contrast-agent 5.1.0 → 5.2.0

data/lib/contrast/logger/cef_log.rb

@@ -0,0 +1,151 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'logger'
+require 'singleton'
+
+require 'contrast/extension/module'
+require 'contrast/logger/application'
+require 'contrast/logger/format'
+require 'contrast/logger/request'
+require 'contrast/logger/time'
+require 'contrast/logger/log'
+require 'contrast/components/config'
+require 'contrast/utils/log_utils'
+
+module Contrast
+  # Used as a wrapper around our logging. The module option specifically adds in a new method for error that raises the
+  # logged exception, used in testing so that we can see if anything unexpected happens without it being swallowed
+  # while still providing safe options for customers.
+  module Logger
+    # For development set following env var to raise logged exceptions instead of just logging.
+    if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+      ::Logger.class_eval do
+        alias_method :cs__error, :error
+        alias_method :cs__warn, :warn
+
+        def error *args, **kwargs
+          if kwargs.empty?
+            cs__error(*args)
+          else
+            cs__error(*args, **kwargs)
+          end
+          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
+        end
+      end
+    end
+
+    # This is the CEF Logger implementation. It uses the default ::Logger.
+    class CEFLog
+      include Singleton
+      include ::Contrast::Utils::LogUtils
+      include ::Contrast::Utils::CEFLogUtils
+
+      attr_reader :previous_path, :previous_level
+
+      def initialize
+        build_logger
+      end
+
+      # Given new settings from TeamServer, update our logging to use the new file and level, assuming they weren't
+      # set by local configuration.
+      #
+      # @param log_level [String] the level at which to log, as provided by TeamServer settings
+      def build_logger log_level = nil
+        current_level_const = find_valid_level(log_level)
+        level_change = current_level_const != previous_level
+
+        # don't needlessly recreate logger
+        return if @cef_logger && !level_change
+
+        @previous_level = current_level_const
+
+        @_cef_logger = build(path: DEFAULT_CEF_NAME, level_const: current_level_const)
+        # If we're logging to a new path, then let's start it w/ our helpful
+        # data gathering messages
+        # log_update if path_change
+      rescue StandardError => e
+        # rubocop:disable Rails/Output
+        if @_cef_logger
+          @_cef_logger.error('Unable to process update to LoggerManager.', e)
+        else
+          puts 'Unable to process update to LoggerManager.'
+          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+
+          puts e.message
+          puts e.backtrace.join("\n")
+        end
+        # rubocop:enable Rails/Output
+      end
+
+      def cef_logger
+        @_cef_logger
+      end
+
+      def log msg, level = @_cef_logger.level
+        case level
+        when ::Logger::Severity::INFO
+          @_cef_logger.info(msg)
+        when ::Logger::Severity::ERROR
+          @_cef_logger.error(msg)
+        when ::Logger::Severity::WARN
+          @_cef_logger.warn(msg)
+        when ::Logger::Severity::FATAL
+          @_cef_logger.fatal(msg)
+        else
+          @_cef_logger.debug(msg)
+        end
+      end
+
+      def virtual_patch_message patch, outcome
+        message = "Virtual Patch #{ patch.fetch(:name, '') } - #{ patch[:uuid] } was triggered by this request."
+        log [message, patch, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def bot_blocking_message matching_bot, outcome
+        message = "User agent #{ matching_bot[:user_agent] } matched the disallowed value #{ matching_bot[:bot] }"
+        log [message, matching_bot, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def ip_denylisted_message remote_ip, block_entry, outcome
+        message = "IP Address #{ remote_ip } matched the disallowed value" \
+                  "#{ block_entry[:ip] } in the IP Blacklist #{ block_entry[:uuid] }"
+        log [message, block_entry, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
+                                         "#{ rule_id } - #{ input_value }"
+          log [successful_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+        else
+          successful_attack_wo_input = "An effective attack was detected against #{ rule_id }"
+          log [successful_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+        end
+      end
+
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
+                                          "but did not successfully exploit #{ rule_id } - #{ input_value }"
+          log [ineffective_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+        else
+          ineffective_attack_wo_input = "An unsuccessful attack was detected against #{ rule_id }"
+          log [ineffective_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+        end
+      end
+
+      # newer - currently not in the agent, currently is a probe for us
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
+                                   "as suspicious using #{ rule_id } - #{ input_value }"
+          log [suspicious_attack_with, rule_id, outcome], ::Logger::WARN
+        elsif input_value.present?
+          suspicious_attack_without = 'Suspicious activity indicates a potential attack using ' + rule_id.to_s
+          log [suspicious_attack_without, rule_id, outcome], ::Logger::WARN
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/hash_digest.rb

