contrast-agent 7.2.0 → 7.3.1

data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -13,28 +13,32 @@ module Contrast
           REFLECTED_XSS_MATCH = 'reflected-xss-input-tracing-v1'.cs__freeze
           WORTHWATCHING_MATCH = 'xss-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-
-              input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                          convert_input_type(input_type),
-                                                          Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.
-                                                            eval_option[:PREFER_WORTH_WATCHING])
+            def build_input_eval rule_id, input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::Agent::Protect::Rule::InputClassification::Base.
+                                               convert_input_type(input_type),
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.
+                                               eval_option[:PREFER_WORTH_WATCHING])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               score = input_eval&.score || 0
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               if score >= THRESHOLD
@@ -46,8 +50,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
           end

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -5,6 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
 require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Agent
@@ -65,6 +66,11 @@ module Contrast
         def details= protect_details
           @_details = protect_details if protect_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
         end
+
+        def empty?
+          Contrast::Utils::DuckUtils.empty_duck?(samples) || Contrast::Utils::DuckUtils.empty_duck?(rule_id) ||
+              response == ::Contrast::Agent::Reporting::ResponseType::NO_ACTION
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -9,13 +9,8 @@ module Contrast
     module Reporting
       # This class will do ia analysis for our protect rules
       class InputAnalysis
-        def inputs
-          @_inputs
-        end
-
-        def inputs= extracted_inputs
-          @_inputs = extracted_inputs
-        end
+        # @return [Hash] Stored request inputs for this context.
+        attr_accessor :inputs
 
         def triggered_rules
           @_triggered_rules ||= []

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -61,6 +61,17 @@ module Contrast
           @_key = key if key.is_a?(String)
         end
 
+        # @param key_type [Symbol]
+        # @return @_key [String]
+        def key_type= key_type
+          @_key_type = key_type if INPUT_TYPE.to_a.include?(key_type)
+        end
+
+        # @return @_key [String]
+        def key_type
+          @_key_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
         # @return value [String]
         def value
           @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -30,13 +30,45 @@ module Contrast
         UNKNOWN                 = :UNKNOWN.cs__freeze
 
         class << self
+          # @return
           def to_a
-            [
+            @_to_a ||= [
               UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
               QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
               MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
             ]
           end
+
+          # This is a hash of the input types and their corresponding values.
+          #
+          # @return [Hash]
+
+          def to_hash
+            {
+                UNDEFINED_TYPE: '1',
+                BODY: '2',
+                COOKIE_NAME: '3',
+                COOKIE_VALUE: '4',
+                HEADER: '5',
+                PARAMETER_NAME: '6',
+                PARAMETER_VALUE: '7',
+                QUERYSTRING: '8',
+                URI: '9',
+                SOCKET: '10',
+                JSON_VALUE: '11',
+                JSON_ARRAYED_VALUE: '12',
+                MULTIPART_CONTENT_TYPE: '13',
+                MULTIPART_VALUE: '14',
+                MULTIPART_FIELD_NAME: '15',
+                MULTIPART_NAME: '16',
+                XML_VALUE: '17',
+                DWR_VALUE: '18',
+                METHOD: '19',
+                REQUEST: '20',
+                URL_PARAMETER: '21',
+                UNKNOWN: '22'
+            }
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -23,7 +23,7 @@ module Contrast
           hash = URI.decode_www_form(query).to_h
           mask_with_dictionary(results, hash)
           # Restore to string form.
-          hash.each { |k, v| masked += "#{ k }=#{ v }&" }
+          hash.each { |k, v| masked += "#{ k }#{ EQUALS }#{ v }#{ AMPERSAND }" }
           query = masked
           query.chomp!(masked[-1])
         end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -40,6 +40,7 @@ module Contrast
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           return unless attack_result&.cs__is_a?(Contrast::Agent::Reporting::AttackResult)
+          return if attack_result&.empty?
 
           attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new(ia_request: @request)
           attacker_activity.attach_data(attack_result)

