contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/components/scope.rb

@@ -2,8 +2,8 @@
 # frozen_string_literal: true
 
 require 'fiber'
-require 'monitor'
 require 'contrast/agent/scope'
+require 'cs__scope/cs__scope'
 
 # This is the Scope component.
 #
@@ -12,85 +12,99 @@ require 'contrast/agent/scope'
 # execution context for which we need to special case?".
 module Contrast
   module Components
-    module Scope # :nodoc:
-      MONITOR = Monitor.new
-      EXECUTION_CONTEXT = {} # rubocop:disable Style/MutableConstant
-
-      class Interface # :nodoc:
-        def initialize
-          # This is probably redundant with #scope_for_current_ec's nil check.
-          EXECUTION_CONTEXT[Fiber.current] = Contrast::Agent::Scope.new
-        end
-
-        # This returns the scope governing the current execution context. Use this sparingly, preferring the instance
-        # & class methods to access and query scope, rather than interacting with the scope object directly.
-        def scope_for_current_ec
-          MONITOR.synchronize do
-            return EXECUTION_CONTEXT[Fiber.current] ||= Contrast::Agent::Scope.new
-          end
-        end
-      end
-
-      module InstanceMethods # :nodoc:
-        # For each instance method on a scope, define a forwarder to the scope on the current execution context's scope.
-        def scope_for_current_ec
-          MONITOR.synchronize do
-            return EXECUTION_CONTEXT[Fiber.current] ||= Contrast::Agent::Scope.new
-          end
-        end
-
-        def enter_contrast_scope!
-          scope_for_current_ec.enter_contrast_scope!
-        end
-
-        def enter_deserialization_scope!
-          scope_for_current_ec.enter_deserialization_scope!
-        end
-
-        def enter_split_scope!
-          scope_for_current_ec.enter_split_scope!
-        end
-
-        def enter_scope! name
-          scope_for_current_ec.enter_scope! name
-        end
-
-        def exit_contrast_scope!
-          scope_for_current_ec.exit_contrast_scope!
-        end
-
-        def exit_deserialization_scope!
-          scope_for_current_ec.exit_deserialization_scope!
-        end
-
-        def exit_split_scope!
-          scope_for_current_ec.exit_split_scope!
-        end
-
-        def exit_scope! name
-          scope_for_current_ec.exit_scope! name
-        end
-
-        def in_contrast_scope?
-          scope_for_current_ec.in_contrast_scope?
-        end
-
-        def in_deserialization_scope?
-          scope_for_current_ec.in_deserialization_scope?
-        end
-
-        def in_split_scope?
-          scope_for_current_ec.in_split_scope?
-        end
-
-        def split_scope_depth
-          scope_for_current_ec.split_scope_depth
-        end
-
-        def in_scope? name
-          scope_for_current_ec.in_scope? name
-        end
-
+    # Constants defined in C:
+    #
+    # MONITOR = Mutex.new This was replaced from Monitor to Mutex.
+    # EXECUTION_CONTEXT = {} Hash containing all of the current ecs as keys pointing to their scope instances.
+    # EC_KEYS = [] set while we get the current ec, and used for sweeping the dead fibers in C.
+    #
+    # Methods defined in C:
+    #
+    # class Interface
+    #   initializes the scope for the current fiber context.
+    #   def initialize end;
+    #
+    #     This returns the scope governing the current execution context. Use this sparingly, preferring the instance
+    #    & class methods to access and query scope, rather than interacting with the scope object directly.
+    #   def scope_for_current_ec end;
+    # end
+    #
+    # module Scope
+    #   Singleton method for cleaning the dead fibers and unused scope instances, scope GC.
+    #   def self.sweep_dead_ecs end;
+    # end
+    module Scope
+      # Methods defined in C:
+      #
+      # For each instance method on a scope, define a forwarder to the scope on the
+      # current execution context's scope.
+      # def scope_for_current_ec end;
+      #
+      # all the methods bellow are used as forwarders to be executed in the current ec.
+      # exp: in_contrast_scope? => scope_for_current_ec.enter_contrast_scope!
+      #
+      # Check if we are in contrast scope.
+      # def in_contrast_scope? end;
+      # @return [Boolean] check if we are in contrast scope
+      #                   if the scope is above 0 return true.
+      #
+      # check if we are in deserialization scope.
+      # def in_deserialization_scope? end;
+      # @return [Boolean] check if we are in contrast scope
+      #                   if the scope is above 0 return true.
+      #
+      # check if we are in split scope.
+      # def in_split_scope? end;
+      # @return [Boolean] check if we are in contrast scope
+      #                   if the scope is above 0 return true.
+      #
+      # enter contrast scope.
+      # def enter_contrast_scope! end;
+      # @return @contrast_scope [Integer] contrast scope increased.
+      #
+      # enter deserialization scope.
+      # def enter_deserialization_scope! end;
+      # @return @deserialization_scope [Integer] deserialization scope increased.
+      #
+      # enter split scope.
+      # def enter_split_scope! end;
+      # @return @split_scope [Integer] split scope increased.
+      #
+      # check split scope depth.
+      # def split_scope_depth end;
+      # @return @split_scope [Integer] split scope depth.
+      #
+      # exit contrast scope.
+      # def exit_contrast_scope! end;
+      # @return @contrast_scope [Integer] contrast scope decreased.
+      #
+      # exit deserialization scope.
+      # def exit_deserialization_scope! end;
+      # @return @deserialization_scope [Integer] deserialization scope decreased.
+      #
+      # exit split scope.
+      # def exit_split_scope! end;
+      # @return @split_scope [Integer] split scope decreased.
+      #
+      # Static methods to be used, the cases are defined by the usage from the above methods
+      #
+      # check if are in specific scope.
+      # def in_scope? name end;
+      # @param name [Symbol] scope symbol representing scope to check.
+      # @return [Boolean] check if we are in passed scope.
+      #
+      # enter specific scope.
+      # def enter_scope! name end;
+      # @param name [Symbol] scope symbol representing scope to enter.
+      # @return scope [Integer] entered scope value increased.
+      #
+      # exit specific scope.
+      # def exit_cope! name end;
+      # @param name [Symbol] scope symbol representing scope to exit.
+      # @return scope [Integer] entered scope value decreased.
+      module InstanceMethods
+        # Forwarder to execute block in contrast scope under current
+        # method execution context. On completion exits scope.
         def with_contrast_scope
           scope_for_current_ec.enter_contrast_scope!
           yield
@@ -98,6 +112,8 @@ module Contrast
           scope_for_current_ec.exit_contrast_scope!
         end
 
+        # Forwarder to execute block in deserialization scope under current
+        # method execution context. On completion exits scope.
         def with_deserialization_scope
           scope_for_current_ec.enter_deserialization_scope!
           yield
@@ -105,6 +121,8 @@ module Contrast
           scope_for_current_ec.exit_deserialization_scope!
         end
 
+        # Forwarder to execute block in split scope under current
+        # method execution context. On completion exits scope.
         def with_split_scope
           scope_for_current_ec.enter_split_scope!
           yield
@@ -113,17 +131,6 @@ module Contrast
         end
       end
 
-      def self.sweep_dead_ecs
-        # TODO: RUBY-534, #sweep_dead_ecs compensates for a lack of weak tables. when we can use WeakRef, we should
-        #   investigate removing this call and instead use the WeakRef for the Execution Context's Keys or using our
-        #   Finalizers Hash for Fibers
-        MONITOR.synchronize do
-          EXECUTION_CONTEXT.delete_if do |ec, _scope|
-            !ec.alive?
-          end
-        end
-      end
-
       ClassMethods = InstanceMethods
     end
   end

data/lib/contrast/components/settings.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/api/settings.pb'
+require 'contrast/agent/reporting/settings/sensitive_data_masking'
 
 module Contrast
   module Components
@@ -13,12 +14,14 @@ module Contrast
       APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
           new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
-      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil, []) do
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
+                                                                                                            [], nil) do
         def sampling_settings= new_val
           @sampling_settings = new_val
           Contrast::Utils::Assess::SamplingUtil.instance.update
         end
       end
+      SENSITIVE_DATA_MASKING_BASE = Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
 
       # This is a class.
       class Interface
@@ -26,7 +29,63 @@ module Contrast
 
         # tainted_columns are database columns that receive unsanitized input.
         attr_reader :tainted_columns # This can probably go into assess_state?
-        attr_reader :assess_state, :protect_state, :application_state
+        # Current state for Assess.
+        # enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
+        #
+        # sampling [Hash<AssessSampling>] Hash of AssessSampling Used to control the sampling feature in the agent: {
+        #  baseline          [Integer] The number of baseline requests to take before switching to sampling
+        #                               for the window.
+        #  enabled           [Boolean] If the sampling feature should be used or not.
+        #  frequency         [Integer] The number of requests to skip before observing during the sampling
+        #                               window after the baseline.
+        #  responseFrequency [Integer]
+        #  window            [Integer]
+        # }
+        #
+        # disabled_assess_rules [array<AssessRuleID(String)>] Assess rules to disable for this application.
+        attr_reader :assess_state
+        # Current State for Protect.
+        # enabled [Boolean] Indicate if the protect feature set is enabled for this server or not.
+        #
+        # Protection rules are returned as:
+        # rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+        attr_reader :protect_state
+        # Current Application State.
+        #
+        # modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
+        # exclusion_matchers [Array] Array of all the exclusions.
+        # code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
+        #   name         [String] The name of the exclusion as defined by the user in TS.
+        #   modes        [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   denylist     [String] The call, if in the stack, should result in the agent not taking action.
+        # input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        # url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        attr_reader :application_state
+        # This the structure that will hold the masking rules send from TS.
+        #
+        # @return [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]:
+        #           mask_http_body [Boolean] Policy flag to enable the use of masking on request body.
+        #           rules          [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
+        #                          Rules to follow when using the masking. Each rules contains Id [String]
+        #                          and Keywords [Array<String>].
+        attr_reader :sensitive_data_masking
 
         def initialize
           reset_state
@@ -38,10 +97,14 @@ module Contrast
 
         # @param features [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
         def update_from_server_features features
-          if features&.class == Contrast::Agent::Reporting::Response
-            @protect_state.enabled = features.server_features.protect.enabled?
-            @assess_state.enabled = features.server_features.assess.enabled?
-            @assess_state.sampling_settings = features.server_features.assess.sampling
+          if features.cs__is_a?(Contrast::Agent::Reporting::Response)
+            server_features = features.server_features
+            log_file = server_features.log_file
+            log_level = server_features.log_level
+            Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+            @protect_state.enabled = server_features.protect.enabled?
+            @assess_state.enabled = server_features.assess.enabled?
+            @assess_state.sampling_settings = server_features.assess.sampling
           else
             @protect_state.enabled = features.protect_enabled?
             @assess_state.enabled = features.assess_enabled?
@@ -52,10 +115,13 @@ module Contrast
         # @param features [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
         def update_from_application_settings features
           if features&.class == Contrast::Agent::Reporting::Response
-            @application_state.modes_by_id = features.application_settings.protect.protection_rules_to_settings_hash
+            settings = features.application_settings
+            @application_state.modes_by_id = settings.protect.protection_rules_to_settings_hash
             # TODO: RUBY-1438 this needs to be translated
             # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-            @assess_state.disabled_assess_rules = features.application_settings.assess.disabled_rules
+            update_sensitive_data_policy(settings.sensitive_data_masking)
+            @assess_state.disabled_assess_rules = settings.assess.disabled_rules
+            @assess_state.session_id = settings.assess.session_id if settings.assess.session_id
           else
             new_vals = features.application_state_translation
             @application_state.modes_by_id = new_vals[:modes_by_id]
@@ -70,6 +136,7 @@ module Contrast
           @assess_state = ASSESS_STATE_BASE.dup
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
+          @sensitive_data_masking = SENSITIVE_DATA_MASKING_BASE.dup
         end
 
         def build_protect_rules
@@ -86,6 +153,37 @@ module Contrast
           Contrast::Agent::Protect::Rule::Xss.new
           Contrast::Agent::Protect::Rule::Xxe.new
         end
+
+        # Update the sensitive data masking policy from settings,
+        # received from TS. In case the settings are empty,
+        # keep current ones.
+        #
+        # @param sensitive_data_masking [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]
+        # Ts Response settings for sensitive data masking policy
+        def update_sensitive_data_policy sensitive_data_masking
+          @sensitive_data_masking.mask_http_body = sensitive_data_masking.mask_http_body? unless
+            settings_empty?(sensitive_data_masking.mask_http_body?)
+          @sensitive_data_masking.mask_attack_vector = sensitive_data_masking.mask_attack_vector? unless
+            settings_empty?(sensitive_data_masking.mask_attack_vector?)
+          return if settings_empty?(sensitive_data_masking.rules)
+
+          @sensitive_data_masking.rules = sensitive_data_masking.rules
+          # update with the newly received rules.
+          Contrast::Agent::Reporting::Masker.send(:update_dictionary)
+        end
+
+        private
+
+        # check if settings are empty and return true if so.
+        #
+        # @param settings [String, Boolean, Array, Hash]
+        # @return true | false
+        def settings_empty? settings
+          return false if !!settings == settings
+          return true if settings.nil? || settings.empty?
+
+          false
+        end
       end
     end
   end

data/lib/contrast/config/agent_configuration.rb

@@ -1,23 +1,52 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/config/service_configuration'
+require 'contrast/config/logger_configuration'
+require 'contrast/config/ruby_configuration'
+require 'contrast/config/heap_dump_configuration'
+require 'contrast/config/api_configuration'
+
 module Contrast
   module Config
     # Common Configuration settings. Those in this section pertain to the
     # core functionality of the Agent.
     class AgentConfiguration < BaseConfiguration
-      KEYS = {
-          enable: EMPTY_VALUE,
-          start_bundled_service: true,
-          omit_body: EMPTY_VALUE,
-          service: Contrast::Config::ServiceConfiguration,
-          logger: Contrast::Config::LoggerConfiguration,
-          ruby: Contrast::Config::RubyConfiguration,
-          heap_dump: Contrast::Config::HeapDumpConfiguration
-      }.cs__freeze
-
-      def initialize hsh
-        super(hsh, KEYS)
+      # @return [Boolean, nil]
+      attr_accessor :enable
+      # @return [Boolean, nil]
+      attr_accessor :omit_body
+      attr_writer :ruby, :service, :logger, :heap_dump
+
+      def initialize hsh = {}
+        @enable = traverse_config(hsh, :enable)
+        @start_bundled_service = traverse_config(hsh, :start_bundled_service)
+        @omit_body = traverse_config(hsh, :omit_body)
+        @service = Contrast::Config::ServiceConfiguration.new(traverse_config(hsh, :service))
+        @logger = Contrast::Config::LoggerConfiguration.new(traverse_config(hsh, :logger))
+        @ruby = Contrast::Config::RubyConfiguration.new(traverse_config(hsh, :ruby))
+        @heap_dump = Contrast::Config::HeapDumpConfiguration.new(traverse_config(hsh, :heap_dump))
+      end
+
+      # @return [Boolean, true]
+      def start_bundled_service
+        @start_bundled_service.nil? ? true : @start_bundled_service
+      end
+
+      def service
+        @service ||= Contrast::Config::ServiceConfiguration.new
+      end
+
+      def logger
+        @logger ||= Contrast::Config::LoggerConfiguration.new
+      end
+
+      def ruby
+        @ruby ||= Contrast::Config::RubyConfiguration.new
+      end
+
+      def heap_dump
+        @heap_dump ||= Contrast::Config::HeapDumpConfiguration.new
       end
     end
   end

data/lib/contrast/config/api_configuration.rb

@@ -9,18 +9,43 @@ module Contrast
   module Config
     # Api keys configuration
     class ApiConfiguration < BaseConfiguration
-      URL = 'https://app.contrastsecurity.com/Contrast'
-      KEYS = {
-          api_key: EMPTY_VALUE,
-          url: URL,
-          user_name: EMPTY_VALUE,
-          service_key: EMPTY_VALUE,
-          proxy: Contrast::Config::ApiProxyConfiguration,
-          request_audit: Contrast::Config::RequestAuditConfiguration,
-          certificate: Contrast::Config::CertificationConfiguration
-      }.cs__freeze
-      def initialize hsh
-        super(hsh, KEYS)
+      # @return [String]
+      attr_accessor :api_key
+      # @return [String]
+      attr_accessor :user_name
+      # @return [String]
+      attr_accessor :service_key
+      attr_writer :url, :proxy, :request_audit, :certificate
+
+      DEFAULT_URL = 'https://app.contrastsecurity.com/Contrast'
+
+      def initialize hsh = {}
+        @api_key = traverse_config(hsh, :api_key)
+        @url = traverse_config(hsh, :url)
+        @user_name = traverse_config(hsh, :user_name)
+        @service_key = traverse_config(hsh, :service_key)
+        @proxy = Contrast::Config::ApiProxyConfiguration.new(traverse_config(hsh, :proxy))
+        @request_audit = Contrast::Config::RequestAuditConfiguration.new(traverse_config(hsh, :request_audit))
+        @certificate = Contrast::Config::CertificationConfiguration.new(traverse_config(hsh, :certificate))
+      end
+
+      def url
+        @url.nil? ? DEFAULT_URL : @url
+      end
+
+      # @return [Contrast::Config::ApiProxyConfiguration]
+      def proxy
+        @proxy ||= Contrast::Config::ApiProxyConfiguration.new
+      end
+
+      # @return [Contrast::Config::RequestAuditConfiguration]
+      def request_audit
+        @request_audit ||= Contrast::Config::RequestAuditConfiguration.new
+      end
+
+      # @return [Contrast::Config::CertificationConfiguration]
+      def certificate
+        @certificate ||= Contrast::Config::CertificationConfiguration.new
       end
     end
   end

data/lib/contrast/config/api_proxy_configuration.rb

@@ -5,9 +5,18 @@ module Contrast
   module Config
     # Api Proxy keys configuration
     class ApiProxyConfiguration < BaseConfiguration
-      KEYS = { enable: false, url: EMPTY_VALUE }.cs__freeze
-      def initialize hsh
-        super(hsh, KEYS)
+      # @return [String] proxy url
+      attr_accessor :url
+      attr_writer :enable
+
+      def initialize hsh = {}
+        @enable = traverse_config(hsh, :enable)
+        @url = traverse_config(hsh, :url)
+      end
+
+      # @return [Boolean, false]
+      def enable
+        @enable.nil? ? false : @enable
       end
     end
   end

data/lib/contrast/config/application_configuration.rb

@@ -8,21 +8,45 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # application identification functionality of the Agent.
     class ApplicationConfiguration < BaseConfiguration
-      KEYS = {
-          name: EMPTY_VALUE,
-          version: EMPTY_VALUE,
-          language: EMPTY_VALUE,
-          path: EMPTY_VALUE,
-          group: EMPTY_VALUE,
-          tags: EMPTY_VALUE,
-          code: EMPTY_VALUE,
-          metadata: EMPTY_VALUE,
-          session_id: Contrast::Utils::ObjectShare::EMPTY_STRING,
-          session_metadata: Contrast::Utils::ObjectShare::EMPTY_STRING
-      }.cs__freeze
+      # @return [String]
+      attr_accessor :name
+      # @return [String]
+      attr_accessor :version
+      # @return [String]
+      attr_accessor :language
+      # @return [String]
+      attr_accessor :path
+      # @return [String]
+      attr_accessor :group
+      # @return [String]
+      attr_accessor :tags
+      # @return [String]
+      attr_accessor :code
+      # @return [String]
+      attr_accessor :metadata
+      attr_writer :session_id, :session_metadata
 
-      def initialize hsh
-        super(hsh, KEYS)
+      def initialize hsh = {}
+        @name = traverse_config(hsh, :name)
+        @version = traverse_config(hsh, :version)
+        @language = traverse_config(hsh, :language)
+        @path = traverse_config(hsh, :path)
+        @group = traverse_config(hsh, :group)
+        @tags = traverse_config(hsh, :tags)
+        @code = traverse_config(hsh, :code)
+        @metadata = traverse_config(hsh, :metadata)
+        @session_id = traverse_config(hsh, :session_id)
+        @session_metadata = traverse_config(hsh, :session_metadata)
+      end
+
+      # @return [String, Contrast::Utils::ObjectShare::EMPTY_STRING]
+      def session_id
+        @session_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+      end
+
+      # @return [String, Contrast::Utils::ObjectShare::EMPTY_STRING]
+      def session_metadata
+        @session_metadata ||= Contrast::Utils::ObjectShare::EMPTY_STRING
       end
     end
   end

data/lib/contrast/config/assess_configuration.rb

@@ -6,18 +6,53 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # assess functionality of the Agent.
     class AssessConfiguration < BaseConfiguration
-      KEYS = {
-          tags: EMPTY_VALUE,
-          enable: EMPTY_VALUE,
-          enable_scan_response: true,
-          enable_dynamic_sources: true,
-          sampling: Contrast::Config::SamplingConfiguration,
-          rules: Contrast::Config::AssessRulesConfiguration,
-          stacktraces: 'ALL'
-      }.cs__freeze
-
-      def initialize hsh
-        super(hsh, KEYS)
+      # @return [String, nil]
+      attr_accessor :tags
+      # @return [Boolean, nil]
+      attr_accessor :enable
+      attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces
+
+      DEFAULT_STACKTRACES = 'ALL'
+
+      def initialize hsh = {}
+        @enable = traverse_config(hsh, :enable)
+        @tags = traverse_config(hsh, :tags)
+        @enable_scan_response = traverse_config(hsh, :enable_scan_response)
+        @enable_dynamic_sources = traverse_config(hsh, :enable_dynamic_sources)
+        @enable_original_object = traverse_config(hsh, :enable_original_object)
+        @sampling = Contrast::Config::SamplingConfiguration.new(traverse_config(hsh, :sampling))
+        @rules = Contrast::Config::AssessRulesConfiguration.new(traverse_config(hsh, :rules))
+        @stacktraces = traverse_config(hsh, :stacktraces)
+      end
+
+      # @return [Boolean, true]
+      def enable_scan_response
+        @enable_scan_response.nil? ? true : @enable_scan_response
+      end
+
+      # @return [Boolean, true]
+      def enable_dynamic_sources
+        @enable_dynamic_sources.nil? ? true : @enable_dynamic_sources
+      end
+
+      # @return [Boolean, true]
+      def enable_original_object
+        @enable_original_object.nil? ? true : @enable_original_object
+      end
+
+      # @return [Contrast::Config::SamplingConfiguration]
+      def sampling
+        @sampling ||= Contrast::Config::SamplingConfiguration.new
+      end
+
+      # @return [Contrast::Config::AssessRulesConfiguration]
+      def rules
+        @rules ||= Contrast::Config::AssessRulesConfiguration.new
+      end
+
+      # @return [String] stacktrace level
+      def stacktraces
+        @stacktraces ||= DEFAULT_STACKTRACES
       end
     end
   end