contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -3,12 +3,14 @@
 
 require 'contrast/agent/assess/events/event_factory'
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
+require 'contrast/agent/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/assess/events/event_data'
 require 'contrast/agent/reporting/reporting_events/preflight'
+require 'contrast/agent/reporting/reporting_events/application_activity'
 require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
@@ -21,18 +23,14 @@ module Contrast
         # A trigger method is one which can perform a dangerous action, as described by the
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
-        # report is issued to the Service.
-        module TriggerMethod # rubocop:disable Metrics/ModuleLength
+        # report is issued to TeamServer.
+        module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Utils::Assess::TriggerMethodUtils
           extend Contrast::Utils::Assess::EventLimitUtils
 
-          # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
-          # without routes.
-          MINIMUM_FINDING_VERSION = 3
-          # The level of TeamServer compliance our traces meet.
-          CURRENT_FINDING_VERSION = 4
           # Rules that always exists outside of Request Context
+          # @return [Array<String>]
           NON_REQUEST_RULES = [
             'hardcoded-password', # Contrast::Agent::Assess::Rule::Provider::HardcodedPassword.NAME,
             'hardcoded-key' # Contrast::Agent::Assess::Rule::Provider::HardcodedKey.NAME
@@ -57,7 +55,9 @@ module Contrast
               # else proceed, if the flag is true we don't need to check for context we
               # go as currently.
               # When outside of a request, only track when the feature is enabled
-              return unless Contrast::ASSESS.non_request_tracking? || context
+              return unless context ||
+                  Contrast::ASSESS.non_request_tracking? ||
+                  NON_REQUEST_RULES.include?(trigger_node.rule_id)
 
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
@@ -73,95 +73,57 @@ module Contrast
               apply_trigger(trigger_node, source, object, ret, *args)
             end
 
-            def append_to_finding finding, event_data, request
-              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(event_data.policy_node.rule_id)
-              finding.version = determine_compliance_version(finding)
-              append_events(finding, event_data)
-              append_route(finding, request)
-              append_hash(finding, event_data.tagged, request)
-            end
-
             # This converts the source of the finding, and the events leading up to it into a Finding
             #
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
             #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
+            # @param ret [Object, nil] the Return of the invoked method, or nil if void method
             # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [Contrast::Api::Dtm::Finding, nil] the Contrast::Api::Dtm::Finding to send to TeamServer or
-            #   nil if conditions were not met
+            # @return [Contrast::Agent::Reporting::Finding, nil] the finding to send to TeamServer if found
             def build_finding trigger_node, source, object, ret, *args
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
-
               if content_type.nil? && trigger_node.collectable?
                 Contrast::Agent::FINDINGS.collect_finding(trigger_node, source, object, ret, *args)
                 return
               end
-
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
               request = find_request(source)
               return unless reportable?(request&.env)
+              return if excluded_by_url_and_rule?(request, trigger_node.rule_id)
 
-              process_reportable_finding(trigger_node, source, object, ret, request, *args)
+              finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
+              finding.attach_data(trigger_node, source, object, ret, request, *args)
+              return if excluded_by_input_and_rule?(request, finding, trigger_node.rule_id)
+
+              finding.hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
+              finding
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
+              nil
             end
 
-            def process_reportable_finding trigger_node, source, object, ret, request, *args
-              if Contrast::Agent::Reporter.enabled?
-                handle_new_finding(trigger_node, source, object, ret, request, *args)
-              else # TODO: RUBY-1438 -- remove
-                finding = Contrast::Api::Dtm::Finding.new
-                event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
-                append_to_finding(finding, event_data, request)
-                logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
-                                                rule: trigger_node.rule_id)
-                report_finding(finding, request)
-              end
-            end
-
-            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # Given a finding, append it to an activity message and send it to the TeamServer for processing. If an
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #
-            # TODO: RUBY-1351
-            #
-            # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
-            # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
-            def report_finding finding, request = nil
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                context.activity.findings << finding
-                return
-              end
-
-              return unless ::Contrast::ASSESS.non_request_tracking? || NON_REQUEST_RULES.include?(finding.rule_id)
+            # @param finding [Contrast::Agent::Reporting::Finding] the Finding to report.
+            def report_finding finding
+              return unless finding
 