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/duck_utils'
 require 'contrast/agent/reporting/reporting_events/reportable_hash'
+require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_activity'
 
 module Contrast

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -118,7 +118,7 @@ module Contrast
           mode.resend.reset_rescue_attempts
           findings_to_return.each do |index|
             preflight_message = event.messages[index.to_i]
-            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.data)
+            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message&.data)
             next unless corresponding_finding
 
             send_event(corresponding_finding, connection)

data/lib/contrast/agent/telemetry/base.rb

@@ -143,6 +143,8 @@ module Contrast
           super
           delete_queue!
           Contrast::TELEMETRY_EXCEPTIONS&.clear
+          Contrast::TELEMETRY_IA_CACHE&.clear
+          Contrast::TELEMETRY_BASE64_HASH&.clear
         end
 
         private
@@ -174,8 +176,7 @@ module Contrast
               break unless attempt_to_start?
 
               # Start pushing exceptions to queue for reporting.
-              Contrast::TELEMETRY_EXCEPTIONS&.each_value { |value| queue << value }
-              Contrast::TELEMETRY_EXCEPTIONS&.clear
+              gather_telemetry_events
               until queue.empty?
                 event = queue.pop
                 begin
@@ -189,6 +190,31 @@ module Contrast
             end
           end
         end
+
+        # Fills the queue with events that were not able to be sent previously.
+        def gather_telemetry_events
+          gather_exceptions
+          gather_encoding_events
+          gather_ia_cache_events
+        end
+
+        # Retrieves the exceptions that were accumulated.
+        def gather_exceptions
+          Contrast::TELEMETRY_EXCEPTIONS&.each_value { |value| queue << value }
+          Contrast::TELEMETRY_EXCEPTIONS&.clear
+        end
+
+        # Retrieves the base64 encoded events that were accumulated.
+        def gather_encoding_events
+          Contrast::TELEMETRY_BASE64_HASH&.each_value { |values| values.each { |event| queue << event } }
+          Contrast::TELEMETRY_BASE64_HASH&.clear
+        end
+
+        # Retrieves the IA cache events that were accumulated.
+        def gather_ia_cache_events
+          Contrast::TELEMETRY_IA_CACHE&.each_value { |values| values.each { |event| queue << event } }
+          Contrast::TELEMETRY_IA_CACHE&.clear
+        end
       end
     end
   end

data/lib/contrast/agent/telemetry/base64_hash.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/input_analysis_encoding_event'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # This hash will store the telemetry data for the Protect InputAnalysis cache.
+      class Base64Hash < Hash
+        include Contrast::Components::Logger::InstanceMethods
+        # Set per request:
+        HASH_SIZE_LIMIT = 100
+
+        # Wrapper to set a value in this Telemetry::Hash only if the provided value is of the data_type for this
+        # Telemetry::CacheHash or the hash has not reached its limit for unique keys.
+        # Saves Array of reportable events.
+        #
+        # @param key [Object] the key to which to associate the value
+        # @param events [array<Object>]
+        # @return [Object, nil] echo back out the value as the Hash#[]= method does, or nil if not of the expected
+        #   data_type
+        def []= key, events
+          # If telemetry is not running, do not add more as we want to avoid a memory leak.
+          return unless Contrast::Agent.telemetry_queue&.running?
+          # If the Hash is full, do not add more as we want to avoid consuming all application resources.
+          return if at_limit?
+          # If the given value is of unexpected type, do not add it to avoid issues later where type is assumed.
+          return unless valid_event?(events)
+
+          super(key, events)
+        end
+
+        # Determine if hash has reached exception event limit.
+        #
+        # @return [Boolean]
+        def at_limit?
+          unless length < HASH_SIZE_LIMIT
+            logger.debug("[Telemetry] Number of IA base64 events exceeds limit of #{ HASH_SIZE_LIMIT }")
+            return true
+          end
+          false
+        end
+
+        private
+
+        # Checks to see if the given object is a valid event.
+        # @param events [Contrast::Agent::Telemetry::InputAnalysisEncodingEvent]
+        def valid_event? events
+          events&.all?(Contrast::Agent::Telemetry::InputAnalysisEncodingEvent)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/cache_hash.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/input_analysis_cache_event'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # This hash will store the telemetry data for the Protect InputAnalysis cache.
+      class CacheHash < Hash
+        include Contrast::Components::Logger::InstanceMethods
+        # Set per request:
+        HASH_SIZE_LIMIT = 100
+
+        # Wrapper to set a value in this Telemetry::Hash only if the provided value is of the data_type for this
+        # Telemetry::CacheHash or the hash has not reached its limit for unique keys.
+        # Saves Array of reportable events.
+        #
+        # @param key [Object] the key to which to associate the value
+        # @param events [array<Object>]
+        # @return [Object, nil] echo back out the value as the Hash#[]= method does, or nil if not of the expected
+        #   data_type
+        def []= key, events
+          # If telemetry is not running, do not add more as we want to avoid a memory leak.
+          return unless Contrast::Agent.telemetry_queue&.running?
+          # If the Hash is full, do not add more as we want to avoid consuming all application resources.
+          return if at_limit?
+          # If the given value is of unexpected type, do not add it to avoid issues later where type is assumed.
+          return unless valid_event?(events)
+
+          super(key, events)
+        end
+
+        # Determine if hash has reached exception event limit.
+        #
+        # @return [Boolean]
+        def at_limit?
+          unless length < HASH_SIZE_LIMIT
+            logger.debug("[Telemetry] Number of IA cache events exceeds limit of #{ HASH_SIZE_LIMIT }")
+            return true
+          end
+          false
+        end
+
+        private
+
+        # Checks to see if the given object is a valid event.
+        # @param event [Contrast::Agent::Telemetry::InputAnalysisCacheEvent]
+        def valid_event? events
+          events&.all?(Contrast::Agent::Telemetry::InputAnalysisCacheEvent)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/client.rb

