contrast-agent 7.3.2 → 7.4.1

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli.rb

@@ -32,6 +32,9 @@ module Contrast
             NAME
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
           end
@@ -56,9 +59,9 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-
+            record_triggered(context)
             cef_logging(result, :successful_attack)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked_violation?(result)
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal.rb

@@ -26,21 +26,37 @@ module Contrast
             JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
           ].cs__freeze
 
+          BLOCK_MESSAGE = 'Path Traversal rule triggered. Request blocked.'
+
           def rule_name
             NAME
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass]
+          def semantic_file_security_bypass
+            @_semantic_file_security_bypass ||= Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new
+          end
+
           # Array of sub_rules
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
+            @_sub_rules ||= [semantic_file_security_bypass].cs__freeze
           end
 
           def applicable_user_inputs
             APPLICABLE_USER_INPUTS
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           # Path Traversal input classification
           #
           # @return [module<Contrast::Agent::Protect::Rule::PathTraversalInputClassification>]
@@ -48,19 +64,15 @@ module Contrast
             @_classification ||= Contrast::Agent::Protect::Rule::PathTraversalInputClassification.cs__freeze
           end
 
-          def infilter context, method, path
+          def infilter context, _method, path
             return unless infilter?(context)
 
             result = find_attacker(context, path)
             return unless result
 
             append_to_activity(context, result)
-            return unless blocked?
-
-            result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
-            cef_logging(result, :successful_attack, value: path)
-            exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
-            raise(Contrast::SecurityException.new(self, exception_messasge))
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
           end
 
           protected

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb

@@ -53,10 +53,10 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            return unless blocked?
+            record_triggered(context)
+            return unless blocked_violation?(result)
 
             result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
-            cef_logging(result, :successful_attack, value: path)
             exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
             raise(Contrast::SecurityException.new(self, exception_messasge))
           end

data/lib/contrast/agent/protect/rule/sqli/sqli.rb

@@ -35,11 +35,18 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::SqliDangerousFunctions]
+          def semantic_dangerous_functions
+            @_semantic_dangerous_functions ||= Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new
+          end
+
           # Array of sub_rules
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [Contrast::Agent::Protect::Rule::SqliDangerousFunctions.new].cs__freeze
+            @_sub_rules ||= [semantic_dangerous_functions].cs__freeze
           end
 
           def applicable_user_inputs

data/lib/contrast/agent/protect/rule/sqli/sqli_base_rule.rb

@@ -26,9 +26,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked_violation?(result)
           end
         end
       end

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -26,9 +26,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-
-            cef_logging(result, :successful_attack)
-            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked_violation?(result)
           end
 
           protected
@@ -39,8 +38,8 @@ module Contrast
 
           def build_violation context, potential_attack_string
             result = build_attack_result(context)
-            update_successful_attack_response(context, nil, result, potential_attack_string)
             append_sample(context, nil, result, potential_attack_string)
+            update_successful_attack_response(context, nil, result, potential_attack_string)
             result
           end
 

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload.rb

@@ -28,6 +28,9 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
           end

data/lib/contrast/agent/protect/rule/utils/builders.rb

@@ -29,8 +29,8 @@ module Contrast
           #   this input
           def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
             result ||= build_attack_result(context)
-            update_successful_attack_response(context, ia_result, result, candidate_string)
             append_sample(context, ia_result, result, candidate_string, **kwargs)
+            update_successful_attack_response(context, ia_result, result, candidate_string)
 
             result
           end
@@ -53,8 +53,8 @@ module Contrast
           #   this input
           def build_attack_without_match context, ia_result, result, **kwargs
             result ||= build_attack_result(context)
-            update_perimeter_attack_response(context, ia_result, result)
             append_sample(context, ia_result, result, nil, **kwargs)
+            update_perimeter_attack_response(context, ia_result, result)
 
             result
           end
@@ -97,11 +97,10 @@ module Contrast
           # @param potential_attack_string [String]
           def build_violation context, potential_attack_string
             result = build_attack_result(context)
+            append_sample(context, nil, result, potential_attack_string)
             update_successful_attack_response(context, nil, result, potential_attack_string)
             return unless result
 
-            append_sample(context, nil, result, potential_attack_string)
-            cef_logging(result, :successful_attack)
             result
           end
         end

data/lib/contrast/agent/protect/rule/utils/filters.rb

@@ -25,11 +25,12 @@ module Contrast
 
             ia_results.each do |ia_result|
               result = build_attack_result(context)
-              build_attack_without_match(context, ia_result, result)
-              append_to_activity(context, result)
+              result = build_attack_without_match(context, ia_result, result)
+              next unless result
 
-              cef_logging(result, :successful_attack)
-              raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+              append_to_activity(context, result)
+              record_triggered(context)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
             end
           end
 
