contrast-agent 7.3.2 → 7.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4ed370d3625c9e07c5966fb4e091e96cc37a6a2fce8376d63a547e655b27173
-  data.tar.gz: 601a4767e4317af72e2c610df6ba19bb68df2c42f128bb873539204c93801019
+  metadata.gz: 1266effb11fb78123e8461ce7295f9b4a67a88b7dda632bc57da5d70cb39f87d
+  data.tar.gz: e553aa33bd73ab712585b774578c10ff6f19ae925fdea8adb89c3b6ac253e399
 SHA512:
-  metadata.gz: 597307a8f3521cd9783c07ccc8b2f54d6bf2cf1631db84bd29fba683fbd93fc4f5eff47bbbc2ed50c37c02fd3c59d5df987526c839c5e731299cdb6e02e30c6f
-  data.tar.gz: 95898f87cbabbcc24d9ce3f0d5ba1397b4399f9ca35f4c4a1290c7e3d9c7cd26d6bf13c99affc013dea2456260aeb918349a97905863ba790ba869a272faccfc
+  metadata.gz: 7abce257d4092010babc21cff242307343ea2fc83bdbd040b8cd95e64be9b2e640963a06ae017053989be17e98442bbc528987c2da5b8f7bc8688b776022c783
+  data.tar.gz: f85de50b08e0eaa5f5d8c6a571fe4d04a03cbbcaab1f9c7f2431dac6b4373b00e04f63be94b5f02d56e222248c5fe256b61fb43ba123d041e1ce585b80e63a5f

data/lib/contrast/agent/protect/rule/base.rb

@@ -45,7 +45,6 @@ module Contrast
           #
           # @return mode [Symbol]
           def initialize
-            ::Contrast::PROTECT.defend_rules[rule_name] = self
             @mode = mode_from_settings
           end
 
@@ -63,6 +62,11 @@ module Contrast
             RULE_NAME
           end
 
+          # Update state form Settings or Configuration.
+          def update
+            @mode = mode_from_settings
+          end
+
           # Should return the short name.
           #
           # @return [String]

data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb

@@ -31,15 +31,27 @@ module Contrast
             NAME
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::CmdiBackdoors]
+          def command_backdoors
+            @_command_backdoors ||= Contrast::Agent::Protect::Rule::CmdiBackdoors.new
+          end
+
+          # @return [Contrast::Agent::Protect::Rule::CmdiChainedCommand]
+          def semantic_chained_commands
+            @_semantic_chained_commands ||= Contrast::Agent::Protect::Rule::CmdiChainedCommand.new
+          end
+
+          def semantic_dangerous_paths
+            @_semantic_dangerous_paths ||= Contrast::Agent::Protect::Rule::CmdiDangerousPath.new
+          end
+
           # Array of sub_rules:
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [
-              Contrast::Agent::Protect::Rule::CmdiBackdoors.new,
-              Contrast::Agent::Protect::Rule::CmdiChainedCommand.new,
-              Contrast::Agent::Protect::Rule::CmdiDangerousPath.new
-            ].cs__freeze
+            @_sub_rules ||= [command_backdoors, semantic_chained_commands, semantic_dangerous_paths].cs__freeze
           end
 
           def applicable_user_inputs

data/lib/contrast/agent/protect/rule/input_classification/base.rb

@@ -24,7 +24,7 @@ module Contrast
               COOKIE_VALUE, PARAMETER_VALUE, HEADER, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
             ].cs__freeze
 
-            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
+            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
 
             class << self
               include Contrast::Components::Logger::InstanceMethods
@@ -172,7 +172,9 @@ module Contrast
             end
 
             # Decodes the value for the given input type.
-            # Applies to BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE
+            #
+            # This applies to Values sources only:
+            # BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE
             #
             # @param value [String]
             # @param input_type [Symbol]
@@ -181,6 +183,9 @@ module Contrast
               return value unless Contrast::PROTECT.normalize_base64?
               return value unless BASE64_INPUT_TYPES.include?(input_type)
 
+              # TODO: RUBY-2110 Update the HEADER handling if possible.
+              # We need only the Header values.
+
               cs__decode64(value, input_type)
             end
           end

data/lib/contrast/agent/protect/rule/input_classification/encoding.rb

@@ -16,7 +16,7 @@ module Contrast
 
             # Still a list is needed for this one, as it is not possible to determine if the value is encoded or not.
             # As long as the list is short the method has a good percentage of success.
-            KNOWN_DECODING_EXCEPTIONS = %w[cmd].cs__freeze
+            KNOWN_DECODING_EXCEPTIONS = %w[cmd version if_modified_since].cs__freeze
 
