@contrast/agent-bundle 5.42.0 → 5.45.1

package/node_modules/@contrast/protect/lib/input-analysis/handlers.js

@@ -32,6 +32,7 @@ const {
   }
 } = require('@contrast/common');
 const { Core } = require('@contrast/core/lib/ioc/core');
+
 //
 // these rules are not implemented by agent-lib, but are being considered for
 // implementation:
@@ -100,6 +101,7 @@ module.exports = Core.makeComponent({
   factory(core) {
     const {
       logger,
+      protect,
       protect: {
         agentLib,
         inputAnalysis,
@@ -132,6 +134,124 @@ module.exports = Core.makeComponent({
     //   inputs against rules 1) is very fast and 2) dramatically pares down the number
     //   of exclusion checks that need to be made.
 
+    /**
+     * merge new findings into the existing findings
+     *
+     * @param {Object} sourceContext sourceContext.findings is the existing findings
+     * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
+     * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
+     */
+    function mergeFindings(sourceContext, newFindings) {
+      const { policy } = sourceContext;
+      const { securityException, resultsMap } = sourceContext;
+
+      if (!newFindings.trackRequest) {
+        return securityException;
+      }
+
+      newFindings.resultsList = newFindings.resultsList.filter(
+        (result) => !inputAnalysis.isResultExcluded(sourceContext, result)
+      );
+
+      normalizeFindings(policy, newFindings);
+
+      sourceContext.trackRequest = sourceContext.trackRequest || newFindings.trackRequest;
+      sourceContext.securityException = sourceContext.securityException || newFindings.securityException;
+
+      // merge them into a ruleId-indexed map (pojo)
+      for (const result of newFindings.resultsList) {
+        if (!resultsMap[result.ruleId]) {
+          resultsMap[result.ruleId] = [];
+        }
+        resultsMap[result.ruleId].push(result);
+      }
+
+      return sourceContext.securityException;
+    }
+
+    //
+    // add common fields to findings.
+    //
+    function normalizeFindings(policy, findings) {
+      // now both augment the rules and check to see if any require blocking
+      // at perimeter.
+      for (const r of findings.resultsList) {
+        // augment
+        // what additional augmentations are needed?
+        // the name/id might need to be mapped but keep the original so it's not lost
+        r.mappedId = agentLibRuleTypeToName[r.ruleId] || r.ruleId;
+
+        // if we block this or the value is found in sink, we'll know not to check
+        // this result for probe analysis in handleRequestEnd().
+        r.blocked = false;
+        r.exploited = false;
+
+        // apply exclusions here.
+        //
+        // apply exclusions after scoring inputs as it will require less work
+        // most of the time.
+        //
+        // the following might need to be changed. BAP is legacy behavior; beyond that,
+        // the only way a score >= 90 can come back is if there is no "worth-watching"
+        // option and that implies that there is no sink, so this is the only place at
+        // which the block can occur. so at a minimum 'block' should also result in a
+        // block.
+        const mode = policy.getRuleMode(r.ruleId);
+
+        if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
+          r.blocked = true;
+          findings.securityException = [mode, r.ruleId, { result: r }];
+        }
+      }
+    }
+
+    function checkIpsMatch(listEntry, ip) {
+      const parsed = address.process(ip);
+
+      // Check if IP is in CIDR range,
+      if (listEntry.cidr) {
+        if (parsed.kind() !== listEntry.cidr.kind) {
+          return null;
+        }
+
+        if (parsed.match(listEntry.cidr.range)) {
+          return { ...listEntry, match: ip };
+        } else {
+          return null;
+        }
+      }
+
+      // or do a direct comparison
+      if (parsed.toNormalizedString() === listEntry.normalizedValue) {
+        return { ...listEntry, matchedIp: ip };
+      }
+
+      return null;
+    }
+
+    /**
+     * getValueAtKey() is used to fetch the object (expected) associated
+     * with the path of keys in obj. i say expected because this is only used
+     * for fetching the objects associated with a nosql vulnerability and those
+     * should always be objects.
+     *
+     * @param {Object} obj an object with keys
+     * @param {Array} path list of keys to walk through the object
+     * @param {String} lastKey the last key (it's not in path)
+     *
+     * @returns the value at end of walking path in obj
+     */
+    function getValueAtKey(obj, path, key) {
+      for (const p of path) {
+        /* c8 ignore next 6 */
+        if (!(p in obj)) {
+          return undefined;
+        }
+        obj = obj[p];
+      }
+      return key in obj ? obj[key] : undefined;
+    }
+
     /**
      * handleConnect()
      *
@@ -169,7 +289,7 @@ module.exports = Core.makeComponent({
      * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
      */
     inputAnalysis.handleConnect = function handleConnect(sourceContext, connectInputs) {
-      const { policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
 
