contrast-agent 6.1.0 → 6.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 456cd00d5b3c07ec1a845a6dbcb26d6d5b2891b03a352f06d290d405ff695596
-  data.tar.gz: 06ce1572dc8403fdf57ab6cbaa9ea51d8b7e52c4090d64badda5001aabb608ac
+  metadata.gz: e548b3df856f888229a5125c351404c3f5b04fcd7ecb5c91937f480ce91c9d42
+  data.tar.gz: 00c6ee55996e75602d1b80da133a362d3205cb5ef5de0f5c1a35b214528fea2a
 SHA512:
-  metadata.gz: 8ab067665857065d8325547faa13c3f41679e9a9a9de9a70245e310a2229b1d1097ee2198ae45ab9be5804835764c9004372ec03c8a7f2e2ce8ee3bafda332b1
-  data.tar.gz: cda25e738349d4ba06e6ada4fbb146341f883b92a444b9179dcb8e1e21d21d5c6fcd50503a599a9a55248e40078213f521dac5bdd610480650034455dce90f03
+  metadata.gz: ad8d0f64dc798a22072e977cf0ff83ba47df54a3f24802386a52d2d338f365a02cac5db943868a55ecdf7641e44384f580e55e5d1b05a78522e88c5244013346
+  data.tar.gz: 804a464d38a9e023da53ce82009573571a6197c9f3f00642988457ac32b8ecc8631ea0a3cfd8bc678918df8afbb1cb24c51fa79dff1fe8fb278c5e966bff74e1

data/.simplecov

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-SimpleCov.minimum_coverage line: 95
+SimpleCov.minimum_coverage(line: 94)
 SimpleCov.start do
   add_filter '/spec/'
   enable_coverage :branch

data/Rakefile

@@ -13,7 +13,7 @@ CLOBBER << 'shared_libraries/*'
 
 Dir['ext/cs__*'].each do |extension|
   name = extension.split('/')[1]
-  Rake::ExtensionTask.new name do |ext|
+  Rake::ExtensionTask.new(name) do |ext|
     ext.lib_dir = "lib/#{ name }"
   end
 end

data/ext/build_funchook.rb

@@ -52,13 +52,13 @@ unless find_header('funchook.h', ext_path)
 
     TARGET_PATHS.each do |target_path|
       unless File.writable?(target_path)
-        puts "Unable to copy into #{ target_path } - directory not writable"
+        puts("Unable to copy into #{ target_path } - directory not writable")
         next
       end
-      puts "Copying #{ source_file_path } into #{ target_path }"
+      puts("Copying #{ source_file_path } into #{ target_path }")
       FileUtils.cp(source_file_path, target_path)
     rescue StandardError
-      puts "Error while copying #{ source_file } to #{ target_path }"
+      puts("Error while copying #{ source_file } to #{ target_path }")
     end
   end
 end

data/ext/cs__assess_basic_object/cs__assess_basic_object.c

@@ -17,6 +17,10 @@
  *  }
  */
 
+VALUE contrast_check_and_register_instance_patch(
+    const char *module_name, const char *method_name,
+    VALUE(c_fn)(const int, VALUE *, const VALUE));
+
 void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
                                                  VALUE ret) {
     rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
@@ -61,6 +65,6 @@ void Init_cs__assess_basic_object(void) {
      * but if someone else patched BasicObject#instance_eval,
      * IDK if this is intentional... noting it.  -ajm
      */
-    contrast_register_patch("BasicObject", "instance_eval",
+    contrast_check_and_register_instance_patch("BasicObject", "instance_eval",
                             contrast_assess_basic_object_instance_eval);
 }

data/ext/extconf_common.rb

@@ -5,7 +5,7 @@ require 'mkmf'
 require_relative '../lib/contrast/agent/version'
 
 def make!
-  create_makefile "#{ $TO_MAKE }/#{ $TO_MAKE }"
+  create_makefile("#{ $TO_MAKE }/#{ $TO_MAKE }")
 end
 
 def ext_path

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -22,11 +22,11 @@ module Contrast
             else
               ObjectSpace.define_finalizer(key, finalizing_proc)
             end
-            super key.__id__, obj
+            super(key.__id__, obj)
           end
 
           def [] key
-            super key.__id__
+            super(key.__id__)
           end
 
