contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/logger/log.rb

@@ -65,7 +65,7 @@ module Contrast
         @previous_path  = current_path
         @previous_level = current_level_const
 
-        progname = Contrast::CONFIG.root.agent.logger.progname
+        progname = Contrast::CONFIG.agent.logger.progname
         @_logger = build(path: current_path, level_const: current_level_const, progname: progname)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
@@ -85,16 +85,6 @@ module Contrast
       def logger
         @_logger
       end
-
-      # StringIO is a valid path because it logs directly to a string buffer
-      def write_permission? path
-        return false if path.nil?
-        return true if path.is_a?(StringIO)
-        return File.writable?(path) if File.exist?(path)
-
-        dir_name = File.dirname(File.absolute_path(path))
-        File.writable?(dir_name)
-      end
     end
   end
 end

data/lib/contrast/tasks/config.rb

@@ -7,7 +7,7 @@ require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
-  module Config # rubocop:disable Metrics/ModuleLength
+  module Config
     extend Rake::DSL
     DEFAULT_CONFIG = {
         'api' => {
@@ -17,13 +17,6 @@ module Contrast
             'user_name' => 'Enter your Contrast user name'
         },
         'agent' => {
-            'service' => {
-                'logger' => {
-                    'path' => 'contrast_service.log',
-                    'level' => 'ERROR' # DEBUG | INFO | WARN | ERROR
-                },
-                'socket' => '/tmp/contrast_service.sock'
-            },
             'logger' => {
                 'level' => 'ERROR',
                 'path' => 'contrast_agent.log'
@@ -73,7 +66,9 @@ module Contrast
         config = Contrast::Configuration.new
         abort('Unable to Build Config') unless config
         missing = []
-        api_hash = config.root.api.to_hash
+
+        api_hash = config.api.to_contrast_hash
+
         api_hash.each_key do |key|
           value = mask_keys(api_hash, key)
           if value.is_a?(Contrast::Config::ApiProxyConfiguration)
@@ -123,7 +118,7 @@ module Contrast
       def self.validate_headers
         missing = []
         reporter = Contrast::Agent::Reporter.new
-        reporter_headers = reporter.client.headers.to_hash
+        reporter_headers = reporter.client.headers.to_contrast_hash
         reporter_headers.each_key do |key|
           value = mask_keys(reporter_headers, key)
           missing << key if value.nil?

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/components/assess'
 
 module Contrast
   module Utils
@@ -16,30 +17,39 @@ module Contrast
           return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
           if method_policy.source_node
-            max =  (::Contrast::ASSESS.max_source_events ||
-              Contrast::Config::AssessConfiguration::DEFAULT_MAX_SOURCE_EVENTS)
+            max =  ::Contrast::ASSESS.max_context_source_events
             return at_limit?(method_policy, context.source_event_count, max)
 
           end
           if method_policy.propagation_node
-            max = (::Contrast::ASSESS.max_propagation_events ||
-              Contrast::Config::AssessConfiguration::DEFAULT_MAX_PROPAGATION_EVENTS)
+            max = ::Contrast::ASSESS.max_propagation_events
             return at_limit?(method_policy, context.propagation_event_count, max)
           end
 
           false # policy does not have limit
         end
 
-        def event_limit_for_rule? rule_id
-          if Contrast::Utils::Timer.now_ms > threshold_time_limit
-            @_rule_counts = nil
-            @_threshold_time_limit = nil
+        def event_limit_for_rule? rule_id # rubocop:disable Metrics/AbcSize
+          return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
+
+          saved_request_ids = rule_counts.keys.map { |k| k.to_s.split('_')[1].to_i }
+
+          # if we passed the threshold and we actually have records for that request - wipe them
+          if saved_request_ids.uniq.include?(context.request.__id__)
+            restore_defaults
             threshold_time_limit
           end
-          rule_counts[rule_id] += 1
-          # TODO: RUBY-1680 remove default
-          rule_counts[rule_id] >=
-              (::Contrast::ASSESS.max_rule_reported || Contrast::Config::AssessConfiguration::DEFAULT_MAX_RULE_REPORTED)
+
+          # if we have recorded rule counts, but none of them are for the current request_id
+          # eventually we can try and play with the time_limit_threshold -> DEFAULT_MAX_RULE_TIME_THRESHOLD
+          if !rule_counts.empty? && !saved_request_ids.include?(context.request.__id__)
+            restore_defaults
+            threshold_time_limit
+          end
+
+          rule_key = "#{ rule_id }_#{ context.request.__id__ }"
+          rule_counts[rule_key] += 1
+          rule_counts[rule_key] >= ::Contrast::ASSESS.max_rule_reported
         end
 
