contrast-agent 6.2.0 → 6.5.0

data/lib/contrast/agent/reporting/reporting_events/finding_event_signature.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # TeamServer to construct the method signature for the assess feature. They represent the method invoked when the
       # FindingEvent was generated.
       class FindingEventSignature
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the types of the arguments in this event; may be different for each invocation of the
         #   method.
         attr_reader :arg_types
@@ -73,7 +76,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSignature validation failed with: ', e)
+            return
+          end
+
           {
               argTypes: arg_types,
               className: class_name,

data/lib/contrast/agent/reporting/reporting_events/finding_event_source.rb

@@ -4,6 +4,7 @@
 require 'base64'
 require 'contrast/agent/assess/contrast_event'
 require 'contrast/agent/assess/events/source_event'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -13,6 +14,8 @@ module Contrast
       # to construct the vulnerability information for the assess feature. They indicate the type of data that the
       # event represents.
       class FindingEventSource
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the name of the source
         attr_reader :name
         # @return [String] the type of the source
@@ -45,13 +48,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventSource validation failed with: ', e)
+            return
+          end
+
           {
               sourceName: name, # rubocop:disable Security/Module/Name
               sourceType: type
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type && !type.empty?
         end

data/lib/contrast/agent/reporting/reporting_events/finding_event_stack.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Reporting
@@ -9,6 +11,8 @@ module Contrast
       # to construct the vulnerability information for the assess feature. They represent the callstack at the time
       # that each FindingEvent was generated.
       class FindingEventStack
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] unused
         attr_reader :eval
         # @return [String] the stack frame to show in TeamServer; the value of an entry in #caller
@@ -51,7 +55,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventStack validation failed with: ', e)
+            return
+          end
+
           {
               file: file
             # eval: eval, # This is unused by the Ruby agent

data/lib/contrast/agent/reporting/reporting_events/finding_event_taint_range.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/tag'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
       # objects that are tracked because of a security relevant operation acting on them.
       class FindingEventTaintRange
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the range (inclusive:exclusive), that this tag covers.
         attr_reader :range
         # @return [String] the type of action this tag represents.
@@ -41,13 +44,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventTaintRange validation failed with: ', e)
+            return
+          end
+
           {
               range: range,
               tag: tag
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           unless range && !range.empty?
             raise(ArgumentError, "#{ self } did not have a proper range. Unable to continue.")

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Reporting
@@ -9,6 +11,8 @@ module Contrast
       # HTTP information for the assess feature. They represent the literal request made that resulted in the
       # vulnerability being triggered.
       class FindingRequest
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the body of this request
         attr_reader :body
         # @return [Hash<String,Array<String>>] the headers of this request
@@ -68,7 +72,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingRequest validation failed with: ', e)
+            return
+          end
+
           {
               body: body,
               headers: headers,

data/lib/contrast/agent/reporting/reporting_events/library_discovery.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/api/dtm.pb'
+require 'contrast/utils/string_utils'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,41 +18,31 @@ module Contrast
       # @attr_reader file [String] the name of the Gem. Required for reporting.
       # @attr_reader hash [String] the Sha256 of the Gem, matching its hash in RubyGems. Required for reporting.
       # @attr_reader internal_date [Integer] the time, in ms, when the Gem was published. Required for reporting.
-      # @attr_reader manifest [String] the YAML form of the Gem's specification.
+      # @attr_accessor manifest [String] the YAML form of the Gem's specification.
       # @attr_reader tags [String] Inventory tags set by the user via configuration.
       # @attr_reader url [String] The homepage of the Gem.
       # @attr_reader version [String] The version of the Gem.
       class LibraryDiscovery
+        include Contrast::Components::Logger::InstanceMethods
+
+        StringUtils = Contrast::Utils::StringUtils
+
         # required attributes
         attr_reader :external_date, :file, :hash, :internal_date
         # optional attributes
-        attr_reader :class_count, :manifest, :tags, :url, :version
-
-        class << self
-          # Convert a DTM for SpeedRacer to an Event for TeamServer.
-          #
-          # @param library_dtm [Contrast::Api::Dtm::Library]
-          # @return [Contrast::Agent::Reporting::LibraryDiscovery]
-          def convert library_dtm
-            report = new
-            report.attach_data(library_dtm)
-            report
-          end
-        end
+        attr_reader :class_count, :tags, :url, :version
+        attr_accessor :manifest
 