       inputAnalysis.handleVirtualPatches(
         sourceContext,
@@ -183,6 +303,10 @@ module.exports = Core.makeComponent({
         block = inputAnalysis.handleMethodTampering(sourceContext, connectInputs);
       }
 
+      if (block) {
+        core.protect.reportFinding(block[2]);
+      }
+
       return block;
     };
 
@@ -205,17 +329,15 @@ module.exports = Core.makeComponent({
     inputAnalysis.handleQueryParams = function handleQueryParams(sourceContext, queryParams) {
       if (sourceContext.analyzedQuery) return;
       sourceContext.analyzedQuery = true;
-
       if (typeof queryParams !== 'object') {
         logger.debug({ queryParams }, 'handleQueryParams() called with non-object');
         return;
       }
-
       inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: queryParams });
 
       const block = commonObjectAnalyzer(sourceContext, queryParams, parameterInputTypes);
-
       if (block) {
+        core.protect.reportFinding(block[2]);
         core.protect.throwSecurityException(sourceContext);
       }
     };
@@ -230,6 +352,9 @@ module.exports = Core.makeComponent({
      * @param {Object} urlParams pojo
      */
     inputAnalysis.handleUrlParams = function(sourceContext, urlParams) {
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
+
       if (sourceContext.analyzedUrlParams) return;
       sourceContext.analyzedUrlParams = true;
 
@@ -240,7 +365,6 @@ module.exports = Core.makeComponent({
 
       inputAnalysis.handleVirtualPatches(sourceContext, { PARAMETERS: urlParams });
 
-      const { policy: { rulesMask } } = sourceContext;
       const resultsList = [];
       const { UrlParameter } = agentLib.InputType;
 
@@ -251,7 +375,6 @@ module.exports = Core.makeComponent({
         }
 
         const items = agentLib.scoreAtom(rulesMask, value, UrlParameter, preferWW);
-
         if (!items) {
           return;
         }
@@ -284,6 +407,9 @@ module.exports = Core.makeComponent({
       const block = mergeFindings(sourceContext, urlParamsFindings);
 
       if (block) {
+        if (block[2]) {
+          core.protect.reportFinding(block[2]);
+        }
         core.protect.throwSecurityException(sourceContext);
       }
     };
@@ -302,7 +428,8 @@ module.exports = Core.makeComponent({
 
       inputAnalysis.handleVirtualPatches(sourceContext, { HEADERS: cookies });
 
-      const { policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
 
       const cookiesArr = Object.entries(cookies).reduce((acc, [key, value]) => {
         // things like booleans will cause agent-lib to throw
@@ -315,6 +442,7 @@ module.exports = Core.makeComponent({
       const block = mergeFindings(sourceContext, cookieFindings);
 
       if (block) {
+        protect.reportFinding(block[2]);
         core.protect.throwSecurityException(sourceContext);
       }
     };
@@ -356,6 +484,7 @@ module.exports = Core.makeComponent({
       sourceContext.bodyType = bodyType;
 
       if (block) {
+        protect.reportFinding(block[2]);
         core.protect.throwSecurityException(sourceContext);
       }
     };
@@ -367,7 +496,7 @@ module.exports = Core.makeComponent({
       const { policy } = sourceContext;
       const resultsList = [];
 
-      if (policy[Rule.UNSAFE_FILE_UPLOAD] === 'off') return;
+      if (policy.getRuleMode(Rule.UNSAFE_FILE_UPLOAD) === 'off') return;
 
       for (const name of names) {
         if (!isString(name)) {
@@ -375,7 +504,7 @@ module.exports = Core.makeComponent({
           return;
         }
 
