contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -9,35 +9,6 @@ module Contrast
       # helper methods used for masking
       module MaskerUtils
         include Contrast::Utils::ObjectShare
-        # Helper to deal with Protobuf FieldHash.
-        #
-        # @param field_hash [Protobuf::Field::FieldHash] hash to be masked
-        # @param results [Array<Contrast::Api::Dtm::AttackResults>]
-        # results to match against.
-        # @return [Hash]
-        def mask_field_hash field_hash, results
-          return {} unless field_hash&.any?
-
-          hash = {}
-          # Because this is the start of a built string, we have to be sure that it is not frozen.
-          masked = +''
-          field_hash.each do |entry|
-            # Protobuf::Field::FieldHash produces array, with the key as first param and value as second.
-            new_value = entry[1].delete(SEMICOLON).split(SPACE)
-            new_value.each do |value|
-              arr = value.split(EQUALS)
-              # Add to new hash.
-              hash[arr[0]] = arr[1]
-            end
-            # Mask the newly created hash.
-            mask_with_dictionary(results, hash)
-
-            # Restore to original form.
-            hash.each { |k, v| masked += "#{ k }=#{ v }; " }
-            masked.rstrip!
-            field_hash[entry[0]] = masked
-          end
-        end
 
         # Mask raw query as it comes from the env.
         # exp:
@@ -45,7 +16,7 @@ module Contrast
         # 'ssn=contrast-redacted-ssn&id=contrast-redacted-id'
         #
         # @param query [String]
-        # @param results [Array<Contrast::Api::Dtm::AttackResults>]
+        # @param results [Array<Contrast::Agent::Reporting::ApplicationDefendAttackActivitys>]
         # results to match against.
         def mask_raw_query query, results
           masked = EMPTY_STRING

data/lib/contrast/agent/reporting/reporter.rb

@@ -18,7 +18,7 @@ module Contrast
         #
         # @return[Boolean] true if bypass is enabled, or false if bypass disabled
         def enabled?
-          @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
+          @_enabled = ::Contrast::AGENT.enabled? if @_enabled.nil?
           @_enabled
         end
       end
@@ -39,7 +39,6 @@ module Contrast
           logger.debug('Starting background Reporter thread.')
           loop do
             next unless connected?
-            next unless app_create_complete?
 
             process_event(queue.pop)
           rescue StandardError => e
@@ -120,19 +119,6 @@ module Contrast
         false
       end
 
-      # Unless we're in bypass mode, we need to make sure the service has started and built the application on
-      # TeamServer since we're doing a split style here.
-      #
-      # @return [Boolean]
-      def app_create_complete?
-        return true if Contrast::CONTRAST_SERVICE.use_agent_communication?
-        return true if Contrast::Agent.messaging_queue&.speedracer&.status&.startup_messages_sent?
-
-        logger.debug('Service startup incomplete; Application may not be created; sleeping')
-        sleep(5)
-        false
-      end
-
       # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def process_event event
         client.send_event(event, connection)

data/lib/contrast/agent/reporting/reporting_events/agent_startup.rb

@@ -23,8 +23,8 @@ module Contrast
 
         def to_controlled_hash
           {
-              environment: ::Contrast::CONFIG.root.server.environment,
-              tags: ::Contrast::CONFIG.root.server.tags,
+              environment: ::Contrast::CONFIG.server.environment,
+              tags: ::Contrast::CONFIG.server.tags,
               version: Contrast::Agent::VERSION
           }
         end

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/application_reporting_event'
 require 'contrast/agent/reporting/reporting_events/application_defend_activity'
 require 'contrast/agent/reporting/reporting_events/application_inventory_activity'
+require 'contrast/agent/reporting/attack_result/response_type'
 
 module Contrast
   module Agent
@@ -12,38 +13,106 @@ module Contrast
       # This is the new ApplicationActivity class which will include all the needed information for the new reporting
       # system to report
       class ApplicationActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
-        class << self
-          # @param app_activity_dtm [Contrast::Api::Dtm::Activity]
-          # @return [Contrast::Agent::Reporting::ApplicationActivity]
-          def convert app_activity_dtm
-            app_activity = new
-            app_activity.attach_data(app_activity_dtm)
-            app_activity
-          end
-        end
+        include Contrast::Agent::Reporting::ResponseType
+
+        # @return [Integer]
+        attr_accessor :query_count
+        # @return [Array]
+        attr_accessor :routes
+        # @return [Contrast::Agent::Response]
+        attr_accessor :response
 
         def initialize
+          @routes = []
+          @query_count = 0
           @event_method = :PUT
           @event_type = :application_activity
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_activity
           super
         end
 
