contrast-agent 6.0.0 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 47aa135a205e4a74d64b778ae543f892213ca70e47be654032147a8bfe16dc82
-  data.tar.gz: 60f0de0e2675578bfb735c4f90303748bdc5e2053f2722dac4907bf84364d2f9
+  metadata.gz: 456cd00d5b3c07ec1a845a6dbcb26d6d5b2891b03a352f06d290d405ff695596
+  data.tar.gz: 06ce1572dc8403fdf57ab6cbaa9ea51d8b7e52c4090d64badda5001aabb608ac
 SHA512:
-  metadata.gz: fdd2d1209de7366f810cb1d7355700a54cd7d7749d94736213cf96c47b8e5cedad449ec0dc2ab09753c0ecc3d064498d18d1d001edc5d998c6c615c4cd05b571
-  data.tar.gz: 888016b33c67e7f2f77f320affcd1e945a7cc6e1c01c87d559d231cbed3309bbd4fff74833a5296f21680492955977d042594a39d807d4cb91eecd6adc4b4636
+  metadata.gz: 8ab067665857065d8325547faa13c3f41679e9a9a9de9a70245e310a2229b1d1097ee2198ae45ab9be5804835764c9004372ec03c8a7f2e2ce8ee3bafda332b1
+  data.tar.gz: cda25e738349d4ba06e6ada4fbb146341f883b92a444b9179dcb8e1e21d21d5c6fcd50503a599a9a55248e40078213f521dac5bdd610480650034455dce90f03

data/ext/cs__assess_regexp/cs__assess_regexp.c

@@ -3,8 +3,20 @@
 
 #include "cs__assess_regexp.h"
 #include "../cs__common/cs__common.h"
+#include "../cs__contrast_patch/cs__contrast_patch.h"
 #include <ruby.h>
 
+extern VALUE contrast_force_patch(const int argc, VALUE *argv) {
+  return contrast_check_and_register_instance_patch(
+        "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
+}
+
+/* check if method is prepended and register instance alias or prepend patch */
+VALUE contrast_check_and_register_instance_patch(const char *module_name,
+                                                  const char *method_name,
+                                                  VALUE(c_fn)(const int, VALUE *,
+                                                              const VALUE));
+
 void contrast_alias_method(const VALUE target, const char *to,
                            const char *from);
 
@@ -46,7 +58,8 @@ void Init_cs__assess_regexp(void) {
     rb_global_variable(&rb_sym_string);
     rb_sym_back_ref = ID2SYM(rb_intern("back_ref"));
     rb_global_variable(&rb_sym_back_ref);
+    rb_define_singleton_method(assess, "contrast_force_repatch_regexp", contrast_force_patch, 0);
 
-    rb_sym_assess_regexp_equal_squiggle = contrast_register_patch(
-        "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
+    rb_sym_assess_regexp_equal_squiggle = contrast_check_and_register_instance_patch(
+      "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
 }

data/ext/cs__assess_regexp/cs__assess_regexp.h

@@ -20,4 +20,6 @@ static VALUE contrast_assess_regexp_equal_squiggle(const int argc,
                                                    const VALUE *argv,
                                                    const VALUE regexp);
 
+extern VALUE contrast_force_patch(const int argc, VALUE *argv);
+
 void Init_cs__assess_regexp(void);

data/ext/cs__assess_string/cs__assess_string.c

@@ -17,6 +17,13 @@
  *     return rb_fstring(str);
  * }
  */
+
+/*
+ * This patch won't do the Prepend. We would call to the String instance'
+ * uminus directly and skip other propagation from prepended modules.
+ * We could come back to this one and rethink it's prepend patching.
+ */
+
 static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
                                            const VALUE obj) {
     if (!OBJ_FROZEN(obj)) {
@@ -55,6 +62,7 @@ void Init_cs__assess_string(void) {
     VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
     properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
 