         # Increments the event count for the type of event that is being tracked
@@ -90,6 +100,12 @@ module Contrast
         def threshold_time_limit
           @_threshold_time_limit ||= Contrast::Utils::Timer.now_ms + (::Contrast::ASSESS.time_limit_threshold || 0)
         end
+
+        # @return nil
+        def restore_defaults
+          @_rule_counts = nil
+          @_threshold_time_limit = nil
+        end
       end
     end
   end

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -72,7 +72,8 @@ module Contrast
           elsif trigger_node.dataflow?
             apply_dataflow_rule(trigger_node, source, object, ret, *args)
           else # trigger rule - just calling the method is dangerous
-            build_finding(trigger_node, source, object, ret, *args)
+            finding = build_finding(trigger_node, source, object, ret, *args)
+            Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding) if finding
           end
         rescue StandardError => e
           logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
@@ -81,8 +82,8 @@ module Contrast
         # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
         # based rules.
         #
-        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-        #   trigger event
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this trigger
+        #   event
         # @param source [Object] the source of the Trigger Event
         # @param object [Object] the Object on which the method was invoked
         # @param ret [Object] the Return of the invoked method
@@ -92,7 +93,8 @@ module Contrast
           return if trigger_node.good_value && source.match?(trigger_node.good_value)
           return if trigger_node.bad_value && source !~ trigger_node.bad_value
 
-          build_finding(trigger_node, source, object, ret, *args)
+          finding = build_finding(trigger_node, source, object, ret, *args)
+          Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding) if finding
         end
 
         # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
@@ -104,33 +106,23 @@ module Contrast
         # @param object [Object] the Object on which the method was invoked
         # @param ret [Object] the Return of the invoked method
         # @param args [Array<Object>] the Arguments with which the method was invoked
-        def apply_dataflow_rule trigger_node, source, object, ret, *args # rubocop:disable Metrics/PerceivedComplexity
-          return unless source
+        def apply_dataflow_rule trigger_node, source, object, ret, *args
+          return unless source && Contrast::Agent::Assess::Tracker.tracked?(source)
 
           if Contrast::Agent::Assess::Tracker.trackable?(source)
-            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
             return unless trigger_node.violated?(source)
 
-            build_finding(trigger_node, source, object, ret, *args)
+            finding = build_finding(trigger_node, source, object, ret, *args)
+            report_finding(finding) if finding
           elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
-            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-
             source.each_pair do |key, value|
               apply_dataflow_rule(trigger_node, key, object, ret, *args)
               apply_dataflow_rule(trigger_node, value, object, ret, *args)
             end
           elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
-            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-
             source.each do |value|
               apply_dataflow_rule(trigger_node, value, object, ret, *args)
             end
-          else
-            logger.debug('Trigger source is untrackable. Unable to inspect.',
-                         node_id: trigger_node.id,
-                         source_id: source.__id__,
-                         source_type: source.cs__class.cs__name,
-                         frozen: source.cs__frozen?)
           end
         end
       end

data/lib/contrast/utils/duck_utils.rb

@@ -13,6 +13,7 @@ module Contrast
         # @param method [Symbol]
         # @return [Boolean]
         def quacks_to? object, method
+          object.cs__respond_to?(method)
           return true if object.cs__respond_to?(method)
           return false unless object.is_a?(Delegator)
 

data/lib/contrast/utils/findings.rb

@@ -52,11 +52,12 @@ module Contrast
 
         while @_collection.any?
           finding = @_collection.pop
-          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(finding[:trigger_node],
-                                                                       finding[:source],
-                                                                       finding[:object],
-                                                                       finding[:ret],
-                                                                       finding[:args])
+          collected = Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(finding[:trigger_node],
+                                                                                   finding[:source],
+                                                                                   finding[:object],
+                                                                                   finding[:ret],
+                                                                                   finding[:args])
+          Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(collected) if collected
         end
         true
       end

