contrast-agent 4.9.0 → 4.12.0

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -9,6 +10,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect NoSQL Injection rule.
         class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::NoSqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
@@ -31,40 +38,6 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
-
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return unless query_string.match?(regexp)
-
-            scanner = select_scanner
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
-              result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -79,25 +52,6 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
-            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
-            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
-            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
-            sample
-          end
-
-          private
-
-          def select_scanner
-            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module SqlSampleBuilder
+          # Generate a sample for the SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module SqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              sqli_sample = build_base_sample(context, input_analysis_result)
+              sqli_sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
+              sqli_sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.sqli.start_idx = kwargs[:start_idx]
+              sqli_sample.sqli.end_idx = kwargs[:end_idx]
+              sqli_sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample
+            end
+          end
+
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module NoSqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              no_sqli_sample = build_base_sample(context, input_analysis_result)
+              no_sqli_sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
+              no_sqli_sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.no_sqli.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.no_sqli.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.no_sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.no_sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample
+            end
+          end
+
+          # This Module is how we apply the attack fo NoSQL and SQL Injection rule.
+          # It includes methods for building attack with match and database scanners
+          module AttackBuilder
+            # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
+            #
+            # @param context [Contrast::Agent::RequestContext] the context for the current request
+            # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+            #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+            # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+            #   in the case of multiple inputs being found to violate the protection criteria
+            # @query_string [string] he value of the input which may be an attack
+            # @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
+            #   to the Service to tell the story of the attack
+            # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
+            def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+              if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                    mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+                return result
+              end
+
+              attack_string = input_analysis_result.value
+              regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+
+              return unless query_string.match?(regexp)
+
+              database = kwargs[:database]
+              scanner = select_scanner(database)
+              ss = StringScanner.new(query_string)
+              length = attack_string.length
+              while ss.scan_until(regexp)
+                # the pos of StringScanner is at the end of the regexp (input string),
+                # we need the beginning
+                idx = ss.pos - attack_string.length
+                last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
+                next unless last_boundary && boundary
+
+                result ||= build_attack_result(context)
+
+                record_match(idx, length, boundary, last_boundary, kwargs)
+                append_match(context, input_analysis_result, result, query_string, **kwargs)
+              end
+
+              result
+            end
+
+            def select_scanner database
+              @scanners ||= {
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
+                  Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
+                  Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
+                  Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesNoSqliRule::DATABASE_NOSQL =>
+                  Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
+              }.cs__freeze
+
+              @default_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
+              @scanners[database.to_s] || @default_scanner
+            end
+
+            def record_match idx, length, boundary, last_boundary, kwargs
+              kwargs[:start_idx] = idx
+              kwargs[:end_idx] = idx + length
+              kwargs[:boundary_overrun_idx] = boundary
+              kwargs[:input_boundary_idx] = last_boundary
+            end
+
+            def append_match context, input_analysis_result, result, query_string, **kwargs
+              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+              update_successful_attack_response(context, input_analysis_result, result, query_string)
+              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -10,6 +11,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
         class Sqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::SqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
@@ -31,76 +38,6 @@ module Contrast
 
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
-
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-
-            return unless query_string.match?(regexp)
-
-            database = kwargs[:database]
-            scanner = select_scanner(database)
-
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              result ||= build_attack_result(context)
-              record_match(idx, length, boundary, last_boundary, kwargs)
-              append_match(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
-          protected
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
-            sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.sqli.start_idx = sample.sqli.query.index(input).to_i
-            sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
-            sample
-          end
-
-          private
-
-          def record_match idx, length, boundary, last_boundary, kwargs
-            kwargs[:start_idx] = idx
-            kwargs[:end_idx] = idx + length
-            kwargs[:boundary_overrun_idx] = boundary
-            kwargs[:input_boundary_idx] = last_boundary
-          end
-
-          def append_match context, input_analysis_result, result, query_string, **kwargs
-            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-            update_successful_attack_response(context, input_analysis_result, result, query_string)
-            append_sample(context, input_analysis_result, result, query_string, **kwargs)
-          end
-
-          def select_scanner database
-            @sql_scanners ||= {
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
-                    Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
-                    Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
-                    Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new
-            }.cs__freeze
-
-            @default_sql_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
-            @sql_scanners[database.to_s] || @default_sql_scanner
-          end
         end
       end
     end

data/lib/contrast/agent/reaction_processor.rb

@@ -9,7 +9,7 @@ module Contrast
     # Because communication between the Agent/Service and TeamServer can only be initiated by outbound connections
     # from the Agent/Service, we must provide a mechanism for the TeamServer to direct the Agent to take a specific
     # action. This action is referred to as a Reaction. This class is how we handle those Reaction messages.
-    class ReactionProcessor
+    module ReactionProcessor
       extend Contrast::Components::Logger::InstanceMethods
 