+    /* We only do alias for this one */
     rb_sym_assess_string_uminus =
         contrast_register_patch("String", "-@", &contrast_assess_string_uminus);
     rb_sym_assess_string_freeze = contrast_register_patch(

data/ext/cs__assess_test/cs__assess_test.h

@@ -0,0 +1,9 @@
+#include <ruby.h>
+
+static VALUE dummy_regexp;
+static VALUE test_regexp;
+
+VALUE rb_equal_squiggle(const int argc, const VALUE *argv)
+void rb_force_prepend(void);
+
+void Init_cs__assess_test(void)

data/ext/cs__assess_test/cs__assess_tests.c

@@ -0,0 +1,22 @@
+#include "../cs__common/cs__common.h";
+#include "ruby.h"
+#include <ruby/re.h>
+
+static VALUE dummy_regexp;
+static VALUE test_regexp;
+
+VALUE rb_equal_squiggle(const int argc, const VALUE *argv) {
+    return rb_call_super(argc, argv);
+}
+
+void rb_force_prepend(void) {
+    rb_prepend_module(rb_cRegexp, dummy_regexp);
+}
+
+void Init_cs__assess_test(void) {
+    test_regexp = rb_define_module("ForcePrepend");
+    rb_define_singleton_method(test_regexp, "cs__force_prepend",
+                               rb_force_prepend, 0);
+    dummy_regexp = rb_define_module("DummyMod");
+    rb_define_method(dummy_regexp, "=~", rb_equal_squiggle, -1);
+}

data/ext/cs__assess_test/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/cs__common/cs__common.c

@@ -59,12 +59,14 @@ VALUE contrast_patcher() {
     return patcher;
 }
 
+/* register instance alias patch */
 VALUE contrast_register_patch(const char *module_name, const char *method_name,
                               VALUE(c_fn)(const int, VALUE *, const VALUE)) {
     return _contrast_register_patch(module_name, method_name, c_fn,
                                     IMPL_ALIAS_INSTANCE);
 }
 
+/* register singleton alias patch */
 VALUE contrast_register_singleton_patch(const char *module_name,
                                         const char *method_name,
                                         VALUE(c_fn)(const int, VALUE *,
@@ -73,6 +75,7 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                     IMPL_ALIAS_SINGLETON);
 }
 
+/* register instance prepend patch */
 VALUE contrast_register_prepend_patch(const char *module_name,
                                       const char *method_name,
                                       VALUE(c_fn)(const int, VALUE *,
@@ -81,6 +84,7 @@ VALUE contrast_register_prepend_patch(const char *module_name,
                                     IMPL_PREPEND_INSTANCE);
 }
 
+/* register singleton prepend patch */
 VALUE contrast_register_singleton_prepend_patch(const char *module_name,
                                                 const char *method_name,
                                                 VALUE(c_fn)(const int, VALUE *,
@@ -89,6 +93,31 @@ VALUE contrast_register_singleton_prepend_patch(const char *module_name,
                                     IMPL_PREPEND_SINGLETON);
 }
 
+/* check if method is prepended and register instance alias or prepend patch */
+/* module name c_char "Module"; */
+/* method name c_char  "method"; */
+/* c_func => pointer */
+VALUE contrast_check_and_register_instance_patch(
+    const char *module_name, const char *method_name,
+    VALUE(c_fn)(const int, VALUE *, const VALUE)) {
+
+    VALUE object, method, is_prepended, patch_type;
+    /* check if method is prepended */
+    object = rb_const_get(rb_cObject, rb_intern(module_name));
+    method = ID2SYM(rb_intern(method_name));
+    is_prepended = contrast_check_prepended(object, method, Qtrue);
+
+    if (is_prepended == Qtrue) {
+        /* prepend patch */
+        return _contrast_register_patch(module_name, method_name, c_fn,
+                                        IMPL_PREPEND_INSTANCE);
+    } else {
+        /* alias patch */
+        return _contrast_register_patch(module_name, method_name, c_fn,
+                                        IMPL_ALIAS_INSTANCE);
+    }
+}
+
 static VALUE
 _contrast_register_patch(const char *module_name, const char *method_name,
                          VALUE(c_fn)(const int, VALUE *, const VALUE),
@@ -133,6 +162,7 @@ _contrast_register_patch(const char *module_name, const char *method_name,
         break;
     case IMPL_PREPEND_INSTANCE:
         impl = ID2SYM(rb_sym_prepend_instance);
+        break;
     case IMPL_PREPEND_SINGLETON:
         impl = ID2SYM(rb_sym_prepend_singleton);
         break;
@@ -151,6 +181,71 @@ int rb_ver_below_three() {
     return ruby_version < 3;
 }
 
