RubyGems - contrast-agent - Versions diffs - 4.2.0 → 4.4.1 - Mend

contrast-agent 4.2.0 → 4.4.1

Files changed (140) hide show

checksums.yaml +4 -4
data/Rakefile +1 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +22 -10
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +4 -3
data/lib/contrast/agent.rb +5 -1
data/lib/contrast/agent/assess.rb +0 -9
data/lib/contrast/agent/assess/contrast_event.rb +49 -132
data/lib/contrast/agent/assess/contrast_object.rb +54 -0
data/lib/contrast/agent/assess/events/source_event.rb +4 -9
data/lib/contrast/agent/assess/finalizers/hash.rb +7 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +17 -3
data/lib/contrast/agent/assess/policy/patcher.rb +4 -3
data/lib/contrast/agent/assess/policy/policy_node.rb +31 -59
data/lib/contrast/agent/assess/policy/preshift.rb +3 -3
data/lib/contrast/agent/assess/policy/propagation_method.rb +41 -32
data/lib/contrast/agent/assess/policy/propagation_node.rb +12 -24
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -15
data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +21 -18
data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/remove.rb +2 -4
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -2
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -4
data/lib/contrast/agent/assess/policy/propagator/splat.rb +25 -17
data/lib/contrast/agent/assess/policy/propagator/split.rb +83 -120
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +41 -25
data/lib/contrast/agent/assess/policy/propagator/trim.rb +3 -7
data/lib/contrast/agent/assess/policy/source_method.rb +2 -14
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +5 -8
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +1 -1
data/lib/contrast/agent/assess/policy/trigger_method.rb +13 -8
data/lib/contrast/agent/assess/policy/trigger_node.rb +28 -7
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +59 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +6 -4
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -4
data/lib/contrast/agent/assess/properties.rb +0 -2
data/lib/contrast/agent/assess/property/tagged.rb +56 -32
data/lib/contrast/agent/assess/tracker.rb +16 -18
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +7 -0
data/lib/contrast/agent/middleware.rb +134 -55
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +4 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +1 -1
data/lib/contrast/agent/patching/policy/patch.rb +4 -4
data/lib/contrast/agent/patching/policy/patch_status.rb +1 -1
data/lib/contrast/agent/patching/policy/patcher.rb +51 -44
data/lib/contrast/agent/patching/policy/trigger_node.rb +5 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +47 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +53 -0
data/lib/contrast/agent/protect/rule/base.rb +63 -14
data/lib/contrast/agent/protect/rule/cmd_injection.rb +3 -3
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -4
data/lib/contrast/agent/protect/rule/deserialization.rb +4 -1
data/lib/contrast/agent/protect/rule/no_sqli.rb +3 -3
data/lib/contrast/agent/protect/rule/sqli.rb +20 -14
data/lib/contrast/agent/protect/rule/xxe.rb +32 -11
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +10 -6
data/lib/contrast/agent/reaction_processor.rb +1 -1
data/lib/contrast/agent/request_context.rb +12 -0
data/lib/contrast/agent/response.rb +5 -5
data/lib/contrast/agent/rewriter.rb +3 -3
data/lib/contrast/agent/scope.rb +33 -13
data/lib/contrast/agent/static_analysis.rb +13 -7
data/lib/contrast/agent/thread.rb +1 -1
data/lib/contrast/agent/thread_watcher.rb +20 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +18 -21
data/lib/contrast/api/communication/response_processor.rb +8 -1