             # This methods is not performant, but is more safe for false positive.
             # Base64 check is no trivial task. For example if one passes a value like 'stringdw' it will return true,

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb

@@ -30,11 +30,18 @@ module Contrast
             NAME
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass]
+          def semantic_file_security_bypass
+            @_semantic_file_security_bypass ||= Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new
+          end
+
           # Array of sub_rules
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
+            @_sub_rules ||= [semantic_file_security_bypass].cs__freeze
           end
 
           def applicable_user_inputs

data/lib/contrast/agent/protect/rule/sqli/sqli.rb

@@ -35,11 +35,18 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::SqliDangerousFunctions]
+          def semantic_dangerous_functions
+            @_semantic_dangerous_functions ||= Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new
+          end
+
           # Array of sub_rules
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
+            @_sub_rules ||= [semantic_dangerous_functions].cs__freeze
           end
 
           def applicable_user_inputs

data/lib/contrast/agent/protect/state.rb

@@ -0,0 +1,110 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      # Master class for each protect rule. This class will hold all the rules references.
+      # Any access to the rules should be done through this class. and new rules should be
+      # added here. Each main rule should require and include and initialize it's sub-rules.
+      class State
+        include Contrast::Components::Logger::InstanceMethods
+
+        # @return [boolean] State dictated by local or server settings
+        attr_accessor :enabled
+        # @return [Contrast::Agent::Protect::Rule::BotBlocker] the bot blocker rule
+        attr_reader :bot_blocker
+        # @return [Contrast::Agent::Protect::Rule::CmdInjection] the command injection rule
+        attr_reader :cmd_injection
+        # @return [Contrast::Agent::Protect::Rule::CmdiBackdoors]
+        attr_reader :cmd_injection_command_backdoors
+        # @return [Contrast::Agent::Protect::Rule::CmdiChainedCommand]
+        attr_reader :cmd_injection_semantic_chained_commands
+        # @return [Contrast::Agent::Protect::Rule::CmdiDangerousPath]
+        attr_reader :cmd_injection_semantic_dangerous_paths
+        # @return [Contrast::Agent::Protect::Rule::Deserialization]
+        attr_reader :untrusted_deserialization
+        # @return [Contrast::Agent::Protect::Rule::NoSqli]
+        attr_reader :nosql_injection
+        # @return [Contrast::Agent::Protect::Rule::PathTraversal]
+        attr_reader :path_traversal
+        # @return [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass]
+        attr_reader :path_traversal_semantic_file_security_bypass
+        # @return [Contrast::Agent::Protect::Rule::Sqli]
+        attr_reader :sql_injection
+        # @return [Contrast::Agent::Protect::Rule::SqliDangerousFunctions]
+        attr_reader :sql_injection_semantic_dangerous_functions
+        # @return [Contrast::Agent::Protect::Rule::UnsafeFileUpload] the unsafe file upload rule
+        attr_reader :unsafe_file_upload
+        # @return [Contrast::Agent::Protect::Rule::Xss] the reflected xss rule
+        attr_reader :reflected_xss
+        # @return [Contrast::Agent::Protect::Rule::Xxe] the xxe rule
+        attr_reader :xxe
+
+        # Initialize all the protect rules. This should be the one place to access each live
+        # rule reference.
+        def initialize
+          @bot_blocker = Contrast::Agent::Protect::Rule::BotBlocker.new
+          @cmd_injection = Contrast::Agent::Protect::Rule::CmdInjection.new
+          @cmd_injection_command_backdoors = @cmd_injection.command_backdoors
+          @cmd_injection_semantic_chained_commands = @cmd_injection.semantic_chained_commands
+          @cmd_injection_semantic_dangerous_paths = @cmd_injection.semantic_dangerous_paths
+          @untrusted_deserialization = Contrast::Agent::Protect::Rule::Deserialization.new
+          @nosql_injection = Contrast::Agent::Protect::Rule::NoSqli.new
+          @path_traversal = Contrast::Agent::Protect::Rule::PathTraversal.new
+          @path_traversal_semantic_file_security_bypass = @path_traversal.semantic_file_security_bypass
+          @sql_injection = Contrast::Agent::Protect::Rule::Sqli.new
+          @sql_injection_semantic_dangerous_functions = @sql_injection.semantic_dangerous_functions
+          @unsafe_file_upload = Contrast::Agent::Protect::Rule::UnsafeFileUpload.new
+          @reflected_xss = Contrast::Agent::Protect::Rule::Xss.new
+          @xxe = Contrast::Agent::Protect::Rule::Xxe.new
+        end
+
+        # Return the Rules in Hash form {rule_id => rule_class }.
+        # This is used to traverse for each rule and update it's settings.
+        # Also is the way a rule is retrieved given the ID is known.
+        #
+        # @return [Hash<String, Contrast::Agent::Protect::Rule::Base>]
+        def rules
+          @_rules ||= {
+              @bot_blocker.rule_name => @bot_blocker,
+              @cmd_injection.rule_name => @cmd_injection,
+              @cmd_injection_command_backdoors.rule_name => @cmd_injection_command_backdoors,
+              @cmd_injection_semantic_chained_commands.rule_name => @cmd_injection_semantic_chained_commands,
+              @cmd_injection_semantic_dangerous_paths.rule_name => @cmd_injection_semantic_dangerous_paths,
+              @untrusted_deserialization.rule_name => @untrusted_deserialization,
+              @nosql_injection.rule_name => @nosql_injection,
+              @path_traversal.rule_name => @path_traversal,
+              @path_traversal_semantic_file_security_bypass.rule_name => @path_traversal_semantic_file_security_bypass,
+              @sql_injection.rule_name => @sql_injection,
+              @sql_injection_semantic_dangerous_functions.rule_name => @sql_injection_semantic_dangerous_functions,
+              @unsafe_file_upload.rule_name => @unsafe_file_upload,
+              @reflected_xss.rule_name => @reflected_xss,
+              @xxe.rule_name => @xxe
+          }
+        end
+
+        # Update all settings from configuration.
+        def update
+          rules.values.each(&:update)
+          logger.info('Current rule settings:')
+          rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+        end
+
+        # Check the local configurations first then the server settings.
+        def enabled?
+          Contrast::PROTECT.enable || Contrast::SETTINGS.protect_state.enabled
+        end
+
+        # @param [String] rule_id
+        # @return [Contrast::Agent::Protect::Rule::Base]
+        def [] rule_id
+          rules[rule_id]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -32,6 +32,8 @@ module Contrast
 