@@ -29,7 +29,7 @@ module Contrast
       # request or Contrast::REQUEST_TRACKER.current.request uri and used request
       # method.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] finding to be reported
+      # @param finding [Contrast::Api::Dtm::Finding, Contrast::Agent::Reporting::Finding] finding to be reported
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [Integer, nil] returns nil if there is no request context or tracking
       # is disabled.
@@ -38,12 +38,20 @@ module Contrast
         return unless context || ::Contrast::ASSESS.non_request_tracking?
 
         if (route = finding.routes[0])
-          update(route.route) # the normalized URL used to access the method in the route.
-          update(route.verb) # the HTTP Verb used  to access the method in the route.
-        elsif request ||= context&.request
-          update(request.normalized_uri) # the normalized URL used to access the method in the route.
-          update(request.request_method) # The HTTP method used in the request
+          if finding.cs__is_a?(Contrast::Agent::Reporting::Finding) && (observation = route.observations[0])
+            update(observation.url)
+            update(observation.verb)
+          else
+            update(route.route) # the normalized URL used to access the method in the route.
+            update(route.verb) # the HTTP Verb used  to access the method in the route.
+          end
+          return
         end
+
+        return unless request ||= context&.request
+
+        update(request.normalized_uri) # the normalized URL used to access the method in the route.
+        update(request.request_method) # The HTTP method used in the request
       end
 
       # Update to CRC checksum the event source name and source type.

data/lib/contrast/utils/log_utils.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'socket'
+require 'contrast/agent/version'
+
 module Contrast
   module Utils
     # Method utility used by Contrast::Logger::log
@@ -106,3 +109,114 @@ module Contrast
     end
   end
 end
+
+module Contrast
+  module Utils
+    # These are the utilities for the CEF Logger, which will use the default ruby logger as we are not
+    # interested in special logging. We have the format we need and that's all we need. It would be useless
+    # to use Ougai
+    module CEFLogUtils
+      include Contrast::Utils::LogUtils
+      # <date> <host> CEF:<version>|<company>|<product>|<agent version>|<event type>
+      # |<event message>|<severity>|<other name-value pairs>
+      DEFAULT_CEF_NAME = 'security.log'
+      DEFAULT_LEVEL    = ::Logger::Severity::INFO
+      VALID_LEVELS     = ::Logger::SEV_LABEL
+      PROGNAME         = 'Contrast Agent Ruby'
+      DATE_TIME_FORMAT = '%b %d %Y %H:%M:%S.%L%z'
+      AGENT_VERSION    = Contrast::Agent::VERSION
+      EVENT_TYPE       = 'SECURITY'
+      DEFAULT_METADATA = '-'
+
+      private
+
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        logger = case path
+                 when STDOUT_STR, STDERR_STR
+                   ::Logger.new(Object.cs__const_get(path))
+                 else
+                   ::Logger.new(path)
+                 end
+        logger.progname = PROGNAME
+        logger.level = level_const
+        change_logger_formatter logger
+        logger
+      end
+
+      def context
+        Contrast::Agent::REQUEST_TRACKER.current
+      end
+
+      def change_logger_formatter logger
+        ip_address = extract_ip_address
+        logger.formatter = proc do |severity, datetime, progname, msg|
+          date_format = datetime.strftime(DATE_TIME_FORMAT)
+          message = []
+          message << "#{ date_format } #{ ip_address }"
+          message << 'CEF:0|Contrast Security'
+          message << progname
+          message << AGENT_VERSION
+          message << EVENT_TYPE
+          message << msg[0]
+          message << severity
+          message << extract_metadata(msg[1], msg[2])
+          message.join('|') + "\n"
+        end
+      end
+
+      # This method will extract the metadata information from context and other places
+      #
+      # initial structure of the data:
+      # <metadata> := <message-source>" "<source-ip>" "<source-port>" "<request-url>" "<request-method>" \
+      # "<application>" "<outcome>
+      # it could come from: blockEntry, lei, bbi(bot blocker), vp(virtual patch) or pri(rule)
+      # initially here we will use case to add it
+      def extract_metadata rule_id = nil, outcome = nil
+        message = []
+        sender_info = context&.activity&.http_request&.sender
+        rule_id ? message << "pri=#{ rule_id } " : 'asd'
+        request_method = if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
+                           context.request.rack_request.env['REQUEST_METHOD']
+                         else
+                           DEFAULT_METADATA
+                         end
+        app_name = ::Contrast::APP_CONTEXT.app_name
+        attach_request_and_sender_info message, sender_info
+        message << "request=#{ context.request.url } "
+        message << "requestMethod=#{ request_method } "
+        message << "app=#{ app_name } "
+        message << "outcome=#{ outcome } "
+      end
+
+      def attach_request_and_sender_info message, sender_info
+        # here, instead of the ip, we need to report the first non-private 'X-Forwarded-For' Header if available.
+        # if not we return '-'
+        needed_header = extract_sender_ip
+        # I'm not sure if we should report the sender ip from the ActivityDtm
+        src = if needed_header
+                needed_header
+              else
+                sender_info.ip.length > 1 ? sender_info.ip : DEFAULT_METADATA
+              end
+        message << "src=#{ src }"
+        message << "port=#{ sender_info.port }"
+      end
+
+      def extract_ip_address
+        res = Socket.getifaddrs.reject do |ifaddr|
+          !ifaddr.addr.ipv4? ||
+              (ifaddr.flags & Socket::IFF_MULTICAST).zero? ||
+              ifaddr.name != 'en0' # rubocop:disable Security/Module/Name
+        end
+        return unless res.length.positive?
+
+        res[0].addr.ip_address
+      end
+
+      def extract_sender_ip
+        request_headers = context.activity.http_request.request_headers&.transform_keys(&:to_s)
+        request_headers['X-Forwarded-For']
+      end
+    end
+  end
+end

