+          #
+          # @param log [Hash<logsSettings>] {
+          #   syslogConnectionType    [String]
+          #   syslogEnabled           [Integer]
+          #   syslogFacilityCode      [Integer]
+          #   syslogIpAddress         [String]
+          #   syslogPortNumber        [Integer]
+          #   syslogProtocol          [String]
+          #   syslogSeverityExploited [String]
+          #   syslogSeverityProbed    [String]
+          #   syslogSeveritySuspicous [String]
+          # }
+          # @return syslog [Hash<logsSettings>]
+          #   syslogConnectionType    [String]
+          #   syslogEnabled           [Integer]
+          #   syslogFacilityCode      [Integer]
+          #   syslogIpAddress         [String]
+          #   syslogPortNumber        [Integer]
+          #   syslogProtocol          [String]
+          #   syslogSeverityExploited [String]
+          #   syslogSeverityProbed    [String]
+          #   syslogSeveritySuspicous [String]
+          def syslog= log
+            @_syslog = log if log.is_a? Hash
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/reaction.rb

@@ -0,0 +1,30 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Reporting
+      module Settings
+        # Reaction the agent should take based on a state in TS.
+        class Reaction
+          attr_accessor :level, :operation, :message
+
+          # used to check the parameters and also before reactions settings update
+          LEVELS = %w[ERROR WARN INFO DEBUG TRACE].cs__freeze
+          OPERATIONS = %w[NOOP DISABLE].cs__freeze
+
+          # Reaction the agent should take based on a state in TS.
+          #
+          # @param level [String] The level at which the agent should log this reaction[ERROR, WARN, INFO, DEBUG, TRACE]
+          # @param message [String] A message to log when receiving this reaction.
+          # @param operation [String] What to do in response to this reaction.[NOOP, DISABLE]
+          def initialize level, operation, message
+            @level = level if LEVELS.include? level
+            @operation = operation if OPERATIONS.include? operation
+            @message = message if message.is_a? String
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -0,0 +1,78 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/assess_server_feature'
+require 'contrast/agent/reporting/settings/protect_server_feature'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # All of the settings from TeamServer that apply at the server level.
+        # At least one, but not necessarily all, setting will differ from the agent's current set.
+        # agents are able to replace all server settings with those in this message.
+        class ServerFeatures
+          # The level at which the agent should log. Overridden by agent.logger.level
+          # if set in a local configuration
+          #
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level
+            @_log_level ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # set the log level
+          #
+          # @param log_level [String]
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level= log_level
+            @_log_level = log_level if log_level.is_a? String
+          end
+
+          # Where to log the agent's log file, if set by the user. Overridden by agent.logger.path
+          # if set in a local configuration.
+          #
+          # @return log_file [String] path
+          def log_file
+            @_log_file ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+
+          # Set the log file
+          #
+          # @param log_file [String] path
+          # @return log_file [String] path
+          def log_file= log_file
+            @_log_file = log_file if log_file.is_a? String
+          end
+
+          # Controls for the reporting of telemetry events from the agent to TeamServer.
+          # This is NOT for the agent telemetry feature collecting metrics sent to other services.
+          #
+          # @return telemetry [Boolean]
+          def telemetry
+            @_telemetry
+          end
+
+          # sets the telemetry value
+          #
+          # @param telemetry [Boolean]
+          # @return telemetry [Boolean]
+          def telemetry= telemetry
+            @_telemetry = telemetry if !!telemetry == telemetry
+          end
+
+          # @return assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
+          def assess
+            @_assess ||= Contrast::Agent::Reporting::Settings::AssessServerFeature.new
+          end
+
+          # @return protect [Contrast::Agent::Reporting::Settings::ProtectServerFeature]
+          def protect
+            @_protect ||= Contrast::Agent::Reporting::Settings::ProtectServerFeature.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'resolv'
@@ -17,6 +17,12 @@ module Contrast
     # provides access to the original Rack::Request object as well as extracts
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
+    #
+    # @attr_reader rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
+    # @attr_accessor route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+    # @attr_accessor observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage of this request
+    # @attr_accessor new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of
+    # this request
     class Request
       include Contrast::Utils::RequestUtils
       include Contrast::Components::Logger::InstanceMethods
@@ -30,16 +36,31 @@ module Contrast
       LAST_NUMBER_MARKER = '/{n}'
 
       attr_reader :rack_request
-      attr_accessor :route, :observed_route
+      attr_accessor :route, :observed_route, :new_observed_route
 