           # Something is trackable if it is not a collection and either not frozen or it was frozen after we put a

data/lib/contrast/agent/assess/policy/policy.rb

@@ -18,11 +18,20 @@ module Contrast
         # This is just a holder for our policy. Takes the policy JSON and
         # converts it into hashes that we can access nicely
         class Policy < Contrast::Agent::Patching::Policy::Policy
+          PROVIDER_CLASSES = [
+            Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
+            Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
+          ].cs__freeze
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
             'assess'
           end
 
+          def initialize
+            super
+            load_providers
+          end
+
           # Indicates is this feature has been disabled by the configuration,
           # read at startup, and therefore can never be enabled.
           def disabled_globally?
@@ -33,11 +42,6 @@ module Contrast
             Contrast::Agent::Assess::Policy::TriggerNode
           end
 
-          def initialize
-            super
-            load_providers
-          end
-
           # Our policy for dataflow rules is a 'dope ass' JSON file. Rather than
           # hard code in a bunch of things to monkey patch, we let the JSON file
           # define the conditions in which sources, propagators, and triggers are
@@ -88,11 +92,6 @@ module Contrast
               providers[instance.rule_id] = instance
             end
           end
-
-          PROVIDER_CLASSES = [
-            Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
-            Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
-          ].cs__freeze
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -14,6 +14,14 @@ module Contrast
         # Ruby object, allowing for dynamic patching over hardcoded patching.
         class PolicyNode < Contrast::Agent::Patching::Policy::PolicyNode
           include PolicyNodeUtils
+          JSON_TAGS = 'tags'
+          JSON_DATAFLOW = 'dataflow'
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_SOURCE = 'source'
+          ALL_TYPE = 'A'
+          JSON_TARGET = 'target'
+          TO_MARKER = '2'
 
           attr_accessor :tags, :type
           attr_reader   :sources, :targets, :source_string, :target_string
@@ -45,7 +53,7 @@ module Contrast
             @sources = convert_policy_markers(source_string)
             @targets = convert_policy_markers(target_string)
             @_use_original_object = ORIGINAL_OBJECT_METHODS.include?(@method_name)
-            @_use_original_on_bang_method = assign_on_bang_check policy_hash
+            @_use_original_on_bang_method = assign_on_bang_check(policy_hash)
           end
 
           def assign_on_bang_check policy_hash
@@ -116,8 +124,6 @@ module Contrast
             end
           end
 
-          ALL_TYPE = 'A'
-          TO_MARKER = '2'
           # Convert our action, built from our source and target, into
           # the TS appropriate action. That's a single source to single
           # target marker (A,O,P,R)
@@ -149,13 +155,6 @@ module Contrast
             @event_action
           end
 
-          # The keys used to read from policy.json to create the individual
-          # policy nodes. These are common across node types
-          JSON_SOURCE = 'source'
-          JSON_TARGET = 'target'
-          JSON_TAGS = 'tags'
-          JSON_DATAFLOW = 'dataflow'
-
           # This method will check if a method is fit to use it's original object and
           # that the method is without bang - it does not change the source, but rather
           # creates a copy of it.

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -216,8 +216,8 @@ module Contrast
               # If we are using the original object tracking, the preshift object is not created.
               # Instead identify the source as the original object itself and propagate with it.
               source = propagation_node.use_original_object? ? propagation_data.object : preshift
-              handle_propagation propagation_class, propagation_node, source, target
-              update_properties restore_frozen_state, propagation_node, target, propagation_data, ret
+              handle_propagation(propagation_class, propagation_node, source, target)
+              update_properties(restore_frozen_state, propagation_node, target, propagation_data, ret)
             end
 
             def handle_propagation propagation_class, propagation_node, source, target
@@ -230,7 +230,7 @@ module Contrast
 
             def update_properties restore_frozen_state, propagation_node, target, propagation_data, ret
               if propagation_node.use_original_on_bang_method?
-                properties = use_original_object_properties propagation_data
+                properties = use_original_object_properties(propagation_data)
 
                 return unless properties
               else

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -22,6 +22,8 @@ module Contrast
           attr_reader :untags, :patch_method
           attr_accessor :action, :patch_class
 
+          TAGGER = 'Tagger'
+          PROPAGATOR = 'Propagator'
           # Most things here carry over from PolicyNode.
           # A couple things are new / have new rules
           #
@@ -41,9 +43,6 @@ module Contrast
             validate
           end
 
