contrast-agent 7.3.1 → 7.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4223bb2218df4bdf98b2600c77c4fa148e71b830575e938a968d41e89138fb81
-  data.tar.gz: cc559a6b364c5019d9c50d8ee6b8237486ac1596ec8ade76d8e6ae4e51e1b906
+  metadata.gz: a4ed370d3625c9e07c5966fb4e091e96cc37a6a2fce8376d63a547e655b27173
+  data.tar.gz: 601a4767e4317af72e2c610df6ba19bb68df2c42f128bb873539204c93801019
 SHA512:
-  metadata.gz: 6b88f94ad140a8dd0e8099e2d4f3a396f2221de6ba9a3cbdfaa7e9327644703b7dc275c369ffe4efa29109619bf9eb182f2a0f7b85103c67e2a83246c49c137a
-  data.tar.gz: eaf65ba9546f37ace248a29657e690966deaf02aa26426b169f1f3e9639aa3f7b355ea858afd4ef0a5787bd9e2549d7927b3db89894eb6ef4bcd26daf01382e9
+  metadata.gz: 597307a8f3521cd9783c07ccc8b2f54d6bf2cf1631db84bd29fba683fbd93fc4f5eff47bbbc2ed50c37c02fd3c59d5df987526c839c5e731299cdb6e02e30c6f
+  data.tar.gz: 95898f87cbabbcc24d9ce3f0d5ba1397b4399f9ca35f4c4a1290c7e3d9c7cd26d6bf13c99affc013dea2456260aeb918349a97905863ba790ba869a272faccfc

data/ext/cs__scope/cs__scope.c

@@ -5,6 +5,7 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 #include <stdlib.h>
+#include <pthread.h>
 
 /*-----------------------------------------
  |  Calls to Contrast modules and classes
@@ -23,6 +24,9 @@ static char truthy_arr[3][5] = {"true", "True", "TRUE"};
  |  Helpers
  -----------*/
 
+/* Declare new c mutex for scope locking: */
+pthread_mutex_t c_mutex;
+
 /**
  * @brief get scope for ec or create new
  *
@@ -153,22 +157,40 @@ VALUE contrast_scope_application_update() {
      * [ Do not touch, do not free. We don't control it! ]
      */
     char *eVar = getenv(c_const_ctr_agent_app_scope);
-    VALUE app_scope = eVar;
+    /* check to see if the ENV variable is set */
+    return INT2FIX(env_var_set(eVar));
+}
 
+/** 
+ * @brief Determines if the Contrast Scope should be set with the Trap Context. 
+ * @return 1 if set, 0 if not set.
+ */
+int contrast_scope_with_trap_context() {
+    char *eVar = getenv(c_const_ctr_agent_scope_trap_context);
+    return env_var_set(eVar);
+}
+
+/**
+ *  @brief Checks to see if the ENV variable is set.
+ *  @param args VALUE [String] ENV variable name.
+ *  @return 1 if set, 0 if not set.
+ */
+int env_var_set(char *eVar) {
+    VALUE env_var = eVar;
     /* check to see if the ENV variable is set */
-    if (RTEST(app_scope)) {
+    if (RTEST(env_var)) {
         /* Application Scope is set*/
         int i;
         for (i = 0; i < sizeof(truthy_arr) / sizeof(truthy_arr[0]); i++) {
             if (strcmp(eVar, truthy_arr[i]) == 0) {
-                return INT2FIX(1);
+                return 1;
             }
         }
         /* this covers all of the false values */
-        return INT2FIX(0);
+        return 0;
     } else {
         /* Application Scope is not set ( NULL )*/
-        return INT2FIX(0);
+        return 0;
     }
 }
 