+/* used for direct check on object: String.cs__prepended? *args  */
+extern VALUE contrast_check_prepended(VALUE self, VALUE method_name,
+                                      VALUE is_instance) {
+    return _contrast_check_prepended(self, method_name, is_instance);
+}
+
+/* used for passing object to look if not called on itself.
+Contrast::Agent::Assess.cs__object_method_prepended? object, :method_name,
+true/false */
+extern VALUE contrast_lookout_prepended(VALUE self, VALUE object_name,
+                                        VALUE method_name, VALUE is_instance) {
+    /* object_name must be the object, the self value is needed to prevent
+     lookout for self, since is always passed first we skip it */
+    VALUE result =
+        _contrast_check_prepended(object_name, method_name, is_instance);
+    return result;
+}
+
+static VALUE _contrast_check_prepended(VALUE object, VALUE method_name,
+                                       VALUE is_instance) {
+    VALUE entry, ancestors, object_idx, entry_methods;
+    VALUE result = Qfalse;
+    int i;
+    int y;
+
+    /* get self ancestors */
+    ancestors = rb_mod_ancestors(object);
+    /* get the size of the array */
+    int length = RARRAY_LEN(ancestors);
+    /* Locate self in ancestors: */
+    for (i = 0; i < length; ++i) {
+        entry = rb_ary_entry(ancestors, i);
+        if (entry == object) {
+            object_idx = i;
+            break;
+        }
+    }
+
+    /* find all the prepended modules */
+    /* we have the object place in ancestors: */
+    /* [suspect, suspect, object, ...] */
+    for (i = 0; i < object_idx; ++i) {
+        entry = rb_ary_entry(ancestors, i);
+        if (is_instance == Qtrue) {
+            entry_methods = rb_class_instance_methods(1, entry, entry);
+        } else {
+            entry_methods = rb_obj_singleton_methods(1, entry, entry);
+        }
+
+        /* Loop through the instance/singleton methods of the prepended modules
+         */
+        int entry_methods_length = RARRAY_LEN(entry_methods);
+        for (y = 0; y <= entry_methods_length; ++y) {
+            if (rb_ary_entry(entry_methods, y) == method_name) {
+                result = Qtrue;
+                break;
+            }
+        }
+        if (result == Qtrue) {
+            break;
+        }
+    }
+    return result;
+}
+
 void Init_cs__common(void) {
     cs__send_method = rb_intern("send");
     cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));
@@ -191,4 +286,10 @@ void Init_cs__common(void) {
 
     core_extensions = rb_define_module_under(contrast, "Extension");
     core_assess = rb_define_module_under(core_extensions, "Assess");
+    /* defined for direct object check */
+    rb_define_singleton_method(rb_cObject, "cs__prepended?",
+                               contrast_check_prepended, 2);
+    /* defined for object lookout */
+    rb_define_singleton_method(assess, "cs__object_method_prepended?",
+                               contrast_lookout_prepended, 4);
 }

data/ext/cs__common/cs__common.h

@@ -57,15 +57,39 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                         VALUE(c_fn)(const int, VALUE *,
                                                     const VALUE));
 
