contrast-agent 5.0.0 → 5.3.0

data/lib/contrast/agent/reporting/reporting_events/{finding_signature.rb → finding_event_signature.rb}

@@ -6,31 +6,36 @@ require 'contrast/utils/object_share'
 module Contrast
   module Agent
     module Reporting
-      # This is the new FindingSignature class which will include all the needed information for the new reporting
-      # system to relay this information in the Finding/Trace messages. These FindingObjects are used by TeamServer to
-      # construct the vulnerability information for the assess feature. They represent the signature of the method that
-      # was invoked in this event.
-      #
-      # @attr_reader arg_types [String] the types of the arguments in this event; may be different for each invocation
-      #   of the method.
-      # @attr_reader class_name [String] the name of the class of this object or the name itself if of Module type.
-      # @attr_reader constructor [Boolean] if the method is a constructor or not.
-      # @attr_reader expression_type [String] unused.
-      # @attr_reader flags [Integer] the Java flags.
-      # @attr_reader method_name [String] the name of the method.
-      # @attr_reader operator [String] unused.
-      # @attr_reader return_type [String] the type of the return in this event; may be different for each invocation of
-      #   the method.
-      # @attr_reader signature [String] the id of the Object this represents.
-      # @attr_reader void_method [Boolean] if the method is void or not; may be different for each invocation of the
-      #   method.
-      class FindingSignature
-        attr_reader :arg_types, :class_name, :constructor, :expression_type, :flags, :method_name, :operator,
-                    :return_type, :signature, :void_method
+      # This is the new FindingEventSignature class which will include all the needed information for the new reporting
+      # system to relay this information in the Finding/Trace messages. These FindingEventSignatures are used by
+      # TeamServer to construct the method signature for the assess feature. They represent the method invoked when the
+      # FindingEvent was generated.
+      class FindingEventSignature
+        # @return [String] the types of the arguments in this event; may be different for each invocation of the
+        #   method.
+        attr_reader :arg_types
+        # @return [String] the name of the class of this object or the name itself if of Module type.
+        attr_reader :class_name
+        # @return [Boolean] if the method is a constructor or not.
+        attr_reader :constructor
+        # @return [String] unused.
+        attr_reader :expression_type
+        # @return [Integer] the Java flags; static or not.
+        attr_reader :flags
+        # @return [String] the name of the method.
+        attr_reader :method_name
+        # @return [String] unused.
+        attr_reader :operator
+        # @return [String] the type of the return in this event; may be different for each invocation of the method.
+        attr_reader :return_type
+        # @return [String] unused.
+        attr_reader :signature
+        # @return [Boolean] if the method is void or not; may be different for each invocation of the method.
+        attr_reader :void_method
 
         class << self
           # @param event [Contrast::Agent::Assess::ContrastEvent] the event to build a signature for
-          # @return [Contrast::Agent::Reporting::FindingSignature]
+          # @return [Contrast::Agent::Reporting::FindingEventSignature]
           def convert event
             report = new
             report.attach_data(event)
@@ -39,7 +44,7 @@ module Contrast
         end
 
         # Parse the data from a Contrast::Agent::Assess::ContrastEvent to attach what is required for reporting to
-        # TeamServer to this Contrast::Agent::Reporting::FindingSignature
+        # TeamServer to this Contrast::Agent::Reporting::FindingEventSignature
         #
         # @param event [Contrast::Agent::Assess::ContrastEvent]
         def attach_data event
@@ -52,7 +57,7 @@ module Contrast
           @constructor = node.method_name == :new || node.method_name == :initialize
           # 8 is STATIC in Java... we have to placate them for now it has been requested that flags be removed since it
           # isn't used
-          @flags = 8 unless policy_node.instance_method?
+          @flags = 8 unless node.instance_method?
           @method_name = node.method_name
           @return_type = type_name(event.ret)
           # if there's a ret, then this method isn't nil. not 100% full proof since you can return nil, but this is the

data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'base64'
+require 'contrast/agent/assess/contrast_event'
+require 'contrast/agent/assess/events/source_event'
 