@@ -505,8 +527,48 @@ VALUE contrast_scope_interface_init(VALUE self, VALUE args) {
 VALUE contrast_scope_for_current_ec(VALUE self, VALUE args) {
     /* synchronize */
     VALUE mutex = rb_const_get(scope_mod, rb_intern(rb_const_mon));
-
-    return rb_mutex_synchronize(mutex, get_ec, 0);
+    if (contrast_scope_with_trap_context()) {
+        /**
+         * trap context safety:
+         *
+         * If  mutex  synchonize is called inside a  trap  context,
+         * it will raise a thread error. To avoid that,  there  are
+         * different  approaches as to  trap all signal  in a loop,
+         * but that is  not a good idea, since the scope is checked
+         * once, and only one signal could be trapped.  Another way
+         * is  to make new thread around the mutex  synchronization
+         * call,  but this will create a new execution context  and
+         * the returned scope will be different.
+         *
+         * Most of the  thread error occur randomly whenever GC  is
+         * started. We  cannot detect, When the  GC  is started, it
+         * will stop all current Ruby code execution while running.
+         *
+         * Instead we call the `get_ec()` directly since  Ruby have
+         * GVL (Global VM Lock) when calling it's C  API  therefore
+         * This should be safe called from Ruby land. Just in  case
+         * this is a feature flag, so that only be used when thread
+         * safety could be traded for signal safety.
+         *
+         * This is still experimental as relies ong the GLV and the
+         * Ruby VM is not thread safe by default. Various  problems
+         * might occur, when the mutex is in  Ruby  and called from
+         * different thread, at once, but since the mutex stays  in
+         * the C API context, this might work fine. Still use  only
+         * when unusual conditions are met.
+         * 
+         * In addition we could use C mutex lock just in case. Ruby
+         * Threads under the hood are C threads (pthread),  so they
+         * should be treated as such. In theory only one thread can
+         * access this code at a time.
+         */
+        pthread_mutex_lock(&c_mutex);
+        VALUE res = get_ec();
+        pthread_mutex_unlock(&c_mutex);
+        return res;
+    } else {
+        return rb_mutex_synchronize(mutex, get_ec, 0);
+    }
 }
 
 /*--------------------------------------------------------
@@ -819,6 +881,9 @@ VALUE scope_mod_sweep_dead_ecs(VALUE self, VALUE args) {
 }
 
 void Init_cs__scope() {
+    /* Init new mutex handle */
+    pthread_mutex_init(&c_mutex, NULL);
+
     /* ivs */
     rb_iv_cntr_scope = "@contrast_scope";
     rb_iv_dslr_scope = "@deserialization_scope";
@@ -829,6 +894,7 @@ void Init_cs__scope() {
     rb_const_ec = "EXECUTION_CONTEXT";
     rb_const_ec_keys = "EC_KEYS";
     c_const_ctr_agent_app_scope = "CONTRAST__AGENT__RUBY__APPLICATION_SCOPE";
+    c_const_ctr_agent_scope_trap_context = "CONTRAST__AGENT__SCOPE__WITH_TRAP_CONTEXT";
 
     /* Symbols */
     rb_sym_scope_mod = rb_intern("Scope");
@@ -977,4 +1043,7 @@ void Init_cs__scope() {
                      inst_methods_enter_method_scope, 1);
     rb_define_method(scope_inst_methods, "contrast_exit_method_scopes!",
                      inst_methods_exit_method_scope, 1);
+
+    /* free the c_mutex */
+    pthread_mutex_destroy(&c_mutex);
 }

data/ext/cs__scope/cs__scope.h

@@ -1,4 +1,5 @@
 #include <ruby.h>
+#include <ruby/thread.h>
 
 /* Calls to Contrast modules and classes */
 VALUE scope_interface;
@@ -14,6 +15,7 @@ static VALUE rb_const_ec;
 static VALUE rb_const_mon;
 static VALUE rb_const_ec_keys;
 static VALUE c_const_ctr_agent_app_scope;
+static VALUE c_const_ctr_agent_scope_trap_context;
 
 /* Symbols */
 static VALUE rb_sym_scope_mod;
@@ -58,6 +60,7 @@ VALUE scope_klass_exit_scope(VALUE self, VALUE method_scope_sym);
 VALUE contrast_scope_interface_init(VALUE self, VALUE args);
 VALUE contrast_scope_for_current_ec(VALUE self, VALUE args);
 VALUE contrast_scope_application_update();
+int contrast_scope_with_trap_context();
 
 /* Scope instance methods */
 VALUE inst_methods_in_cntr_scope(VALUE self, VALUE args);
@@ -83,6 +86,7 @@ VALUE inst_methods_exit_method_scope(VALUE self, VALUE scopes_to_exit);
 VALUE is_in_scope(int scope);
 VALUE get_ec();
 VALUE rb_new_c_scope();
+int env_var_set(char *eVar);
 int scope_increase(int scope);
 int scope_decrease(int scope);
 void rb_raise_scope_no_method_err(const VALUE method_scope_sym);

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -38,9 +38,6 @@ module Contrast
               context = Contrast::Agent::REQUEST_TRACKER.current
               return unless context&.activity
 