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly
-        #
-        # @param library_dtm [Contrast::Api::Dtm::Library]
-        def attach_data library_dtm
-          @class_count = library_dtm.class_count
-          @external_date = library_dtm.external_ms
-          @file = library_dtm.file_path
-          @hash = library_dtm.hash_code
-          @internal_date = library_dtm.internal_ms
-          @manifest = library_dtm.manifest
+        def initialize digest, spec
+          @file = StringUtils.force_utf8(spec.name) # rubocop:disable Security/Module/Name
+          @hash = StringUtils.force_utf8(digest)
+          @version     = StringUtils.force_utf8(spec.version)
+          @manifest    = StringUtils.force_utf8(StringUtils.force_utf8(spec.to_yaml.to_s))
+          @external_date = (spec.date.to_f * 1000.0).to_i
+          @internal_date = @external_date
+          @url         = StringUtils.force_utf8(spec.homepage)
+          @class_count = Contrast::Utils::Sha256Builder.instance.files(spec.full_gem_path.to_s).length
           @tags = Contrast::INVENTORY.tags
-          @url = library_dtm.url
-          @version = library_dtm.version
         end
 
         # Convert the instance variables on the class, and other information, into the identifiers required for
@@ -59,8 +51,14 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          msg = {
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('LibraryDiscovery validation failed with: ', e)
+            return
+          end
+
+          {
               classCount: class_count,
               externalDate: external_date,
               file: file,
@@ -68,10 +66,9 @@ module Contrast
               internalDate: internal_date,
               manifest: manifest,
               url: url,
-              version: version
-          }
-          msg[:tags] = tags if tags
-          msg
+              version: version,
+              tags: tags
+          }.compact
         end
 
         # Ensure the required fields are present.

data/lib/contrast/agent/reporting/reporting_events/library_usage_observation.rb

@@ -1,11 +1,15 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Reporting
       # The usage, meaning loaded files, of a library seen during this request
       class LibraryUsageObservation
+        include Contrast::Components::Logger::InstanceMethods
+
         # @param [String] Sha256Sum of library as identified by the agent
         attr_accessor :id
         # @param [Array<String>] List of file paths that have been loaded out of or executed by the library
@@ -18,14 +22,22 @@ module Contrast
           @names = class_names
         end
 
+        # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('LibraryUsageObservation validation failed with: ', e)
+            return
+          end
+
           {
               id: @id,
               names: @names
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper id. Unable to continue.") unless id
           raise(ArgumentError, "#{ self } did not have a proper names. Unable to continue.") if names.empty?

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb

@@ -3,15 +3,16 @@
 
 require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/agent/reporting/reporting_events/library_usage_observation'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
     module Reporting
       # List of libraries that have been observed to have something loaded or executed.
-      #
       class ObservedLibraryUsage < Contrast::Agent::Reporting::ApplicationReportingEvent
-        # @attr_reader observations - Array[Contrast::Agent::Reporting::LibraryUsageObservation]
-        #                            - Hash of LibraryUsageObservations
+        include Contrast::Components::Logger::InstanceMethods
+
+        # @return Array[Contrast::Agent::Reporting::LibraryUsageObservation]
         attr_reader :observations
 
         def initialize
@@ -25,17 +26,19 @@ module Contrast
         end
 
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ObservedLibraryUsage validation failed with: ', e)
+            return
+          end
+
           { observations: @observations.map(&:to_controlled_hash) }
         end
 
         def validate
           raise(ArgumentError, "#{ self } did not have observations. Unable to continue.") if observations.empty?
         end
-
-        def clear
-          @observations = []
-        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/observed_route.rb