-          TAGGER = 'Tagger'
-          PROPAGATOR = 'Propagator'
-
           def node_class
             @_node_class ||= tagger? ? TAGGER : PROPAGATOR
           end

data/lib/contrast/agent/assess/policy/propagator/base.rb

@@ -26,7 +26,7 @@ module Contrast
               end
 
               def propagate _propagation_node, _preshift, _target
-                raise NoMethodError("Expected Base propagator subclass: #{ cs__class } to implement #propagate")
+                raise(NoMethodError("Expected Base propagator subclass: #{ cs__class } to implement #propagate"))
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/buffer.rb

@@ -106,7 +106,8 @@ module Contrast
                   ret
                 else
                   # SELECT
-                  Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger propagation_node, preshift, ret, nil
+                  Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger(propagation_node, preshift, ret,
+                                                                                    nil)
                 end
               end
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -31,7 +31,7 @@ module Contrast
                   ::Contrast::ASSESS.tainted_columns[class_name] = tainted_columns.keys
                 end
 
-                Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns
+                Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources(class_type, tainted_columns)
               end
 
               private

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -51,7 +51,7 @@ module Contrast
                 if arg.is_a?(String) || arg.is_a?(File)
                   tracked_inputs << arg if tracked_value?(arg)
                 else
-                  iterable_arg tracked_inputs, arg
+                  iterable_arg(tracked_inputs, arg)
                 end
               end
 

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -41,7 +41,7 @@ module Contrast
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
 
-                update_element_properties propagation_node, target, preshift, source_properties
+                update_element_properties(propagation_node, target, preshift, source_properties)
                 nil
               end
 
@@ -97,7 +97,7 @@ module Contrast
               def instrument_string_split
                 @_instrument_string_split ||= begin
                   if ::Contrast::AGENT.patch_yield? && Funchook.available?
-                    require 'cs__assess_yield_track/cs__assess_yield_track'
+                    require('cs__assess_yield_track/cs__assess_yield_track')
                   end
                   true
                 rescue StandardError => e

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -40,7 +40,7 @@ module Contrast
                 source = preshift.object
                 args = preshift.args
                 properties.splat_from(source, ret)
-                event_data = Contrast::Agent::Assess::Events::EventData.new patcher, ret, source, ret, args
+                event_data = Contrast::Agent::Assess::Events::EventData.new(patcher, ret, source, ret, args)
                 properties.build_event(event_data)
                 ret
               end

data/lib/contrast/agent/assess/policy/source_node.rb

@@ -15,13 +15,13 @@ module Contrast
 
           JSON_TYPE = 'type'
           SOURCE_TAG = 'UNTRUSTED'
+          SOURCE = 'Source'
           def initialize source_hash = {}
             super(source_hash)
             @type = source_hash[JSON_TYPE]
             @tags << SOURCE_TAG
           end
 
-          SOURCE = 'Source'
           def node_class
             SOURCE
           end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -93,7 +93,7 @@ module Contrast
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
 
               if content_type.nil? && trigger_node.collectable?
-                Contrast::Agent::FINDINGS.collect_finding trigger_node, source, object, ret, *args
+                Contrast::Agent::FINDINGS.collect_finding(trigger_node, source, object, ret, *args)
                 return
               end
 
@@ -106,8 +106,8 @@ module Contrast
                 handle_new_finding(trigger_node, source, object, ret, request, *args)
               else # TODO: RUBY-1438 -- remove
                 finding = Contrast::Api::Dtm::Finding.new
-                event_data = Contrast::Agent::Assess::Events::EventData.new trigger_node, source, object, ret, args
-                append_to_finding finding, event_data, request
+                event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
+                append_to_finding(finding, event_data, request)
                 logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
                                                 rule: trigger_node.rule_id)
                 report_finding(finding, request)
@@ -143,14 +143,14 @@ module Contrast
 
               # If we're out of request context, then we need to report this finding ourselves,
               # so we'll send it in the one-off activity we created.
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent.messaging_queue&.send_event_eventually(activity)
             end
 
             def handle_new_finding trigger_node, source, object, ret, request, *args
               # sent to reporter
               # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new trigger_node.rule_id
-              ruby_finding.attach_data trigger_node, source, object, ret, request, *args
+              ruby_finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
+              ruby_finding.attach_data(trigger_node, source, object, ret, request, *args)
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
               ruby_finding.hash_code = hash_code
 