-        const items = agentLib.scoreAtom(policy.rulesMask, name, type);
+        const items = agentLib.scoreAtom(policy.getRulesMask(), name, type);
 
         if (!items) {
           return;
@@ -402,6 +531,7 @@ module.exports = Core.makeComponent({
       const block = mergeFindings(sourceContext, unsafeFilenameFindings);
 
       if (block) {
+        core.protect.reportFinding(block[2]);
         core.protect.throwSecurityException(sourceContext);
       }
     };
@@ -411,6 +541,7 @@ module.exports = Core.makeComponent({
 
       if (!Object.keys(requestInput).filter(Boolean).length || !sourceContext?.virtualPatchesEvaluators.length) return;
 
+      // todo: get virtualPatchesEvaluators from protect policy instead of request
       for (const vpEvaluators of sourceContext.virtualPatchesEvaluators) {
         for (const key in requestInput) {
           const evaluator = vpEvaluators.get(key);
@@ -423,10 +554,17 @@ module.exports = Core.makeComponent({
               if (!sourceContext.resultsMap[ruleId]) {
                 sourceContext.resultsMap[ruleId] = [];
               }
-              sourceContext.resultsMap[ruleId].push({
-                name,
-                uuid
-              });
+
+              const result = {
+                key: name,
+                inputType: 'UNKNOWN',
+                ruleId: Rule.VIRTUAL_PATCH,
+                value: 'Virtual Patch',
+                blocked: true,
+              };
+              const eventArg = { result, findings: { uuid } };
+
+              protect.reportFinding(eventArg);
               sourceContext.securityException = ['block', ruleId];
               core.protect.throwSecurityException(sourceContext);
             }
@@ -453,7 +591,7 @@ module.exports = Core.makeComponent({
       if (!sourceContext || !ipDenylist.length) return;
 
       const { sourceInfo } = core.scopes.sources.getStore();
-      const match = ipListAnalysis(sourceInfo.Ip, sourceInfo.rawHeaders, ipDenylist);
+      const match = ipListAnalysis(sourceInfo.ip, sourceInfo.rawHeaders, ipDenylist);
 
       if (match) {
         logger.info(match, 'Found a matching IP to an entry in ipDeny list');
@@ -461,17 +599,28 @@ module.exports = Core.makeComponent({
           sourceContext.resultsMap[ruleId] = [];
         }
 
-        sourceContext.resultsMap[ruleId].push({
-          ip: match.matchedIp,
-          uuid: match.uuid,
-        });
+        const eventArg = {
+          result: {
+            key: 'IP Address',
+            inputType: 'UNKNOWN',
+            ruleId: Rule.IP_DENYLIST,
+            value: sourceInfo.ip,
+            blocked: true,
+          },
+          findings: {
+            uuid: match.uuid,
+            ip: match.matchedIp,
+          },
+        };
+        protect.reportFinding(eventArg);
+
         return ['block', 'ip-denylist'];
       }
     };
 
     inputAnalysis.handleMethodTampering = function(sourceContext, connectInputs) {
       const ruleId = Rule.METHOD_TAMPERING;
-      const mode = sourceContext.policy[ruleId];
+      const mode = sourceContext.policy.getRuleMode(ruleId);
       if (mode !== OFF) {
         const { method } = connectInputs;
 
@@ -481,14 +630,14 @@ module.exports = Core.makeComponent({
             key: 'method',
             value: method,
             blocked: false,
-            exploitMetadata: null,
           };
 
           sourceContext.resultsMap[ruleId] = [result];
 
           if (BLOCKING_MODES.includes(mode)) {
+            result.exploited = true;
             result.blocked = true;
-            return sourceContext.securityException = ['block', ruleId];
+            return sourceContext.securityException = ['block', ruleId, { result }];
           }
         }
       }
@@ -502,24 +651,24 @@ module.exports = Core.makeComponent({
      * @param {Object} sourceContext
      */
     inputAnalysis.handleRequestEnd = function handleRequestEnd(sourceContext) {
-      {
-        // check status code to verify method-tampering exploitation
-        const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
-        if (mtResult) {
-          const { statusCode } = sourceContext.resData;
-          if (statusCode !== 405 || statusCode !== 501) {
-            mtResult.exploitMetadata = [{ statusCode }];
-          }
+      const { policy } = sourceContext;
+      // check status code to verify method-tampering exploitation
+      const mtResult = sourceContext.resultsMap[Rule.METHOD_TAMPERING]?.[0];
+      if (mtResult && policy.getRuleMode(Rule.METHOD_TAMPERING) !== OFF) {
+        const { statusCode } = sourceContext.resData;
+        if (statusCode !== 405 || statusCode !== 501) {
+          mtResult.exploited = true;
+          protect.reportFindings({ result: mtResult, finding: { statusCode } });
         }
       }
 