data/lib/contrast/utils/middleware_utils.rb

@@ -51,14 +51,13 @@ module Contrast
       # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
       # Kernel#warn approach
       def inform_deprecations
-        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
-        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
-        # warnings now so that customers have time to reach out if they'll be impacted.
-        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
-        #   drop 2.5 support.
-        return unless RUBY_VERSION < '2.6.0'
+        # Ruby 2.6 will be dropped in april of 2022. We'll begin the deprecation warnings
+        # now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-1188 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.6 support.
+        return unless RUBY_VERSION < '2.7.0'
 
-        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.6 will be removed in April 2022. '\
                     'Please contact Customer Support prior if you require continued support.')
       end
 

data/lib/contrast/utils/net_http_base.rb

@@ -59,15 +59,7 @@ module Contrast
         return @_connection_verified unless @_connection_verified.nil?
         return false if client.nil?
 
-        # Before RUBY 2.7 there is no #ipaddr
-        ipaddr = if RUBY_VERSION < '2.7.0'
-                   socket = TCPSocket.open(client.address, client.port)
-                   ipaddr = socket.peeraddr[3]
-                   socket.close
-                   ipaddr
-                 else
-                   client.ipaddr
-                 end
+        ipaddr = get_ipaddr(client)
         response = client.request(Net::HTTP::Get.new(client.address))
         verify_cert = client.address.to_s.include?('localhost') ||
             OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
@@ -160,6 +152,17 @@ module Contrast
 
         @_proxy_enabled = Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil?
       end
+
+      # Retrieve the IP address from the client.
+      #
+      # @param client [Net::HTTP]
+      # @return [String]
+      def get_ipaddr client
+        socket = TCPSocket.open(client.address, client.port)
+        ipaddr = socket.peeraddr[3]
+        socket.close
+        ipaddr
+      end
     end
   end
 end

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -63,10 +63,6 @@ module Contrast
         rescue StandardError => e
           # Anything else was our bad and we gotta catch that to allow for normal application flow
           logger.error('Unable to apply pre patch to method.', e)
-        rescue Exception => e # rubocop:disable Lint/RescueException
-          # This is something like NoMemoryError that we can't hope to handle.  Nonetheless, shouldn't leak scope.
-          exit_contrast_scope!
-          raise e
         end
 