@@ -65,6 +65,7 @@ module Contrast
                         else
                           60
                         end
+          logger.debug('[Telemetry] received response.', response_code: status_code)
           ready_after if status_code == 429
         end
 
@@ -76,6 +77,8 @@ module Contrast
           return true if event.cs__is_a?(Contrast::Agent::Telemetry::Event)
           return true if event.cs__is_a?(Contrast::Agent::Telemetry::StartupMetricsEvent)
           return true if event.cs__is_a?(Contrast::Agent::Telemetry::Exception::Event)
+          return true if event.cs__is_a?(Contrast::Agent::Telemetry::InputAnalysisCacheEvent)
+          return true if event.cs__is_a?(Contrast::Agent::Telemetry::InputAnalysisEncodingEvent)
 
           false
         end
@@ -93,12 +96,17 @@ module Contrast
           "#{ Contrast::Agent::Telemetry::Base::URL }#{ endpoint }#{ path }"
         end
 
-        # Helper Method to get json representation of Telemetry Event data, handles error on to_json
+        # Helper Method to get json representation of Telemetry Event data, handles error on to_json.
+        # Generating bodies for exceptions and startup metrics is different.
         #
         # @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::Exception::Event>]
         # @return [String] - JSON
         def get_event_json event
-          Array(event.to_controlled_hash).to_json
+          if event.cs__is_a?(Contrast::Agent::Telemetry::Exception::Event)
+            return Array(event.to_controlled_hash).to_json
+          end
+
+          [event.to_controlled_hash].to_json
         rescue Exception => e # rubocop:disable Lint/RescueException
           logger.error('[Telemetry] Unable to convert TelemetryEvent to JSON string', e, hsh)
           raise(e)

data/lib/contrast/agent/telemetry/exception/obfuscate.rb

@@ -16,9 +16,10 @@ module Contrast
           # is the same.
           CYPHER = CHARS.chars.shuffle.join.cs__freeze
           VERSION_MATCH = '[^0-9].-'
+          RUBY_EXT = /\.(?:rb|gemspec)$/i
 