data/lib/contrast/utils/hash_digest.rb

@@ -29,12 +29,10 @@ module Contrast
         @crc32 = 0
       end
 
-      # Update to CRC checksum the finding route and verb if finding route
-      # [Contrast::Api::Dtm::RouteCoverage] is available else update the passed
-      # request or Contrast::REQUEST_TRACKER.current.request uri and used request
-      # method.
+      # Update to CRC checksum the finding route and verb if finding route is available, else update the passed
+      # request or Contrast::REQUEST_TRACKER.current.request uri and used request method.
       #
-      # @param finding [Contrast::Api::Dtm::Finding, Contrast::Agent::Reporting::Finding] finding to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] finding to be reported
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [Integer, nil] returns nil if there is no request context or tracking
       # is disabled.
@@ -43,12 +41,9 @@ module Contrast
         return unless context || ::Contrast::ASSESS.non_request_tracking?
 
         if (route = finding.routes[0])
-          if finding.cs__is_a?(Contrast::Agent::Reporting::Finding) && (observation = route.observations[0])
-            update(observation.url)
+          update(route.signature)
+          if (observation = route.observations[0])
             update(observation.verb)
-          else
-            update(route.route) # the normalized URL used to access the method in the route.
-            update(route.verb) # the HTTP Verb used  to access the method in the route.
           end
           return
         end
@@ -60,24 +55,14 @@ module Contrast
       end
 
       # Update to CRC checksum the event source name and source type.
-      # Expects Contrast::Api::Dtm::TraceEvent || Contrast::Agent::Assess::Events::SourceEvent
       #
-      # @param events [Protobuf::Field::FieldArray<Contrast::Api::Dtm::TraceEvent>,
-      #                                            <Contrast::Agent::Assess::Events::SourceEvent>]
-      #                                            Array of TraceEvents
+      # @param events [Array<Contrast::Agent::Reporting::FindingEvent>]
       # @return checksum [Integer, nil] returns nil if there is no events
       def update_on_sources events
-        return unless events&.any?
-
         events.each do |event|
-          if event.cs__is_a?(Contrast::Api::Dtm::TraceEvent)
-            event.event_sources&.each do |source|
-              update(source.type)
-              update(source.name) # rubocop:disable Security/Module/Name
-            end
-          elsif event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-            update(event.source_type)
-            update(event.source_name)
+          event.event_sources.each do |source|
+            update(source.type)
+            update(source.name) # rubocop:disable Security/Module/Name
           end
         end
       end

data/lib/contrast/utils/hash_digest_extend.rb

@@ -34,7 +34,7 @@ module Contrast
       # crypto(crypto-bad-ciphers, crypto-bad-mac) rules or trigger event
       # and returns string representation.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @param source [Object] the source of the Trigger Event
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [String] String representation of CRC32 checksum
@@ -50,7 +50,7 @@ module Contrast
       # Generates the hash checksum for configurations. Converts the finding rule_id, session_id and configPath and
       # to CRC32 checksum and returns string representation to be appended to Contrast::Api::Dtm::Finding
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @return checksum [String] String representation of CRC32 checksum.
       def generate_config_hash finding
         hash = new
@@ -65,7 +65,7 @@ module Contrast
       # Generates the hash checksum for class scanning. Converts the rule_id, finding.properties(source, name)
       # to CRC32 checksum and returns string representation.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @return checksum [String] String representation of CRC32 checksum.
       def generate_class_scanning_hash finding
         hash = new
@@ -86,7 +86,7 @@ module Contrast
       # used in #generate_event_hash.
       #
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @param algorithm [Object] the source of the Trigger Event
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [String] String representation of CRC32 checksum
@@ -101,7 +101,7 @@ module Contrast
       # Generates the hash checksum for dataflow when the finding events are more than one
       # used in #generate_event_hash.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [String] String representation of CRC32 checksum
       def generate_dataflow_hash finding, request
@@ -115,7 +115,7 @@ module Contrast
       # Generates the hash checksum for trigger
       # used in #generate_event_hash.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] to be reported
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
       # @return checksum [String] String representation of CRC32 checksum
       def generate_trigger_hash finding, request