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-              if request
-                activity.http_request = request.dtm
-              else
-                logger.debug('Attempted to report finding without request', finding: finding)
-              end
-
-              # If we're out of request context, then we need to report this finding ourselves,
-              # so we'll send it in the one-off activity we created.
-              Contrast::Agent.messaging_queue&.send_event_eventually(activity)
-            end
+              preflight = Contrast::Agent::Reporting::BuildPreflight.generate(finding)
+              return unless preflight
 
-            def handle_new_finding trigger_node, source, object, ret, request, *args
-              # sent to reporter
-              # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
-              ruby_finding.attach_data(trigger_node, source, object, ret, request, *args)
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
-              ruby_finding.hash_code = hash_code
+              preflight_data = preflight.messages[0].data
+              return if Contrast::Agent::REQUEST_TRACKER.current&.reported_findings&.include?(preflight_data)
 
-              new_preflight = Contrast::Agent::Reporting::BuildPreflight.build(ruby_finding, request)
-              Contrast::Agent.reporter&.send_event(new_preflight)
+              Contrast::Agent::Reporting::ReportingStorage[preflight.messages[0].data] = finding
+              if Contrast::Agent::REQUEST_TRACKER.current
+                Contrast::Agent::REQUEST_TRACKER.current.reported_findings << preflight_data
+              end
+              Contrast::Agent.reporter&.send_event(preflight)
             end
 
             private
@@ -203,30 +165,6 @@ module Contrast
               end
             end
 
-            def append_events finding, event_data
-              append_from_source(finding, event_data.tagged)
-              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(event_data).to_dtm_event
-            end
-
-            def append_from_source finding, source
-              return unless source
-              return unless Contrast::Agent::Assess::Tracker.trackable?(source)
-
-              properties = Contrast::Agent::Assess::Tracker.properties(source)
-              return unless properties
-
-              build_events(finding, properties.event) if properties.event
-
-              # CSGoogle::Protobuf::Map doesn't support merge!, so we have to do this long form
-              source_props = properties.properties
-              return unless source_props
-
-              source_props.each_pair do |key, value|
-                key = Contrast::Utils::StringUtils.force_utf8(key)
-                finding.properties[key] = Contrast::Utils::StringUtils.force_utf8(value)
-              end
-            end
-
             def build_events finding, event
               return unless event
 
@@ -238,36 +176,17 @@ module Contrast
               finding.events << event.to_dtm_event
             end
 
-            def append_route finding, request
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                finding.routes << context.route if context.route
-              elsif request&.route
-                finding.routes << request.route
-              end
-            end
-
-            def append_hash finding, source, request
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
-              finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
-              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-            end
-
-            # Because our APIs are not versioned, TeamServer relies on a field, version, to tell it what, if any,
-            # validation it can preform on the findings we send it. Examine the finding and determine the level to
-            # which it conforms.
+            # Check if the finding should be excluded due to the assess exclusion rules.
             #
-            # @param finding [Contrast::Api::Dtm::Finding]
-            # @return [int] the version of compliance
-            def determine_compliance_version finding
-              return MINIMUM_FINDING_VERSION unless finding
-              # as routes are the only variable between findings, in the case where we couldn't determine one, any
-              # finding with a route is at maximum compliance
-              return CURRENT_FINDING_VERSION if finding.routes.any?
-              # any finding without events is not of a dataflow type and therefore at maximum compliance
-              return CURRENT_FINDING_VERSION unless finding.events.any?
+            # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+            # @param rule_id [String]
+            # return [Boolean]
+            def excluded_by_url_and_rule? request, rule_id
+              Contrast::SETTINGS.excluder.assess_excluded_by_url_and_rule?(request, rule_id)
+            end
 