@@ -209,7 +209,7 @@ module Contrast
               properties = Contrast::Agent::Assess::Tracker.properties(source)
               return unless properties
 
-              build_events finding, properties.event if properties.event
+              build_events(finding, properties.event) if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this long form
               source_props = properties.properties

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -28,6 +28,21 @@ module Contrast
 
           attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
 
+          ENCODER_START = 'CUSTOM_ENCODED_'
+          # By default, any rule will be triggered if the source
+          # of the rule event has an untrusted tag range that is
+          # not covered by one of its disallowed tags.
+          UNTRUSTED = 'UNTRUSTED'
+          TRIGGER = 'Trigger'
+          VALIDATOR_START = 'CUSTOM_VALIDATED_'
+          # If a level 1 rule comes from TeamServer, it will have the
+          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
+          # All rules should take this into account.
+          # Additionally, if something is marked 'limited-chars' it means
+          # it has been properly vetted to not contain dangerous input.
+          LIMITED_CHARS = 'LIMITED_CHARS'
+          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
+          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             good_value = trigger_hash[JSON_GOOD_VALUE]
@@ -46,7 +61,6 @@ module Contrast
             validate
           end
 
-          TRIGGER = 'Trigger'
           def node_class
             TRIGGER
           end
@@ -138,10 +152,6 @@ module Contrast
 
           private
 
-          # By default, any rule will be triggered if the source
-          # of the rule event has an untrusted tag range that is
-          # not covered by one of its disallowed tags.
-          UNTRUSTED = 'UNTRUSTED'
           def populate_tags required_tags
             return unless dataflow?
 
@@ -150,16 +160,6 @@ module Contrast
             @required_tags << UNTRUSTED
           end
 
-          ENCODER_START = 'CUSTOM_ENCODED_'
-          VALIDATOR_START = 'CUSTOM_VALIDATED_'
-          # If a level 1 rule comes from TeamServer, it will have the
-          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
-          # All rules should take this into account.
-          # Additionally, if something is marked 'limited-chars' it means
-          # it has been properly vetted to not contain dangerous input.
-          LIMITED_CHARS = 'LIMITED_CHARS'
-          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
-          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def populate_disallowed disallowed_tags
             return unless dataflow?
 
@@ -195,7 +195,7 @@ module Contrast
             chunking = false
             ranges = []
             # find the start and end range of required tags:
-            search_ranges = find_required_ranges properties, required_tags
+            search_ranges = find_required_ranges(properties, required_tags)
             start_range = search_ranges.first
             end_range = search_ranges.last + 1
 

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -49,7 +49,7 @@ module Contrast
 
                 # Use #match? because it doesn't fill out global variables
                 # in the way match or =~ do.
-                VULNERABLE_PATTERN.match? regexp.source
+                VULNERABLE_PATTERN.match?(regexp.source)
               end
             end
           end

data/lib/contrast/agent/assess/property/evented.rb

@@ -42,8 +42,8 @@ module Contrast
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
-            append_to_dtm current_request, event
-            append_to_ruby_object current_request, event
+            append_to_dtm(current_request, event)
+            append_to_ruby_object(current_request, event)
           end
 
           def append_to_dtm current_request, event

data/lib/contrast/agent/assess/property/tagged.rb

@@ -91,7 +91,7 @@ module Contrast
               value.each do |tag|
                 comparison = tag.compare_range(range.begin, range.end)
                 # ABOVE and BELOW are not affected by this check
-                tags_remove_comparison comparison, tag, remove, add, range
+                tags_remove_comparison(comparison, tag, remove, add, range)
               end
               value.delete_if { |tag| remove.include?(tag) }
               Contrast::Utils::TagUtil.ordered_merge(value, add)
@@ -166,7 +166,7 @@ module Contrast
                 comparison = tag.compare_range(range.begin, range.end)
                 length = range.end - range.begin
                 # BELOW is not affected by this check
-                shift_tags_comparison comparison, add, tag, length, range
+                shift_tags_comparison(comparison, add, tag, length, range)
               end
               Contrast::Utils::TagUtil.ordered_merge(value, add)
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -12,28 +12,27 @@ module Contrast
           # 2) the value is a non-empty array of only Fixnums
           class HardcodedKey
             include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
-
+            REDACTED_MARKER = ' = [**REDACTED**]'
             NAME = 'hardcoded-key'
-            def rule_id
-              NAME
-            end
-
             # These are names, determined by the security team (Matt & Ar), that
             # indicate a field is likely to be a password or secret token of some
             # sort.
             KEY_FIELD_NAMES = %w[KEY AES DES IV SECRET].cs__freeze
-
             # These are markers whose presence indicates that a field is more
             # likely to be a descriptor or requirement than an actual key.
             # We should ignore fields that contain them.
             NON_KEY_PARTIAL_NAMES = %w[CONTENT_CODES RESPONSE_CODES ERROR_CODES].cs__freeze
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+
+            def rule_id
+              NAME
+            end
 