-VALUE contrast_register_singleton_prepend_patch(
-    const char *module_name, const char *method_name,
-    VALUE(c_fn)(const int, VALUE *, const VALUE));
+VALUE contrast_register_prepend_patch(const char *module_name,
+                                      const char *method_name,
+                                      VALUE(c_fn)(const int, VALUE *,
+                                                  const VALUE));
 
-static VALUE
-_contrast_register_patch(const char *module_name, const char *method_name,
+
+VALUE contrast_register_singleton_prepend_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                             const VALUE));
+
+VALUE contrast_register_prepend_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                             const VALUE));
+
+static VALUE _contrast_register_patch(const char *module_name, const char *method_name,
                          VALUE(c_fn)(const int, VALUE *, const VALUE),
                          patch_impl patch_impl);
 
+static VALUE _contrast_check_prepended(VALUE self, VALUE method_name, VALUE is_instance);
+
+extern VALUE contrast_check_prepended(VALUE self, VALUE method_name, VALUE is_instance);
+
+extern VALUE contrast_lookout_prepended(VALUE self, VALUE object_name, VALUE method_name,
+                               VALUE is_instance);
+
+/* check if method is prepended and register instance alias or prepend patch */
+VALUE contrast_check_and_register_instance_patch(const char *module_name,
+                                                const char *method_name,
+                                                VALUE(c_fn)(const int, VALUE *,
+                                                            const VALUE));
+
 VALUE contrast_patcher();
 
 void Init_cs__common(void);

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -488,7 +488,7 @@ VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
             rb_funcall(originalModule, rb_intern("included_in"), 0);
         if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
             int i = 0;
-            int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+            int size = RARRAY_LEN(rb_incl_in_mod_ary);
             for (i = 0; i < size; ++i) {
                 module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
                 if (RB_TYPE_P(module_at, T_MODULE)) {

data/ext/cs__tests/cs__tests.c

@@ -0,0 +1,12 @@
+/* Copyright (c) 2022 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__tests.h"
+#include "../cs__common/cs__common.h"
+#include <ruby.h>
+
+/* Define any tests functions here, you could call a patch function and define
+ * it in Ruby */
+
+void Init_cs__tests(void) {
+}

data/ext/cs__tests/cs__tests.h

@@ -0,0 +1,3 @@
+#include <ruby.h>
+
+void Init_cs__tests(void);

data/ext/cs__tests/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/lib/contrast/agent/assess/contrast_object.rb

@@ -8,24 +8,22 @@ require 'contrast/agent/assess/tracker'
 module Contrast
   module Agent
     module Assess
-      # This class is a convenient holder of our version of an Object. It
-      # creates a String version of the Object from the original provided
-      # and keeps reference to the original's Tags, letting us determine if it
-      # was tracked when we try to report to TeamServer.
+      # This class is a convenient holder of our version of an Object. It creates a String version of the Object from
+      # the original provided and keeps reference to the original's Tags, letting us determine if it was tracked when
+      # we try to report to TeamServer.
       #
-      # @attr_reader object [String, nil] the Contrast string representing the
-      #   object.
-      # @attr_reader object_type [String] the name of the object's module.
-      # @attr_reader tags [Hash{String => Contrast::Agent::Assess::Tag}, nil]
-      #   the tags on the object before it was captured.
-      #
-      # TODO: RUBY-1083 determine if this is expensive and/or worth not storing
-      #   these values directly on ContrastEvent and passing them around. Args
-      #   probably make the argument for wrapping them b/c otherwise we'll have
-      #   to keep two arrays in synch or make an array of arrays, at which
-      #   point, we may as well make this.
+      # TODO: RUBY-1083 determine if this is expensive and/or worth not storing these values directly on ContrastEvent
+      #   and passing them around. Args probably make the argument for wrapping them b/c otherwise we'll have to keep
+      #   two arrays in synch or make an array of arrays, at which point, we may as well make this.
       class ContrastObject
-        attr_reader :object, :object_type, :tags
+        # @return [String] the Contrast String representation of the Object.
+        attr_reader :object
+        # @return [Integer] the __id__ of the original Object.
+        attr_reader :tracked_object_id
+        # @return [String] the name of the Class/Module of the Object.
+        attr_reader :object_type
+        # @return [Hash<Contrast::Agent::Assess::Tag>] the tags on the original Object.
+        attr_reader :tags
 