data/lib/contrast/api/communication/socket_client.rb +22 -14
data/lib/contrast/api/decorators.rb +2 -0
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_startup.rb +51 -0
data/lib/contrast/api/decorators/library.rb +1 -0
data/lib/contrast/api/decorators/library_usage_update.rb +1 -0
data/lib/contrast/api/decorators/route_coverage.rb +15 -5
data/lib/contrast/api/decorators/trace_event.rb +58 -42
data/lib/contrast/api/decorators/trace_event_object.rb +11 -3
data/lib/contrast/api/decorators/trace_event_signature.rb +27 -5
data/lib/contrast/api/decorators/user_input.rb +2 -1
data/lib/contrast/common_agent_configuration.rb +1 -1
data/lib/contrast/components/agent.rb +2 -0
data/lib/contrast/components/app_context.rb +4 -22
data/lib/contrast/components/assess.rb +36 -0
data/lib/contrast/components/interface.rb +5 -3
data/lib/contrast/components/sampling.rb +48 -6
data/lib/contrast/components/scope.rb +23 -0
data/lib/contrast/components/settings.rb +8 -7
data/lib/contrast/config/assess_configuration.rb +2 -1
data/lib/contrast/extension/assess/array.rb +1 -2
data/lib/contrast/extension/assess/erb.rb +1 -3
data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
data/lib/contrast/extension/assess/fiber.rb +2 -3
data/lib/contrast/extension/assess/hash.rb +4 -2
data/lib/contrast/extension/assess/kernel.rb +1 -2
data/lib/contrast/extension/assess/marshal.rb +34 -26
data/lib/contrast/extension/assess/regexp.rb +3 -8
data/lib/contrast/extension/assess/string.rb +1 -2
data/lib/contrast/framework/base_support.rb +51 -53
data/lib/contrast/framework/manager.rb +16 -14
data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
data/lib/contrast/framework/rack/support.rb +2 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +1 -1
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +1 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +1 -1
data/lib/contrast/framework/rails/support.rb +44 -44
data/lib/contrast/framework/sinatra/support.rb +102 -42
data/lib/contrast/logger/application.rb +0 -3
data/lib/contrast/logger/log.rb +31 -15
data/lib/contrast/utils/class_util.rb +3 -1
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/heap_dump_util.rb +103 -87
data/lib/contrast/utils/invalid_configuration_util.rb +21 -12
data/lib/contrast/utils/object_share.rb +3 -3
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/sha256_builder.rb +2 -2
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +9 -13
data/resources/assess/policy.json +12 -18
data/resources/deadzone/policy.json +150 -0
data/resources/protect/policy.json +12 -0
data/ruby-agent.gemspec +60 -19
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +124 -112
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -23,10 +23,10 @@ module Contrast
           end
           def infilter context, classname, method, command
-            return nil unless infilter?(context)
+            return unless infilter?(context)
             ia_results = gather_ia_results(context)
-            return nil if ia_results.empty?
+            return if ia_results.empty?
             if APP_CONTEXT.in_new_process?
               logger.trace('Running cmd-injection infilter within new process - creating new context')
@@ -36,7 +36,7 @@ module Contrast
             result = find_attacker_with_results(context, command, ia_results, **{ classname: classname, method: method })
             result ||= report_command_execution(context, command, **{ classname: classname, method: method })
-            return nil unless result
+            return unless result
             append_to_activity(context, result)
             return unless blocked?