data/lib/contrast/utils/input_classification_base.rb

@@ -0,0 +1,156 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will include all the similar information for all input classifications
+        # between different rules
+        module InputClassificationBase
+          UNKNOWN_KEY = 'unknown'
+          THRESHOLD = 90.cs__freeze
+          WORTHWATCHING_THRESHOLD = 10.cs__freeze
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Components::Logger::InstanceMethods
+
+          KEYS_NEEDED = [COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE].cs__freeze
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param rule_id [String] Name of the protect rule.
+          # @param input_type [Symbol, Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify rule_id, input_type, value, input_analysis
+            return unless (rule = Contrast::PROTECT.rule(rule_id))
+            return unless rule.applicable_user_inputs.include?(input_type)
+            return unless input_analysis.request
+
+            Array(value).each do |val|
+              Array(val).each do |v|
+                next unless v
+
+                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, v)
+                input_analysis.results << result unless result.nil?
+              end
+            end
+
+            input_analysis
+          rescue StandardError => e
+            logger.debug("An Error was recorded in the input classification of the #{ rule_id }")
+            logger.debug(e)
+          end
+
+          # Creates new isntance of InputAnalysisResult with basic info.
+          #
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param path [String] the path of the current request context.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          def new_ia_result rule_id, input_type, path, value = nil
+            res = Contrast::Agent::Reporting::InputAnalysisResult.new
+            res.rule_id = rule_id
+            res.input_type = input_type
+            res.path = path
+            res.value = value
+            res
+          end
+
+          # This methods checks if input is value that matches a key in the input.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
+          def add_needed_key request, result, input_type, value
+            case input_type
+            when COOKIE_VALUE
+              result.key = request.cookies.key(value)
+            when PARAMETER_VALUE, URL_PARAMETER
+              result.key = request.parameters.key(value)
+            when HEADER
+              result.key = request.headers.key(value)
+            when UNKNOWN
+              result.key = UNKNOWN_KEY
+            else
+              result.key
+            end
+          rescue StandardError => e
+            logger.warn('Could not find proper key for input traced value', message: e)
+          end
+
+          # Some input types are not yet supported from the AgentLib.
+          # This will convert the type to the closet possible if viable,
+          # so that the input tracing could be done.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @return [Integer<Contrast::AgentLib::Interface::INPUT_SET>]
+          def convert_input_type input_type
+            case input_type
+            when BODY, DWR_VALUE
+              Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+            when HEADER
+              Contrast::AGENT_LIB.input_set[:HEADER_VALUE]
+            when MULTIPART_VALUE, MULTIPART_FIELD_NAME
+              Contrast::AGENT_LIB.input_set[:MULTIPART_NAME]
+            else
+              Contrast::AGENT_LIB.input_set[input_type]
+            end
+          rescue StandardError
+            Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
+          end
+
+          private
+
+          # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+          # key if needed and Creates new instance of InputAnalysisResult.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult, nil]
+          def create_new_input_result request, rule_id, input_type, value
+            return unless Contrast::AGENT_LIB
+
+            input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                        convert_input_type(input_type),
+                                                        Contrast::AGENT_LIB.rule_set[rule_id],
+                                                        Contrast::AGENT_LIB.
+                                                          eval_option[:WORTHWATCHING])
+
+            ia_result = new_ia_result(rule_id, input_type, request.path, value)
+            score = input_eval&.score || 0
+            if score >= WORTHWATCHING_THRESHOLD
+              ia_result.score_level = WORTHWATCHING
+              ia_result.ids << self::WORTHWATCHING_MATCH
+            else
+              ia_result.score_level = IGNORE
+              return
+            end
+
+            add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
+            ia_result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -7,8 +7,8 @@ require 'contrast/components/scope'
 