-              MINIMUM_FINDING_VERSION
+            def excluded_by_input_and_rule? request, finding, rule_id
+              Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(request, finding, rule_id)
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/assess/policy/trigger/reflected_xss'
 require 'contrast/agent/assess/policy/trigger/xpath'
-require 'contrast/api/decorators/trace_taint_range_tags'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/components/logger'
 
 module Contrast
@@ -185,8 +185,8 @@ module Contrast
 
             tags.each do |tag|
               raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
-                Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
-                    Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
+                Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag) ||
+                    Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
             end
           end
 

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a REDOS finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module REDOSValidator
             RULE_NAME = 'redos'
 

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -7,7 +7,7 @@ module Contrast
       module Policy
         module TriggerValidation
           # Validator used to assert a SSRF finding is actually vulnerable
-          # before serializing that finding as a DTM to report to the service.
+          # before serializing that finding as a DTM to report to the TeamServer.
           module SSRFValidator
             RULE_NAME = 'ssrf'
             URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -8,7 +8,7 @@ module Contrast
         module TriggerValidation
           # Validator used to assert a Reflected XSS finding is actually
           # vulnerable before serializing that finding as a DTM to report to
-          # the service.
+          # the TeamServer.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze

data/lib/contrast/agent/assess/property/evented.rb

@@ -42,24 +42,14 @@ module Contrast
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
-            append_to_ruby_object(current_request, event)
-          end
-
-          # @param current_request [Contrast::Agent::RequestContext]
-          # @param event [Contrast::Agent::Assess::Events::ContrastEvent]
-          def append_to_ruby_object current_request, event
             if current_request.observed_route.sources.any? do |source|
-              source.type == event.forced_source_type &&
-                    source.name == event.forced_source_name # rubocop:disable Security/Module/Name
+              source.type == event.source_type && source.name == event.source_name # rubocop:disable Security/Module/Name
             end
 
               return
             end
 
-            event_source = event.build_event_source
-            return unless event_source
-
-            current_request.observed_route.sources << event_source
+            current_request.observed_route.sources << event.event_source if event.event_source
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -11,9 +11,8 @@ module Contrast
     module Assess
       module Rule
         module Provider
-          # Hardcoded rules detect if any secret value has been written
-          # directly into the sourcecode of the application. To use this base
-          # class, a provider must implement three methods:
+          # Hardcoded rules detect if any secret value has been written directly into the sourcecode of the
+          # application. To use this base class, a provider must implement three methods:
           # 1) name_passes? : does the constant name match a given value set
           # 2) value_node_passes? : does the value of the constant match a
           #    given value set
@@ -21,23 +20,21 @@ module Contrast
           module HardcodedValueRule
             include Contrast::Components::Logger::InstanceMethods
 
+            # @return [Boolean]
             def disabled?
               !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
             end
 
-            # Parse the file pertaining to the given TracePoint to walk its AST
-            # to determine if a Constant is hardcoded. For our purposes, this
-            # hard coding means directly set rather than as an interpolated
-            # String or through a method call.
+            # Parse the file pertaining to the given TracePoint to walk its AST to determine if a Constant is
+            # hardcoded. For our purposes, this hard coding means directly set rather than as an interpolated String or
+            # through a method call.
             #
-            # Note: This is a top layer check, we make no assertions about what
-            # the methods or interpolations do. Their presence, even if only
-            # calling a hardcoded thing, causes this check to not report.
+            # Note: This is a top layer check, we make no assertions about what the methods or interpolations do.
+            # Their presence, even if only calling a hardcoded thing, causes this check to not report.
             #
-            # @param trace_point [TracePoint] the TracePoint event created on
-            #   the :end of a Module being loaded
-            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax
-            #   tree of the Module defined in the TracePoint end event
+            # @param trace_point [TracePoint] the TracePoint event created on the :end of a Module being loaded
+            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax tree of the Module defined in the
+            #   TracePoint end event
             def parse trace_point, ast
               return if disabled?
 
