RubyGems - contrast-agent - Versions diffs - 6.1.2 → 6.4.0 - Mend

contrast-agent 6.1.2 → 6.4.0

Files changed (220) hide show

data/lib/contrast/agent/reporting/reporting_events/application_inventory.rb CHANGED Viewed

@@ -17,19 +17,12 @@ module Contrast
         #   discovered during first request processing.
         attr_reader :routes
-        class << self
-          def convert app_update_dtm
-            app_inventory = new
-            app_inventory.attach_data(app_update_dtm)
-            app_inventory
-          end
-        end
         def initialize
-          @routes = []
           @event_type = :application_inventory
           @event_method = :POST
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_inventory
+          # The API spec limits us to 500 routes, so we'll enforce that here to not hold on to superfulous data.
+          @routes = Contrast::Agent.framework_manager.find_route_discovery_data.take(500)
           super
         end
@@ -39,18 +32,10 @@ module Contrast
         def to_controlled_hash
           {
-              session_id: @agent_session_id_value,
+              session_id: ::Contrast::ASSESS.session_id,
               routes: routes.map(&:to_controlled_hash)
           }
         end
-        # @param inventory_dtm [Contrast::Api::Dtm::ApplicationUpdate]
-        # @return [Contrast::Agent::Reporting::ApplicationInventory]
-        def attach_data inventory_dtm
-          inventory_dtm.routes.each do |route|
-            @routes << Contrast::Agent::Reporting::DiscoveredRoute.convert(route)
-          end
-        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/application_update.rb CHANGED Viewed

@@ -17,23 +17,16 @@ module Contrast
       # system. Contains data used by TeamServer to render the Flow Map and SCA features.
       #
       # @attr_reader components [Array<Contrast::Agent::Reporting::ArchitectureComponent>]
-      # @attr_reader libraries [Array<Contrast::Agent::Reporting::LibraryDiscovery>]
+      # @attr_accessor libraries [Array<Contrast::Agent::Reporting::LibraryDiscovery>]
       class ApplicationUpdate < Contrast::Agent::Reporting::ApplicationReportingEvent
-        attr_reader :components, :libraries
-        class << self
-          # @param app_update_dtm [Contrast::Api::Dtm::ApplicationUpdate]
-          # @return [Contrast::Agent::Reporting::ApplicationUpdate]
-          def convert app_update_dtm
-            report = new
-            report.attach_data(app_update_dtm)
-            report
-          end
-        end
+        attr_reader :components
+        attr_accessor :libraries
         def initialize
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/update/application"
+          @components = []
+          @libraries = []
           super
         end
@@ -41,18 +34,6 @@ module Contrast
           'update-application'
         end
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly.
-        #
-        # @param app_update_dtm [Contrast::Api::Dtm::ApplicationUpdate]
-        def attach_data app_update_dtm
-          @components = app_update_dtm.components.map do |component|
-            Contrast::Agent::Reporting::ArchitectureComponent.convert(component)
-          end
-          @libraries = app_update_dtm.libraries.values.map do |library|
-            Contrast::Agent::Reporting::LibraryDiscovery.convert(library)
-          end
-        end
         # Convert the instance variables on the class, and other information, into the identifiers required for
         # TeamServer to process the JSON form of this message.
         #

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'contrast/api/dtm.pb'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -17,6 +18,7 @@ module Contrast
       # @attr_reader url [String] the url used to connect to the component. Required for reporting.
       # @attr_reader vendor [String] the publisher of the component, like MySQL.
       class ArchitectureComponent
+        include Contrast::Components::Logger::InstanceMethods
         # required attributes
         attr_reader :type, :url
         # optional attributes
@@ -55,7 +57,12 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ArchitectureComponent validation failed with: ', e)
+            return
+          end
           {
               remoteHost: remote_host,
               remotePort: remote_port,