@@ -39,10 +40,10 @@ module Contrast
           # @param context [Contrast::Agent::RequestContext]
           # @return [Boolean]
           def prefilter? context
-            return false unless context
             return false unless enabled?
-            return false unless (results = gather_ia_results(context)) && results.any?
             return false if protect_excluded_by_url?(rule_name)
+            return false unless context
+            return false unless (results = gather_ia_results(context)) && results.any?
             return false if protect_excluded_by_input?(results)
 
             true
@@ -52,13 +53,20 @@ module Contrast
           # have a different implementation based on the rule. As such, there
           # is not parent implementation.
           #
-          # @param _context [Contrast::Agent::RequestContext] the context for
+          # @param context [Contrast::Agent::RequestContext] the context for
           #   the current request
-          # @param _match_string [String] the input that violated the rule and
+          # @param match_string [String] the input that violated the rule and
           #   matched the attack detection logic
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
-          def infilter _context, _match_string, **_kwargs; end
+          def infilter context, match_string, _kwargs
+            return unless infilter?(context)
+            return unless (result = build_violation(context, match_string))
+
+            append_to_activity(context, result)
+            record_triggered(context)
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+          end
 
           # Infilter check always called before infilter to check if the rule is infilter
           # capable, not disabled or in other way excluded by url or input exclusions.
@@ -74,6 +82,18 @@ module Contrast
             true
           end
 
+          # Check befor commiting infilter
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          def postfilter? context
+            return false unless enabled? && POSTFILTER_MODES.include?(mode)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(gather_ia_results(context))
+            return false if mode == :NO_ACTION || mode == :PERMIT
+
+            true
+          end
+
           # Actions required for the rules that have to happen after the
           # application has completed its processing of the request.
           #
@@ -88,18 +108,14 @@ module Contrast
           # @param context [Contrast::Agent::RequestContext]
           # @raise [Contrast::SecurityException]
           def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return false if protect_excluded_by_url?(rule_name)
-            return if protect_excluded_by_input?(gather_ia_results(context))
-
-            return if mode == :NO_ACTION || mode == :PERMIT
+            return unless postfilter?(context)
 
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
-            cef_logging(result)
             append_to_activity(context, result)
-            return unless result.response == :BLOCKED
+            record_triggered(context)
+            return unless blocked_violation?(result)
 
             raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
           end

data/lib/contrast/agent/protect/rule/xss/xss.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/protect/rule/base'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
+require 'contrast/agent/reporting/details/xss_details'
+require 'contrast/agent/reporting/details/xss_match'
 require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
@@ -25,10 +27,56 @@ module Contrast
             NAME
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
           end
 
+          # Prefilter check always called before infilter to check if the rule is infilter
+          # capable, not disabled or in other way excluded by url or input exclusions.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Boolean]
+          def prefilter? context
+            return false unless enabled?
+            return false if protect_excluded_by_url?(rule_name)
+            return false unless context
+            return false unless (results = gather_ia_results(context)) && results.any?
+            return false if protect_excluded_by_input?(results)
+
+            true
+          end
+
+          def prefilter context
+            return unless prefilter?(context)
+
+            ia_results = gather_ia_results(context)
+
+            ia_results.each do |ia_result|
+              result = build_attack_result(context)
+              result = build_attack_without_match(context, ia_result, result)
+              next unless result
+
+              append_to_activity(context, result)
+              # XSS is being triggered, so we need to add it to the triggered rules,
+              # So the IA won't be done for this rule again for the current request.
+              record_triggered(context)
+              raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
+            end
+          end
+
+          # XSS is evaluated only on prefilter
+          def infilter? _context
+            false
+          end
+
+          # XSS is evaluated only on prefilter
+          def postfilter? _context
+            false
+          end
+
           # XSS Upload input classification
           #
           # @return [module<Contrast::Agent::Protect::Rule::ReflectedXssInputClassification>]
@@ -43,6 +91,38 @@ module Contrast
           def applicable_user_inputs
             APPLICABLE_USER_INPUTS
           end
+
+          # Adding XSS details
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysisResult]
+          # @param _xss_string
+          # @param **_kwargs
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_sample context, ia_result, _xss_string, **_kwargs
+            sample = build_base_sample(context, ia_result)
+            sample.details = Contrast::Agent::Reporting::Details::XssDetails.new
+            sample.details.input = ia_result.value
+
+            # TODO: RUBY-99999 check the if the ReflectedXss matches are needed.
+            xss_match = Contrast::Agent::Reporting::Details::XssMatch.new(ia_result.value)
+            sample.details.matches << xss_match unless xss_match.empty?
+
+            sample
+          end
+
+          private
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
+          def find_postfilter_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            ia_results.reject! do |ia_result|
+              ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::IGNORE
+            end
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/xxe/xxe.rb

