contrast-agent 7.3.0 → 7.3.2

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -232,11 +232,14 @@ module Contrast
           return unless ::Contrast::AGENT.enabled?
 
           logger.trace_with_time('Rebuilding rule modes from TeamServer') do
-            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
+            # TODO: RUBY-999999 Make sure when updating Protect rules to reflect the mode source (always DEFAULT_VALUE)
             ::Contrast::AGENT.reset_ruleset
+            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
             logger.info('Current rule settings:')
             ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
-            logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            if ::Contrast::ASSESS.enabled?
+              logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            end
           end
         end
 

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -14,6 +14,13 @@ module Contrast
         class Protect
           # modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
           NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
+          ACTIVE_PROTECT_RULES_LIST = %w[
+            bot-blocker cmd-injection cmd-injection-command-backdoors cmd-injection-semantic-chained-commands
+            cmd-injection-semantic-dangerous-paths untrusted-deserialization nosql-injection path-traversal
+            path-traversal-semantic-file-security-bypass sql-injection sql-injection-semantic-dangerous-functions
+            unsafe-file-upload reflected-xss xxe
+          ].cs__freeze
+
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -80,30 +87,66 @@ module Contrast
             modes_by_id = {}
             protection_rules.each do |rule|
               setting_mode = rule[:mode] || rule['mode']
-              api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
-                           case setting_mode
-                           when NG_PROTECT_RULES_MODE[1]
-                             :MONITOR
-                           when NG_PROTECT_RULES_MODE[2]
-                             if rule[:blockAtEntry] || rule['blockAtEntry']
-                               :BLOCK_AT_PERIMETER
-                             else
-                               :BLOCK
-                             end
-                           else
-                             :NO_ACTION
-                           end
-                         else
-                           # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
-                           # can just be cast to symbols
-                           setting_mode.to_sym
-                         end
+              # BlockAtEnrtry is only available for the protection_rules Array.
+              # It is used in both ng and non ng payloads. If the array is empty
+              # this method will short circuit at the very first line and return
+              # empty hash. this means that the #rules_settings_to_settings_hash
+              # will be used next to extract the settings.
+              bap = rule[:blockAtEntry] || rule['blockAtEntry']
+              api_mode = assign_mode(setting_mode, block_at_entry: !!bap == bap)
 
               id = rule[:id] || rule['id']
               modes_by_id[id] = api_mode
             end
             modes_by_id
           end
+
+          # Converts settings into Agent Settings understandable hash {RULE_ID => MODE}
+          # Takes Hash<String, Contrast::Agent::Reporting::Settings::ProtectRule> and converts it
+          # to Hash<RULE_ID => MODE>
+          #
+          # @return rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+          def rules_settings_to_settings_hash
+            return {} if rule_settings.empty?
+
+            modes_by_id = {}
+            rule_settings.each do |rule_id, rule_mode|
+              next unless active_defend_rules.include?(rule_id.to_s)
+
+              modes_by_id[rule_id.to_s] = assign_mode(rule_mode.mode)
+            end
+            modes_by_id
+          end
+
+          # Returns list of actively used protection rules to be updated, or default list.
+          # This will be used to query the received settings for the ones used by the Agent.
+          def active_defend_rules
+            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::SETTINGS)
+
+            current_rules = (Contrast::PROTECT&.defend_rules&.keys if defined?(Contrast::PROTECT))
+            return current_rules unless current_rules&.empty?
+
+            ACTIVE_PROTECT_RULES_LIST
+          end
+
+          private
+
+          # Assigns the received settings mode to be used as actual config.
+          # @param setting_mode []
+          def assign_mode setting_mode, block_at_entry: false
+            # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
+            # can just be cast to symbols
+            return setting_mode.to_sym unless NG_PROTECT_RULES_MODE.include?(setting_mode)
+
+            case setting_mode
+            when NG_PROTECT_RULES_MODE[1]
+              :MONITOR
+            when NG_PROTECT_RULES_MODE[2]
+              block_at_entry ? :BLOCK_AT_PERIMETER : :BLOCK
+            else
+              :NO_ACTION
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -85,6 +85,8 @@ module Contrast
                 security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
                 assessment: @_assess ? assess.to_controlled_hash : {},
                 defend: @_protect ? protect.to_controlled_hash : {},
+                logLevel: log_level,
+                logFile: log_file,
                 telemetry: telemetry
             }.compact
           end