 module Contrast
   module Agent
@@ -10,16 +12,18 @@ module Contrast
       # system to relay this information in the Finding/Trace messages. These FindingEventSource are used by TeamServer
       # to construct the vulnerability information for the assess feature. They indicate the type of data that the
       # event represents.
-      #
-      # @attr_reader name [String] the name of the source
-      # @attr_reader type [String] the type of the source
       class FindingEventSource
-        attr_reader :name, :type
+        # @return [String] the name of the source
+        attr_reader :name
+        # @return [String] the type of the source
+        attr_reader :type
 
         class << self
-          # @param event [Contrast::Agent::Assess::Events::SourceEvent] the event to pull the source off of
-          # @return [Contrast::Agent::Reporting::FindingObject]
+          # @param event [Contrast::Agent::Assess::Events::ContrastEvent] the event to pull the source off of
+          # @return [Contrast::Agent::Reporting::FindingEventSource]
           def convert event
+            return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
             report = new
             report.attach_data(event)
             report
@@ -43,8 +47,8 @@ module Contrast
         def to_controlled_hash
           validate
           {
-              name: name, # rubocop:disable Security/Module/Name
-              type: type
+              sourceName: name, # rubocop:disable Security/Module/Name
+              sourceType: type
           }
         end
 

data/lib/contrast/agent/reporting/reporting_events/{finding_stack.rb → finding_event_stack.rb}

@@ -4,25 +4,29 @@
 module Contrast
   module Agent
     module Reporting
-      # This is the new FindingStack class which will include all the needed information for the new reporting system
-      # to relay this information in the Finding/Trace messages. These FindingStack are used by TeamServer to construct
-      # the vulnerability information for the assess feature. They represent the callstack at the time that each
-      # FindingEvent was generated.
-      #
-      # @attr_reader eval [String] unused
-      # @attr_reader file [String] the stack frame to show in TeamServer; the value of an entry in #caller
-      # @attr_reader line_number [String] unused
-      # @attr_reader method [String] unused
-      # @attr_reader signature [String] unused
-      # @attr_reader type [String] unused
-      class FindingStack
-        attr_reader :eval, :file, :line_number, :method, :signature, :type
+      # This is the new FindingEventStack class which will include all the needed information for the new reporting
+      # system to relay this information in the Finding/Trace messages. These FindingEventStack are used by TeamServer
+      # to construct the vulnerability information for the assess feature. They represent the callstack at the time
+      # that each FindingEvent was generated.
+      class FindingEventStack
+        # @return [String] unused
+        attr_reader :eval
+        # @return [String] the stack frame to show in TeamServer; the value of an entry in #caller
+        attr_reader :file
+        # @return [String] unused
+        attr_reader :line_number
+        # @return [String] unused
+        attr_reader :method
+        # @return [String] unused
+        attr_reader :signature
+        # @return [String] unused
+        attr_reader :type
 
         AGENT_CLASS_MARKER = '/lib/contrast/'
 
         class << self
-          # @param stack [Array<String>]
-          # @return [Contrast::Agent::Reporting::FindingStack,nil]
+          # @param stack [String]
+          # @return [Contrast::Agent::Reporting::FindingEventStack,nil]
           def convert stack
             return unless stack
             return if stack.include?(AGENT_CLASS_MARKER)
@@ -34,9 +38,9 @@ module Contrast
         end
 
         # Parse the data from a Contrast::Agent::Assess::Tag to attach what is required for reporting to TeamServer to
-        # this Contrast::Agent::Reporting::FindingTaintRange
+        # this Contrast::Agent::Reporting::FindingEventTaintRange
         #
-        # @param stack [Array<String>]
+        # @param stack [String]
         def attach_data stack
           @file = stack
         end
@@ -49,8 +53,8 @@ module Contrast
         def to_controlled_hash
           validate
           {
-              # eval: eval,
-              file: file # ,
+              file: file
+            # eval: eval, # This is unused by the Ruby agent
             # line_number: line_number, # This is unused by the Ruby agent
             # method: method, # This is unused by the Ruby agent
             # signature: signature, # This is unused by the Ruby agent

data/lib/contrast/agent/reporting/reporting_events/{finding_taint_range.rb → finding_event_taint_range.rb}