@@ -26,6 +26,13 @@ module Contrast
             NAME
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           # Given an xml, evaluate it for an XXE attack. There's no return here
           # as this method handles appending the evaluation to the request
           # context, connecting it to the reporting mechanism at request end.
@@ -43,9 +50,9 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            return unless blocked?
+            record_triggered(context)
+            return unless blocked_violation?(result)
 
-            cef_logging(result, :successful_attack, value: xml)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE))
           end
 

data/lib/contrast/agent/protect/state.rb

@@ -0,0 +1,110 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      # Master class for each protect rule. This class will hold all the rules references.
+      # Any access to the rules should be done through this class. and new rules should be
+      # added here. Each main rule should require and include and initialize it's sub-rules.
+      class State
+        include Contrast::Components::Logger::InstanceMethods
+
+        # @return [boolean] State dictated by local or server settings
+        attr_accessor :enabled
+        # @return [Contrast::Agent::Protect::Rule::BotBlocker] the bot blocker rule
+        attr_reader :bot_blocker
+        # @return [Contrast::Agent::Protect::Rule::CmdInjection] the command injection rule
+        attr_reader :cmd_injection
+        # @return [Contrast::Agent::Protect::Rule::CmdiBackdoors]
+        attr_reader :cmd_injection_command_backdoors
+        # @return [Contrast::Agent::Protect::Rule::CmdiChainedCommand]
+        attr_reader :cmd_injection_semantic_chained_commands
+        # @return [Contrast::Agent::Protect::Rule::CmdiDangerousPath]
+        attr_reader :cmd_injection_semantic_dangerous_paths
+        # @return [Contrast::Agent::Protect::Rule::Deserialization]
+        attr_reader :untrusted_deserialization
+        # @return [Contrast::Agent::Protect::Rule::NoSqli]
+        attr_reader :nosql_injection
+        # @return [Contrast::Agent::Protect::Rule::PathTraversal]
+        attr_reader :path_traversal
+        # @return [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass]
+        attr_reader :path_traversal_semantic_file_security_bypass
+        # @return [Contrast::Agent::Protect::Rule::Sqli]
+        attr_reader :sql_injection
+        # @return [Contrast::Agent::Protect::Rule::SqliDangerousFunctions]
+        attr_reader :sql_injection_semantic_dangerous_functions
+        # @return [Contrast::Agent::Protect::Rule::UnsafeFileUpload] the unsafe file upload rule
+        attr_reader :unsafe_file_upload
+        # @return [Contrast::Agent::Protect::Rule::Xss] the reflected xss rule
+        attr_reader :reflected_xss
+        # @return [Contrast::Agent::Protect::Rule::Xxe] the xxe rule
+        attr_reader :xxe
+
+        # Initialize all the protect rules. This should be the one place to access each live
+        # rule reference.
+        def initialize
+          @bot_blocker = Contrast::Agent::Protect::Rule::BotBlocker.new
+          @cmd_injection = Contrast::Agent::Protect::Rule::CmdInjection.new
+          @cmd_injection_command_backdoors = @cmd_injection.command_backdoors
+          @cmd_injection_semantic_chained_commands = @cmd_injection.semantic_chained_commands
+          @cmd_injection_semantic_dangerous_paths = @cmd_injection.semantic_dangerous_paths
+          @untrusted_deserialization = Contrast::Agent::Protect::Rule::Deserialization.new
+          @nosql_injection = Contrast::Agent::Protect::Rule::NoSqli.new
+          @path_traversal = Contrast::Agent::Protect::Rule::PathTraversal.new
+          @path_traversal_semantic_file_security_bypass = @path_traversal.semantic_file_security_bypass
+          @sql_injection = Contrast::Agent::Protect::Rule::Sqli.new
+          @sql_injection_semantic_dangerous_functions = @sql_injection.semantic_dangerous_functions
+          @unsafe_file_upload = Contrast::Agent::Protect::Rule::UnsafeFileUpload.new
+          @reflected_xss = Contrast::Agent::Protect::Rule::Xss.new
+          @xxe = Contrast::Agent::Protect::Rule::Xxe.new
+        end
+
+        # Return the Rules in Hash form {rule_id => rule_class }.
+        # This is used to traverse for each rule and update it's settings.
+        # Also is the way a rule is retrieved given the ID is known.
+        #
+        # @return [Hash<String, Contrast::Agent::Protect::Rule::Base>]
+        def rules
+          @_rules ||= {
+              @bot_blocker.rule_name => @bot_blocker,
+              @cmd_injection.rule_name => @cmd_injection,
+              @cmd_injection_command_backdoors.rule_name => @cmd_injection_command_backdoors,
+              @cmd_injection_semantic_chained_commands.rule_name => @cmd_injection_semantic_chained_commands,
+              @cmd_injection_semantic_dangerous_paths.rule_name => @cmd_injection_semantic_dangerous_paths,
+              @untrusted_deserialization.rule_name => @untrusted_deserialization,
+              @nosql_injection.rule_name => @nosql_injection,
+              @path_traversal.rule_name => @path_traversal,
+              @path_traversal_semantic_file_security_bypass.rule_name => @path_traversal_semantic_file_security_bypass,
+              @sql_injection.rule_name => @sql_injection,
+              @sql_injection_semantic_dangerous_functions.rule_name => @sql_injection_semantic_dangerous_functions,
+              @unsafe_file_upload.rule_name => @unsafe_file_upload,
+              @reflected_xss.rule_name => @reflected_xss,
+              @xxe.rule_name => @xxe
+          }
+        end
+
+        # Update all settings from configuration.
+        def update
+          rules.values.each(&:update)
+          logger.info('Current rule settings:')
+          rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+        end
+
+        # Check the local configurations first then the server settings.
+        def enabled?
+          Contrast::PROTECT.enable || Contrast::SETTINGS.protect_state.enabled
+        end
+
+        # @param [String] rule_id
+        # @return [Contrast::Agent::Protect::Rule::Base]
+        def [] rule_id
+          rules[rule_id]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/details/xss_match.rb