data/lib/contrast/agent/telemetry/exception/obfuscate.rb

@@ -16,9 +16,10 @@ module Contrast
           # is the same.
           CYPHER = CHARS.chars.shuffle.join.cs__freeze
           VERSION_MATCH = '[^0-9].-'
+          RUBY_EXT = /\.(?:rb|gemspec)$/i
 
           # List of known places after witch a user name might appear:
-          KNOWN_DIRS = %w[app application project projects git github users home user].cs__freeze
+          KNOWN_DIRS = %w[app application lib project projects git github users home user].cs__freeze
 
           class << self
             # Returns paths for known gems.
@@ -65,8 +66,8 @@ module Contrast
                                         name.tr(VERSION_MATCH, Contrast::Utils::ObjectShare::EMPTY_STRING).downcase)
 
                 obscure(name)
-                # obscure username (next dir in line)
-                obscure(dirs[idx + 1]) if dirs[idx + 1]
+                # obscure username (next dir in line), skip if it's a file name.
+                obscure(dirs[idx + 1]) if dirs[idx + 1] && (dirs[idx + 1] !~ RUBY_EXT)
               end
               cypher = dirs.join(Contrast::Utils::ObjectShare::SLASH)
               return cypher if cypher

data/lib/contrast/agent/telemetry/identifier.rb

@@ -12,7 +12,7 @@ module Contrast
       # Gets info about the instrumented application required to build unique identifiers,
       # used in the agent's Telemetry.
       module Identifier
-        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        MAC_REGEXP = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
         LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
         MAC_OS_PRIMARY = 'en0'.cs__freeze
         LINUX_PRIMARY = 'enp'.cs__freeze
@@ -87,7 +87,7 @@ module Contrast
               mac = retrieve_mac(addr)
               next unless mac
 
-              result = mac if mac&.match?(MAC_REGEX)
+              result = mac if mac.match?(MAC_REGEXP)
               break if result
             end
             result
@@ -118,33 +118,20 @@ module Contrast
             nil
           end
 
-          # Returns array of network interfaces.
-          # This is OS dependent search.
+          # Returns array of network interfaces belonging to the expected pfamily of this OS.
           #
-          # @return interfaces [Array] Returns an array of interface addresses.
-          # Socket::Ifaddr - represents a result of getifaddrs().
+          # @return interfaces [Array<Socket::Ifaddr>]
           def interfaces
-            @_interfaces ||= []
-
-            return @_interfaces unless @_interfaces.empty?
+            @_interfaces ||= Socket.getifaddrs.select { |interface| interface.addr&.pfamily == check_family }
+          end
 
-            arr = Socket.getifaddrs
-            idx = 0
-            check_family = 0
-            while idx < arr.length
-              # We need only network adapters MACs. Checking for pfamily of every socket address:
-              # 18 for Mac OS and 17 for Linux.
-              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
-              check_family = 18 if Contrast::Utils::OS.mac?
-              check_family = 17 if Contrast::Utils::OS.linux?
-              if arr[idx].addr.pfamily != check_family
-                idx += 1
-                next
-              end
-              @_interfaces << arr[idx]
-              idx += 1
-            end
-            @_interfaces
+          # We need only network adapters MACs. Checking for pfamily of every socket address:
+          # 18 for Mac OS and 17 for Linux. Family should be an address family such as: :INET, :INET6, :UNIX, etc.
+          # It corresponds to the Addrinfo.pfamily value.
+          #
+          # @return [Integer]
+          def check_family
+            @_check_family ||= Contrast::Utils::OS.mac? ? 18 : 17
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.0'
+    VERSION = '7.3.2'
   end
 end