         def validate
           raise(ArgumentError, 'Start Time is not presented') unless @start_time
+
+          nil
         end
 
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb

@@ -59,6 +59,8 @@ module Contrast
             raise(ArgumentError, "#{ self } did not have a proper type - '#{ type }'. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper URL. Unable to continue.") unless url
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -125,6 +125,7 @@ module Contrast
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
+
           unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ self } did not have a proper session id. Unable to continue.")
           end

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -422,6 +422,8 @@ module Contrast
           raise(ArgumentError, "#{ self } did not have a proper thread. Unable to continue.") unless thread
           raise(ArgumentError, "#{ self } did not have a proper time. Unable to continue.") unless time
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type
+
+          nil
         end
 
         # @raise [ArgumentError]
@@ -435,6 +437,8 @@ module Contrast
           raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
           raise(ArgumentError, "#{ self } did not have a proper stack. Unable to continue.") unless stack
           raise(ArgumentError, "#{ self } did not have a proper tags. Unable to continue.") unless reportable_tags
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -108,6 +108,8 @@ module Contrast
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?
+
+          nil
         end
 
         # @param request [Contrast::Agent::Request]

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb

@@ -30,6 +30,8 @@ module Contrast
 
         def validate
           raise(ArgumentError, "#{ self } did not have observations. Unable to continue.") if observations.empty?
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -38,14 +38,15 @@ module Contrast
         def to_controlled_hash
           validate
           {
+              appLanguage: Contrast::Utils::ObjectShare::RUBY,
+              appName: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appPath: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appVersion: ::Contrast::APP_CONTEXT.version,
               code: CODE,
-              app_language: Contrast::Utils::ObjectShare::RUBY,
-              app_name: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
-              app_version: ::Contrast::APP_CONTEXT.version,
               data: '',
               key: 0,
-              routes: @routes.map(&:to_controlled_hash),
-              session_id: ::Contrast::ASSESS.session_id
+              session_id: ::Contrast::ASSESS.session_id,
+              routes: @routes.map(&:to_controlled_hash)
           }
         end
 