+        # @return [Contrast::Agent::Reporting::FindingRequest] Current context's request
+        def request
+          @_request ||= FindingRequest.convert(Contrast::Agent::REQUEST_TRACKER.current&.request)
+        end
+
+        # @return [Contrast::Agent::Reporting::ApplicationDefendActivity] main
+        # activity for all protect rules.
+        def defend
+          @_defend ||= Contrast::Agent::Reporting::ApplicationDefendActivity.new
+        end
+
+        # @return [Contrast::Agent::Reporting::ApplicationInventoryActivity] main
+        # activity for all inventory activity reporting.
+        def inventory
+          @_inventory ||= Contrast::Agent::Reporting::ApplicationInventoryActivity.new
+        end
+
+        # @return file_name [String] used for audit
         def file_name
           'activity-application'
         end
 
         def to_controlled_hash
           hsh = { lastUpdate: since_last_update }
-          hsh[:defend] = @defend&.to_controlled_hash if @defend
-          hsh[:inventory] = @inventory&.to_controlled_hash if @inventory
+          hsh[:defend] = @_defend&.to_controlled_hash if @_defend
+          hsh[:inventory] = @_inventory&.to_controlled_hash if @_inventory
           hsh
         end
 
-        # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
-        def attach_data activity_dtm
-          @defend = Contrast::Agent::Reporting::ApplicationDefendActivity.convert(activity_dtm)
-          @inventory = Contrast::Agent::Reporting::ApplicationInventoryActivity.convert(activity_dtm)
+        # Look for attack results and access to samples by
+        # searching with rule_id and response_type
+        #
+        # @param rule_id [String] name of the protect rule
+        # @param response_type[Symbol<Contrast::Agent::Reporting::ResponseType]
+        #  filter by response type
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity>, nil]
+        # return any matches.
+        def attack_results_for rule_id, response_type = nil
+          results = []
+          defend.attackers.each do |attacker|
+            next unless attacker.protection_rules[rule_id]
+
+            result = case response_type
+                     when BLOCKED, BLOCKED_AT_PERIMETER
+                       attacker.protection_rules[rule_id].blocked
+                     when EXPLOITED
+                       attacker.protection_rules[rule_id].exploited
+                     when PROBED
+                       attacker.protection_rules[rule_id].ineffective
+                     when SUSPICIOUS
+                       attacker.protection_rules[rule_id].suspicious
+                     else
+                       attacker.protection_rules[rule_id]
+                     end
+            results << result if result
+          end
+          results
+        end
+
+        # By reference. List of all results only by values, no rule_ids.
+        #
+        # @return [Array<[Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]>]
+        def attack_results
+          results = []
+          defend.attackers.each { |a| results << a.protection_rules.values }
+          results
+        end
+
+        # This is primary used for attaching new data and merging existing
+        # samples per rule entry in attackers, and to make sure the attack
+        # time_map is updated correctly.
+        #
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def attach_defend attack_result
+          defend.attach_data(attack_result)
+        end
+
+        # This is primary used for attaching new inventory reporting
+        #
+        # @param architecture [Contrast::Agent::Reporting::AttackResult]
+        def attach_inventory architecture
+          inventory.attach_data(architecture)
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -13,20 +13,9 @@ module Contrast
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackerActivity>]
         attr_reader :attackers
 
-        class << self
-          # @param activity_dtm [Contrast::Api::Dtm::ApplicationActivity]
-          # @return [Contrast::Agent::Reporting::ApplicationDefendActivity]
-          def convert activity_dtm
-            activity = new
-            activity.attach_data(activity_dtm.results)
-            activity
-          end
-        end
-
         def initialize
           @attackers = []
           @event_type = :application_defend_activity
-          super
         end
 
         def to_controlled_hash
@@ -35,20 +24,19 @@ module Contrast
           }
         end
 