data/lib/contrast/components/assess.rb

@@ -17,14 +17,26 @@ module Contrast
 
         # @return [Boolean, nil]
         attr_accessor :enable
-        # @return [Array, nil]
-        attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces, :tags
+        # @return [Boolean, nil]
+        attr_writer :enable_scan_response
+        # @return [Boolean, nil]
+        attr_writer :enable_dynamic_sources
+        # @return [Contrast::Components::Sampling::Interface]
+        attr_writer :sampling
+        # @return [Contrast::Components::AssessRules::Interface]
+        attr_writer :rules
+        # @return [String, nil]
+        attr_writer :stacktraces
+        # @return [Array<String>, nil]
+        attr_writer :tags
         # @return [String]
         attr_reader :canon_name
-        # @return [Array]
+        # @return [Array<String>]
         attr_reader :config_values
         # @return [Boolean]
         attr_writer :enable_original_object
+        # @return [Boolean]
+        attr_writer :enable_response_as_source
         # @return [Integer]
         attr_writer :max_context_source_events
         # @return [Integer]
@@ -46,6 +58,7 @@ module Contrast
           enable_scan_response
           enable_original_object
           enable_dynamic_sources
+          enable_response_as_source
           stacktraces
           max_context_source_events
           max_propagation_events
@@ -63,27 +76,33 @@ module Contrast
           @enable_scan_response = hsh[:enable_scan_response]
           @enable_dynamic_sources = hsh[:enable_dynamic_sources]
           @enable_original_object = hsh[:enable_original_object]
+          @enable_response_as_source = hsh[:enable_response_as_source]
           @sampling = Contrast::Components::Sampling::Interface.new(hsh[:sampling])
           @rules = Contrast::Components::AssessRules::Interface.new(hsh[:rules])
           @stacktraces = hsh[:stacktraces]
           assign_limits(hsh)
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_scan_response
           @enable_scan_response.nil? ? true : @enable_scan_response
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_dynamic_sources
           @enable_dynamic_sources.nil? ? true : @enable_dynamic_sources
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_original_object
           @enable_original_object.nil? ? true : @enable_original_object
         end
 
+        # @return [Boolean]
+        def enable_response_as_source
+          @enable_response_as_source.nil? ? false : @enable_response_as_source
+        end
+
         # @return [Contrast::Components::Sampling::Interface]
         def sampling
           @sampling ||= Contrast::Components::Sampling::Interface.new
@@ -209,6 +228,13 @@ module Contrast
           @_track_original_object
         end
 
+        def track_response_as_source?
+          @track_response_as_source = !false?(enable_response_as_source) if
+            @track_response_as_source.nil?
+
+          @track_response_as_source
+        end
+
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
         def session_id
@@ -234,6 +260,7 @@ module Contrast
         end
 
         # Sets Event limits from configuration and converts string numbers to integers.
+        # @param hsh [Hash] the configuration hash
         def assign_limits hsh
           return unless hsh
 

data/lib/contrast/components/base.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/config/diagnostics/tools'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Components
@@ -89,12 +90,13 @@ module Contrast
         add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
       end
 
-      # attempts to stringifys the config value if it is an array with the join char
+      # attempts to stringify the config value if it is an array with the join char
+      #
       # @param val[Object] val to stringify
       # @param join_char[String, ','] join character defaults to ','
       # @return [String, Object] the stringified val or the object as is
       def stringify_array val, join_char = ','
-        return val.join(join_char) if val.cs__is_a?(Array)
+        return val.join(join_char) if val.cs__is_a?(Array) && val.any?
 
         val
       end

data/lib/contrast/components/config.rb

@@ -24,7 +24,6 @@ module Contrast
     # it should break LOUDLY.  Better to waste half an hour of the sysadmin's
     # time than to silently fail to deliver functionality.
     module Config
-      CONTRAST_ENV_MARKER = 'CONTRAST__'
       CONTRAST_LOG = 'contrast.log'
       CONTRAST_NAME = 'Contrast Agent'
       DATE_TIME = '%Y-%m-%dT%H:%M:%S.%L%z'
@@ -180,7 +179,8 @@ module Contrast
           # For env variables resembling CONTRAST__WHATEVER__NESTED_VALUE
           # override raw.whatever.nested_value
           ENV.each do |env_key, env_value|
-            next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
+            next unless env_key.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER)
+            next if Contrast::Configuration::DEPRECATED_PROPERTIES.include?(env_key.to_s)
 