-              context.activity.query_count += 1
-              return unless context.activity.query_count == 1
-
               Contrast::Agent::Inventory::DatabaseConfig.append_db_config(context.activity)
             end
           end

data/lib/contrast/agent/reporting/reporting_events/application_activity.rb

@@ -16,16 +16,11 @@ module Contrast
         include Contrast::Agent::Reporting::ResponseType
         include Contrast::Components::Logger::InstanceMethods
 
-        # @return [Integer]
-        attr_accessor :query_count
-        # @return [Array]
-        attr_accessor :routes
         # @return [Contrast::Agent::Response]
         attr_accessor :response
 
+        # @param ia_request [Contrast::Agent::Request]
         def initialize ia_request: nil
-          @routes = []
-          @query_count = 0
           @event_method = :PUT
           @event_type = :application_activity
           @event_endpoint = Contrast::Agent::Reporting::Endpoints.application_activity
@@ -66,7 +61,7 @@ module Contrast
         # searching with rule_id and response_type
         #
         # @param rule_id [String] name of the protect rule
-        # @param response_type[Symbol<Contrast::Agent::Reporting::ResponseType]
+        # @param response_type[Symbol<Contrast::Agent::Reporting::ResponseType>]
         #  filter by response type
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity>, nil]
         # return any matches.
@@ -99,9 +94,8 @@ module Contrast
           defend.attackers.map { |a| a.protection_rules.values }
         end
 
-        # This is primary used for attaching new data and merging existing
-        # samples per rule entry in attackers, and to make sure the attack
-        # time_map is updated correctly.
+        # This is primary used for attaching new data and merging existing samples and counts per rule entry in
+        # attackers.
         #
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_defend attack_result

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -55,6 +55,7 @@ module Contrast
 
         # Find an existing attacker if it matches on source details
         # @param new_attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
+        # @return [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity, nil]
         def find_existing_attacker_activity new_attacker_activity
           attackers.find do |existing|
             existing.source_forwarded_for == new_attacker_activity.source_forwarded_for &&
@@ -67,30 +68,28 @@ module Contrast
         # @param rule [String]
         def attach_existing existing_attacker_activity, attacker_activity, rule
           new_violation = attacker_activity.protection_rules[rule]
+          return unless new_violation
+
           sample_activity = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity
           if (previously_violated = existing_attacker_activity.protection_rules[rule])
-            if (new_blocked = new_violation.blocked)
+            if (new_blocked_samples = new_violation.blocked&.samples)&.any?
               previously_violated.blocked ||= sample_activity.new
-              previously_violated.blocked.samples.concat(new_blocked.samples) if new_blocked.samples
-              previously_violated.blocked.merge_time_maps(new_blocked.time_map)
+              previously_violated.blocked.samples.concat(new_blocked_samples)
             end
 
-            if (new_exploited = new_violation.exploited)
+            if (new_exploited_samples = new_violation.exploited&.samples)&.any?
               previously_violated.exploited ||= sample_activity.new
-              previously_violated.exploited.samples.concat(new_exploited.samples) if new_exploited.samples
-              previously_violated.exploited.merge_time_maps(new_exploited.time_map)
+              previously_violated.exploited.samples.concat(new_exploited_samples)
             end
 
-            if (new_ineffective = new_violation.ineffective)
+            if (new_ineffective_samples = new_violation.ineffective&.samples)&.any?
               previously_violated.ineffective ||= sample_activity.new
-              previously_violated.ineffective.samples.concat(new_ineffective.samples) if new_ineffective.samples
-              previously_violated.ineffective.merge_time_maps(new_ineffective.time_map)
+              previously_violated.ineffective.samples.concat(new_ineffective_samples)
             end
 
-            if (new_suspicious = new_violation.suspicious)
+            if (new_suspicious_samples = new_violation.suspicious&.samples)&.any?
               previously_violated.suspicious ||= sample_activity.new
-              previously_violated.suspicious.samples.concat(new_suspicious.samples) if new_suspicious.samples
-              previously_violated.suspicious.merge_time_maps(new_suspicious.time_map)
+              previously_violated.suspicious.samples.concat(new_suspicious_samples)
             end
           else
             existing_attacker_activity.protection_rules[rule] = new_violation