@@ -9,6 +9,9 @@ module Contrast
       module Details
         # Matcher data for XSS rule.
         class XssMatch
+          EVIDENCE_START = /<script.*?>/i.cs__freeze
+          EVIDENCE_END = %r{</script.*?>}i.cs__freeze
+
           # @return [Integer] in ms
           attr_accessor :evidence_start
           # @return [String]
@@ -16,6 +19,16 @@ module Contrast
           # @return [Integer]
           attr_accessor :offset
 
+          # @param xss_string [String] to check for matches.
+          def initialize xss_string = ''
+            return if xss_string.empty?
+
+            @evidence_start = xss_string.index(EVIDENCE_START)
+            @offset = (xss_string[0...@evidence_start] || '').length
+            @evidence = xss_string[@evidence_start...xss_string.index(EVIDENCE_END)].gsub(EVIDENCE_START, '').
+                gsub(EVIDENCE_END, '')
+          end
+
           def to_controlled_hash
             {
                 evidenceStart: evidence_start,
@@ -23,6 +36,10 @@ module Contrast
                 offset: offset
             }
           end
+
+          def empty?
+            evidence_start.nil? || evidence.nil? || offset.nil?
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 
 module Contrast
@@ -12,10 +13,20 @@ module Contrast
         # @return [Hash] Stored request inputs for this context.
         attr_accessor :inputs
 
+        # Records rules triggered on sink.
+        #
+        # @return [Array<String>] array with rule names.
         def triggered_rules
           @_triggered_rules ||= []
         end
 
+        # Records rules with input analysis for current request.
+        #
+        # @return [Array<String>] array with rule names.
+        def analysed_rules
+          @_analysed_rules ||= []
+        end
+
         # result from input analysis
         #
         # @return @_results [Array<Contrast::Agent::Reporting::Settings::InputAnalysisResult>]
@@ -44,6 +55,27 @@ module Contrast
         def request= request
           @_request = request if request.instance_of?(Contrast::Agent::Request)
         end
+
+        # Check if the InputAnalysis is empty.
+        def no_inputs?
+          Contrast::Utils::DuckUtils.empty_duck?(inputs)
+        end
+
+        # We add the analysed rules to the list. The IA won't be build for this rule,
+        # since already it's already available.
+        #
+        # @param rule_name [String] name to record.
+        def record_analysed_rule rule_name
+          analysed_rules << rule_name unless triggered_rules.include?(rule_name)
+        end
+
+        # We add the triggered rules to the list. After request analysis will skip this rule
+        # as already triggered.
+        #
+        # @param rule_name [String] name to record.
+        def record_rule_triggered rule_name
+          triggered_rules << rule_name unless triggered_rules.include?(rule_name)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -32,6 +32,8 @@ module Contrast
 
         def validate
           raise(ArgumentError, 'Start Time is not presented') unless @start_time
+
+          nil
         end
 
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb

@@ -59,6 +59,8 @@ module Contrast
             raise(ArgumentError, "#{ self } did not have a proper type - '#{ type }'. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper URL. Unable to continue.") unless url
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -119,15 +119,12 @@ module Contrast
               ruleId: rule_id,
               session_id: ::Contrast::ASSESS.session_id,
               version: 4
-          }
+          }.compact
         end
 
         # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
-          unless ::Contrast::ASSESS.session_id
-            raise(ArgumentError, "#{ self } did not have a proper session id. Unable to continue.")
-          end
           if event_based? && events.empty?
             raise(ArgumentError, "#{ self } did not have proper events for #{ @rule_id }. Unable to continue.")
           end