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
             assign_value_to_path_array(self, config_item.dot_path_array, config_item.value)

data/lib/contrast/components/protect.rb

@@ -10,7 +10,7 @@ module Contrast
     module Protect
       # A wrapper build around the Common Agent Configuration project to allow for access of the values contained in
       # its parent_configuration_spec.yaml.  Specifically, this allows for querying the state of the Protect product.
-      class Interface
+      class Interface # rubocop:disable Metrics/ClassLength
         include Contrast::Components::ComponentBase
         include Contrast::Config::BaseConfiguration
 
@@ -168,6 +168,19 @@ module Contrast
 
           @_forcibly_enabled ||= true?(::Contrast::CONFIG.protect.enable)
         end
+
+        # Used for conversion to contrast metrics hash:
+        def forcibly_enabled
+          forcibly_enabled?
+        end
+
+        def forcibly_disabled
+          forcibly_disabled?
+        end
+
+        def report_custom_code_sysfile_access
+          report_custom_code_sysfile_access?
+        end
       end
     end
   end

data/lib/contrast/components/settings.rb

@@ -156,7 +156,7 @@ module Contrast
         def update_from_application_settings settings_response
           return unless (app_settings = settings_response&.application_settings)
 
-          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          extract_protect_app_settings(app_settings)
           update_exclusion_matchers(app_settings.exclusions)
           app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
             settings_empty?(app_settings.protect.virtual_patches)
@@ -294,6 +294,16 @@ module Contrast
           level[parts[-1]] = value
           Contrast::CONFIG.sources.set(parts.join('.'), Contrast::Components::Config::Sources::CONTRAST_UI)
         end
+
+        # Extract the rules modes from protection_rules or rules_settings fields.
+        #
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def extract_protect_app_settings app_settings
+          modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          modes_by_id = app_settings.protect.rules_settings_to_settings_hash if settings_empty?(modes_by_id)
+          # Preserve previous state if no new settings are extracted:
+          @application_state.modes_by_id = modes_by_id unless settings_empty?(modes_by_id)
+        end
       end
     end
   end

data/lib/contrast/config/diagnostics/command_line.rb

@@ -13,9 +13,9 @@ module Contrast
         class << self
           def command_line_settings
             cli = Contrast::Config::Diagnostics::Tools.flatten_settings(Contrast::CONFIG.sources.
-              for(Contrast::Components::Config::Sources::COMMAND_LINE))
+              for(Contrast::Components::Config::Sources::COMMAND_LINE), cli: true)
 
-            Contrast::Config::Diagnostics::Tools.to_config_values(cli, source: true)
+            Contrast::Config::Diagnostics::Tools.to_config_values(cli, source: true, cli: true)
           end
         end
       end

data/lib/contrast/config/diagnostics/environment_variables.rb

@@ -21,7 +21,7 @@ module Contrast
           # @return [Array] array of all the values needed to be written.
           def environment_settings env
             env_hash = env.select do |e|
-              e.to_s.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
+              e.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
             end
             environment_settings = []
             env_hash.each do |key, value|
@@ -41,6 +41,7 @@ module Contrast
                                                         Contrast::Utils::ObjectShare::EMPTY_STRING)
                 end
                 effective_value.value = Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                effective_value.key = key
               end
               environment_settings << efc_value if efc_value
             end