data/lib/contrast/agent/protect/rule/default_scanner.rb CHANGED Viewed

@@ -123,10 +123,7 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     elsif start_block_comment?(char, index, query)
       boundaries << index
       :STATE_INSIDE_BLOCK_COMMENT
-    elsif operator?(char)
-      boundaries << index
-      :STATE_EXPECTING_TOKEN
-    elsif char.match?(Contrast::Utils::ObjectShare::WHITE_SPACE_REGEXP)
+    elsif operator?(char) || char.match?(Contrast::Utils::ObjectShare::WHITE_SPACE_REGEXP)
       boundaries << index
       :STATE_EXPECTING_TOKEN
     else

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -17,19 +17,22 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %w[
+          ERB_GADGETS = %W[
             object:ERB
+            o:\bERB
           ].cs__freeze
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
             object:ActionDispatch::Routing::RouteSet::NamedRouteCollection
+            o:\bActionDispatch::Routing::RouteSet::NamedRouteCollection
           ].cs__freeze
           # Gadgets that map to Arel Modules
           AREL_GADGETS = %w[
             string:Arel::Nodes::SqlLiteral
             object:Arel::Nodes
+            o:\bArel::Nodes
           ].cs__freeze
           # Used to indicate to TeamServer the gadget is an ERB module

data/lib/contrast/agent/protect/rule/no_sqli.rb CHANGED Viewed

@@ -21,10 +21,10 @@ module Contrast
           end
           def infilter context, database, query_string
-            return nil unless infilter?(context)
+            return unless infilter?(context)
             result = find_attacker(context, query_string, database: database)
-            return nil unless result
+            return unless result
             append_to_activity(context, result)
@@ -36,7 +36,7 @@ module Contrast
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return nil unless query_string.match?(regexp)
+            return unless query_string.match?(regexp)
             scanner = select_scanner
             ss = StringScanner.new(query_string)

data/lib/contrast/agent/protect/rule/sqli.rb CHANGED Viewed

@@ -22,10 +22,10 @@ module Contrast
           end
           def infilter context, database, query_string
-            return nil unless infilter?(context)
+            return unless infilter?(context)
             result = find_attacker(context, query_string, database: database)
-            return nil unless result
+            return unless result
             append_to_activity(context, result)
@@ -36,7 +36,7 @@ module Contrast
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return nil unless query_string.match?(regexp)
+            return unless query_string.match?(regexp)
             database = kwargs[:database]
             scanner = select_scanner(database)
@@ -50,16 +50,9 @@ module Contrast
               last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
               next unless last_boundary && boundary
-              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
               result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+              record_match(idx, length, boundary, last_boundary, kwargs)
+              append_match(context, input_analysis_result, result, query_string, kwargs)
             end
             result
@@ -75,13 +68,26 @@ module Contrast
             sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
             sample.sqli.start_idx = sample.sqli.query.index(input).to_i
             sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary].to_i
-            sample.sqli.input_boundary_idx = kwargs[:last_boundary].to_i
+            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
             sample
           end
           private
+          def record_match idx, length, boundary, last_boundary, kwargs
+            kwargs[:start_idx] = idx
+            kwargs[:end_idx] = idx + length
+            kwargs[:boundary_overrun_idx] = boundary
+            kwargs[:input_boundary_idx] = last_boundary
+          end
+          def append_match context, input_analysis_result, result, query_string, **kwargs
+            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+            update_successful_attack_response(context, input_analysis_result, result, query_string)
+            append_sample(context, input_analysis_result, result, query_string, **kwargs)
+          end
           def select_scanner database
             @sql_scanners ||= {
                 Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>

data/lib/contrast/agent/protect/rule/xxe.rb CHANGED Viewed

@@ -19,7 +19,9 @@ module Contrast
             NAME
           end
-          # Given an xml, evaluate it for an XXE attack.
+          # Given an xml, evaluate it for an XXE attack. There's no return here
+          # as this method handles appending the evaluation to the request
+          # context, connecting it to the reporting mechanism at request end.
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
@@ -29,7 +31,7 @@ module Contrast
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
             result = find_attacker(context, xml, framework: framework)
-            return nil unless result
+            return unless result
             append_to_activity(context, result)
             return unless blocked?
@@ -39,16 +41,23 @@ module Contrast
           protected
+          # Given an XML, find any externally resolved entities and create an
+          # Attack Result for them
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param xml [String] the literal value of the XML being checked for
+          #   external entity resolution
+          # @param _kwargs [Hash]
+          # @return [Contrast::Api::Dtm::AttackResult, nil] the determination
+          #   as to whether or not this XML has an XXE attack in it.
           def find_attacker context, xml, **_kwargs
-            return nil unless xml
-            return nil if protect_excluded_by_code?
+            return unless xml
+            return if protect_excluded_by_code?
-            xxe_details, last_idx = build_details(xml)
-            return nil unless xxe_details
+            xxe_details = build_details(xml)
+            return unless xxe_details
-            # For our definition, the prolog goes from the start of the XML
-            # string to the end of the last entity declaration.
-            xxe_details.xml = Contrast::Utils::StringUtils.protobuf_safe_string(xml[0, last_idx])
             ia_result = build_evaluation(xxe_details.xml)
             build_attack_with_match(
                 context,
@@ -58,7 +67,15 @@ module Contrast
                 details: xxe_details)
           end
-          def build_details xml, _evaluation = nil
+          # Given an XML determined to be unsafe, build out the details of the
+          # attack. The details will include a substring of the given XML up to
+          # the end of the prolog, where the external entities are declared.
+          #
+          # @param xml [String] the literal value of the XML being checked for
+          #   external entity resolution
+          # @return [Contrast::Api::Dtm::XxeDetails] The details of
+          #   the XXE attack and the index of the last entity discovered
+          def build_details xml
             last_idx = 0
             ss = StringScanner.new(xml)
             while ss.scan_until(EXTERNAL_ENTITY_PATTERN)
@@ -70,7 +87,11 @@ module Contrast
               xxe_details.declared_entities << build_match(ss)
               xxe_details.entities_resolved << build_wrapper(entity_wrapper)
             end
-            [xxe_details, last_idx]
+            # For our definition, the prolog goes from the start of the XML
+            # string to the end of the last entity declaration.
+            xxe_details.xml = Contrast::Utils::StringUtils.protobuf_safe_string(xml[0, last_idx]) if xxe_details
+            xxe_details
           end
           def build_sample context, ia_result, _url, **kwargs