 module Contrast
   module Utils
-    # This utility allows us to report invalid configurations detected in
-    # customer applications, as determined by Configuration Rules at runtime.
+    # This utility allows us to report invalid configurations detected in customer applications, as determined by
+    # Configuration Rules at runtime.
     module InvalidConfigurationUtil
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
@@ -20,64 +20,39 @@ module Contrast
       # Build and report a finding for the given rule
       #
       # @param rule_id [String] the rule that was violated by the configuration
-      # @param user_provided_options [Hash] the configuration value(s) which
-      #   violated the rule
-      # @param call_location [Thread::Backtrace::Location] the location where
-      #   the bad configuration was set
+      # @param user_provided_options [Hash] the configuration value(s) which violated the rule
+      # @param call_location [Thread::Backtrace::Location] the location where the bad configuration was set
       def cs__report_finding rule_id, user_provided_options, call_location
         with_contrast_scope do
-          finding = Contrast::Api::Dtm::Finding.new
-          finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
-          finding.rule_id = rule_id
-          set_properties(finding, user_provided_options, call_location)
-          hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
-          finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
-          finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-          if Contrast::Agent::Reporter.enabled? # TODO: RUBY-1438 -- remove
-            cs__report_new_finding(hash, rule_id, user_provided_options, call_location)
-          else
-            Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
-          end
+          finding = build_finding(rule_id, user_provided_options, call_location)
+          return unless finding
+
+          Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
         end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)
       end
 
-      def cs__report_new_finding hash_code, rule_id, user_provided_options, call_location
-        new_preflight = Contrast::Agent::Reporting::Preflight.new
-        new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-        new_preflight_message.hash_code = hash_code
-        new_preflight_message.data = "#{ rule_id },#{ hash_code }"
-        new_preflight.messages << new_preflight_message
-
-        ruby_finding = Contrast::Agent::Reporting::Finding.new(rule_id)
-        ruby_finding.hash_code = hash_code
-        set_new_finding_properties(ruby_finding, user_provided_options, call_location)
-        Contrast::Agent.reporter&.send_event(new_preflight)
-        Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
-      end
-
       private
 
       # Set the properties needed to report and subsequently render this finding on the finding given.
       #
-      # @param finding [Contrast::Api::Dtm::Finding] the configuration finding to populate
-      # @param user_provided_options [Hash] the configuration value(s) which
-      #   violated the rule
-      # @param call_location [Thread::Backtrace::Location] the location where
-      #   the bad configuration was set
-      def set_properties finding, user_provided_options, call_location
-        path = call_location.path
+      # @param rule_id [String] the rule that was violated by the configuration
+      # @param user_provided_options [Hash] the configuration value(s) which violated the rule
+      # @param call_location [Thread::Backtrace::Location] the location where the bad configuration was set
+      # @return [Contrast::Agent::Reporting::Finding]
+      def build_finding rule_id, user_provided_options, call_location
+        finding = Contrast::Agent::Reporting::Finding.new(rule_id)
+        finding.properties[CS__SESSION_ID] = user_provided_options[:key].to_s if user_provided_options
         # just get the file name, not the full path
-        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
-        session_id = user_provided_options[:key].to_s if user_provided_options
-        finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
-        finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
-        file_path = call_location.absolute_path
-        snippet = file_snippet(file_path, call_location)
-        finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
+        finding.properties[CS__PATH] = call_location.path.split(Contrast::Utils::ObjectShare::SLASH).last
+        finding.properties[CS__SNIPPET] = file_snippet(call_location.absolute_path, call_location)
+        finding.hash_code = Contrast::Utils::HashDigest.generate_config_hash(finding)
+        finding
       end
 
+      # @param file_path [String] full path to the file with the property
+      # @param call_location [Thread::Backtrace::Location] the location where the bad configuration was set
       def file_snippet file_path, call_location
         idx = call_location&.lineno
         if file_path && idx && File.exist?(file_path)
@@ -94,18 +69,6 @@ module Contrast
         end
         call_location&.label&.dup
       end
-
-      def set_new_finding_properties finding, user_provided_options, call_location
-        path = call_location.path
-        # just get the file name, not the full path
-        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
-        session_id = user_provided_options[:key].to_s if user_provided_options
-        finding.properties[CS__SESSION_ID] = session_id
-        finding.properties[CS__PATH] = path
-        file_path = call_location.absolute_path
-        snippet = file_snippet(file_path, call_location)
-        finding.properties[CS__SNIPPET] = snippet
-      end
     end
   end
 end