data/lib/contrast/config/diagnostics/tools.rb

@@ -11,13 +11,15 @@ module Contrast
       # Diagnostics tools to be included in config components.
       module Tools
         CHECK = 'd'
+        CONTRAST_MARK = 'CONTRAST_'
         class << self
           # Creates new config instances for each read config entry from the flat generated configs.
           #
           # @param flats [Array] of flatten configs produced by #flatten_settings
           # @param source [Boolean] flag to set the desired value class, it may be a effective or source value.
+          # @param cli [Boolean] flag to check if the value comes from cli.
           # @return [Array<Contrast::Config::Diagnostics::SourceConfigValue>]
-          def to_config_values flats, source: false
+          def to_config_values flats, source: false, cli: false
             config_value_klass = if source
                                    Contrast::Config::Diagnostics::SourceConfigValue
                                  else
@@ -27,7 +29,11 @@ module Contrast
             flats.each do |entry|
               entry.each do |key, value|
                 efc_value = config_value_klass.new.tap do |config_value|
-                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key
+                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key unless cli
+                  if cli && key.to_s.include?(CONTRAST_MARK)
+                    config_value.canonical_name = key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
+                                                           Contrast::Utils::ObjectShare::PERIOD).downcase
+                  end
                   config_value.key = key
                   config_value.value = value_to_s(value)
                 end
@@ -40,17 +46,21 @@ module Contrast
           # Flattens out the read settings from file, env or contrast ui.
           # example: {"agent.polling.server_settings_ms"=>"50000"}
           #
+          # If cli is set we avoid adding the path and additional '.' to the key.
+          #
           #  @param data [Hash, nil]
           #  @param path  [String] where to look for settings.
           #  @param config [Hash] symbolized config to fetch keys from.
-          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config
+          #  @param cli [Boolean] does the config come from cli.
+          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config, cli: false
             return [] unless data
 
             data.each_with_object([]) do |(k, v), entries|
               if v.cs__is_a?(Hash)
                 entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
               else
-                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s }
+                entries << { k.to_s => config.dig(*path, k).to_s } if cli
+                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s } unless cli
               end
             end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
           end
@@ -62,7 +72,7 @@ module Contrast
             return if value.nil?
             return value if value.cs__is_a?(String)
 
-            value.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
+            value&.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
               m[k] = if v.cs__is_a?(Hash)
                        value_to_s(v)
                      elsif v.cs__is_a?(Array)

data/lib/contrast/configuration.rb

@@ -64,44 +64,29 @@ module Contrast
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
 
-    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH # rubocop:disable Metrics/AbcSize
+    DEPRECATED_PROPERTIES = %w[
+      CONTRAST__AGENT__SERVICE__ENABLE CONTRAST__AGENT__SERVICE__LOGGER__LEVEL
+      CONTRAST__AGENT__SERVICE__LOGGER__PATH CONTRAST__AGENT__SERVICE__LOGGER__STDOUT
+    ].cs__freeze
+
+    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
       @default_name = default_name
 
       # Load config_kv from file
       config_kv = Contrast::Utils::HashUtils.deep_symbolize_all_keys(load_config)
-      unless cli_options
-        cli_options = {}
-        ENV.each do |key, value|
-          next unless key.to_s.start_with?(CONTRAST_ENV_MARKER)
 
-          cli_options[key] = value
-        end
-      end
-
-      # Overlay CLI options - they take precedence over config file
-      cli_options = Contrast::Utils::HashUtils.deep_symbolize_all_keys(cli_options)
-      if cli_options
-        config_kv = Contrast::Utils::HashUtils.precedence_merge(cli_options, config_kv)
-        @_source_file_extensions = Contrast::Utils::HashUtils.
-            precedence_merge(assign_source_to(cli_options,
-                                              Contrast::Components::Config::Sources::COMMAND_LINE),
-                             @_source_file_extensions)
-      end
+      # Load cli options from env
+      cli_options ||= cli_to_hash
+      config_kv = Contrast::Utils::HashUtils.precedence_merge(config_kv, cli_options)
+      update_sources_from_cli(cli_options)
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
+      @sources = Contrast::Components::Config::Sources.new(source_file_extensions)
       @loaded_config = config_kv
 