-      if (!config.protect.probe_analysis.enable) return;
-
       // Detecting probes
-      const { resultsMap, policy: { rulesMask } } = sourceContext;
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (rulesMask == 0 || !config.protect.probe_analysis.enable) return;
+      const probeReports = [];
+      const { resultsMap } = sourceContext;
       const probesRules = [Rule.CMD_INJECTION, Rule.PATH_TRAVERSAL, Rule.SQL_INJECTION, Rule.XXE];
       const probes = {};
-
       const findingsForScoreRequest = {
         HeaderValue: {},
         ParameterValue: {},
@@ -532,7 +681,7 @@ module.exports = Core.makeComponent({
         resultsByRuleId.forEach(resultByRuleId => {
           const {
             ruleId,
-            exploitMetadata,
+            exploited,
             score,
             value,
             key,
@@ -540,10 +689,11 @@ module.exports = Core.makeComponent({
           } = resultByRuleId;
 
           if (
-            !isMonitorMode(ruleId, sourceContext) ||
-            exploitMetadata.length > 0 ||
+            sourceContext.policy.getRuleMode(ruleId) !== MONITOR ||
+            exploited === true || // todo: remove
             score >= 90 ||
-            !probesRules.some((rule) => rule === ruleId)
+            !probesRules.some((rule) => rule === ruleId) ||
+            inputType == InputType.UNKNOWN
           ) {
             return;
           }
@@ -562,9 +712,7 @@ module.exports = Core.makeComponent({
           valueToResultByRuleId[value] = resultByRuleId;
         });
       });
-
       const { ParameterValue, HeaderValue, CookieValue } = findingsForScoreRequest;
-
       const results =
         agentLib.scoreRequestConnect(
           rulesMask,
@@ -579,20 +727,21 @@ module.exports = Core.makeComponent({
         ).resultsList || [];
 
       Object.entries(findingsForScoreAtom).forEach(([value, inputTypes]) => {
-        Object.entries(inputTypes).forEach(([inputType, resultByRuleId]) =>
-          (
-            agentLib.scoreAtom(rulesMask, value, agentLib.InputType[inputType], {
-              preferWorthWatching: false,
-            }) || []
-          ).forEach(result => {
+        Object.entries(inputTypes).forEach(([inputType, resultByRuleId]) => {
+          if (agentLib.InputType[inputType] == null) return;
+          const alibResult = agentLib.scoreAtom(rulesMask, value, agentLib.InputType[inputType], {
+            preferWorthWatching: false,
+          }) || [];
+          alibResult.forEach(result => {
             results.push({ value, ...result });
+            probeReports.push({ value, ...result });
             valueToResultByRuleId[value] = resultByRuleId;
-          })
-        );
+          });
+        });
       });
 
       results
-        .filter(({ score, ruleId }) => score >= 90 && isMonitorMode(ruleId, sourceContext))
+        .filter(({ score, ruleId }) => score >= 90 && sourceContext.policy.getRuleMode(ruleId) == MONITOR)
         .forEach((result) => {
           const resultByRuleId = valueToResultByRuleId[result.value];
           const probe = Object.assign({}, resultByRuleId, result, {
@@ -613,14 +762,88 @@ module.exports = Core.makeComponent({
         }
 