@@ -56,8 +53,8 @@ module Contrast
             private
 
             # @param mod [Module] the module to which this AST pertains
-            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node
-            #   within the AST, which may be a leaf, so any Object
+            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node within the AST, which may be a leaf, so any
+            #   Object
             def parse_ast mod, ast
               return unless ast.cs__is_a?(RubyVM::AbstractSyntaxTree::Node)
               return unless ast.cs__respond_to?(:children)
@@ -72,32 +69,27 @@ module Contrast
               # https://www.rubydoc.info/gems/ruby-internal/Node/CDECL
               return unless ast.type == :CDECL
 
-              # The CDECL Node has two children, the first being the Constant
-              # name as a symbol, the second as the value to assign to that
-              # constant
+              # The CDECL Node has two children, the first being the Constant name as a symbol, the second as the value
+              # to assign to that constant
               children = ast.children
               name = children[0].to_s
               # If that constant name doesn't pass our checks, move on.
               return unless name_passes?(name)
 
               value = children[1]
-              # The assignment node could be a direct value or a call of some
-              # sort. We leave it to each rule to properly handle these nodes.
+              # The assignment node could be a direct value or a call of some sort. We leave it to each rule to
+              # properly handle these nodes.
               return unless value_node_passes?(value)
 
-              if Contrast::Agent::Reporter.enabled?
-                new_finding_and_reporting(mod, name)
-              else # TODO: RUBY-1438 -- remove
-                build_finding(mod, name)
-              end
+              build_and_report(mod, name)
+            rescue StandardError => e
+              logger.error('Unable to parse AST for Hardcoded Rule analysis.', e)
             end
 
-            # Constants can be set as frozen directly. We need to account for
-            # this change as it means the Node given to the :CDECL call will be
-            # a :CALL, not a constant.
+            # Constants can be set as frozen directly. We need to account for this change as it means the Node given to
+            # the :CDECL call will be a :CALL, not a constant.
             #
-            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
-            #   evaluate
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to evaluate
             # @return [Boolean] is this a freeze call or not
             def freeze_call? value_node
               return false unless value_node.type == :CALL
@@ -109,61 +101,29 @@ module Contrast
               children[1] == :freeze
             end
 
-            def build_finding clazz, constant_string
-              class_name = clazz.cs__name
-
-              finding = assign_finding(class_name, constant_string)
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-              Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
-            rescue StandardError => e
-              logger.error('Unable to build a finding for Hardcoded Rule', e)
-              nil
-            end
+            # @param mod [Module] the module to which this AST pertains
+            # @param name [String] the name of the hardcoded constant
+            def build_and_report mod, name
+              finding = build_finding(mod, name)
+              return unless finding
 
-            # @param class_name [String] the name of the class in which the hardcoded value is present
-            # @param constant_string [String] the name of the constant
-            # @return [Contrast::Api::Dtm::Finding]
-            def assign_finding class_name, constant_string
-              finding = Contrast::Api::Dtm::Finding.new
-              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
-              finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
-
-              finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
-              finding.properties[CONSTANT_NAME_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string)
-              finding.properties[CODE_SOURCE_KEY] =
-                Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
-
-              hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
-              finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
-              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-              finding
-            end
+              preflight = Contrast::Agent::Reporting::BuildPreflight.generate(finding)
+              return unless preflight
 
-            def new_finding_and_reporting clazz, constant_string
-              return unless Contrast::Agent::Reporter.enabled?
-
-              # sent to reporter
-              # and add logger message for the report of the preflight
-              new_preflight = Contrast::Agent::Reporting::Preflight.new
-              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              new_preflight_message.hash_code = hash
-              new_preflight_message.data = "#{ rule_id },#{ hash }"
-              new_preflight.messages << new_preflight_message
-
-              # extract to new method
-              # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new(rule_id)
-              ruby_finding.hash_code = hash
-              ruby_finding.properties[SOURCE_KEY] = clazz.cs__name
-              ruby_finding.properties[CONSTANT_NAME_KEY] = constant_string
-              ruby_finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
-              save_and_report_finding(ruby_finding, new_preflight)
+              Contrast::Agent::Reporting::ReportingStorage[preflight.messages[0].data] = finding
+              Contrast::Agent.reporter&.send_event(preflight)
             end
 