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb CHANGED Viewed

@@ -18,12 +18,16 @@ module Contrast
             end
             def external_entity?
-              @_external_entity ||= begin
-                return external_id?(@system_id) if @system_id
-                return external_id?(@public_id) if @public_id
-                false
+              if @_external_entity.nil?
+                @_external_entity ||= if @system_id
+                                        external_id?(@system_id)
+                                      elsif @public_id
+                                        external_id?(@public_id)
+                                      else
+                                        false
+                                      end
               end
+              @_external_entity
             end
             # <!ENTITY name SYSTEM "URI">
@@ -48,7 +52,7 @@ module Contrast
             UP_DIR_LINUX = '../'
             UP_DIR_WIN =   '..\\'
             # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/.cs__freeze
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id

data/lib/contrast/agent/reaction_processor.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Contrast
       # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
       #   those settings which the Service has relayed from TeamServer.
       def self.process application_settings
-        return nil unless application_settings&.reactions&.any?
+        return unless application_settings&.reactions&.any?
         application_settings.reactions.each do |reaction|
           # the enums are all uppercase, we need to downcase them before attempting to log

data/lib/contrast/agent/request_context.rb CHANGED Viewed

@@ -12,6 +12,18 @@ module Contrast
     # This class acts to encapsulate information about the currently executed
     # request, making it available to the Agent for the duration of the request
     # in a standardized and normalized format which the Agent understands.
+    #
+    # @attr_reader timer [Contrast::Utils::Timer] when the context was created
+    # @attr_reader logging_hash [Hash] context used to log the request
+    # @attr_reader speedracer_input_analysis [Contrast::Api::Settings::InputAnalysis] the protect input analysis of
+    #   sources on this request
+    # @attr_reader request [Contrast::Agent::Request] our wrapper around the Rack::Request for this context
+    # @attr_reader response [Contrast::Agent::Response] our wrapper aroudn the Rack::Response or Array for this context,
+    #   only available after the application has finished its processing
+    # @attr_reader activity [Contrast::Api::Dtm::Activity] the application activity found in this request
+    # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
+    # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+    # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
     class RequestContext
       include Contrast::Components::Interface
       access_component :agent, :analysis, :logging, :scope

data/lib/contrast/agent/response.rb CHANGED Viewed

@@ -118,16 +118,16 @@ module Contrast
       #   holds, wraps, or is the body of the Response
       # @return [nil, String] the content of the body
       def extract_body body
-        return nil unless body
+        return unless body
         if defined?(Rack::File) && body.is_a?(Rack::File)
           # not sure what to do in this situation, so don't do anything.
           nil
         elsif body.is_a?(Rack::BodyProxy)
           handle_rack_body_proxy(body)
-        elsif defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)
-          extract_body(body.body)
-        elsif body.is_a?(Rack::Response)
+        elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
+              body.is_a?(Rack::Response)
           extract_body(body.body)
         elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
           acc = []
@@ -152,7 +152,7 @@ module Contrast
       end
       def read_or_string obj
-        return nil unless obj
+        return unless obj
         if Contrast::Utils::DuckUtils.quacks_to?(obj, :read)
           tmp = obj.read