@@ -1,22 +1,24 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/tag'
+
 module Contrast
   module Agent
     module Reporting
-      # This is the new FindingObject class which will include all the needed information for the new reporting system
-      # to relay this information in the Finding/Trace messages. These FindingTaintRanges are used by TeamServer to
-      # construct the vulnerability information for the assess feature. They represent those parts of the objects that
-      # are tracked because of a security relevant operation acting on them.
-      #
-      # @attr_reader range [String] the range (inclusive:exclusive), that this tag covers.
-      # @attr_reader tag [String] the type of action this tag represents.
-      class FindingTaintRange
-        attr_reader :range, :tag
+      # This is the new FindingEventTaintRange class which will include all the needed information for the new
+      # reporting system to relay this information in the Finding/Trace messages. These FindingTaintRanges are used by
+      # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
+      # objects that are tracked because of a security relevant operation acting on them.
+      class FindingEventTaintRange
+        # @return [String] the range (inclusive:exclusive), that this tag covers.
+        attr_reader :range
+        # @return [String] the type of action this tag represents.
+        attr_reader :tag
 
         class << self
           # @param tag [Contrast::Agent::Assess::Tag] the tag to convert
-          # @return [Contrast::Agent::Reporting::FindingTaintRange]
+          # @return [Contrast::Agent::Reporting::FindingEventTaintRange]
           def convert tag
             report = new
             report.attach_data(tag)
@@ -25,7 +27,7 @@ module Contrast
         end
 
         # Parse the data from a Contrast::Agent::Assess::Tag to attach what is required for reporting to TeamServer to
-        # this Contrast::Agent::Reporting::FindingTaintRange
+        # this Contrast::Agent::Reporting::FindingEventTaintRange
         #
         # @param tag [Contrast::Agent::Assess::Tag] the tag to convert
         def attach_data tag
@@ -47,10 +49,10 @@ module Contrast
         end
 
         def validate
-          raise(ArgumentError, "#{ self } did not have a proper hash. Unable to continue.") unless hash && !hash.empty?
-          return unless value && !value.empty?
-
-          raise(ArgumentError, "#{ self } did not have a proper value. Unable to continue.")
+          unless range && !range.empty?
+            raise(ArgumentError, "#{ self } did not have a proper range. Unable to continue.")
+          end
+          raise(ArgumentError, "#{ self } did not have a proper tag. Unable to continue.") unless tag && !tag.empty?
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -4,31 +4,36 @@
 module Contrast
   module Agent
     module Reporting
-      # This is the new Finding class which will include all the needed information for the new reporting system to
-      # relay this information in the Finding/Trace messages. These findings are used by TeamServer to construct the
-      # vulnerability information for the assess feature. They represent those parts of the application, either through
-      # configuration, method invocation, or dataflow, which are determined to be insecure.
-      #
-      # @attr_accessor events [Array<Contrast::Agent::Assess::ContrastEvent>] if a dataflow based finding, the
-      #   representation of those method calls which constitute a dangerous code path.
-      # @attr_accessor properties [Hash<String,String>] a set of values that TeamServer can use to provide more context
-      #   to the user when rendering the finding. For some findings, a specific set of keys and values are required.
-      # @attr_accessor request [Contrast::Agent::Request, nil] the request, if any, in which this finding occurred
-      # @attr_accessor hash_code [String] the unique identifier of this finding.
-      # @attr_reader rule_id [String] the name of the rule violated; must match those in TeamServer.
+      # This is the new FindingRequest class which will include all the needed information for the new reporting system
+      # to relay this information in the Finding/Trace messages. These requests are used by TeamServer to construct the
+      # HTTP information for the assess feature. They represent the literal request made that resulted in the
+      # vulnerability being triggered.
       class FindingRequest
-        attr_reader :body, :headers, :method, :parameters, :port, :protocol, :query_string, :uri, :version
+        # @return [String] the body of this request
+        attr_reader :body
+        # @return [Hash<String,Array<String>>] the headers of this request
+        attr_reader :headers
+        # @return [String] the HTTP verb of this request
+        attr_reader :method
+        # @return [Hash<String,Array<String>>] the parameters of this request
+        attr_reader :parameters
+        # @return [Integer] the port to which this request connected
+        attr_reader :port
+        # @return [String] the HTTP(S) protocol of this request
+        attr_reader :protocol
+        # @return [String] the query string of this request
+        attr_reader :query_string
+        # @return [String] the url, including path and script, of this request
+        attr_reader :uri
+        # @return [String] the HTTP version of this request
+        attr_reader :version
 