         resultsMap[probe.ruleId].push(probe);
+        probeReports.push(probe);
       });
+
+      for (const result of probeReports) {
+        core.protect.reportFinding({ result });
+      }
+    };
+
+    /**
+     * Reads the source context's policy and compares to result item to check whether to ignore it.
+     * @param {ProtectMessage} sourceContext
+     * @param {Result} result
+     * @returns {boolean} whether result should be excluded
+     */
+    inputAnalysis.isResultExcluded = function isResultExcluded(sourceContext, result) {
+      const exclusions = sourceContext.policy.getExclusionInfo();
+      if (!exclusions) return false;
+
+      const { ruleId, path, inputType, value } = result;
+      const inputName = path ? path[path.length - 1] : null;
+
+      let checkCookiesInHeader = false;
+      let inputExclusions;
+
+      switch (inputType) {
+        case 'JsonKey':
+        case 'JsonValue':
+        case 'MultipartName': {
+          if (
+            exclusions?.ignoreBody ||
+            exclusions?.bodyPolicy?.[ruleId] == OFF
+          ) return true;
+
+          return false;
+        }
+        case 'ParameterKey':
+        case 'ParameterValue': {
+          const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
+          if (qsExcluded) return true;
+          inputExclusions = exclusions.parameter;
+          break;
+        }
+        case 'CookieValue': {
+          inputExclusions = exclusions.cookie;
+          break;
+        }
+        case 'HeaderKey':
+        case 'HeaderValue': {
+          if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
+            inputExclusions = exclusions.cookie;
+            checkCookiesInHeader = true;
+          } else {
+            inputExclusions = exclusions?.header;
+          }
+          break;
+        }
+      }
+
+      if (!inputName || !inputExclusions) return false;
+
+      for (const excl of inputExclusions) {
+        let nameCheck = false;
+        if (checkCookiesInHeader) {
+          nameCheck = excl.checkCookiesInHeader(value);
+        } else {
+          nameCheck = excl.matchesInputName(inputName);
+        }
+        if (!nameCheck) continue;
+        if (!excl.policy || excl.policy[ruleId] === OFF) {
+          return true;
+        }
+      }
+
+      return false;
     };
 
     /**
      * commonObjectAnalyzer() walks an object supplied by the end-user and checks
      * it for vulnerabilities.
      *
-     * This can cause the request to be blocked, depending on the mode and findings.
+     *
+ This can cause the request to be blocked, depending on the mode and findings.
      *
      * @param {Object} sourceContext the sourceContext for the request
      * @param {Object} object the object to analyze. It could be from any input
@@ -632,14 +855,14 @@ module.exports = Core.makeComponent({
      * @returns {Array | undefined} returns an array with block info if vulnerability was found.
      */
     function commonObjectAnalyzer(sourceContext, object, inputTypes) {
-      const { policy: { rulesMask } } = sourceContext;
-      if (!rulesMask) return;
-
       // use inputTypes to set params...
       const { keyType, inputType } = inputTypes;
       const inputTypeStr = inputTypes === jsonInputTypes ? 'Json' : 'Parameter';
       const resultsList = [];
 