-        # @param attack_dtms [Array<Contrast::Api::Dtm::AttackResult>]
-        def attach_data attack_dtms
-          attack_dtms.each do |attack_result|
-            attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.convert(attack_result)
-            existing_attacker_activity = attackers.find do |existing|
-              existing.source_forwarded_for == attacker_activity.source_forwarded_for &&
-                  existing.source_ip == attacker_activity.source_ip
-            end
-            rule = attack_result.rule_id
-            if existing_attacker_activity
-              attach_existing(existing_attacker_activity, attacker_activity, rule)
-            else
-              attackers << attacker_activity
-            end
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def attach_data attack_result
+          attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new
+          attacker_activity.attach_data(attack_result)
+          existing_attacker_activity = attackers.find do |existing|
+            existing.source_forwarded_for == attacker_activity.source_forwarded_for &&
+                existing.source_ip == attacker_activity.source_ip
+          end
+          rule = attack_result.rule_id
+          if existing_attacker_activity
+            attach_existing(existing_attacker_activity, attacker_activity, rule)
+          else
+            attackers << attacker_activity
           end
         end
 

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_activity.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/api/dtm.pb'
-require 'contrast/api/decorators/response_type'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity'
 
@@ -19,44 +17,41 @@ module Contrast
         attr_accessor :ineffective
         # @return [Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity]
         attr_accessor :suspicious
-
-        class << self
-          # @param attack_result [Contrast::Api::Dtm::AttackResult]
-          def convert attack_result
-            activity = new
-            activity.attach_data(attack_result)
-            activity
-          end
-        end
+        # Helper method to determine before hand the response type and iv needed for access
+        #
+        # @return [Contrast::Agent::Reporting::ResponseType]
+        attr_reader :response_type
 
         def initialize
           @start_time = start_time
-          super
         end
 
         def to_controlled_hash
           {
               startTime: @start_time,
-              blocked: blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              exploited: exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              ineffective: ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
-              suspicious: suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
+              blocked: @blocked&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              exploited: @exploited&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              ineffective: @ineffective&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH,
+              suspicious: @suspicious&.to_controlled_hash || Contrast::Utils::ObjectShare::EMPTY_HASH
           }
         end
 
-        # @param attack_result [Contrast::Api::Dtm::AttackResult]
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         # @return [Contrast::Agent::Reporting::Defend::AttackSampleActivity]
         def attach_data attack_result
-          attack_sample_activity =
-            Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.convert(attack_result)
-          case attack_result.response
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+          attack_sample_activity = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
+          attack_sample_activity.attach_data(attack_result)
+          @response_type = attack_result.response
+          case response_type
+          when ::Contrast::Agent::Reporting::ResponseType::BLOCKED,
+              ::Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER
+
             @blocked = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+          when ::Contrast::Agent::Reporting::ResponseType::MONITORED
             @exploited = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+          when ::Contrast::Agent::Reporting::ResponseType::PROBED
             @ineffective = attack_sample_activity
-          when ::Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
+          when ::Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             @suspicious = attack_sample_activity
           end
         end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb

@@ -5,7 +5,8 @@ require 'contrast/agent/protect/rule/cmd_injection'
 require 'contrast/agent/protect/rule/deserialization'
 require 'contrast/agent/protect/rule/http_method_tampering'
 require 'contrast/agent/protect/rule/no_sqli'
-require 'contrast/api/dtm.pb'
+require 'contrast/agent/reporting/attack_result/user_input'
+require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/components/logger'
 
 module Contrast
@@ -16,12 +17,20 @@ module Contrast
       class ApplicationDefendAttackSample
         include Contrast::Agent::Reporting::InputType
 
-        # @return [Hash] => start: ms, elapsed: ms
-        attr_reader :time_stamp
+        # @return [Contrast::Agent::Reporting::UserInput]
+        attr_accessor :user_input
+        # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleStack>]
+        attr_reader :stack
+        # Details are per rule specific and should be set when the sample is build
+        #
+        # @return [Contrast::Agent::Reporting::Details::ProtectRuleDetails, {}]
+        attr_accessor :details
+        # @return [Integer] time in ms
+        attr_accessor :time_stamp
 
         class << self
-          # @param attack_result [Contrast::Api::Dtm::AttackResult]
-          # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+          # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+          # @param attack_sample [Contrast::Agent::Reporting::ApplicationDefendAttackSample]
           def convert attack_result, attack_sample
             activity = new
             activity.attach_data(attack_result, attack_sample)
@@ -30,151 +39,62 @@ module Contrast
         end
 
         def initialize
+          @time_stamp = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0 # in ms
           @blocked = false
           @event_type = :application_defend_attack_sample
+          @user_input = Contrast::Agent::Reporting::UserInput.new
+          @request = Contrast::Agent::REQUEST_TRACKER.current&.activity&.request
+          @stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
+          @details = {}
         end
 
         def to_controlled_hash
           {
               blocked: @blocked,
-              input: @input,
-              details: @details,
+              input: build_input(@user_input),
+              details: @details&.to_controlled_hash,
               request: @request&.to_controlled_hash,
               stack: @stack&.map(&:to_controlled_hash),
-              timestamp: time_stamp
+              timestamp: build_time_stamp
           }
         end
 