       # Delegate calls to the following methods to the attribute @rack_request
       def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string,
                      :request_method, :scheme, :url, :user_agent
 
+      # Initialize new Contrast Request
+      #
+      # @param rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
       def initialize rack_request
         @rack_request = rack_request
       end
 
+      # The HTTP version of this request
+      # @return [String]
+      def version
+        env = rack_request.env
+        return '1.1' unless env
+
+        version = env['HTTP_VERSION']
+        return '1.1' unless version
+
+        version.split('/')[-1]
+      end
+
       # Returns a normalized form of the URI. In "normal" URIs
       # this will return an unchanged String, but in REST-y
       # URIs this will normalize the digit path tokens, e.g.:
@@ -49,9 +70,11 @@ module Contrast
       # /accounts/{n}/view
       #
       # Should also handle the ;jsessionid.
+      #
+      # @return uri [String]
       def normalized_uri
         @_normalized_uri ||= begin
-          path = rack_request.path
+          path = rack_request.path_info
           uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
           uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
           uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
@@ -59,6 +82,9 @@ module Contrast
         end
       end
 
+      # Returns the request file type
+      #
+      # @return type [Symbol<:XML, :JSON, :NORMAL>]
       def document_type
         @_document_type ||= if /xml/i.match?(content_type) || body&.start_with?('<?xml')
                               :XML
@@ -70,6 +96,8 @@ module Contrast
       end
 
       # Header keys upcased and any underscores replaced with dashes
+      #
+      # @return headers [Hash]
       def headers
         @_headers ||= with_contrast_scope do
           hash = {}
@@ -85,6 +113,10 @@ module Contrast
         end
       end
 
+      # Try and read the body and return memorized object of the body.
+      # If body contains file, do not parse it, otherwiseBody might be nil
+      #
+      # @return @_body [String, nil] The body of the Rack::Request
       def body
         # Memoize a flag indicating whether we've tried to read the body or not
         # (can't use body because it might be nil)
@@ -121,10 +153,16 @@ module Contrast
         @_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
       end
 
+      # flattened hash of request params
+      #
+      # @return parameters [Hash]
       def parameters
         @_parameters ||= with_contrast_scope { normalize_params(rack_request.params) }
       end
 
+      # returns multipart filenames
+      #
+      # @return file_names [Hash]
       def file_names
         @_file_names ||= begin
           names = {}
@@ -136,6 +174,9 @@ module Contrast
         end
       end
 
+      # returns or fenerates the hash checksum for the request
+      #
+      # @return @_hash_id [String] Contrast::Utils::HashDigest generated string checksum
       def hash_id
         @_hash_id ||= Contrast::Utils::HashDigest.generate_request_hash(self)
       end

data/lib/contrast/agent/request_context.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/utils/timer'
@@ -9,6 +9,7 @@ require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/request_utils'
 require 'contrast/agent/request_context_extend'
+require 'contrast/agent/reporting/reporting_events/observed_route'
 
 module Contrast
   module Agent
@@ -26,6 +27,8 @@ module Contrast
     # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
+    # @attr_reader new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this
+    # request
     class RequestContext
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
@@ -34,8 +37,8 @@ module Contrast
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
-      attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis,
-                  :server_activity, :timer
+      attr_reader :activity, :logging_hash, :observed_route, :new_observed_route, :request, :response, :route,
+                  :speedracer_input_analysis, :server_activity, :timer
 
       def initialize rack_request, app_loaded = true
         with_contrast_scope do
@@ -51,8 +54,6 @@ module Contrast
 
           @server_activity = Contrast::Api::Dtm::ServerActivity.new
 
-          @observed_route = Contrast::Api::Dtm::ObservedRoute.new
-
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
@@ -68,7 +69,7 @@ module Contrast
             @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
-          append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
+          handle_routes
         end
       end
 
@@ -115,7 +116,19 @@ module Contrast
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
         @server_activity = Contrast::Api::Dtm::ServerActivity.new
-        @observed_route = Contrast::Api::Dtm::ObservedRoute.new
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+      end
+
+      private
+
+      def handle_routes
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        route_dtm = Contrast::Agent.framework_manager.get_route_dtm(@request)
+        new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
+        append_route_coverage(route_dtm)
+        append_to_new_observed_route(new_route_coverage_dtm)
       end
     end
   end