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -13,21 +13,17 @@ module Contrast
       class ApplicationDefendAttackSampleActivity < Contrast::Agent::Reporting::ReportableHash
         # @return [Array<Contrast::Agent::Reporting::ApplicationDefendAttackSample>]
         attr_reader :samples
-        # @return [Hash<Integer,Integer>] map of time from start in seconds to number of attacks in that second
-        attr_reader :time_map
 
         def initialize
           @samples = []
-          @start_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0 # in ms
+          @start_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || Contrast::Utils::Timer.now_ms
           @event_type = :application_defend_attack_sample_activity
-          @time_map = Hash.new { |h, k| h[k] = 0 }
           super()
         end
 
         def to_controlled_hash
           validate
           {
-              attackTimeMap: time_map,
               samples: samples.map(&:to_controlled_hash),
               startTime: @start_time, # Start time in ms.
               total: 1 # there will only ever be 1 attack sample, until batching is done
@@ -41,32 +37,11 @@ module Contrast
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           attack_result.samples.each do |attack_sample|
-            base_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
-            sample_time = attack_sample.time_stamp.to_i
             samples << Contrast::Agent::Reporting::ApplicationDefendAttackSample.convert(attack_result, attack_sample)
-            @start_time = if sample_time.zero?
-                            @start_time
-                          else
-                            sample_time
-                          end
-            attack_second = (@start_time - base_time) / 1000 # in seconds
-            time_map[attack_second] += 1
-          end
-        end
-
-        # This method will merge time_maps of attack samples with same
-        # type.
-        #
-        # @param map [Hash<Integer,Integer>] TimeMap to append to previously_violated rule
-        # samples.
-        # @return time_map [Hash<Integer,Integer>] merged time map with updated occurrences.
-        def merge_time_maps map
-          # If the second is the same (key) if we just merge there won't be a new entry,
-          # so just increase the attack count.
-          map.each_key do |key|
-            @time_map[key] = @time_map.fetch(key, 0) + map[key]
+            # If somehow this sample was found before this container was created, change the time to reflect that
+            sample_time = attack_sample.time_stamp.to_i
+            @start_time = sample_time if sample_time < @start_time
           end
-          @time_map
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -28,8 +28,7 @@ module Contrast
         # saved request.
         def initialize ia_request: nil
           @protection_rules = {}
-          req = ia_request || Contrast::Agent::REQUEST_TRACKER.current&.request
-          if req
+          if (req = ia_request || Contrast::Agent::REQUEST_TRACKER.current&.request)
             @source_ip = req.ip || Contrast::Utils::ObjectShare::EMPTY_STRING
             @source_forwarded_for = req.headers['X-Forwarded-For']
           end

data/lib/contrast/agent/reporting/reporting_events/application_inventory_activity.rb

@@ -15,7 +15,7 @@ module Contrast
       class ApplicationInventoryActivity < Contrast::Agent::Reporting::ApplicationReportingEvent
         # return [Array<Contrast::Agent::Reporting::ArchitectureComponent>]
         attr_reader :components
-        # @ return [Array<String>, nil] - User-Agent Header value
+        # @ return [Array<String>] - User-Agent Header value
         attr_reader :browsers
 
         def initialize
@@ -34,7 +34,7 @@ module Contrast
         end
 
         # @param architectures [Array<Contrast::Agent::Reporting::ArchitectureComponent>,
-        # Contrast::Agent::Reporting::ArchitectureComponent]
+        #   Contrast::Agent::Reporting::ArchitectureComponent]
         def attach_data architectures
           Array(architectures).each do |architecture|
             @components << architecture

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -31,7 +31,7 @@ module Contrast
         attr_reader :uri
         # @return [String] the HTTP version of this request
         attr_reader :version
-        # @return [Integer]
+        # @return [String]
         attr_reader :ip
         # @return [String] Byte representation of the body
         attr_accessor :body_binary
@@ -40,7 +40,7 @@ module Contrast
 
         class << self
           # @param request [Contrast::Agent::Request]
-          # @return [Contrast::Agent::Reporting::FindingRequest]
+          # @return [Contrast::Agent::Reporting::FindingRequest, nil]
           def convert request
             return unless request
 

data/lib/contrast/agent/reporting/reporting_utilities/ng_response_extractor.rb

@@ -126,10 +126,23 @@ module Contrast
         # @param response_data [Hash]
         # @param res [Contrast::Agent::Reporting::Response]
         def ng_extract_log_settings response_data, res
-          return unless (log_level = response_data[:logLevel])
+          # agent_startup event defines the log level under features.
+          log_level = if response_data[:features]
+                        response_data[:features][:logLevel]
+                      else
+                        response_data[:logLevel]
+                      end
+          return unless log_level
 
           res.server_features.log_level = log_level
-          res.server_features.log_file = response_data[:logFile] if response_data[:logFile]
+          log_file = if response_data[:features]
+                       response_data[:features][:logFile]
+                     else
+                       response_data[:logFile]
+                     end
+          return unless log_file
+
+          res.server_features.log_file = log_file
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_utilities/response.rb