data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb CHANGED Viewed

@@ -16,16 +16,87 @@ module Contrast
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
       class DiscoveredRoute < Contrast::Agent::Reporting::ObservedRoute
+        include Contrast::Components::Logger::InstanceMethods
         class << self
-          # @param dtm [Contrast::Api::Dtm::RouteCoverage]
+          # @param obj [Regexp, Object]
+          # @return [String]
+          def source_or_string obj
+            if obj.cs__is_a?(Regexp)
+              obj.source
+            elsif obj.cs__respond_to?(:safe_string)
+              obj.safe_string
+            else
+              obj.to_s
+            end
+          end
+          # Convert ActionDispatch::Journey::Route to Contrast::Agent::Reporting::DiscoveredRoute
+          #
+          # @param journey_obj [ActionDispatch::Journey::Route] a rails route
+          # @param url [String, nil] use url from string instead of journey object.
           # @return [Contrast::Agent::Reporting::DiscoveredRoute]
-          def convert dtm
-            discovered_route = new
-            discovered_route.attach_data(dtm)
-            discovered_route
+          def from_action_dispatch_journey journey_obj, url = nil
+            msg = new
+            msg.signature = "#{ journey_obj.defaults[:controller] }##{ journey_obj.defaults[:action] }"
+            verb = source_or_string(journey_obj.verb)
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(verb)
+            url ||= source_or_string(journey_obj.path.spec)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(url)
+            msg
+          end
+          # Convert Grape route data to discovered route.
+          #
+          # @param controller [::Grape::API] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @param pattern [String, Grape::Router::Route] the pattern that was matched in routing.
+          # @return [Contrast::Agent::Reporting::DiscoveredRoute]
+          def from_grape_controller controller, method, pattern, url = nil
+            if pattern.cs__is_a?(Grape::Router::Route)
+              safe_pattern = pattern.pattern&.path&.to_s
+              safe_url = source_or_string(url || safe_pattern)
+            else
+              safe_pattern = source_or_string(pattern)
+              safe_url = source_or_string(url || pattern)
+            end
+            msg = new
+            msg.signature = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
+            msg
+          end
+          # Convert Sinatra route data to discovered route.
+          #
+          # @param controller [::Sinatra::Base] the route's final controller.
+          # @param method [String] GET, PUT, POST, etc...
+          # @param pattern [::Mustermann::Sinatra]  the pattern that was matched in routing.
+          # @param url [String, nil] use url from string instead matched pattern.
+          # @return [Contrast::Agent::Reporting::DiscoveredRoute]
+          def from_sinatra_route controller, method, pattern, url = nil
+            safe_pattern = source_or_string(pattern)
+            safe_url = source_or_string(url || pattern)
+            msg = new
+            msg.signature = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
+            msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
+            msg
           end
         end
+        # @return [String] the controller, method, and pattern of this route
+        attr_accessor :signature
+        # @return [String] the url (or url pattern) used to access this route
+        attr_accessor :url
+        # @return [String, nil] the HTTP verb used to access this route or nil for any verb
+        attr_accessor :verb
         def initialize
           super
           @event_type = :discovered_route
@@ -34,18 +105,14 @@ module Contrast
           @url = Contrast::Utils::ObjectShare::EMPTY_STRING
         end
-        # @param dtm[Contrast::Api::Dtm::RouteCoverage]
-        def attach_data dtm
-          @signature = dtm.route
-          @verb = dtm.verb
-          @url = dtm.url
-        end
         def to_controlled_hash
-          validate
-          dr_hash = { session_id: @agent_session_id_value, signature: @signature, verb: @verb, url: @url }
-          dr_hash.delete(:verb) unless @verb
-          dr_hash
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('DiscoveredRoute validation failed with: ', e)
+            return
+          end
+          { session_id: ::Contrast::ASSESS.session_id, signature: @signature, verb: @verb, url: @url }.compact
         end
         def validate

data/lib/contrast/agent/reporting/reporting_events/finding.rb CHANGED Viewed

@@ -130,12 +130,18 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('Finding event validation failed with: ', e)
+            return
+          end
           hsh = {
               created: created,
               hash: hash_code.to_s,
               ruleId: rule_id,
-              session_id: @agent_session_id_value.to_s,
+              session_id: ::Contrast::ASSESS.session_id,
               version: 4
           }
           hsh[:events] = events.map(&:to_controlled_hash) if event_based?
@@ -152,7 +158,7 @@ module Contrast
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
-          unless @agent_session_id_value
+          unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ self } did not have a proper session id. Unable to continue.")
           end
           if event_based? && events.empty?

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb CHANGED Viewed

@@ -8,6 +8,7 @@ require 'contrast/agent/reporting/reporting_events/finding_event_signature'
 require 'contrast/agent/reporting/reporting_events/finding_event_source'
 require 'contrast/agent/reporting/reporting_events/finding_event_stack'
 require 'contrast/agent/reporting/reporting_events/finding_event_taint_range'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -17,6 +18,8 @@ module Contrast
       # construct the vulnerability information for the assess feature. They represent the operation the application
       # underwent that transformed data during the dataflow.
       class FindingEvent
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Symbol] what the event did; CREATION, A2O, A2P, A2A, A2R, O2A, O2O, O2P, O2R, P2A, P2O, P2P, P2R,
         #   TAG, TRIGGER.
         attr_reader :action
@@ -120,7 +123,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash # rubocop:disable Metrics/AbcSize
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEvent validation failed with: ', e)
+            return
+          end
           {
               action: action,
               args: args.map(&:to_controlled_hash),