         class << self
-          # @param request [Contrast::Api::Dtm::HttpRequest,Contrast::Agent::Request]
+          # @param request [Contrast::Agent::Request]
           # @return [Contrast::Agent::Reporting::FindingRequest]
           def convert request
             report = new
-            if request.cs__is_a?(Contrast::Agent::Request)
-              report.attach_data(request)
-            else
-              report.attach_dtm_data(request)
-            end
+            report.attach_data(request)
             report
           end
         end
@@ -41,8 +46,6 @@ module Contrast
           @body = request.body
           @headers = {}
           request.headers.each_pair do |key, value|
-            next unless key && value
-
             # We need to change from the uppercase _ format to capitalized - format.
             header = key.split('_')
             header.each(&:capitalize!)
@@ -51,9 +54,7 @@ module Contrast
           end
           @method = request.request_method
           @parameters = {}
-          request.parameters.each_pair do |key, value|
-            @parameters[key] = value
-          end
+          request.parameters.each_pair { |key, value| @parameters[key] = Array(value) }
           @port = request.port || 0
           @protocol = request.scheme
           @query_string = request.query_string
@@ -61,34 +62,6 @@ module Contrast
           @version = request.version
         end
 
-        # Parse the data from a Contrast::Api::Dtm::HttpRequest to attach what is required for reporting to TeamServer
-        # to this Contrast::Agent::Reporting::FindingRequest
-        #
-        # @param request_dtm [Contrast::Api::Dtm::HttpRequest]
-        def attach_dtm_data request_dtm
-          @body = request_dtm.request_body_binary
-          @headers = {}
-          request_dtm.request_headers.each_pair do |key, value|
-            next unless key && value
-
-            # We need to change from the uppercase _ format to capitalized - format.
-            header = key.split('_')
-            header.each(&:capitalize!)
-            header = header.join('-')
-            headers[header] = value.split
-          end
-          @method = request_dtm.method # rubocop:disable Security/Object/Method
-          @parameters = {}
-          request_dtm.normalized_request_params.each_value do |pair|
-            @parameters[pair.key] = pair.values
-          end
-          @port = nil
-          @protocol = request_dtm.protocol
-          @query_string = request_dtm.query_string
-          @uri = request_dtm.uri
-          @version = request_dtm.version
-        end
-
         # Convert the instance variables on the class, and other information, into the identifiers required for
         # TeamServer to process the JSON form of this message.
         #
@@ -110,7 +83,7 @@ module Contrast
         end
 
         def validate
-          unless cs__method && !cs__method.empty?
+          unless method && !method.empty? # rubocop:disable Security/Object/Method
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?

data/lib/contrast/agent/reporting/reporting_events/poll.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new Poll class for the Heartbeat Service.
+      class Poll < Contrast::Agent::Reporting::ReportingEvent
+        def initialize
+          @event_type = :heartbeat
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.heartbeat
+          super
+        end
+
+        # This is commented out as I am not aware if we're supposed to send some information and/or parse it to hash
+        # In https://github.com/Contrast-Security-Inc/contrast-service/blob/next/reporting/tsreporter.go
+        #
+        # Convert the instance variables on the class, and other information, into the identifiers required for
+        # TeamServer to process the JSON form of this message.
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        # def to_controlled_hash; end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -12,13 +12,14 @@ module Contrast
       # reporting system.
       #
       # @abstract
-      # @attr_reader routes [Array]
-      # @attr_reader event_method [Symbol] the HTTP method to use to send this event
       class ReportingEvent
-        attr_reader :event_endpoint, :event_method
+        # @return [String] the endpoint, with host, to which this event should be sent
+        attr_reader :event_endpoint
+        # @return event_method [Symbol] the HTTP method to use to send this event
+        attr_reader :event_method
 