       # Process the given Reactions from the application settings based on what

data/lib/contrast/agent/request.rb

@@ -92,10 +92,12 @@ module Contrast
                 defined?(Rack::Multipart::UploadedFile) &&
                 body.is_a?(Rack::Multipart::UploadedFile)
 
-            logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+            logger.trace('not parsing uploaded file body',
+                         file_name: body.original_filename,
+                         content_type: body.content_type)
             @_body = nil
           else
-            logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+            logger.trace('parsing body from request', body_type: body.cs__class.cs__name)
             @_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
@@ -183,8 +185,11 @@ module Contrast
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res
         when Enumerable
-          res = val.each_with_index.each_with_object({}) do |(v, i), hash|
-            hash.merge! normalize_params(v, prefix: "#{ prefix }[#{ i }]")
+          idx = 0
+          res = {}
+          while idx < val.length
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
           end
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res

data/lib/contrast/agent/request_context.rb

@@ -4,15 +4,14 @@
 require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
-require 'contrast/utils/inventory_util'
+require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 
 module Contrast
   module Agent
-    # This class acts to encapsulate information about the currently executed
-    # request, making it available to the Agent for the duration of the request
-    # in a standardized and normalized format which the Agent understands.
+    # This class acts to encapsulate information about the currently executed request, making it available to the Agent
+    # for the duration of the request in a standardized and normalized format which the Agent understands.
     #
     # @attr_reader timer [Contrast::Utils::Timer] when the context was created
     # @attr_reader logging_hash [Hash] context used to log the request
@@ -61,14 +60,10 @@ module Contrast
           # generic holder for properties that can be set throughout this request
           @_properties = {}
 
-          @sample = true
-
           if ::Contrast::ASSESS.enabled?
-            @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
+            @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
-          @sample_response &&= ::Contrast::ASSESS.scan_response?
-
           append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
       end
@@ -78,16 +73,38 @@ module Contrast
       end
 
       def analyze_request?
-        @sample_request
+        analyze_request_assess? || analyze_req_res_protect?
       end
 
       def analyze_response?
-        @sample_response
+        analyze_response_assess? || analyze_req_res_protect?
+      end
+
+      def analyze_req_res_protect?
+        ::Contrast::PROTECT.enabled?
       end
 
-      # Convert the discovered route for this request to appropriate forms and
-      # disseminate it to those locations where it is necessary for our route
-      # coverage and finding vulnerability discovery features to function.
+      def analyze_request_assess?
+        return false unless analyze_req_res_assess?
+
+        @sample_req
+      end
+
+      def analyze_response_assess?
+        return false unless analyze_req_res_assess?
+
+        @sample_res &&= ::Contrast::ASSESS.scan_response?
+      end
+
+      def analyze_req_res_assess?
+        ::Contrast::ASSESS.enabled?
+      end
+
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
       def append_route_coverage route
         return unless route
 
@@ -108,8 +125,8 @@ module Contrast
       # Collect the results for the given rule with the given action
       #
       # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a
-      #   value of Contrast::Api::Dtm::AttackResult::ResponseType
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
       # @return [Array<Contrast::Api::Dtm::AttackResult>]
       def results_for rule, response_type = nil
         if response_type.nil?
@@ -130,8 +147,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.trace('Results', input_analysis: ia.inspect)
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -145,10 +164,9 @@ module Contrast
         false
       end
 
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations
-      # when the protect state indicates a security exception should be thrown. This method
-      # ensures that the attack reports are generated. Normally these should be generated on
-      # Speedracer for any attacks detected during prefilter.
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def handle_protect_state agent_settings
@@ -165,12 +183,11 @@ module Contrast
         raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
       end
 
-      # append anything we've learned to the request seen message
-      # this is the sum-total of all inventory information that has
-      # been accumulated since the last request
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
       def extract_after rack_response
         @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_response
+        activity.http_response = @response.dtm if @sample_res
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
       end
@@ -185,14 +202,13 @@ module Contrast
 