data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 require 'base64'
 require 'contrast/agent/assess/contrast_object'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -12,6 +13,8 @@ module Contrast
       # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
       # objects that were acted on in a Dataflow Finding.
       class FindingEventObject
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Integer] the id of the Object this represents.
         attr_reader :hash
         # @return [Boolean] if the Object is tracked or not
@@ -52,7 +55,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventObject validation failed with: ', e)
+            return
+          end
           {
               hash: hash,
               tracked: tracked,
@@ -60,6 +69,7 @@ module Contrast
           }
         end
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper hash. Unable to continue.") unless hash
           raise(ArgumentError, "#{ self } did not have a proper tracked. Unable to continue.") if tracked.nil?

data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'base64'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # used by TeamServer to relate this event to those that came previously. They represent the events that directly
       # preceding the FindingEvent generated.
       class FindingEventParentObject
+        include Contrast::Components::Logger::InstanceMethods
         # @return [Integer] the Id of the parent event
         attr_reader :id
@@ -24,12 +27,19 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventParentObject validation failed with: ', e)
+            return
+          end
           {
               id: id
           }
         end
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper id. Unable to continue.") unless id
         end

data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/components/logger'
 module Contrast
   module Agent
     module Reporting
@@ -8,6 +10,8 @@ module Contrast
       # system to relay this information in the Finding/Trace messages. Events have properties on them which are held
       # as an array of key-value pairs.
       class FindingEventProperty
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] the key of the property
         attr_reader :key
         # @return [String] the value of the source
@@ -24,13 +28,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventProperty validation failed with: ', e)
+            return
+          end
           {
               key: key,
               value: value
           }
         end
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper key. Unable to continue.") unless key && !key.empty?
         end

data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'contrast/utils/object_share'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # TeamServer to construct the method signature for the assess feature. They represent the method invoked when the
       # FindingEvent was generated.
       class FindingEventSignature
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] the types of the arguments in this event; may be different for each invocation of the
         #   method.
         attr_reader :arg_types
@@ -73,7 +76,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSignature validation failed with: ', e)
+            return
+          end
           {
               argTypes: arg_types,
               className: class_name,

data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb CHANGED Viewed

@@ -4,6 +4,7 @@
 require 'base64'
 require 'contrast/agent/assess/contrast_event'
 require 'contrast/agent/assess/events/source_event'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -13,6 +14,8 @@ module Contrast
       # to construct the vulnerability information for the assess feature. They indicate the type of data that the
       # event represents.
       class FindingEventSource
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] the name of the source
         attr_reader :name
         # @return [String] the type of the source
@@ -45,13 +48,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSource validation failed with: ', e)
+            return
+          end
           {
               sourceName: name, # rubocop:disable Security/Module/Name
               sourceType: type
           }
         end
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type && !type.empty?
         end

data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/components/logger'
 module Contrast
   module Agent
     module Reporting
@@ -9,6 +11,8 @@ module Contrast
       # to construct the vulnerability information for the assess feature. They represent the callstack at the time
       # that each FindingEvent was generated.
       class FindingEventStack
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] unused
         attr_reader :eval
         # @return [String] the stack frame to show in TeamServer; the value of an entry in #caller
@@ -51,7 +55,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventStack validation failed with: ', e)
+            return
+          end
           {
               file: file
             # eval: eval, # This is unused by the Ruby agent

data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'contrast/agent/assess/tag'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
       # objects that are tracked because of a security relevant operation acting on them.
       class FindingEventTaintRange
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] the range (inclusive:exclusive), that this tag covers.
         attr_reader :range
         # @return [String] the type of action this tag represents.
@@ -41,13 +44,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventTaintRange validation failed with: ', e)
+            return
+          end
           {
               range: range,
               tag: tag
           }
         end
+        # @raise [ArgumentError]
         def validate
           unless range && !range.empty?
             raise(ArgumentError, "#{ self } did not have a proper range. Unable to continue.")

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+require 'contrast/components/logger'
 module Contrast
   module Agent
     module Reporting
@@ -9,6 +11,8 @@ module Contrast
       # HTTP information for the assess feature. They represent the literal request made that resulted in the
       # vulnerability being triggered.
       class FindingRequest
+        include Contrast::Components::Logger::InstanceMethods
         # @return [String] the body of this request
         attr_reader :body
         # @return [Hash<String,Array<String>>] the headers of this request
@@ -68,7 +72,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingRequest validation failed with: ', e)
+            return
+          end
           {
               body: body,
               headers: headers,