         def initialize
-          @agent_session_id_value = 0 # TODO: RUBY-99999 Contrast::APP_CONTEXT.session_id once we have app start
+          @agent_session_id_value = '0' # TODO: RUBY-1514 Contrast::APP_CONTEXT.session_id once we have app start
           @event_endpoint ||= nil
           @event_method ||= :POST
         end

data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb

@@ -49,6 +49,7 @@ module Contrast
         def to_controlled_hash
           validate
           {
+              count: 0, # we have this to make TS happy
               observations: @observations.map(&:to_controlled_hash),
               signature: @signature
           }

data/lib/contrast/agent/reporting/reporting_events/server_activity.rb

@@ -23,7 +23,7 @@ module Contrast
 
         def initialize
           @event_method = :PUT
-          @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/servers"
+          @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/server"
           super
         end
 

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -84,13 +84,13 @@ module Contrast
         # Here we will generate the directories for the requests and responses
         def generate_paths
           message_directories = File.expand_path(path_to_audits)
-          FileUtils.mkdir_p(message_directories) unless Dir.exist?(message_directories)
+          make_directory(message_directories) unless Dir.exist?(message_directories)
 
           requests_destination = File.expand_path(File.join(message_directories, '/requests'))
           responses_destination = File.expand_path(File.join(message_directories, '/responses'))
 
-          Dir.mkdir(requests_destination) if enabled_for_requests? && !Dir.exist?(requests_destination)
-          Dir.mkdir(responses_destination) if enabled_for_responses? && !Dir.exist?(responses_destination)
+          make_directory(requests_destination) if enabled_for_requests? && !Dir.exist?(requests_destination)
+          make_directory(responses_destination) if enabled_for_responses? && !Dir.exist?(responses_destination)
 
           @path_for_requests ||= requests_destination if enabled_for_requests?
           @path_for_responses ||= responses_destination if enabled_for_responses?
@@ -98,6 +98,13 @@ module Contrast
           logger.warn('Generating the paths failed with: ', e: e)
         end
 
+        # Make the directory provided, including any required intermediary directories.
+        # We do this here in order to make allow us to easily override directory
+        # creation while testing.
+        def make_directory directory
+          FileUtils.mkdir_p(directory)
+        end
+
         # Retrieves the configuration value if the request audit is enabled
         # @return [Boolean]
         def enabled?

data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb

@@ -59,7 +59,6 @@ module Contrast
 
           # @return [String,nil]
           def observed_route
-            # "/v1.0/routes/localhost///rails/ruby/observed"
             with_rescue do
               "#{ route_endpoint }/observed".cs__freeze
             end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -57,6 +57,7 @@ module Contrast
         # @return response [Net::HTTP::Response, nil] response from TS if no response
         def send_event event, connection, send_immediately = false
           return unless Contrast::Agent::Reporter.enabled?
+          return unless connection
 
           response = send_events(event, connection)
           log_send_event event if send_immediately

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -15,8 +15,35 @@ module Contrast
         include Contrast::Components::Scope::InstanceMethods
         include Contrast::Agent::Reporting::Endpoints
 
+        # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
+        # @param response [Net::HTTP::Response,nil] The response we handle and read from
+        # @param connection [Net::HTTP] open connection
+        def handle_response event, response, connection
+          return unless event && response && connection
+          return unless event.cs__is_a?(Contrast::Agent::Reporting::Preflight)
+
+          preflight_message = event.messages[0]
+          # for handling multiple findings
+          # we'll only extract the indexes without *
+          # findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
+          # after that we'll do some magic and return them the same way we do for corresponding_finding
+          corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.hash_code)
+          return unless corresponding_finding
+
+          audit&.audit_event(corresponding_finding, response) if ::Contrast::API.request_audit_enable?
+          send_event(corresponding_finding, connection, true)
+          nil
+        rescue StandardError => e
+          logger.error('Unable to handle response', e)
+        end
+
         private
 