@@ -87,8 +87,6 @@ module Contrast
               messages: messages,
               features: server_features.nil? ? nil : server_features.to_controlled_hash,
               settings: application_settings.nil? ? nil : application_settings.to_controlled_hash,
-              logLevel: server_features&.log_level,
-              logFile: server_features&.log_file,
               reactions: server_features.nil? ? nil : reactions.map(&:to_controlled_hash)
           }.compact
         end

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -232,11 +232,14 @@ module Contrast
           return unless ::Contrast::AGENT.enabled?
 
           logger.trace_with_time('Rebuilding rule modes from TeamServer') do
-            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
+            # TODO: RUBY-999999 Make sure when updating Protect rules to reflect the mode source (always DEFAULT_VALUE)
             ::Contrast::AGENT.reset_ruleset
+            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
             logger.info('Current rule settings:')
             ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
-            logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            if ::Contrast::ASSESS.enabled?
+              logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
+            end
           end
         end
 

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -14,6 +14,13 @@ module Contrast
         class Protect
           # modes set by NG endpoints; block at perimeter needs to be check against the blockAtEntry boolean value
           NG_PROTECT_RULES_MODE = %w[OFF MONITORING BLOCKING].cs__freeze
+          ACTIVE_PROTECT_RULES_LIST = %w[
+            bot-blocker cmd-injection cmd-injection-command-backdoors cmd-injection-semantic-chained-commands
+            cmd-injection-semantic-dangerous-paths untrusted-deserialization nosql-injection path-traversal
+            path-traversal-semantic-file-security-bypass sql-injection sql-injection-semantic-dangerous-functions
+            unsafe-file-upload reflected-xss xxe
+          ].cs__freeze
+
           # The settings for each protect rule for this application
           #
           # @return protection_rules [Array<protectRule>] protectRule: {
@@ -80,30 +87,66 @@ module Contrast
             modes_by_id = {}
             protection_rules.each do |rule|
               setting_mode = rule[:mode] || rule['mode']
-              api_mode = if NG_PROTECT_RULES_MODE.include?(setting_mode)
-                           case setting_mode
-                           when NG_PROTECT_RULES_MODE[1]
-                             :MONITOR
-                           when NG_PROTECT_RULES_MODE[2]
-                             if rule[:blockAtEntry] || rule['blockAtEntry']
-                               :BLOCK_AT_PERIMETER
-                             else
-                               :BLOCK
-                             end
-                           else
-                             :NO_ACTION
-                           end
-                         else
-                           # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
-                           # can just be cast to symbols
-                           setting_mode.to_sym
-                         end
+              # BlockAtEnrtry is only available for the protection_rules Array.
+              # It is used in both ng and non ng payloads. If the array is empty
+              # this method will short circuit at the very first line and return
+              # empty hash. this means that the #rules_settings_to_settings_hash
+              # will be used next to extract the settings.
+              bap = rule[:blockAtEntry] || rule['blockAtEntry']
+              api_mode = assign_mode(setting_mode, block_at_entry: !!bap == bap)
 
               id = rule[:id] || rule['id']
               modes_by_id[id] = api_mode
             end
             modes_by_id
           end
+
+          # Converts settings into Agent Settings understandable hash {RULE_ID => MODE}
+          # Takes Hash<String, Contrast::Agent::Reporting::Settings::ProtectRule> and converts it
+          # to Hash<RULE_ID => MODE>
+          #
+          # @return rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+          def rules_settings_to_settings_hash
+            return {} if rule_settings.empty?
+
+            modes_by_id = {}
+            rule_settings.each do |rule_id, rule_mode|
+              next unless active_defend_rules.include?(rule_id.to_s)
+
+              modes_by_id[rule_id.to_s] = assign_mode(rule_mode.mode)
+            end
+            modes_by_id
+          end
+
+          # Returns list of actively used protection rules to be updated, or default list.
+          # This will be used to query the received settings for the ones used by the Agent.
+          def active_defend_rules
+            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::SETTINGS)
+
+            current_rules = (Contrast::PROTECT&.defend_rules&.keys if defined?(Contrast::PROTECT))
+            return current_rules unless current_rules&.empty?
+
+            ACTIVE_PROTECT_RULES_LIST
+          end
+
+          private
+
+          # Assigns the received settings mode to be used as actual config.
+          # @param setting_mode []
+          def assign_mode setting_mode, block_at_entry: false
+            # modes set by newer settings endpoints are of [OFF MONITOR BLOCK BLOCK_AT_PERIMETER] and
+            # can just be cast to symbols
+            return setting_mode.to_sym unless NG_PROTECT_RULES_MODE.include?(setting_mode)
+
+            case setting_mode
+            when NG_PROTECT_RULES_MODE[1]
+              :MONITOR
+            when NG_PROTECT_RULES_MODE[2]
+              block_at_entry ? :BLOCK_AT_PERIMETER : :BLOCK
+            else
+              :NO_ACTION
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/settings/server_features.rb