-        # @param attack_result [Contrast::Api::Dtm::AttackResult]
-        # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-        def attach_data attack_result, attack_sample
-          @blocked = attack_result.response == ::Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
-          @input = build_input(attack_sample)
-          @details = build_details(attack_result.rule_id, attack_sample)
-          @time_stamp = build_time_stamp(attack_sample.timestamp_ms)
-          @request = FindingRequest.convert(Contrast::Agent::REQUEST_TRACKER.current&.request)
-          @stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
-        end
-
-        # @param start [Integer]
-        # @return [Hash]
-        def build_time_stamp start
-          {
-              start: start,
-              elapsed: Contrast::Utils::Timer.now_ms - start
-          }
+        # @param response_type [Contrast::Agent::Reporting::ResponseType]
+        # @return [Boolean] check if response type is blocked
+        def blocked? response_type
+          @blocked = response_type == Contrast::Agent::Reporting::ResponseType::BLOCKED
         end
 
-        # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-        def build_input attack_sample
-          user_input = attack_sample.user_input
+        # @param user_input [Contrast::Agent::Reporting::UserInput]
+        def build_input user_input
           {
               documentPath: user_input.path,
-              documentType: build_document_type(user_input.document_type),
+              documentType: user_input.document_type.to_s,
               filters: user_input.matcher_ids,
               name: user_input.key,
-              time: attack_sample.timestamp_ms,
-              type: build_input_type(user_input.input_type),
+              time: time_stamp,
+              type: user_input.input_type.to_s,
               value: user_input.value
           }
         end
 
-        # Convert the document type api enum to a String constant TeamServer can understand.
-        #
-        # @param type_enum [::Contrast::Api::Dtm::HttpRequest::DocumentType]
-        # @return [String]
-        def build_document_type type_enum
-          case type_enum
-          when ::Contrast::Api::Dtm::HttpRequest::DocumentType::JSON
-            'JSON'
-          when ::Contrast::Api::Dtm::HttpRequest::DocumentType::XML
-            'XML'
-          else
-            'NORMAL'
-          end
-        end
-
-        # Convert the input type api enum to a String constant TeamServer can understand.
-        #
-        # @param type_enum [when ::Contrast::Api::Dtm::UserInput::InputType]
-        # @return [String]
-        def build_input_type type_enum
-          case type_enum
-          when ::Contrast::Api::Dtm::UserInput::InputType::UNDEFINED_TYPE
-            'UNDEFINED_TYPE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::BODY
-            'BODY'
-          when ::Contrast::Api::Dtm::UserInput::InputType::COOKIE_NAME
-            'COOKIE_NAME'
-          when ::Contrast::Api::Dtm::UserInput::InputType::COOKIE_VALUE
-            'COOKIE_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::HEADER
-            'HEADER'
-          when ::Contrast::Api::Dtm::UserInput::InputType::PARAMETER_NAME
-            'PARAMETER_NAME'
-          when ::Contrast::Api::Dtm::UserInput::InputType::PARAMETER_VALUE
-            'PARAMETER_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::QUERYSTRING
-            'QUERYSTRING'
-          when ::Contrast::Api::Dtm::UserInput::InputType::URI
-            'URI'
-          when ::Contrast::Api::Dtm::UserInput::InputType::SOCKET
-            'SOCKET'
-          when ::Contrast::Api::Dtm::UserInput::InputType::JSON_VALUE
-            'JSON_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::JSON_ARRAYED_VALUE
-            'JSON_ARRAYED_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::MULTIPART_CONTENT_TYPE
-            'MULTIPART_CONTENT_TYPE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::MULTIPART_VALUE
-            'MULTIPART_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::MULTIPART_FIELD_NAME
-            'MULTIPART_FIELD_NAME'
-          when ::Contrast::Api::Dtm::UserInput::InputType::MULTIPART_NAME
-            'MULTIPART_NAME'
-          when ::Contrast::Api::Dtm::UserInput::InputType::XML_VALUE
-            'XML_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::DWR_VALUE
-            'DWR_VALUE'
-          when ::Contrast::Api::Dtm::UserInput::InputType::METHOD
-            'METHOD'
-          when ::Contrast::Api::Dtm::UserInput::InputType::REQUEST
-            'REQUEST'
-          when ::Contrast::Api::Dtm::UserInput::InputType::URL_PARAMETER
-            'URL_PARAMETER'
-          else # ::Contrast::Api::Dtm::UserInput::InputType::UNKNOWN
-            'UNKNOWN'
-          end
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        # @param attack_sample [Contrast::Agent::Reporting::RaspRuleSample]
+        def attach_data attack_result, attack_sample
+          @blocked = attack_result.response == ::Contrast::Agent::Reporting::ResponseType::BLOCKED
+          @user_input = attack_sample.user_input
+          @details = attack_sample.details
+          @time_stamp = attack_sample.time_stamp
+          @request = FindingRequest.convert(Contrast::Agent::REQUEST_TRACKER.current&.request)
+          @stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
         end
 