           # List of known places after witch a user name might appear:
-          KNOWN_DIRS = %w[app application project projects git github users home user].cs__freeze
+          KNOWN_DIRS = %w[app application lib project projects git github users home user].cs__freeze
 
           class << self
             # Returns paths for known gems.
@@ -65,8 +66,8 @@ module Contrast
                                         name.tr(VERSION_MATCH, Contrast::Utils::ObjectShare::EMPTY_STRING).downcase)
 
                 obscure(name)
-                # obscure username (next dir in line)
-                obscure(dirs[idx + 1]) if dirs[idx + 1]
+                # obscure username (next dir in line), skip if it's a file name.
+                obscure(dirs[idx + 1]) if dirs[idx + 1] && (dirs[idx + 1] !~ RUBY_EXT)
               end
               cypher = dirs.join(Contrast::Utils::ObjectShare::SLASH)
               return cypher if cypher

data/lib/contrast/agent/telemetry/{hash.rb → exception_hash.rb}

@@ -10,7 +10,7 @@ module Contrast
       # This is the Telemetry::Hash, which will store Contrast::Agent::Telemetry::Exception::Event, so we can push
       # freely, without worrying about validating the event before that. Telemetry::Hash has a max size of events,
       # default is 10 events
-      class Hash < Hash
+      class ExceptionHash < Hash
         include Contrast::Components::Logger::InstanceMethods
         HASH_SIZE_LIMIT = 10
 

data/lib/contrast/agent/telemetry/identifier.rb

@@ -12,7 +12,7 @@ module Contrast
       # Gets info about the instrumented application required to build unique identifiers,
       # used in the agent's Telemetry.
       module Identifier
-        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        MAC_REGEXP = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
         LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
         MAC_OS_PRIMARY = 'en0'.cs__freeze
         LINUX_PRIMARY = 'enp'.cs__freeze
@@ -87,7 +87,7 @@ module Contrast
               mac = retrieve_mac(addr)
               next unless mac
 
-              result = mac if mac&.match?(MAC_REGEX)
+              result = mac if mac.match?(MAC_REGEXP)
               break if result
             end
             result
@@ -118,33 +118,20 @@ module Contrast
             nil
           end
 
-          # Returns array of network interfaces.
-          # This is OS dependent search.
+          # Returns array of network interfaces belonging to the expected pfamily of this OS.
           #
-          # @return interfaces [Array] Returns an array of interface addresses.
-          # Socket::Ifaddr - represents a result of getifaddrs().
+          # @return interfaces [Array<Socket::Ifaddr>]
           def interfaces
-            @_interfaces ||= []
-
-            return @_interfaces unless @_interfaces.empty?
+            @_interfaces ||= Socket.getifaddrs.select { |interface| interface.addr&.pfamily == check_family }
+          end
 
-            arr = Socket.getifaddrs
-            idx = 0
-            check_family = 0
-            while idx < arr.length
-              # We need only network adapters MACs. Checking for pfamily of every socket address:
-              # 18 for Mac OS and 17 for Linux.
-              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
-              check_family = 18 if Contrast::Utils::OS.mac?
-              check_family = 17 if Contrast::Utils::OS.linux?
-              if arr[idx].addr.pfamily != check_family
-                idx += 1
-                next
-              end
-              @_interfaces << arr[idx]
-              idx += 1
-            end
-            @_interfaces
+          # We need only network adapters MACs. Checking for pfamily of every socket address:
+          # 18 for Mac OS and 17 for Linux. Family should be an address family such as: :INET, :INET6, :UNIX, etc.
+          # It corresponds to the Addrinfo.pfamily value.
+          #
+          # @return [Integer]
+          def check_family
+            @_check_family ||= Contrast::Utils::OS.mac? ? 18 : 17
           end
         end
       end