         # Capture the details about the object which we need to render it in
         # TeamServer.
@@ -34,10 +32,12 @@ module Contrast
         def initialize object
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
+            @tracked_object_id = object.__id__
             @object_type = object.cs__class.cs__name
             @tags = Contrast::Agent::Assess::Tracker.properties(object)&.get_tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING
+            @tracked_object_id = nil.__id__
             @object_type = nil.cs__class.cs__name
           end
         end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -9,22 +9,22 @@ module Contrast
   module Agent
     module Assess
       module Events
-        # This class holds the data about an event in the application
-        # We'll use it to build an event that TeamServer can consume if
-        # the object to which this event belongs ends in a trigger.
-        #
-        # @attr_reader request [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
-        #  was created
-        # @attr_reader source_name [String] the name of the source if it comes from a map-like entity
-        # @attr_reader source_type [String] the TeamServer understood type of source; i.e. parameter
+        # This class holds the data about an event in the application. We'll use it to build an event that TeamServer
+        # can consume if the object to which this event belongs ends in a trigger.
         class SourceEvent < Contrast::Agent::Assess::ContrastEvent
-          attr_reader :request, :source_name, :source_type
+          # @return [Contrast::Agent::Request] our wrapper around the Rack::Request at the time this source
+          #   was created
+          attr_reader :request
+          # @return [String] the name of the source if it comes from a map-like entity
+          attr_reader :source_name
+          # @return [String] the TeamServer understood type of source; i.e. parameter
+          attr_reader :source_type
 
           # @param event_data [Contrast::Agent::Assess::Events::EventData]
-          # @param source_type [String] the type of this source, from the
-          #       source_node, or a KEY_TYPE if invoked for a map,
-          # @param source_name [String, nil] the name of this source, i.e.
-          #       the key used to accessed if from a map or nil if a type like,
+          # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+          #   Hash
+          # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a Hash or
+          #   nil if a type like
           def initialize event_data, source_type = nil, source_name = nil
             super(event_data)
             @source_type = source_type
@@ -54,8 +54,7 @@ module Contrast
             @_forced_source_name ||= Contrast::Utils::StringUtils.force_utf8(source_name)
           end
 
-          # Probably only for source events, but we'll go
-          # with source_type instead. java & .net support source_type
+          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
           # in propagation events, so we'll future proof this
           def build_event_source_dtm
             # You can have a source w/o a name, but not w/o a type
@@ -67,8 +66,7 @@ module Contrast
             dtm
           end
 
-          # Probably only for source events, but we'll go
-          # with source_type instead. java & .net support source_type
+          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
           # in propagation events, so we'll future proof this
           def build_event_source
             # You can have a source w/o a name, but not w/o a type
@@ -80,8 +78,8 @@ module Contrast
             trace_event_source
           end
 
-          # We have to do a little work to figure out what our TS appropriate
-          # target is. To break this down, the logic is as follows:
+          # We have to do a little work to figure out what our TS appropriate target is. To break this down, the logic
+          # is as follows:
           # 1) I'll set the event's source and target to TS values.
           # 2) Return the first source/target as the taint target.
           def determine_taint_target event_dtm

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -32,22 +32,8 @@ module Contrast
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              different_ruby_version trace_point, provider_values, mod
-            end
-
-            def different_ruby_version trace_point, provider_values, mod
-              # TODO: RUBY-1014 - remove non-AST approach
-              if RUBY_VERSION >= '2.6.0'
-                # TODO: RUBY-714 EOL 2.5. That check will be removed and the code will be brought back in here.
-                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
-                provider_values.each do |provider|
-                  provider.parse(trace_point, ast)
-                end
-              else
-                provider_values.each do |provider|
-                  provider.analyze(mod)
-                end
-              end
+              ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+              provider_values.each { |provider| provider.parse(trace_point, ast) }
             end
 
             def policy

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -178,27 +178,23 @@ module Contrast
   end
 end
 