@@ -57,6 +58,9 @@ module Contrast
           unless ::Contrast::ASSESS.session_id
             raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
           end
+          unless Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
+            raise(ArgumentError, "#{ cs__class } did not have a proper Application Name. Unable to continue.")
+          end
 
           nil
         end

data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb

@@ -28,12 +28,31 @@ module Contrast
         #
         #  @return [String, nil] - JSON
         def event_json
-          hsh = to_controlled_hash
-          hsh.to_json
-        rescue ArgumentError => e
-          # Log the error and raise it for the client to handle:
-          logger.error(validation_error_message, e)
-          raise(e)
+          return unless valid?
+
+          to_controlled_hash.to_json
+        end
+
+        # Check before building the json if the event is valid.
+        # This will also log the error if the event is invalid.
+        # This will save some object creation in the reporter
+        # in the case of an invalid event, and will stop the
+        # reporting of the event.
+        #
+        # @return [Boolean]
+        # @raise [ArgumentError]
+        def valid?
+          @_valid ||= begin
+            validate
+            # Some deeply nested validations only happens on
+            # the to_controlled_hash method, so we need to
+            # invoke it.
+            to_controlled_hash
+            true
+          rescue ArgumentError => e
+            handle_validation_error(e)
+            false
+          end
         end
 
         private
@@ -41,6 +60,11 @@ module Contrast
         def validation_error_message
           "#{ cs__class } failed validation with: "
         end
+
+        # @param error [ArgumentError]
+        def handle_validation_error error
+          logger.error(validation_error_message, error)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -72,8 +72,8 @@ module Contrast
         # @return response [Net::HTTP::Response, nil] response from TS if no response
         def send_event event, connection
           return unless connection
+          return unless event.valid?
 
-          response = nil
           logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
           request = build_request(event)
           response = connection.request(request)

data/lib/contrast/agent/reporting/reporting_utilities/resend.rb

@@ -12,7 +12,7 @@ module Contrast
         RESCUE_ATTEMPTS = 3
         TIMEOUT = 5
         RETRY_ERRORS = [
-          Net::OpenTimeout, Net::ReadTimeout, ArgumentError, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
+          Net::OpenTimeout, Net::ReadTimeout, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
           Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, NameError,
           Errno::EHOSTUNREACH, Errno::EISCONN, Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH, SocketError,
           NameError, NoMethodError, Timeout::Error, RuntimeError

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -232,11 +232,7 @@ module Contrast
           return unless ::Contrast::AGENT.enabled?
 
           logger.trace_with_time('Rebuilding rule modes from TeamServer') do
-            # TODO: RUBY-999999 Make sure when updating Protect rules to reflect the mode source (always DEFAULT_VALUE)
-            ::Contrast::AGENT.reset_ruleset
-            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
-            logger.info('Current rule settings:')
-            ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+            ::Contrast::PROTECT.state.update if ::Contrast::PROTECT.enabled?
             if ::Contrast::ASSESS.enabled?
               logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
             end

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -121,10 +121,10 @@ module Contrast
           # Returns list of actively used protection rules to be updated, or default list.
           # This will be used to query the received settings for the ones used by the Agent.
           def active_defend_rules
-            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::SETTINGS)
+            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::PROTECT)
 
-            current_rules = (Contrast::PROTECT&.defend_rules&.keys if defined?(Contrast::PROTECT))
-            return current_rules unless current_rules&.empty?
+            current_rules = Contrast::PROTECT.defend_rules.keys
+            return current_rules unless current_rules.empty?
 
             ACTIVE_PROTECT_RULES_LIST
           end

data/lib/contrast/agent/reporting/settings/sampling.rb

@@ -24,10 +24,11 @@ module Contrast
 
           def initialize hsh
             @baseline = hsh[:baseline]
-            @enabled = hsh[:enabled]
-            @request_frequency = hsh[:frequency]
-            @response_frequency = hsh[:responseFrequency]
-            @window_ms = hsh[:window]
+            # NG endpoints vs non-ng
+            @enabled = hsh[:enabled] || hsh[:enable]
+            @request_frequency = hsh[:frequency] || hsh[:request_frequency]
+            @response_frequency = hsh[:responseFrequency] || hsh[:response_frequency]
+            @window_ms = hsh[:window] || hsh[:window_ms]
           end
 
           def to_controlled_hash

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.2'
+    VERSION = '7.4.0'
   end
 end

data/lib/contrast/components/agent.rb

@@ -26,6 +26,8 @@ module Contrast
         attr_reader :config_values
         # @return [Boolean]
         attr_accessor :enable
+        # @return [Boolean]
+        attr_accessor :omit_body
 