data/lib/contrast/agent/rewriter.rb CHANGED Viewed

@@ -96,11 +96,11 @@ module Contrast
           return unless method_exists?(clazz, method_name, type)
           method_instance = method_instance(clazz, method_name, type)
-          return nil if method_instance.nil?
+          return if method_instance.nil?
           location = method_instance.source_location
-          return nil unless location_available?(location)
-          return nil if opener.written_from_location?(location)
+          return unless location_available?(location)
+          return if opener.written_from_location?(location)
           opener.written_from_location!(location)
           opener.source_code(location, method_name)

data/lib/contrast/agent/scope.rb CHANGED Viewed

@@ -15,29 +15,40 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      SCOPE_LIST = %i[contrast deserialization].cs__freeze
+      SCOPE_LIST = %i[contrast deserialization split].cs__freeze
       def initialize
-        instance_variable_set(:@contrast_scope, 0)
-        instance_variable_set(:@deserialization_scope, 0)
+        @contrast_scope = 0
+        @deserialization_scope = 0
+        @split_scope = 0
       end
       def in_contrast_scope?
-        instance_variable_get(:@contrast_scope).positive?
+        @contrast_scope.positive?
       end
       def in_deserialization_scope?
-        instance_variable_get(:@deserialization_scope).positive?
+        @deserialization_scope.positive?
+      end
+      def in_split_scope?
+        @split_scope.positive?
       end
       def enter_contrast_scope!
-        level = instance_variable_get(:@contrast_scope)
-        instance_variable_set(:@contrast_scope, level + 1)
+        @contrast_scope += 1
       end
       def enter_deserialization_scope!
-        level = instance_variable_get(:@deserialization_scope)
-        instance_variable_set(:@deserialization_scope, level + 1)
+        @deserialization_scope += 1
+      end
+      def enter_split_scope!
+        @split_scope += 1
+      end
+      def split_scope_depth
+        @split_scope
       end
       # Scope Exits...
@@ -61,13 +72,15 @@ module Contrast
       #   exit  =  1
       #   scope =  1
       def exit_contrast_scope!
-        level = instance_variable_get(:@contrast_scope)
-        instance_variable_set(:@contrast_scope, level - 1)
+        @contrast_scope -= 1
       end
       def exit_deserialization_scope!
-        level = instance_variable_get(:@deserialization_scope)
-        instance_variable_set(:@deserialization_scope, level - 1)
+        @deserialization_scope -= 1
+      end
+      def exit_split_scope!
+        @split_scope -= 1
       end
       def with_contrast_scope
@@ -84,6 +97,13 @@ module Contrast
         exit_deserialization_scope!
       end
+      def with_split_scope
+        enter_split_scope!
+        yield
+      ensure
+        exit_split_scope!
+      end
       # Dynamic versions of the above.
       # These are equivalent, but they're slower and riskier.
       # Prefer the static methods if you know what scope you need at the call site.

data/lib/contrast/agent/static_analysis.rb CHANGED Viewed

@@ -17,14 +17,9 @@ module Contrast
         # report the already-loaded gems.
         def catchup
           @_catchup ||= begin
-            with_contrast_scope do
-              Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
-              send_inventory_message
-              true
-            end
+            threaded_analysis!
+            true
           end
-        rescue StandardError => e
-          logger.warn('Unable to run post-initialization static analysis', e)
         end
         def send_inventory_message
@@ -35,6 +30,17 @@ module Contrast
           Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
+        private
+        def threaded_analysis!
+          Contrast::Agent::Thread.new do
+            Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
+            send_inventory_message
+          rescue StandardError => e
+            logger.warn('Unable to run post-initialization static analysis', e)
+          end
+        end
       end
     end
   end