         # THIS IS CALLED FROM C. Do not change the signature lightly.

data/lib/contrast.rb

@@ -21,10 +21,11 @@ class Object
   alias_method :cs__singleton_class, :singleton_class
 end
 
-if RUBY_VERSION >= '3.0.0'
+if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
   # This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
   # a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
-  # TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
+  # This is fixed in Ruby 3.1.0
+  # TODO: RUBY-1132 Remove this once Ruby 3 support is dropped.
   # See bug here: https://bugs.ruby-lang.org/issues/17725
   class Class
     alias_method(:cs__orig_prepend, :prepend)
@@ -73,7 +74,7 @@ require 'contrast/utils/preflight_util'
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'
 
-if RUBY_VERSION >= '3.0.0'
+if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
   # Put prepend back as it was.
   Class.alias_method(:prepend, :cs__orig_prepend)
   Class.remove_method(:cs__orig_prepend)

data/ruby-agent.gemspec

@@ -173,7 +173,7 @@ Gem::Specification.new do |spec|
     'Testing and Protection.'
   spec.homepage     = 'https://www.contrastsecurity.com'
   spec.license      = 'CONTRAST SECURITY (see license file)'
-  spec.required_ruby_version = ['>= 2.6.0', '< 3.1.0']
+  spec.required_ruby_version = ['>= 2.6.0', '< 3.2.0']
 
   spec.bindir        = 'exe'
   spec.executables   = ['contrast_service']