@@ -16,6 +16,8 @@ module Contrast
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
       class ObservedRoute < Contrast::Agent::Reporting::ApplicationReportingEvent
+        include Contrast::Components::Logger::InstanceMethods
+
         # @param [String] the method signature used to uniquely identify the coverage report.
         attr_accessor :signature
         # @param [String] the normalized URL used to access the method in the route.
@@ -45,18 +47,23 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          rc_hash = {
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ObservedRoute validation failed with: ', e)
+            return
+          end
+
+          {
               session_id: ::Contrast::ASSESS.session_id,
               sources: @sources.map(&:to_controlled_hash),
               signature: @signature,
               verb: @verb,
               url: @url
-          }
-          rc_hash.delete(:verb) unless @verb
-          rc_hash
+          }.compact
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper sources. Unable to continue.") if @sources.nil?
           raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -38,7 +38,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('PreflightMessage validation failed with: ', e)
+            return
+          end
+
           {
               code: CODE,
               app_language: @app_language,
@@ -51,6 +57,7 @@ module Contrast
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.") unless data
           unless @app_name

data/lib/contrast/agent/reporting/reporting_events/reporting_event.rb

@@ -14,6 +14,8 @@ module Contrast
       #
       # @abstract
       class ReportingEvent
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the endpoint, with host, to which this event should be sent
         attr_reader :event_endpoint
         # @return event_method [Symbol] the HTTP method to use to send this event
@@ -35,7 +37,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ReportingEvent validation failed with: ', e)
+            return
+          end
+
           {}
         end
 

data/lib/contrast/agent/reporting/reporting_events/route_discovery.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/reporting/reporting_events/route_discovery_observation'
 require 'contrast/api/dtm.pb'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,6 +18,8 @@ module Contrast
       # @attr_reader signature [String] the unique identifier for this route; typically the method signature. Required
       #   for reporting.
       class RouteDiscovery
+        include Contrast::Components::Logger::InstanceMethods
+
         # required attributes
         attr_reader :observations, :signature
 
@@ -47,7 +50,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('RouteDiscovery validation failed with: ', e)
+            return
+          end
+
           {
               count: 0, # we have this to make TS happy
               observations: @observations.map(&:to_controlled_hash),

data/lib/contrast/agent/reporting/reporting_events/route_discovery_observation.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/api/dtm.pb'
 require 'contrast/utils/string_utils'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,6 +17,8 @@ module Contrast
       # @attr_reader verb [String] the HTTP Method requested to his this endpoint. Empty means all, so is allowed.
       #   for reporting.
       class RouteDiscoveryObservation
+        include Contrast::Components::Logger::InstanceMethods
+
         # required attributes
         attr_reader :url
         # optional attributes
@@ -47,10 +50,14 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
-          hash = { url: url }
-          hash[:verb] = verb if verb
-          hash
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('RouteDiscoveryObservation validation failed with: ', e)
+            return
+          end
+
+          { url: url, verb: verb }.compact
         end
 
         # Ensure the required fields are present.

data/lib/contrast/agent/reporting/reporting_events/server_activity.rb

@@ -12,14 +12,6 @@ module Contrast
       # for its response, which contains any updated server feature settings from TeamServer. The new Server Settings
       # endpoint should let us remove this.
       class ServerActivity < Contrast::Agent::Reporting::ServerReportingEvent
-        class << self
-          # @param _server_activity_dtm [Contrast::Api::Dtm::ServerActivity]
-          # @return [Contrast::Agent::Reporting::ServerActivity]
-          def convert _server_activity_dtm
-            new
-          end
-        end
-
         def initialize
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/activity/server"

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -44,10 +44,7 @@ module Contrast
         # @param file_name[String] file_name to log
         # @param data[String] String representation if the logged data
         def log_data type, file_name, data = nil
-          return unless enabled?
-
-          logger.debug('logging to file', file_name: file_name) # TODO: RUBY-99999 DO NOT COMMIT THIS
-          write_to_file(type, file_name, data)
+          write_to_file(type, file_name, data) if enabled?
         end
 
         # This method will be actually writing to the file

data/lib/contrast/agent/reporting/reporting_utilities/dtm_message.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/reporting/reporting_events/server_activity'
 require 'contrast/agent/reporting/reporting_events/application_activity'
 require 'contrast/api/dtm.pb'
 