             def name_passes? constant_string
               KEY_FIELD_NAMES.any? { |name| constant_string.index(name) } &&
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
             # Determine if the given value node violates the hardcode key rule
             # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
             #   evaluate
@@ -66,7 +65,6 @@ module Contrast
               true
             end
 
-            REDACTED_MARKER = ' = [**REDACTED**]'
             def redacted_marker
               REDACTED_MARKER
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -15,12 +15,9 @@ module Contrast
           #     mixing the characters counts as a violation of this rule
           class HardcodedPassword
             include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
-
             NAME = 'hardcoded-password'
-            def rule_id
-              NAME
-            end
-
+            REDACTED_MARKER = ' = "**REDACTED**"'
+            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             # These are names, determined by the security team (Matt & Ar), that
             # indicate a field is likely to be a password or secret token of some
             # sort.
@@ -34,6 +31,10 @@ module Contrast
               URI
             ].cs__freeze
 
+            def rule_id
+              NAME
+            end
+
             # If the constant looks like a password and it doesn't look like a
             # password descriptor, it passes for this rule
             def name_passes? constant_string
@@ -62,12 +63,10 @@ module Contrast
             # characters are probably more likely to appear together in a
             # default placeholder than in a password. Note this is opposite of
             # the behavior in Java
-            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             def probably_property_name? value
               value.match?(PROPERTY_NAME_PATTERN)
             end
 
-            REDACTED_MARKER = ' = "**REDACTED**"'
             def redacted_marker
               REDACTED_MARKER
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -86,9 +86,9 @@ module Contrast
               return unless value_node_passes?(value)
 
               if Contrast::Agent::Reporter.enabled?
-                new_finding_and_reporting mod, name
+                new_finding_and_reporting(mod, name)
               else # TODO: RUBY-1438 -- remove
-                build_finding mod, name
+                build_finding(mod, name)
               end
             end
 
@@ -112,7 +112,7 @@ module Contrast
             def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
-              finding = assign_finding class_name, constant_string
+              finding = assign_finding(class_name, constant_string)
               activity = Contrast::Api::Dtm::Activity.new
               activity.findings << finding
               Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
@@ -153,12 +153,12 @@ module Contrast
 
               # extract to new method
               # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+              ruby_finding = Contrast::Agent::Reporting::Finding.new(rule_id)
               ruby_finding.hash_code = hash
               ruby_finding.properties[SOURCE_KEY] = clazz.cs__name
               ruby_finding.properties[CONSTANT_NAME_KEY] = constant_string
               ruby_finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
-              save_and_report_finding ruby_finding, new_preflight
+              save_and_report_finding(ruby_finding, new_preflight)
             end
 
             def save_and_report_finding ruby_finding, new_preflight

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -17,6 +17,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if something was set incorrectly or
           # insecurely in it.
           class BaseRule
+            DATA = 'data'.cs__freeze
             # Analyze a given application response to determine if it violates the rule
             #
             # TODO: RUBY-999999 either extract the response's body or memoize it to some degree so that it's not
@@ -47,8 +48,6 @@ module Contrast
 
             protected
 
-            DATA = 'data'.cs__freeze
-
             # Rules discern which responses they can/should analyze.
             #
             # @param response [Contrast::Agent::Response] the response of the application
@@ -82,7 +81,7 @@ module Contrast
               finding.rule_id = rule_id
               context = Contrast::Agent::REQUEST_TRACKER.current
               finding.routes << context.route if context&.route
-              build_evidence evidence, finding
+              build_evidence(evidence, finding)
               hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)