data/lib/contrast/agent/telemetry/input_analysis_cache_event.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/input_analysis_event'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # Event to report all gather information from the Input Analysis Cache statistics, hits and misses.
+      class InputAnalysisCacheEvent < Contrast::Agent::Telemetry::InputAnalysisEvent
+        NAME = 'InputAnalysis cache event'
+        PATH = '/protect_input_analysis_cache'
+
+        private
+
+        # Creates the tags for the event
+        #
+        # @param rule_id [String]
+        # @param match_rates [Contrast::Agent::Protect::Rule::InputClassification::MatchRates]
+        def add_tags rule_id, match_rates
+          super(rule_id, match_rates)
+          @tags['score_level'] = match_rates&.score_level.dup&.to_s || NOT_APPLICABLE
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/input_analysis_encoding_event.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/input_analysis_event'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # Event to report all gather information from the Input Analysis Cache statistics, hits and misses.
+      class InputAnalysisEncodingEvent < Contrast::Agent::Telemetry::InputAnalysisEvent
+        NAME = 'InputAnalysis encoding event'
+        PATH = '/protect_input_analysis_encoding'
+
+        private
+
+        # Creates the tags for the event
+        #
+        # @param _rule_id [String]
+        # @param encode_rates [Contrast::Agent::Protect::Rule::InputClassification::EncodingRates]
+        def add_tags _rule_id, encode_rates
+          super(nil, encode_rates)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/telemetry/input_analysis_event.rb

@@ -0,0 +1,91 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/metrics_hash'
+require 'contrast/agent/telemetry/metric_event'
+require 'contrast/agent/version'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # Event to report all gather information from the Input Analysis metrics.
+      class InputAnalysisEvent < Contrast::Agent::Telemetry::MetricEvent
+        include Contrast::Components::Logger::InstanceMethods
+        NOT_APPLICABLE = 'n/a'
+
+        attr_reader :fields
+
+        # Override the name for any derived classes
+        NAME = 'InputAnalysis event'
+        # Override the path for any derived classes
+        PATH = '/protect_input_analysis'
+
+        # @param rule_id [String] the rule name.
+        # @param rates [Contrast::Agent::Protect::Rule::InputClassification::Rates] base class for all rates.
+        def initialize rule_id, rates
+          super()
+          @fields = MetricsHash.new(Integer)
+          add_tags(rule_id, rates)
+          generate_fields(rates)
+        end
+
+        # Returns the name of the event.
+        #
+        # @return [String]
+        def name
+          cs__class::NAME
+        end
+
+        # Returns the path to report the event.
+        #
+        # @return [String]
+        def path
+          cs__class::PATH
+        end
+
+        # Override the empty check for any derived classes if needed.
+        def empty?
+          super && Contrast::Utils::DuckUtils.empty_duck?(@tags)
+        end
+
+        private
+
+        # Creates the tags for the event. Overrides the base class to add the rule_id and match_rate.
+        #
+        # @param rule_id [String, nil]
+        # @param rates [Contrast::Agent::Protect::Rule::InputClassification::Rates]
+        def add_tags rule_id, rates
+          return if Contrast::Utils::DuckUtils.empty_duck?(rates)
+          return unless rates.cs__is_a?(Contrast::Agent::Protect::Rule::InputClassification::Rates)
+
+          @tags['event_type'] = name # rubocop:disable Security/Module/Name
+          @tags['test_environment'] = ENV['CONTRAST_AGENT_TELEMETRY_TEST'] == '1' ? 'true' : 'false'
+          @tags['rule_id'] = rule_id if rule_id
+          @tags['input_type'] = rates&.input_type.dup&.to_s || NOT_APPLICABLE
+          add_system_tags
+        end
+
+        # Creates the fields for the event.
+        # Override if needed.
+        #
+        # @param rates [Contrast::Agent::Protect::Rule::InputClassification::Rates] base class for all rates.
+        def generate_fields rates
+          return if Contrast::Utils::DuckUtils.empty_duck?(rates)
+          return unless rates.cs__is_a?(Contrast::Agent::Protect::Rule::InputClassification::Rates)
+
+          rates.to_fields.each { |field, value| @fields[field] = value.dup }
+        end
+
+        # Adds the system tags to the event.
+        def add_system_tags
+          @tags['agent_version'] = VERSION
+          @tags['ruby_version'] = RUBY_VERSION
+          @tags['os_type'] = sys_info['os_type'] == 'Darwin' ? 'MacOS' : 'Linux'
+          @tags['os_arch'] = sys_info['os_arch']
+          @tags['os_version'] = sys_info['os_version']
+        end
+      end
+    end
+  end
+end