         CANON_NAME = 'agent'
         CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze
@@ -95,16 +97,12 @@ module Contrast
           @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset.values)
         end
 
-        def reset_ruleset
-          @_ruleset = nil
-        end
-
         def patch_yield?
           !false?(ruby.propagate_yield)
         end
 
         def omit_body?
-          @_omit_body
+          true?(@_omit_body)
         end
 
         def disable_agent!

data/lib/contrast/components/api.rb

@@ -129,7 +129,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CANON_NAME)
           effective_proxy(effective_config)
           request_audit&.to_effective_config(effective_config)
           certificate&.to_effective_config(effective_config)
@@ -139,10 +139,10 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def effective_proxy effective_config
-          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME)
           return unless proxy_url && proxy_enable
 
-          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME)
         end
 
         def certification_truly_enabled? config_path

data/lib/contrast/components/assess_rules.rb

@@ -16,7 +16,6 @@ module Contrast
 
         SPEC_KEY = :disabled_rules.cs__freeze
         CANON_NAME = 'assess.rules'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
 
         # @return [Array, nil] list of disabled assess rules
         attr_accessor :disabled_rules
@@ -36,7 +35,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules, canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules || [], canon_name)
         end
 
         private

data/lib/contrast/components/base.rb

@@ -12,7 +12,6 @@ module Contrast
     module ComponentBase
       include Contrast::Config::Diagnostics::Tools
 
-      CONTRAST = 'contrast'
       ENABLE = 'enable'
 
       # Used for config diagnostics. Override per rule.
@@ -87,7 +86,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
+        add_effective_config_values(effective_config, config_values, canon_name)
       end
 
       # attempts to stringify the config value if it is an array with the join char

data/lib/contrast/components/config/sources.rb

@@ -11,6 +11,8 @@ module Contrast
       # This component encapsulates storing the source for each entry in the config,
       # so that we can report on where the value was set from.
       class Sources
+        # [ CORPORATE_RULE, COMMAND_LINE, JAVA_SYSTEM_PROPERTY, ENVIRONMENT_VARIABLE, APP_CONFIGURATION_FILE,
+        # USER_CONFIGURATION_FILE, CONTRAST_UI, DEFAULT_VALUE ]
         ENVIRONMENT_VARIABLE = 'ENVIRONMENT_VARIABLE'
         COMMAND_LINE = 'COMMAND_LINE'
         CONTRAST_UI = 'CONTRAST_UI'
@@ -57,6 +59,27 @@ module Contrast
           deep_select(data.dup, type, [])
         end
 
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable) or source
+        #   if the source(CONTRAST_UI, ENVIRONMENT_VARIABLE...) flag is set true.
+        # @param source [Boolean] flag to specify we are passing in a source, no need to look for it.
+        # @return [Boolean] true if the entry is from a YAML file
+        def configuration_file_source? path, source: false
+          s = source ? path : Contrast::CONFIG.sources.get(path)
+          return true if s.include?(APP_CONFIGURATION_EXTENSIONS[0]) || s.include?(APP_CONFIGURATION_EXTENSIONS[1])
+
+          false
+        end
+
+        # Check to see whether the source has been overridden by local settings.
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable)
+        def source_overridden? path
+          source = Contrast::CONFIG.sources.get(path)
+          return true if [ENVIRONMENT_VARIABLE, COMMAND_LINE].include?(source)
+          return true if configuration_file_source?(source, source: true)
+
+          false
+        end
+
         private
 
         # @param path [String] the canonical name for a config entry (such as api.proxy.enable)

data/lib/contrast/components/logger.rb

@@ -33,6 +33,8 @@ module Contrast
         include InstanceMethods
         include Contrast::Components::ComponentBase
 
+        DEFAULT_NAME = 'contrast.log'
+        DEFAULT_LEVEL = 'INFO'
         CANON_NAME = 'agent.logger'
         CONFIG_VALUES = %w[path level progname].cs__freeze
 
@@ -56,6 +58,23 @@ module Contrast
           @level = hsh[:level]
           @progname = hsh[:progname]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.logger_path
+            level_setting = Contrast::SETTINGS.agent_state.logger_level
+          end
+
+          path_setting ||= DEFAULT_NAME
+          level_setting ||= DEFAULT_LEVEL
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[2], progname, CANON_NAME)
+        end
       end
     end
   end