contrast-agent 5.2.0 → 6.1.0

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -0,0 +1,231 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of NoSQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module NoSqliInputClassification
+          class << self
+            include InputClassificationBase
+
+            NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
+            NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
+            NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
+
+            ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
+            QUOTE_REGEXP = /['"’‘]/.cs__freeze
+            NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
+            COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
+            NOSQL_QUOTED_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+            /x.cs__freeze
+            NOSQL_NUMERIC_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+            /x.cs__freeze
+
+            NOSQL_DEFINITE_THRESHOLD = 3
+            NOSQL_WORTH_WATCHING_THRESHOLD = 1
+            NOSQL_CONFIDENCE_THRESHOLD = 3
+            MAX_DISTANCE = 10
+
+            # Input Classification stage is done to determine if an user input is
+            # WORTHWATCHING or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
+
+              # double check the input to avoid calling match? on array
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
+                                                                           rule_id,
+                                                                           input_type,
+                                                                           v)
+                end
+              end
+
+              input_analysis
+            end
+
+            private
+
+            # Creates a new instance of InputAnalysisResult with basic info.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
+            # @param value [String, Array<String>] the value of the input.
+            # @param path [String] the path of the current request context.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def new_ia_result rule_id, input_type, score_level, path, value
+              super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
+            end
+
+            # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
+            # and creates a new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def nosqli_create_new_input_result request, rule_id, input_type, value
+              score = evaluate_patterns(value)
+              score = evaluate_rules(value, score)
+
+              score_level = if definite_attack? score
+                              DEFINITEATTACK
+                            elsif worth_watching? score
+                              WORTHWATCHING
+                            else
+                              IGNORE
+                            end
+
+              new_ia_result(rule_id, input_type, score_level, request.path, value)
+            end
+
+            # This method evaluates the patterns relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all patterns matched is
+            # returned, unless the individual matching pattern score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_patterns value, total_score = 0
+              applicable_patterns = nosqli_patterns
+              return total_score if applicable_patterns.nil?
+
+              total_patterns_score = 0
+              applicable_patterns.each do |pattern|
+                next unless value.match?(pattern[:value])
+
+                total_patterns_score += pattern[:score].to_i
+                total_score += pattern[:score].to_i
+
+                if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+                  return total_score
+                end
+              end
+
+              total_score
+            end
+
+            def evaluate_comment_rule value
+              (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
+            end
+
+            # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all rules matched is
+            # returned, unless the individual matching rukle score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_rules value, total_score = 0
+              total_rules_score = 0
+              %i[evaluate_comment_rule evaluate_or_rule].each do |method|
+                rule_score = send(method, value)
+                total_rules_score += rule_score
+                total_score += rule_score
+
+                return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+              end
+
+              total_score
+            end
+
+            # This method evaluates the input value for NoSQL Or searches. Each possible match is
+            # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
+            # be returned, depending on whether the regexp for finding comments is also matched.
+            #
+            # @param value [String] the value of the input.
+            #
+            # @return res [Integer]
+            def evaluate_or_rule value
+              score = 0
+
+              locs = matches_by_position value, NOSQL_OR_REGEXP
+              return score if locs.empty?
+
+              locs.each do |loc|
+                [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
+                  pattern_locs = matches_by_position(value[loc[1]..], pattern)
+                  next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
+
+                  return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
+
+                  score = 3 # High
+                  break
+                end
+              end
+
+              score
+            end
+
+            # This method returns the patterns to be checked against the input value.
+            #
+            # @return res [Array, nil]
+            def nosqli_patterns
+              server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
+              rule_definitions = server_features&.protect&.rule_definition_list
+              rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
+            end
+
+            def matches_by_position value, pattern
+              value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
+            end
+
+            def definite_attack? score
+              score >= NOSQL_DEFINITE_THRESHOLD
+            end
+
+            def worth_watching? score
+              score >= NOSQL_WORTH_WATCHING_THRESHOLD
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -39,6 +39,19 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
+          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
+
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
+          end
+
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -53,6 +66,20 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
+
+          def infilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -7,6 +7,8 @@ require 'contrast/agent/protect/rule/sqli'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,9 +19,9 @@ module Contrast
         # to be analyzed at the sink level.
         module SqliInputClassification
           class << self
-            include Contrast::Agent::Reporting::InputType
-            include Contrast::Agent::Reporting::ScoreLevel
+            include InputClassificationBase
             include Contrast::Agent::Protect::Rule::SqliWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
 
             WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
             SQLI_KEYS_NEEDED = [
@@ -37,43 +39,25 @@ module Contrast
             # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
             def classify input_type, value, input_analysis
               return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
-              return unless input_analysis.request
+              return unless super
 
               rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
-              results = []
 
               # double check the input to avoid calling match? on array
               Array(value).each do |val|
                 Array(val).each do |v|
-                  results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                  input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
                 end
               end
 
-              input_analysis.results = results
               input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the sqli.')
+              logger.debug(e)
             end
 
             private
 
-            # Creates new isntance of InputAnalysisResult with basic info.
-            #
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
-            # @param value [String, Array<String>] the value of the input.
-            # @param path [String] the path of the current request context.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def new_ia_result rule_id, input_type, score_level, path, value
-              res = Contrast::Agent::Reporting::InputAnalysisResult.new
-              res.rule_id = rule_id
-              res.input_type = input_type
-              res.path = path
-              res.score_level = score_level
-              res.value = value
-              res
-            end
-
             # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
             # key if needed and Creates new isntance of InputAnalysisResult.
             #
@@ -84,37 +68,17 @@ module Contrast
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def sqli_create_new_input_result request, rule_id, input_type, value
-              result = if sqli_worth_watching? value
-                         ia_result = new_ia_result(rule_id, input_type, WORTHWATCHING, request.path, value)
-                         ia_result.ids << WORTHWATCHING_MATCH
-                         ia_result
-                       else
-                         new_ia_result(rule_id, input_type, IGNORE, request.path, value)
-                       end
-              if SQLI_KEYS_NEEDED.include? input_type
-                result.key = sqli_add_needed_key request, result, input_type, value
-              end
-              result
-            end
-
-            # This methods checks if input is value that matches a key in the input.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
-            def sqli_add_needed_key request, result, input_type, value
-              case input_type
-              when COOKIE_VALUE
-                result.key = request.cookies.key(value)
-              when PARAMETER_VALUE
-                result.key = request.parameters.key(value)
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if sqli_worth_watching? value
+                ia_result.ids << WORTHWATCHING_MATCH
+                ia_result.score_level = WORTHWATCHING
+                ia_result
               else
-                result.key
+                ia_result.score_level = IGNORE
               end
-              result.key
+
+              add_needed_key request, ia_result, input_type, value if SQLI_KEYS_NEEDED.include? input_type
+              ia_result
             end
           end
         end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb

@@ -99,9 +99,7 @@ module Contrast
           # @param substrings [Array] set of substrings to inspect.
           # @return true | false
           def contains_substring? input, substrings
-            return true if substrings.any? { |sub| input.include?(sub) }
-
-            false
+            substrings.any? { |sub| input.include?(sub) }
           end
 
           # Helper method to find the number of substrings.
@@ -111,7 +109,6 @@ module Contrast
           def number_of_substrings input, substring
             number = 0
             input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
-
             number
           end
         end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -0,0 +1,82 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of Unsafe File Upload
+        # rule. As a result input would be marked as DEFINITEATTACK or IGNORE.
+        module UnsafeFileUploadInputClassification
+          UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
+
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::UnsafeFileUploadMatcher
+
+            # Input Classification stage is done to determine if an user input is
+            # DEFINITEATTACK or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              unless Contrast::Agent::Protect::Rule::UnsafeFileUpload::APPLICABLE_USER_INPUTS.include?(input_type)
+                return
+              end
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
+              results = []
+
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  results << create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis.results = results
+              input_analysis
+            end
+
+            private
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result rule_id, input_type, request.path, value
+              if unsafe_match? value
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << UNSAFE_UPLOAD_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              ia_result.key = if input_type == MULTIPART_FIELD_NAME
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_FILENAME
+                              else
+                                Contrast::Agent::Protect::InputAnalyzer::DISPOSITION_NAME
+                              end
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_matcher.rb

@@ -0,0 +1,45 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # Here will be made the match of the user input provided by the
+        # Agent InputAnalysis.
+        module UnsafeFileUploadMatcher
+          EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
+          # Extensions that can be executed on the server side or can be dangerous on the client side:
+          # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+          EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze
+
+          # Match the user input to see if the filename
+          # contains malicious file extension.
+          #
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def unsafe_match? input
+            suspicious_chars?(input) || suspicious_extensions?(input)
+          end
+
+          private
+
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def suspicious_chars? input
+            input.chars.any? { |c| EXPLOIT_CHARS.include? c }
+          end
+
+          # @param input [String] The filename
+          # extracted from the current request
+          # @return true | false
+          def suspicious_extensions? input
+            EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb

@@ -2,19 +2,61 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect Unsafe File Upload rule.
+        # The unsafe-file-upload rule can trigger the following results:
+        # BLOCKED in Blocking mode na SUSPICIOUS in Monitor mode.
         class UnsafeFileUpload < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Agent::Reporting::InputType
+
           NAME = 'unsafe-file-upload'
           BLOCK_MESSAGE = 'Unsafe file upload rule triggered. Request blocked.'
+          APPLICABLE_USER_INPUTS = [MULTIPART_NAME, MULTIPART_FIELD_NAME].cs__freeze
 
           def rule_name
             NAME
           end
+
+          def block_message
+            BLOCK_MESSAGE
+          end
+
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results context
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              build_attack_without_match context, ia_result, result
+              append_to_activity context, result
+
+              cef_logging result, :successful_attack
+              raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            end
+          end
+
+          private
+
+          def prefilter? context
+            return false unless context&.agent_input_analysis&.results
+            return false unless enabled?
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/utils/timer'
+require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This class will hold the new Attacks results generated by our
+      # protect rules.
+      class AttackResult
+        RESPONSE_TYPE = Contrast::Agent::Reporting::ResponseType
+        # Generated the attack result
+        #
+        # @return @_response_type [Contrast::Agent::Reporting::ResponseType]
+        def response
+          @_response ||= RESPONSE_TYPE::NO_ACTION
+        end
+
+        # sets the response_type
+        #
+        # @param response_type [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
+        # @return @_response_type []
+        def response= response_type
+          @_response = response_type if RESPONSE_TYPE.to_a.include?(response_type)
+        end
+
+        # @return @_rule_id [String]
+        def rule_id
+          @_rule_id ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        # @param rule_id [String]
+        # @return @_rule_id [String]
+        def rule_id= rule_id
+          @_rule_id = rule_id if rule_id.is_a?(String)
+        end
+
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples
+          @_samples ||= []
+        end
+
+        # @param samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        # @return @_samples [Array<Contrast::Agent::Reporting::RaspRuleSample>]
+        def samples= samples
+          @_samples = samples if samples.is_a?(Array)
+        end
+
+        def tags
+          @_tags ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+        end
+
+        def tags= tags
+          @_tags = tags if tags.is_a?(String)
+        end
+      end
+    end
+  end
+end