-            def save_and_report_finding ruby_finding, new_preflight
-              Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
-              Contrast::Agent.reporter&.send_event(new_preflight)
+            # @param clazz [Class] the Class or Module containing the constant
+            # @param constant_string [String]
+            # @return [Contrast::Agent::Reporting::Finding]
+            def build_finding clazz, constant_string
+              finding = Contrast::Agent::Reporting::Finding.new(rule_id)
+              finding.properties[SOURCE_KEY] = clazz.cs__name
+              finding.properties[CONSTANT_NAME_KEY] = constant_string
+              finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
+              finding.hash_code = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
+              finding
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -3,10 +3,8 @@
 
 require 'rack'
 require 'json'
-require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 require 'contrast/utils/hash_digest'
-require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -32,18 +30,11 @@ module Contrast
               finding = build_finding(violation)
               return unless finding
 
-              if Contrast::Agent::Reporter.enabled?
-                report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
-                if report.is_a?(Contrast::Agent::Reporting::Finding)
-                  request = Contrast::Agent::REQUEST_TRACKER.current&.request
-                  preflight = Contrast::Agent::Reporting::BuildPreflight.build(report, request)
-                  Contrast::Agent.reporter&.send_event(preflight)
-                else
-                  Contrast::Agent.reporter&.send_event(report)
-                end
-              else
-                Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
-              end
+              preflight = Contrast::Agent::Reporting::BuildPreflight.generate(finding)
+              return unless preflight
+
+              Contrast::Agent::Reporting::ReportingStorage[preflight.messages[0].data] = finding
+              Contrast::Agent.reporter&.send_event(preflight)
             end
 
             protected
@@ -75,16 +66,15 @@ module Contrast
             # Convert the given evidence into a finding. The rule will populate this evidence with each of the
             #
             # @param evidence [Hash] the properties required to build this finding.
-            # @return [Contrast::Api::Dtm::Finding]
+            # @return [Contrast::Agent::Reporting::Finding]
             def build_finding evidence
-              finding = Contrast::Api::Dtm::Finding.new
-              finding.rule_id = rule_id
+              finding = Contrast::Agent::Reporting::Finding.new(rule_id)
               context = Contrast::Agent::REQUEST_TRACKER.current
-              finding.routes << context.route if context&.route
+              finding.routes << context.discovered_route if context&.discovered_route
               build_evidence(evidence, finding)
+              finding.request = Contrast::Agent::Reporting::FindingRequest.convert(context.request) if context&.request
               hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
-              finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
               finding
             end
 
@@ -92,16 +82,10 @@ module Contrast
             # Change it accordingly the rule you work on
             #
             # @param evidence [Hash] the properties required to build this finding.
-            # @param finding [Contrast::Api::Dtm::Finding] finding to attach the evidence to
+            # @param finding [Contrast::Agent::Reporting::Finding] finding to attach the evidence to
             def build_evidence evidence, finding
               evidence.each_pair do |key, value|
-                finding.properties[key] = if value.cs__is_a?(Hash)
-                                            Contrast::Utils::StringUtils.protobuf_format(value.to_json)
-                                          elsif value.cs__is_a?(Array)
-                                            value.map { Contrast::Utils::StringUtils.protobuf_format(_1) }.to_s
-                                          else
-                                            Contrast::Utils::StringUtils.protobuf_format(value)
-                                          end
+                finding.properties[key] = value
               end
             end
 

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -2,9 +2,7 @@
 # frozen_string_literal: true
 
 require 'rack'
-require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/utils/hash_digest'
-require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
 require 'contrast/agent/assess/rule/response/base_rule'
 
@@ -22,7 +20,7 @@ module Contrast
             START_PROP = 'start'.cs__freeze
             END_PROP = 'end'.cs__freeze
             FORM_START_REGEXP = /<form/i.cs__freeze
-            META_TYPE = 'meta'
+            META_TYPE = 'META tag'
             PRAGMA = 'pragma'
 
             # Rules discern which responses they can/should analyze.