data/service_executables/VERSION

@@ -1 +1 @@
-2.27.3
+2.28.6

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.2.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-01-24 00:00:00.000000000 Z
+date: 2022-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -617,19 +617,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__os_information/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
 - ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__os_information/extconf.rb
 - ext/cs__assess_string/extconf.rb
+- ext/cs__assess_array/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__scope/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
 - ext/cs__assess_module/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -687,6 +688,9 @@ files:
 - ext/cs__os_information/cs__os_information.c
 - ext/cs__os_information/cs__os_information.h
 - ext/cs__os_information/extconf.rb
+- ext/cs__scope/cs__scope.c
+- ext/cs__scope/cs__scope.h
+- ext/cs__scope/extconf.rb
 - ext/extconf_common.rb
 - funchook/LICENSE
 - funchook/Makefile.in
@@ -879,16 +883,19 @@ files:
 - lib/contrast/agent/assess/rule/provider/hardcoded_key.rb
 - lib/contrast/agent/assess/rule/provider/hardcoded_password.rb
 - lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb
-- lib/contrast/agent/assess/rule/response/autocomplete_rule.rb
+- lib/contrast/agent/assess/rule/response/auto_complete_rule.rb
 - lib/contrast/agent/assess/rule/response/base_rule.rb
-- lib/contrast/agent/assess/rule/response/cachecontrol_rule.rb
-- lib/contrast/agent/assess/rule/response/clickjacking_rule.rb
+- lib/contrast/agent/assess/rule/response/body_rule.rb
+- lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb
+- lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb
 - lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb
 - lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb
+- lib/contrast/agent/assess/rule/response/framework/rails_support.rb
+- lib/contrast/agent/assess/rule/response/header_rule.rb
 - lib/contrast/agent/assess/rule/response/hsts_header_rule.rb
 - lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb
-- lib/contrast/agent/assess/rule/response/x_content_type_rule.rb
-- lib/contrast/agent/assess/rule/response/x_xss_protection_rule.rb
+- lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb
+- lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb
 - lib/contrast/agent/assess/tag.rb
 - lib/contrast/agent/assess/tracker.rb
 - lib/contrast/agent/at_exit_hook.rb
@@ -918,6 +925,7 @@ files:
 - lib/contrast/agent/patching/policy/policy.rb
 - lib/contrast/agent/patching/policy/policy_node.rb
 - lib/contrast/agent/patching/policy/trigger_node.rb
+- lib/contrast/agent/protect/input_analyzer/input_analyzer.rb
 - lib/contrast/agent/protect/policy/applies_command_injection_rule.rb
 - lib/contrast/agent/protect/policy/applies_deserialization_rule.rb
 - lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb
@@ -942,12 +950,18 @@ files:
 - lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb
 - lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb
+- lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb
+- lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb
 - lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb
 - lib/contrast/agent/protect/rule/unsafe_file_upload.rb
 - lib/contrast/agent/protect/rule/xss.rb
 - lib/contrast/agent/protect/rule/xxe.rb
 - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
 - lib/contrast/agent/reaction_processor.rb
+- lib/contrast/agent/reporting/input_analysis/input_analysis.rb
+- lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb
+- lib/contrast/agent/reporting/input_analysis/input_type.rb
+- lib/contrast/agent/reporting/input_analysis/score_level.rb
 - lib/contrast/agent/reporting/report.rb
 - lib/contrast/agent/reporting/reporter.rb
 - lib/contrast/agent/reporting/reporting_events/application_inventory.rb
@@ -956,16 +970,19 @@ files:
 - lib/contrast/agent/reporting/reporting_events/discovered_route.rb
 - lib/contrast/agent/reporting/reporting_events/finding.rb
 - lib/contrast/agent/reporting/reporting_events/finding_event.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_object.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_property.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb
 - lib/contrast/agent/reporting/reporting_events/finding_event_source.rb
-- lib/contrast/agent/reporting/reporting_events/finding_object.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb
+- lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb
 - lib/contrast/agent/reporting/reporting_events/finding_request.rb
-- lib/contrast/agent/reporting/reporting_events/finding_signature.rb
-- lib/contrast/agent/reporting/reporting_events/finding_stack.rb
-- lib/contrast/agent/reporting/reporting_events/finding_taint_range.rb
 - lib/contrast/agent/reporting/reporting_events/library_discovery.rb
 - lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb
 - lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb
 - lib/contrast/agent/reporting/reporting_events/observed_route.rb
+- lib/contrast/agent/reporting/reporting_events/poll.rb
 - lib/contrast/agent/reporting/reporting_events/preflight.rb
 - lib/contrast/agent/reporting/reporting_events/preflight_message.rb
 - lib/contrast/agent/reporting/reporting_events/reporting_event.rb
@@ -1028,10 +1045,12 @@ files:
 - lib/contrast/api/decorators/application_startup.rb
 - lib/contrast/api/decorators/application_update.rb
 - lib/contrast/api/decorators/architecture_component.rb
+- lib/contrast/api/decorators/bot_blocker.rb
 - lib/contrast/api/decorators/finding.rb
 - lib/contrast/api/decorators/http_request.rb
 - lib/contrast/api/decorators/input_analysis.rb
 - lib/contrast/api/decorators/instrumentation_mode.rb
+- lib/contrast/api/decorators/ip_denylist.rb
 - lib/contrast/api/decorators/library.rb
 - lib/contrast/api/decorators/library_usage_update.rb
 - lib/contrast/api/decorators/message.rb
@@ -1044,6 +1063,7 @@ files:
 - lib/contrast/api/decorators/trace_taint_range.rb
 - lib/contrast/api/decorators/trace_taint_range_tags.rb
 - lib/contrast/api/decorators/user_input.rb
+- lib/contrast/api/decorators/virtual_patch.rb
 - lib/contrast/api/dtm.pb.rb
 - lib/contrast/api/settings.pb.rb
 - lib/contrast/components/agent.rb
@@ -1099,7 +1119,6 @@ files:
 - lib/contrast/extension/delegator.rb
 - lib/contrast/extension/extension.rb
 - lib/contrast/extension/inventory.rb
-- lib/contrast/extension/kernel.rb
 - lib/contrast/extension/module.rb
 - lib/contrast/extension/protect.rb
 - lib/contrast/extension/protect/psych.rb
@@ -1121,6 +1140,7 @@ files:
 - lib/contrast/framework/sinatra/support.rb
 - lib/contrast/funchook/funchook.rb
 - lib/contrast/logger/application.rb
+- lib/contrast/logger/cef_log.rb
 - lib/contrast/logger/format.rb
 - lib/contrast/logger/log.rb
 - lib/contrast/logger/request.rb
@@ -1201,7 +1221,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.6.0
   - - "<"
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="