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
-        @server_activity = Contrast::Api::Dtm::ServerActivity.new # it doesn't look like this is ever actually used?
+        @server_activity = Contrast::Api::Dtm::ServerActivity.new
         @observed_route = Contrast::Api::Dtm::ObservedRoute.new
       end
 
       private
 
-      # Generate attack results directly from any evaluations on the
-      # agent settings object.
+      # Generate attack results directly from any evaluations on the agent settings object.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def build_attack_results agent_settings
@@ -204,12 +220,14 @@ module Contrast
           rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
+          if logger.debug?
+            logger.debug('Building attack result from Contrast Service input analysis result',
+                         result: ia_result.inspect)
+          end
 
           attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss)
-                            # that used to have an infilter / block
-                            # mode but now are just block at perimeter
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
                             rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
                                                          ia_result.value)
                           else

data/lib/contrast/agent/rule_set.rb

@@ -16,8 +16,7 @@ module Contrast
       # terminate requests on attack detection if set to block at perimeter
       def prefilter
         context = Contrast::Agent::REQUEST_TRACKER.current
-        # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_request? || ::Contrast::PROTECT.enabled?
+        return unless context&.analyze_request?
 
         logger.trace_with_time('Running prefilter...') do
           map { |rule| rule.prefilter(context) }
@@ -33,8 +32,7 @@ module Contrast
       # has been created. The main actions here are analyzing the response for unsafe state or actions.
       def postfilter
         context = Contrast::Agent::REQUEST_TRACKER.current
-        # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_response? || ::Contrast::PROTECT.enabled?
+        return unless context&.analyze_response?
 
         logger.trace_with_time('Running postfilter...') do
           map { |rule| rule.postfilter(context) }

data/lib/contrast/agent/scope.rb

@@ -104,39 +104,51 @@ module Contrast
         exit_split_scope!
       end
 
-      # Dynamic versions of the above.
-      # These are equivalent, but they're slower and riskier.
-      # Prefer the static methods if you know what scope you need at the call site.
+      # Static methods to be used, the cases are defined by the usage from the above methods
+      # if more methods are added - please extend the case statements as they are no longed dynamic
       def in_scope? name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"in_#{ name }_scope?" }
-        send(call)
+        case name
+        when :contrast
+          in_contrast_scope?
+        when :deserialization
+          in_deserialization_scope?
+        when :split
+          in_split_scope?
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def enter_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"enter_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          enter_contrast_scope!
+        when :deserialization
+          enter_deserialization_scope!
+        when :split
+          enter_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def exit_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"exit_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          exit_contrast_scope!
+        when :deserialization
+          exit_deserialization_scope!
+        when :split
+          exit_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       class << self
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end
-
-        def ensure_valid_scope! scope_sym
-          unless valid_scope? scope_sym # rubocop:disable Style/GuardClause
-            with_contrast_scope do
-              raise NoMethodError, "Scope '#{ scope_sym.inspect }' is not registered as a scope."
-            end
-          end
-        end
       end
     end
   end

data/lib/contrast/agent/static_analysis.rb

@@ -28,7 +28,7 @@ module Contrast
 
           app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
 
-          Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
+          Contrast::Agent::Inventory::DatabaseConfig.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
 

data/lib/contrast/agent/tracepoint_hook.rb

@@ -27,18 +27,31 @@ module Contrast
 
         private
 
+        # Use the TracePoint from the :end event, meaning the completion of a definition of a Class or Module (or
+        # really the completion of that piece of a definition, as determined by an `end` statement since there could be
+        # definitions across multiple files) to carry out actions required on definition. This typically involves
+        # patching and usage analysis
+        #
+        # @param tracepoint_event [TracePoint] the TracePoint from the :end
         def process tracepoint_event
           with_contrast_scope do
-            logger.trace('Received TracePoint end event', module: tracepoint_event.self.to_s)
-
+            # the Module or Class that was loaded during this event
             loaded_module = tracepoint_event.self
+            # the file being loaded that contained this definition
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
+            logger.trace('Received TracePoint end event', module: loaded_module, path: path)
+
+            Contrast::Agent.framework_manager.register_late_framework(loaded_module)
             Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
-            Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module) if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+            if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
+            end
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
+          rescue StandardError => e
+            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module, path: path)
           end
         end
       end