-      @sources = Contrast::Components::Config::Sources.new(@_source_file_extensions)
-
-      @api = Contrast::Components::Api::Interface.new(config_kv[:api])
-      @enable = config_kv[:enable]
-      @agent = Contrast::Components::Agent::Interface.new(config_kv[:agent])
-      @application = Contrast::Components::AppContext::Interface.new(config_kv[:application])
-      @server = Contrast::Config::ServerConfiguration.new(config_kv[:server])
-      @assess = Contrast::Components::Assess::Interface.new(config_kv[:assess])
-      @inventory = Contrast::Components::Inventory::Interface.new(config_kv[:inventory])
-      @protect = Contrast::Components::Protect::Interface.new(config_kv[:protect])
+      # requires loaded_config:
+      create_config_components
     end
 
     # Get a loggable YAML format of this configuration
@@ -155,7 +140,7 @@ module Contrast
     # reverse order of precedence (first is most important).
     def configuration_paths
       @_configuration_paths ||= begin
-        basename = default_name.split('.').first
+        basename = default_name.split('.')[0]
         # Order of extensions comes from here:
         extensions = Contrast::Components::Config::Sources::APP_CONFIGURATION_EXTENSIONS
 
@@ -263,6 +248,18 @@ module Contrast
 
     private
 
+    # Creates and updates the config components with the loaded config values.
+    def create_config_components
+      @api = Contrast::Components::Api::Interface.new(loaded_config[:api])
+      @enable = loaded_config[:enable]
+      @agent = Contrast::Components::Agent::Interface.new(loaded_config[:agent])
+      @application = Contrast::Components::AppContext::Interface.new(loaded_config[:application])
+      @server = Contrast::Config::ServerConfiguration.new(loaded_config[:server])
+      @assess = Contrast::Components::Assess::Interface.new(loaded_config[:assess])
+      @inventory = Contrast::Components::Inventory::Interface.new(loaded_config[:inventory])
+      @protect = Contrast::Components::Protect::Interface.new(loaded_config[:protect])
+    end
+
     # We cannot use all access components at this point, unfortunately, as they
     # may not have been initialized. Instead, we need to access the logger
     # directly.
@@ -367,5 +364,40 @@ module Contrast
         end
       end
     end
+
+    # Update the source mapping to reflect the cli values passed. Using raw string rather than path values.
+    #
+    # @param cli_options[Hash<Symbol, String>]
+    def update_sources_from_cli cli_options
+      @_source_file_extensions = Contrast::Utils::HashUtils.
+          precedence_merge(assign_source_to(cli_options,
+                                            Contrast::Components::Config::Sources::COMMAND_LINE),
+                           @_source_file_extensions)
+    end
+
+    # Find all the set Contrast environment variables and cast them to their hash form. Keys will be split on __ and
+    # converted to symbols to match parsing of the YAML file
+    #
+    # @return [Hash<Symbol, (Hash, String)>]
+    def cli_to_hash
+      cli_options ||= ENV.select do |name, _value|
+        name.to_s.start_with?(CONTRAST_ENV_MARKER) && !DEPRECATED_PROPERTIES.include?(name.to_s)
+      end
+
+      converted = {}
+      cli_options&.each do |key, value|
+        # Split the env key into path components
+        path = key.to_s.split(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE)
+        # Remove the `CONTRAST` start
+        path&.shift
+        # Convert it to hash form, with lowercase symbol keys
+        as_hash = path&.reverse&.reduce(value) do |assigned_value, path_segment|
+          { path_segment.downcase.to_sym => assigned_value }
+        end
+        # And join it w/ the parsed keys
+        Contrast::Utils::HashUtils.precedence_merge!(converted, as_hash)
+      end
+      converted
+    end
   end
 end

data/lib/contrast/logger/application.rb

@@ -17,8 +17,8 @@ module Contrast
         ENV.each do |env_key, env_value|
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
-              (env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
-                  !env_key.start_with?("#{ Contrast::Components::Config::CONTRAST_ENV_MARKER }API"))
+              (env_key.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) &&
+                  !env_key.start_with?("#{ Contrast::Configuration::CONTRAST_ENV_MARKER }API"))
 
           info('Environment settings', key: env_key, value: env_value)
         end
@@ -30,7 +30,7 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
-          env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
+          env_key&.to_s&.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
         env_translations = env_items.each_with_object({}) do |conversion, hash|