-if RUBY_VERSION >= '2.6.0'
-  # Special class to handle String#split in 2.6 which, when given a block,
-  # propagates each split piece directly
-  class String
-    alias_method :cs__patched_string_split_special, :split
-
-    # Override of the the standard split method to handle the 2.6 direct yield case.
-    #
-    # Note: because this patch is applied before our standard propagation, this
-    # call is wrapped in it. As such, any call here happens in scope, so there is
-    # no need to manage it on our own.
-    def split *args, &block
-      if block
-        Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
-          cs__patched_string_split_special(*args, &block)
-        end
-      else
+# Special class to handle String#split in which, when given a block, propagates each split piece directly.
+class String
+  alias_method :cs__patched_string_split_special, :split
+
+  # Override of the the standard split method to handle the direct yield case.
+  #
+  # Note: because this patch is applied before our standard propagation, this call is wrapped in it. As such, any call
+  # here happens in scope, so there is no need to manage it on our own.
+  def split *args, &block
+    if block
+      Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
         cs__patched_string_split_special(*args, &block)
       end
+    else
+      cs__patched_string_split_special(*args, &block)
     end
   end
-
-  Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split
 end
+
+Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -12,6 +12,7 @@ require 'contrast/agent/reporting/reporting_events/preflight'
 require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 
 module Contrast
   module Agent
@@ -152,18 +153,9 @@ module Contrast
               ruby_finding.attach_data trigger_node, source, object, ret, request, *args
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
               ruby_finding.hash_code = hash_code
-              # save the current finding
-              Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
 
-              new_preflight = Contrast::Agent::Reporting::Preflight.new
-              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              if request.route
-                new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
-              end
-              new_preflight_message.hash_code = hash_code
-              new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
-              new_preflight.messages << new_preflight_message
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+              new_preflight = Contrast::Agent::Reporting::BuildPreflight.build(ruby_finding, request)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
 
             private

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -113,12 +113,17 @@ module Contrast
               class_name = clazz.cs__name
 
               finding = assign_finding class_name, constant_string
-              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
               nil
             end
 
+            # @param class_name [String] the name of the class in which the hardcoded value is present
+            # @param constant_string [String] the name of the constant
+            # @return [Contrast::Api::Dtm::Finding]
             def assign_finding class_name, constant_string
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
@@ -158,7 +163,7 @@ module Contrast
 
             def save_and_report_finding ruby_finding, new_preflight
               Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -4,6 +4,7 @@
 require 'rack'
 require 'json'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
@@ -32,8 +33,13 @@ module Contrast
 
               if Contrast::Agent::Reporter.enabled?
                 report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
-                # TODO: RUBY-99999 preflight
-                Contrast::Agent.reporter.send_event(report)
+                if report.is_a?(Contrast::Agent::Reporting::Finding)
+                  request = Contrast::Agent::REQUEST_TRACKER.current&.request
+                  preflight = Contrast::Agent::Reporting::BuildPreflight.build(report, request)
+                  Contrast::Agent.reporter&.send_event(preflight)
+                else
+                  Contrast::Agent.reporter&.send_event(report)
+                end
               else
                 Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
               end
@@ -58,7 +64,7 @@ module Contrast
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
-            # @param response [Contrast::Agent::Response] the response of the application
+            # @param _response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? _response; end
 
@@ -92,6 +98,8 @@ module Contrast
               evidence.each_pair do |key, value|
                 finding.properties[key] = if value.cs__is_a?(Hash)
                                             Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          elsif value.cs__is_a?(Array)
+                                            value.map { Contrast::Utils::StringUtils.protobuf_format(_1) }.to_s
                                           else
                                             Contrast::Utils::StringUtils.protobuf_format(value)
                                           end