+      const rulesMask = sourceContext.policy.getRulesMask();
+      if (!rulesMask) return;
+
       // it's possible to optimize this if qs (or a similar package) is not loaded
       // or if none of the values of queryParams are objects. a quick '.includes()'
       // could be used to determine that. if none are objects then traverseKeysAndValues()
@@ -768,184 +991,3 @@ module.exports = Core.makeComponent({
     }
   },
 });
-
-/**
- * Reads the source context's policy and compares to result item to check whether to ignore it.
- * @param {ProtectMessage} sourceContext
- * @param {Result} result
- * @returns {boolean} whether result should be excluded
- */
-function isResultExcluded(sourceContext, result) {
-  const { policy: { exclusions } } = sourceContext;
-  const { ruleId, path, inputType, value } = result;
-  const inputName = path ? path[path.length - 1] : null;
-
-  let checkCookiesInHeader = false;
-  let inputExclusions;
-  switch (inputType) {
-    case 'JsonKey':
-    case 'JsonValue':
-    case 'MultipartName': {
-      return exclusions.ignoreBody || exclusions.bodyPolicy?.[ruleId] === OFF;
-    }
-    case 'ParameterKey':
-    case 'ParameterValue': {
-      const qsExcluded = exclusions.ignoreQuerystring || exclusions.querystringPolicy?.[ruleId] === OFF;
-      if (qsExcluded) return true;
-      inputExclusions = exclusions.parameter;
-      break;
-    }
-    case 'CookieValue': {
-      inputExclusions = exclusions.cookie;
-      break;
-    }
-    case 'HeaderKey':
-    case 'HeaderValue': {
-      if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
-        inputExclusions = exclusions.cookie;
-        checkCookiesInHeader = true;
-      } else {
-        inputExclusions = exclusions.header;
-      }
-      break;
-    }
-  }
-
-  if (!inputName || !inputExclusions) return false;
-
-  for (const excl of inputExclusions) {
-    let nameCheck = false;
-    if (checkCookiesInHeader) {
-      nameCheck = excl.checkCookiesInHeader(value);
-    } else {
-      nameCheck = excl.matchesInputName(inputName);
-    }
-    if (!nameCheck) continue;
-    if (!excl.policy || excl.policy[ruleId] === OFF) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-/**
- * merge new findings into the existing findings
- *
- * @param {Object} sourceContext sourceContext.findings is the existing findings
- * @param {Object} newFindings the findings, in {trackRequest, resultsList} format.
- * @returns {undefined|[String]} undefined to permit else [mode, rule] to block.
- */
-function mergeFindings(sourceContext, newFindings) {
-  const { policy, securityException, resultsMap } = sourceContext;
-
-  if (!newFindings.trackRequest) {
-    return securityException;
-  }
-
-  newFindings.resultsList = newFindings.resultsList.filter(
-    (result) => !isResultExcluded(sourceContext, result)
-  );
-
-  normalizeFindings(policy, newFindings);
-
-  sourceContext.trackRequest = sourceContext.trackRequest || newFindings.trackRequest;
-  sourceContext.securityException = sourceContext.securityException || newFindings.securityException;
-
-  // merge them into a ruleId-indexed map (pojo)
-  for (const result of newFindings.resultsList) {
-    if (!resultsMap[result.ruleId]) {
-      resultsMap[result.ruleId] = [];
-    }
-    resultsMap[result.ruleId].push(result);
-  }
-
-  return sourceContext.securityException;
-}
-
-//
-// add common fields to findings.
-//
-function normalizeFindings(policy, findings) {
-  // now both augment the rules and check to see if any require blocking
-  // at perimeter.
-  for (const r of findings.resultsList) {
-    // augment
-    // what additional augmentations are needed?
-    // the name/id might need to be mapped but keep the original so it's not lost
-    r.mappedId = agentLibRuleTypeToName[r.ruleId] || r.ruleId;
-    // this finding resulted in blocking, i.e., it is not a probe.
-    r.blocked = false;
-
-    // sink analysis will add findings here
-    r.exploitMetadata = [];
-
-    // apply exclusions here.
-    //
-    // apply exclusions after scoring inputs as it will require less work
-    // most of the time.
-    //
-    // the following might need to be changed. BAP is legacy behavior; beyond that,
-    // the only way a score >= 90 can come back is if there is no "worth-watching"
-    // option and that implies that there is no sink, so this is the only place at
-    // which the block can occur. so at a minimum 'block' should also result in a
-    // block.
-    const mode = policy[r.ruleId];
-    if (r.score >= 90 && BLOCKING_MODES.includes(mode)) {
-      r.blocked = true;
-      findings.securityException = [mode, r.ruleId];
-    }
-  }
-}
-
-
-function checkIpsMatch(listEntry, ip) {
-  const parsed = address.process(ip);
-
-  // Check if IP is in CIDR range,
-  if (listEntry.cidr) {
-    if (parsed.kind() !== listEntry.cidr.kind) {
-      return null;
-    }
-
-    if (parsed.match(listEntry.cidr.range)) {
-      return { ...listEntry, match: ip };
-    } else {
-      return null;
-    }
-  }
-
-  // or do a direct comparison
-  if (parsed.toNormalizedString() === listEntry.normalizedValue) {
-    return { ...listEntry, matchedIp: ip };
-  }
-
-  return null;
-}
-
-/**
- * getValueAtKey() is used to fetch the object (expected) associated
- * with the path of keys in obj. i say expected because this is only used
- * for fetching the objects associated with a nosql vulnerability and those
- * should always be objects.
- *
- * @param {Object} obj an object with keys
- * @param {Array} path list of keys to walk through the object
- * @param {String} lastKey the last key (it's not in path)
- *
- * @returns the value at end of walking path in obj
- */
-function getValueAtKey(obj, path, key) {
-  for (const p of path) {
-    /* c8 ignore next 6 */
-    if (!(p in obj)) {
-      return undefined;
-    }
-    obj = obj[p];
-  }
-  return key in obj ? obj[key] : undefined;
-}
-
-function isMonitorMode(ruleId, sourceContext) {
-  return sourceContext.policy[ruleId] === MONITOR;
-}