-        # This is a temporary method to facilitate the translation of API details to Reporting details. As we move off
-        # of protobuf, this responsibility should shift from this class to the individual rules, as they do today when
-        # they populate their details in Contrast::Api::Dtm::RaspRuleSample
-        #
-        # @param rule_id [String]
-        # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-        # @return [Hash] the details for this specific rule
-        def build_details rule_id, attack_sample
-          case rule_id
-          when Contrast::Agent::Protect::Rule::CmdInjection::NAME
-            Contrast::Agent::Protect::Rule::CmdInjection.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::Deserialization::NAME
-            Contrast::Agent::Protect::Rule::Deserialization.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-            Contrast::Agent::Protect::Rule::HttpMethodTampering.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::NoSqli::NAME
-            Contrast::Agent::Protect::Rule::NoSqli.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::PathTraversal::NAME
-            Contrast::Agent::Protect::Rule::PathTraversal.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::Sqli::NAME
-            Contrast::Agent::Protect::Rule::Sqli.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::Xss::NAME
-            Contrast::Agent::Protect::Rule::Xss.extract_details(attack_sample)
-          when Contrast::Agent::Protect::Rule::Xxe::NAME
-            Contrast::Agent::Protect::Rule::Xxe.extract_details(attack_sample)
-          else # something unknown or Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME
-            Contrast::Utils::ObjectShare::EMPTY_HASH
-          end
+        # @return [Hash]
+        def build_time_stamp
+          {
+              start: time_stamp,
+              elapsed: Contrast::Utils::Timer.now_ms - time_stamp
+          }
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -16,21 +16,11 @@ module Contrast
         # @return [Hash<Integer,Integer>] map of time from start in seconds to number of attacks in that second
         attr_reader :time_map
 
-        class << self
-          # @param attack_result [Contrast::Api::Dtm::AttackResult]
-          def convert attack_result
-            activity = new
-            activity.attach_data(attack_result)
-            activity
-          end
-        end
-
         def initialize
           @samples = []
           @start_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0 # in ms
           @event_type = :application_defend_attack_sample_activity
           @time_map = Hash.new { |h, k| h[k] = 0 }
-          super
         end
 
         def to_controlled_hash
@@ -42,17 +32,16 @@ module Contrast
           }
         end
 
-        # @param attack_result [Contrast::Api::Dtm::AttackResult]
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           attack_result.samples.each do |attack_sample|
             base_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
-            dmt_time = attack_sample.timestamp_ms.to_i
-            converted = Contrast::Agent::Reporting::ApplicationDefendAttackSample.convert(attack_result, attack_sample)
-            samples << converted
-            @start_time = if dmt_time.zero?
+            sample_time = attack_sample.time_stamp.to_i
+            samples << Contrast::Agent::Reporting::ApplicationDefendAttackSample.convert(attack_result, attack_sample)
+            @start_time = if sample_time.zero?
                             @start_time
                           else
-                            dmt_time
+                            sample_time
                           end
             attack_second = (@start_time - base_time) / 1000 # in seconds
             time_map[attack_second] += 1