+        # TODO: RUBY-1466 find better home for this?
+        def audit
+          @_audit ||= Contrast::Agent::Reporting::Audit.new
+        end
+
         # This method will build headers of the request required for TS communication
         #
         # @param request [Net::HTTPRequest]
@@ -67,7 +94,7 @@ module Contrast
         # @param response [Net::HTTP::Response]
         # @return response [Net::HTTP::Response]
         def process_response response
-          response_handler.process response
+          response_handler.process(response)
           logger.debug('Successfully sent startup messages to service.')
           status.success!
           response
@@ -129,25 +156,6 @@ module Contrast
         end
 
         # Eventually here we'll handle more response types and etc
-
-        # @param event [Contrast::Agent::Reporting::Preflight] the preflight we handle here
-        # @param response [Net::HTTP::Response,nil] The response we handle and read from
-        # @param connection [Net::HTTP] open connection
-        def handle_response event, response, connection
-          return unless event || response || connection
-          return unless event.cs__is_a?(Contrast::Agent::Reporting::Preflight)
-
-          preflight_message = event.messages[0]
-          # for handling multiple findings
-          # we'll only extract the indexes without *
-          # findings_to_return = response.body.split(',').delete_if { |el| el.include?('*') }
-          # after that we'll do some magic and return them the same way we do for corresponding_finding
-          corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.hash_code)
-          return unless corresponding_finding
-
-          send_event corresponding_finding, connection, true
-          nil
-        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb

@@ -37,7 +37,7 @@ module Contrast
                                                                         assess_on: ::Contrast::ASSESS.enabled?)
           response
         rescue StandardError => e
-          logger.error(e.message)
+          logger.error('Unable to process response from TeamServer', e)
           nil
         end
 

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -54,7 +54,7 @@ module Contrast
         #
         # @param response [Contrast::Agent::Reporting::Response]
         def update_reaction response
-          return unless response.application_settings.reactions.any?
+          return unless response.application_settings.reactions&.any?
 
           response.application_settings.reactions.each do |reaction|
             # The enums are all uppercase, we need to downcase them before attempting to log.
@@ -134,6 +134,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_assess response_data, res
           assessments = response_data[:settings][:assessment]
+          return unless assessments
+
           res.application_settings.assess.disabled_rules = assessments[:disabledRules]
           res.application_settings.assess.session_id = assessments[:session_id]
         end
@@ -142,6 +144,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_protect response_data, res
           protect = response_data[:settings][:defend]
+          return unless protect
+
           res.application_settings.protect.protection_rules = protect[:protectionRules]
           res.application_settings.protect.virtual_patches = protect[:virtualPatches]
         end
@@ -150,6 +154,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_exclusions response_data, res
           exclusions = response_data[:settings][:exceptions]
+          return unless exclusions
+
           res.application_settings.exclusions.code_exclusions = exclusions[:codeExceptions]
           res.application_settings.exclusions.input_exclusions = exclusions[:inputExceptions]
           res.application_settings.exclusions.url_exclusions = exclusions[:urlExceptions]
@@ -165,6 +171,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_assess_server_features response_data, res
           assess = response_data[:assessment]
+          return unless assess
+
           res.server_features.assess.enabled = assess[:enabled]
           res.server_features.assess.disabled_rules = assess[:disabledRules]
           res.server_features.assess.sampling = assess[:sampling]
@@ -176,6 +184,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_protect_server_features response_data, res
           protect = response_data[:defend]
+          return unless protect
+
           res.server_features.protect.enabled = protect[:enabled]
           res.server_features.protect.bot_blocker = protect[:bot_blocker]
           res.server_features.protect.syslog = protect[:syslog]
@@ -185,6 +195,8 @@ module Contrast
         # @return res [Contrast::Agent::Reporting::Response]
         def extract_protect_lists response_data, res
           protect = response_data[:defend]
+          return unless protect
+
           res.server_features.protect.ip_allowlist = protect[:ipAllowlist]
           res.server_features.protect.ip_denylist = protect[:ipDenyList]
           res.server_features.protect.log_enchancers = protect[:logEnhancers]