@@ -13,22 +12,6 @@ module Contrast
       # TODO: RUBY-1438 -- remove
       module DtmMessage
         class << self
-          # Checks if the message is of Contrast::Api::Dtm::ServerActivity class
-          #
-          # @param dtm [Contrast::Api::Dtm::ServerActivity, Object]
-          # @return [Boolean]
-          def server_activity? dtm
-            dtm.cs__is_a?(Contrast::Api::Dtm::ServerActivity)
-          end
-
-          # Checks if the message is of Contrast::Api::Dtm::ApplicationUpdate class
-          #
-          # @param dtm [Contrast::Api::Dtm::ApplicationUpdate,Object]
-          # @return [Boolean]
-          def application_update? dtm
-            dtm.cs__is_a?(Contrast::Api::Dtm::ApplicationUpdate)
-          end
-
           # @param dtm [Contrast::Api::Dtm::Finding,Object]
           # @return [Boolean]
           def finding? dtm
@@ -47,12 +30,7 @@ module Contrast
           # @param dtm [Contrast::Api::Dtm]
           # @return event [Contrast::Agent::Reporting::ReportingEvent, nil]
           def dtm_to_event dtm
-            # For the ServerActivity we need to create and send empty body only. This is done because we need the
-            # response from TS.
-            return Contrast::Agent::Reporting::ServerActivity.new if server_activity?(dtm)
-
             # For the others, we convert them.
-            return Contrast::Agent::Reporting::ApplicationUpdate.convert(dtm) if application_update?(dtm)
             return Contrast::Agent::Reporting::Finding.convert(dtm) if finding?(dtm)
             return Contrast::Agent::Reporting::ApplicationActivity.convert(dtm) if activity?(dtm)
 

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -53,12 +53,10 @@ module Contrast
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event to send to TeamServer. Really a
         #   child of the ReportingEvent rather than a literal one.
         # @param connection [Net::HTTP] open connection
-        # @param send_immediately [Boolean] flag for the logger
         # @return response [Net::HTTP::Response, nil] response from TS if no response
-        def send_event event, connection, send_immediately: false
+        def send_event event, connection
           return unless connection
 
-          log_send_event(event) if send_immediately
           request = build_request(event)
           response = connection.request(request)
           audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable?

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -39,7 +39,7 @@ module Contrast
 
           STARTUP_EVENTS.each do |event|
             startup_event = event.new
-            send_event(startup_event, connection, send_immediately: true)
+            send_event(startup_event, connection)
           rescue StandardError => e
             handle_error(startup_event, e)
           end
@@ -66,15 +66,6 @@ module Contrast
           request
         end
 
-        # log the event sent immediately
-        #
-        # @param event [Contrast::Agent::Reporting::ReportingEvent] The event to send to TeamServer. Really a
-        #   child of the ReportingEvent rather than a literal one.
-        def log_send_event event
-          logger.debug("#{ Contrast::Agent::Reporting::ReporterClient::SERVICE_NAME } immediately sending event.",
-                       event_id: event.__id__, event_type: event.cs__class.cs__name)
-        end
-
         # Handles standard error case, logs and set status for failure
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent]
@@ -96,7 +87,6 @@ module Contrast
         # @param response [Net::HTTP::Response]
         def process_settings_response response
           response_handler.process(response)
-          logger.debug('Successfully sent startup messages to TeamServer.')
           status.success!
         end
 

data/lib/contrast/agent/request.rb

@@ -17,12 +17,6 @@ module Contrast
     # provides access to the original Rack::Request object as well as extracts
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
-    #
-    # @attr_reader rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
-    # @attr_accessor route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
-    # @attr_accessor observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage of this request
-    # @attr_accessor new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of
-    # this request
     class Request
       include Contrast::Utils::RequestUtils
       include Contrast::Components::Logger::InstanceMethods
@@ -37,8 +31,12 @@ module Contrast
       STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
       MEDIA_TYPE_MARKERS = %w[image/ text/css text/javascript].cs__freeze
 
+      # @return [Rack::Request] The passed to the Agent RackRequest to be wrapped.
       attr_reader :rack_request
-      attr_accessor :route, :observed_route, :new_observed_route
+      # @return [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+      attr_accessor :route
+      # @return [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this request
+      attr_accessor :observed_route
 
       # Delegate calls to the following methods to the attribute @rack_request
       def_delegators :@rack_request, :base_url, :cookies, :env, :ip, :media_type, :path, :port, :query_string,