@@ -85,6 +85,8 @@ module Contrast
                 security_logger: security_logger.settings_blank? ? nil : security_logger.to_controlled_hash,
                 assessment: @_assess ? assess.to_controlled_hash : {},
                 defend: @_protect ? protect.to_controlled_hash : {},
+                logLevel: log_level,
+                logFile: log_file,
                 telemetry: telemetry
             }.compact
           end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.1'
+    VERSION = '7.3.2'
   end
 end

data/lib/contrast/components/protect.rb

@@ -10,7 +10,7 @@ module Contrast
     module Protect
       # A wrapper build around the Common Agent Configuration project to allow for access of the values contained in
       # its parent_configuration_spec.yaml.  Specifically, this allows for querying the state of the Protect product.
-      class Interface
+      class Interface # rubocop:disable Metrics/ClassLength
         include Contrast::Components::ComponentBase
         include Contrast::Config::BaseConfiguration
 
@@ -168,6 +168,19 @@ module Contrast
 
           @_forcibly_enabled ||= true?(::Contrast::CONFIG.protect.enable)
         end
+
+        # Used for conversion to contrast metrics hash:
+        def forcibly_enabled
+          forcibly_enabled?
+        end
+
+        def forcibly_disabled
+          forcibly_disabled?
+        end
+
+        def report_custom_code_sysfile_access
+          report_custom_code_sysfile_access?
+        end
       end
     end
   end

data/lib/contrast/components/settings.rb

@@ -156,7 +156,7 @@ module Contrast
         def update_from_application_settings settings_response
           return unless (app_settings = settings_response&.application_settings)
 
-          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          extract_protect_app_settings(app_settings)
           update_exclusion_matchers(app_settings.exclusions)
           app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
             settings_empty?(app_settings.protect.virtual_patches)
@@ -294,6 +294,16 @@ module Contrast
           level[parts[-1]] = value
           Contrast::CONFIG.sources.set(parts.join('.'), Contrast::Components::Config::Sources::CONTRAST_UI)
         end
+
+        # Extract the rules modes from protection_rules or rules_settings fields.
+        #
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def extract_protect_app_settings app_settings
+          modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          modes_by_id = app_settings.protect.rules_settings_to_settings_hash if settings_empty?(modes_by_id)
+          # Preserve previous state if no new settings are extracted:
+          @application_state.modes_by_id = modes_by_id unless settings_empty?(modes_by_id)
+        end
       end
     end
   end

data/lib/contrast/utils/reporting/application_activity_batch_utils.rb

@@ -23,9 +23,6 @@ module Contrast
           return unless activity
           return if activity.defend.attackers.empty?
 
-          activity_batch.query_count += activity.query_count
-          activity_batch.routes << activity.routes
-          activity_batch.routes.flatten!
           merge_attackers(activity)
           activity_batch.attach_inventory(activity.inventory) unless activity.inventory.empty?
         end

data/lib/contrast.rb

@@ -75,7 +75,7 @@ module Contrast # :nodoc:
   API = CONFIG.api
   SETTINGS = Contrast::Components::Settings::Interface.new
   ASSESS = CONFIG.assess
-  PROTECT = Contrast::Components::Protect::Interface.new
+  PROTECT = CONFIG.protect
   INVENTORY = CONFIG.inventory
   AGENT = CONFIG.agent
   RUBY_INTERFACE = AGENT.ruby

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.3.1
+  version: 7.3.2
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-08-04 00:00:00.000000000 Z
+date: 2023-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler