npm - @contrast/agent-bundle - Versions diffs - 5.42.0 → 5.45.1 - Mend

@contrast/agent-bundle 5.42.0 → 5.45.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (468) hide show

package/node_modules/@contrast/protect/lib/input-analysis/install/http.js CHANGED Viewed

@@ -16,13 +16,12 @@
 'use strict';
 const onFinished = require('on-finished');
-const { Event, primordials: { StringPrototypeToLowerCase, ArrayPrototypeSlice } } = require('@contrast/common');
+const { primordials: { StringPrototypeToLowerCase, ArrayPrototypeSlice } } = require('@contrast/common');
 const { patchType } = require('../constants');
 module.exports = function (core) {
   const {
     logger,
-    messages,
     scopes: { sources },
     instrumentation: { instrument },
     protect: {
@@ -75,8 +74,8 @@ module.exports = function (core) {
       onFinished(res, (/* err, req */) => {
         resData.statusCode = res.statusCode;
+        // check for probes and method-tampering outcome
         inputAnalysis.handleRequestEnd(store.protect);
-        messages.emit(Event.PROTECT, store);
       });
       const connectInputs = {
@@ -112,7 +111,7 @@ module.exports = function (core) {
   }
   function install() {
-    ['http', 'https', 'spdy', 'http2'].forEach((moduleName) => {
+    ['http', 'https', 'http2'].forEach((moduleName) => {
       instrument({
         moduleName,
         patchObjects: [{

package/node_modules/@contrast/protect/lib/input-tracing/{handlers/index.js → handlers.js} RENAMED Viewed

@@ -29,6 +29,7 @@ const {
 module.exports = function(core) {
   const {
+    protect,
     protect: {
       agentLib,
       inputTracing,
@@ -40,16 +41,21 @@ module.exports = function(core) {
   function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
     const { stacktraceOpts } = sinkContext;
     captureStacktrace(sinkContext, stacktraceOpts);
-    result.exploitMetadata.push({ sinkContext, findings });
+    result.exploited = true;
-    const mode = sourceContext.policy[ruleId];
+    const mode = sourceContext.policy.getRuleMode(ruleId);
+    const eventArg = { findings, result, sinkContext };
+    let blockInfo;
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
-      const blockInfo = [mode, ruleId];
+      blockInfo = [mode, ruleId, eventArg];
       sourceContext.securityException = blockInfo;
-      throwSecurityException(sourceContext);
     }
+    protect.reportFinding(eventArg);
+    if (blockInfo) throwSecurityException(sourceContext);
   }
   inputTracing.handlePathTraversal = function(sourceContext, sinkContext) {
@@ -61,7 +67,6 @@ module.exports = function(core) {
     for (const result of results) {
       const idx = sinkContext.value.indexOf(result.value);
       const findings = idx !== -1 ? { path: sinkContext.value } : null;
       if (findings) {
         handleFindings(sourceContext, sinkContext, ruleId, result, findings);
       }
@@ -218,13 +223,7 @@ module.exports = function(core) {
         }
         if (stringFindings) {
-          const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId };
-          // don't modify ssjs-injection result items so use new exploit metadata array here
-          if (nosqlInjectionResult.idsList?.some?.((id) => id.startsWith('SSJS'))) {
-            nosqlInjectionResult.exploitMetadata = [];
-          }
+          const nosqlInjectionResult = { ...result, ruleId, mappedId: ruleId, exploited: false };
           const nosqlInjectionResults = sourceContext.resultsMap[ruleId];
           const isAlreadyPresentInNosqlresults = result.idsList &&
             result.idsList.some(
@@ -312,12 +311,13 @@ module.exports = function(core) {
       const findings = idx !== -1 ? { value: sinkContext.value } : null;
       if (findings) {
-        result.exploitMetadata.push({ sinkContext, findings });
+        result.exploited = true;
+        handleFindings(sourceContext, sinkContext, ruleId, result, findings);
+        break;
       }
     }
   };
   return inputTracing;
 };
@@ -328,7 +328,7 @@ module.exports = function(core) {
  * @returns {AnalysisResult[]}
  */
 function getResultsByRuleId(ruleId, context) {
-  if (!context.policy || context.policy[ruleId] === OFF) {
+  if (!context.policy || context.policy.getRuleMode(ruleId) === OFF) {
     return;
   }
   // because agent-lib stores all nosql-injection results under nosql-injection-mongo

package/node_modules/@contrast/protect/lib/input-tracing/index.js CHANGED Viewed

@@ -36,7 +36,6 @@ module.exports = function(core) {
   require('./install/mysql')(core);
   require('./install/postgres')(core);
   require('./install/sequelize')(core);
-  require('./install/spdy')(core);
   require('./install/sqlite3')(core);
   require('./install/vm')(core);
   // TODO: NODE-2360 (oracledb)

package/node_modules/@contrast/protect/lib/make-source-context.js CHANGED Viewed

@@ -18,8 +18,6 @@
 module.exports = function(core) {
   const { protect } = core;
-  const DISABLED_POLICY = { allowed: true };
   /**
    * @param {object} param
    * @param {object} param.store
@@ -33,12 +31,7 @@ module.exports = function(core) {
     // incomingMessage,
     serverResponse,
   }) {
-    if (!core.config.getEffectiveValue('protect.enable')) return DISABLED_POLICY;
     const policy = protect.getPolicy({ uriPath: sourceInfo.uriPath });
-    // URL exclusions can disable all rules
-    if (!policy || policy.rulesMask === 0) return DISABLED_POLICY;
     const protectStore = {
       resData: {
         statusCode: null,
@@ -56,6 +49,11 @@ module.exports = function(core) {
       resultsMap: Object.create(null),
     };
+    if (policy.allowed) {
+      protectStore.allowed = true;
+    }
     return protectStore;
   }

package/node_modules/@contrast/protect/lib/policy.js CHANGED Viewed

@@ -24,10 +24,10 @@ const {
     StringPrototypeToLowerCase,
     StringPrototypeSplit,
     RegExpPrototypeTest
-  }
+  },
+  set,
 } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 const { BLOCK_AT_PERIMETER, OFF } = ProtectRuleMode;
 const {
   BOT_BLOCKER,
@@ -58,6 +58,121 @@ module.exports = function (core) {
     protect: { agentLib }
   } = core;
+  // todo: can we not init this and just set what's needed
+  let processedExclusions = initCompiled();
+  const policy = protect.policy = {
+    version: Date.now(),
+    exclusions: processedExclusions
+  };
+  class RequestPolicy {
+    constructor(core, sourceInfo) {
+      Object.defineProperty(this, 'core', { value: core });
+      Object.defineProperty(this, 'sourceInfo', { value: sourceInfo });
+      this.init();
+    }
+    init() {
+      const { uriPath } = this.sourceInfo;
+      this.version = core.protect.policy.version;
+      if (!this.core.config.getEffectiveValue('protect.enable')) {
+        this.allowed = true;
+        return;
+      }
+      // todo build exclusions
+      for (const [inputType, exclusions] of Object.entries(processedExclusions)) {
+        for (const e of exclusions) {
+          if (!e.matchesUriPath(uriPath)) continue;
+          // url exclusions
+          if (inputType === 'url') {
+            // if applies to all rules, there is no policy for the request i.e. disable protect
+            if (!e.policy) {
+              this.allowed = true;
+              return;
+            }
+            // merge exclusion's policy into the request's policy
+            for (const key of Object.keys(e.policy)) {
+              const value = e.policy[key];
+              if (key === 'rulesMask') {
+                if (this.exclusions?.rulesMask == null)
+                  set(this, 'exclusions.rulesMask', this.core.protect.policy.rulesMask);
+                // this is how to disable rules bitwise
+                this.exclusions.rulesMask = this.exclusions.rulesMask & ~value;
+              } else {
+                set(this, `exclusions.${key}`, value);
+              }
+            }
+          } else if (inputType === 'querystring') {
+            if (!e.policy) {
+              set(this, 'exclusions.ignoreQuerystring', true);
+            } else {
+              // merge exclusion's policy into the querystring's policy
+              // this.exclusions.querystringPolicy = this.exclusions.querystringPolicy || {};
+              for (const key of Object.keys(e.policy)) {
+                const value = e.policy[key];
+                if (key !== 'rulesMask') {
+                  set(this, `exclusions.querystringPolicy.${key}`, value);
+                }
+              }
+            }
+          } else if (inputType === 'body') {
+            if (!e.policy) {
+              set(this, 'exclusions.ignoreBody', true);
+            } else {
+              // merge exclusion's policy into the querystring's policy
+              // set(this, `exclusions.bodyPolicy = this.exclusions.bodyPolicy || {};
+              for (const key of Object.keys(e.policy)) {
+                const value = e.policy[key];
+                if (key !== 'rulesMask') {
+                  set(this, `exclusions.bodyPolicy.${key}`, value);
+                }
+              }
+            }
+          } else {
+            // copy matching input exclusions into request policy
+            if (!this.exclusions?.[inputType]) set(this, `exclusions.${inputType}`, []);
+            this.exclusions[inputType].push(e);
+          }
+        }
+      }
+    }
+    checkInit() {
+      if (!this.version == core.protect.policy.version) {
+        this.init();
+      }
+    }
+    isDisabled() {
+      this.checkInit();
+      return this.allowed === true;
+    }
+    getRulesMask(inputType) {
+      this.checkInit();
+      if (this.allowed) return 0;
+      return this.exclusions?.rulesMask ?? this.core.protect.policy.rulesMask;
+    }
+    getRuleMode(ruleId) {
+      this.checkInit();
+      if (this.allowed) return OFF;
+      return this.exclusions?.[ruleId] ?? this.core.protect.policy[ruleId];
+    }
+    getExclusionInfo(key, inputType) {
+      this.checkInit();
+      return key ? this.exclusions?.[key] : this.exclusions;
+    }
+  }
   function initCompiled() {
     return {
       url: [],
@@ -69,12 +184,6 @@ module.exports = function (core) {
     };
   }
-  let compiled = initCompiled();
-  const policy = protect.policy = {
-    exclusions: compiled
-  };
   function regExpCheck(str) {
     return str.indexOf('*') > 0 ||
       str.indexOf('.') > 0 ||
@@ -156,96 +265,19 @@ module.exports = function (core) {
         ruleId = 'nosql-injection-mongo';
       }
-      if (protect.agentLib.RuleType[ruleId] && mode !== OFF) {
-        rulesMask = rulesMask | protect.agentLib.RuleType[ruleId];
+      if (agentLib.RuleType[ruleId] && mode !== OFF) {
+        rulesMask = rulesMask | agentLib.RuleType[ruleId];
       }
     }
     policy.rulesMask = rulesMask;
   }
-  /**
-   * This gets called by protect.makeSourceContext(). We return copy of policy to avoid
-   * inconsistent behavior if policy is updated during request handling.
-   */
-  function getPolicy({ uriPath } = {}) {
-    const requestPolicy = {
-      exclusions: {
-        ignoreQuerystring: false,
-        querystringPolicy: null,
-        ignoreBody: false,
-        bodyPolicy: null,
-        header: [],
-        cookie: [],
-        parameter: [],
-      },
-      rulesMask: policy.rulesMask,
-    };
-    for (const ruleId of Object.values(Rule)) {
-      requestPolicy[ruleId] = policy[ruleId];
-    }
-    // handle exclusions
-    for (const [inputType, exclusions] of Object.entries(compiled)) {
-      for (const e of exclusions) {
-        if (!e.matchesUriPath(uriPath)) continue;
-        // url exclusions
-        if (inputType === 'url') {
-          // if applies to all rules, there is no policy for the request i.e. disable protect
-          if (!e.policy) {
-            return null;
-          }
-          // merge exclusion's policy into the request's policy
-          for (const key of Object.keys(e.policy)) {
-            const value = e.policy[key];
-            if (key === 'rulesMask') {
-              // this is how to disable rules bitwise
-              requestPolicy.rulesMask = requestPolicy.rulesMask & ~value;
-            } else {
-              requestPolicy[key] = value;
-            }
-          }
-        } else if (inputType === 'querystring') {
-          if (!e.policy) {
-            requestPolicy.exclusions.ignoreQuerystring = true;
-          } else {
-            // merge exclusion's policy into the querystring's policy
-            requestPolicy.exclusions.querystringPolicy = requestPolicy.exclusions.querystringPolicy || {};
-            for (const key of Object.keys(e.policy)) {
-              const value = e.policy[key];
-              if (key !== 'rulesMask') {
-                requestPolicy.exclusions.querystringPolicy[key] = value;
-              }
-            }
-          }
-        } else if (inputType === 'body') {
-          if (!e.policy) {
-            requestPolicy.exclusions.ignoreBody = true;
-          } else {
-            // merge exclusion's policy into the querystring's policy
-            requestPolicy.exclusions.bodyPolicy = requestPolicy.exclusions.bodyPolicy || {};
-            for (const key of Object.keys(e.policy)) {
-              const value = e.policy[key];
-              if (key !== 'rulesMask') {
-                requestPolicy.exclusions.bodyPolicy[key] = value;
-              }
-            }
-          }
-        } else {
-          // copy matching input exclusions into request policy
-          requestPolicy.exclusions[inputType].push(e);
-        }
-      }
-    }
-    return requestPolicy;
-  }
   function updateGlobalPolicy(remoteSettings) {
     const protectionRules = remoteSettings?.protect?.rules;
+    // last updated
+    protect.policy.version = Date.now();
     if (protectionRules) {
       [
         CMD_INJECTION,
@@ -290,7 +322,8 @@ module.exports = function (core) {
       }
       updateRulesMask();
-      protect.policy.exclusions = compiled;
+      protect.policy.exclusions = processedExclusions;
       logger.info({ policy: protect.policy }, 'Protect policy updated');
     }
   }
@@ -302,7 +335,7 @@ module.exports = function (core) {
     ].filter((exclusion) => exclusion.modes.includes('defend'));
     if (!exclusions.length) return;
-    compiled = initCompiled();
+    processedExclusions = initCompiled();
     for (const exclusionDtm of exclusions) {
       exclusionDtm.type = exclusionDtm.type || 'URL';
@@ -310,7 +343,7 @@ module.exports = function (core) {
       const { name, protect_rules, urls, type } = exclusionDtm;
       const key = StringPrototypeToLowerCase.call(type);
-      if (!compiled[key]) continue;
+      if (!processedExclusions[key]) continue;
       try {
         const e = { name };
@@ -354,7 +387,7 @@ module.exports = function (core) {
           };
         }
-        compiled[key].push(e);
+        processedExclusions[key].push(e);
       } catch (err) {
         logger.error({ err, exclusionDtm }, 'failed to process exclusion');
       }
@@ -370,5 +403,7 @@ module.exports = function (core) {
   initPolicy();
-  return protect.getPolicy = getPolicy;
+  return protect.getPolicy = function getPolicy(sourceInfo) {
+    return new RequestPolicy(core, sourceInfo);
+  };
 };

package/node_modules/@contrast/protect/lib/semantic-analysis/handlers.js CHANGED Viewed

@@ -44,6 +44,7 @@ const getRuleResults = function(obj, prop) {
 module.exports = function(core) {
   const {
+    protect,
     protect: {
       agentLib,
       semanticAnalysis,
@@ -52,27 +53,32 @@ module.exports = function(core) {
     captureStacktrace,
   } = core;
-  function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
+  function handleResult(sourceContext, sinkContext, ruleId, mode, findings) {
     const { value, stacktraceOpts } = sinkContext;
     captureStacktrace(sinkContext, stacktraceOpts);
     // shoehorn findings into agent-lib result data model
     const result = {
       blocked: false,
+      inputType: InputType.UNKNOWN,
       ruleId,
       value,
       mappedId: ruleId,
-      exploitMetadata: [{ sinkContext, command: value }],
-      ...finding
+      exploited: true,
     };
     getRuleResults(sourceContext.resultsMap, ruleId).push(result);
+    let blockInfo;
     if (BLOCKING_MODES.includes(mode)) {
       result.blocked = true;
-      const blockInfo = [mode, ruleId];
+      blockInfo = [mode, ruleId];
       sourceContext.securityException = blockInfo;
-      throwSecurityException(sourceContext);
     }
+    protect.reportFinding({ findings, result, sinkContext });
+    if (blockInfo) throwSecurityException(sourceContext);
   }
   /**
@@ -149,7 +155,7 @@ module.exports = function(core) {
   }
   semanticAnalysis.handleCmdInjectionSemanticDangerous = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS);
     if (mode == OFF) return;
@@ -161,7 +167,7 @@ module.exports = function(core) {
   };
   semanticAnalysis.handleCmdInjectionSemanticChainedCommands = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS);
     if (mode == OFF) return;
@@ -173,38 +179,33 @@ module.exports = function(core) {
   };
   semanticAnalysis.handleCommandInjectionCommandBackdoors = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
+    const mode = sourceContext.policy.getRuleMode(Rule.CMD_INJECTION_COMMAND_BACKDOORS);
     if (mode == OFF) return;
     const finding = findBackdoorInjection(sourceContext, sinkContext.value);
     if (finding) {
-      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_COMMAND_BACKDOORS, mode, finding);
+      handleResult(sourceContext, sinkContext, Rule.CMD_INJECTION_COMMAND_BACKDOORS, mode);
     }
   };
   semanticAnalysis.handlePathTraversalFileSecurityBypass = function(sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
+    const mode = sourceContext.policy.getRuleMode(Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS);
     if (mode == OFF) return;
     if (agentLib.isDangerousPath(sinkContext.value, true)) {
-      handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
-        exploitMetadata: [{ sinkContext, path: sinkContext.value }]
-      });
+      handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode);
     }
   };
   semanticAnalysis.handleXXE = function (sourceContext, sinkContext) {
-    const mode = sourceContext.policy[Rule.XXE];
+    const mode = sourceContext.policy.getRuleMode(Rule.XXE);
     if (mode == OFF) return;
     const findings = findExternalEntities(sinkContext.value);
     if (findings.entities.length) {
-      handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
-        exploitMetadata: [{ sinkContext, ...findings }],
-      });
+      handleResult(sourceContext, sinkContext, Rule.XXE, mode, findings);
     }
   };

package/node_modules/@contrast/protect/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.65.0",
+  "version": "1.68.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -14,23 +14,23 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 16.9.1"
+    "node": ">= 18.7.0"
   },
   "scripts": {
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
-    "@contrast/common": "1.35.0",
-    "@contrast/config": "1.50.0",
-    "@contrast/core": "1.55.0",
-    "@contrast/dep-hooks": "1.24.0",
-    "@contrast/esm-hooks": "2.29.0",
-    "@contrast/instrumentation": "1.34.0",
-    "@contrast/logger": "1.28.0",
-    "@contrast/patcher": "1.27.0",
-    "@contrast/rewriter": "1.31.0",
-    "@contrast/scopes": "1.25.0",
+    "@contrast/common": "1.37.0",
+    "@contrast/config": "1.52.1",
+    "@contrast/core": "1.57.1",
+    "@contrast/dep-hooks": "1.26.1",
+    "@contrast/esm-hooks": "2.32.0",
+    "@contrast/instrumentation": "1.36.1",
+    "@contrast/logger": "1.30.1",
+    "@contrast/patcher": "1.29.1",
+    "@contrast/rewriter": "1.34.0",
+    "@contrast/scopes": "1.27.1",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",

package/node_modules/@contrast/reporter/lib/index.js CHANGED Viewed

@@ -17,6 +17,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = init;
 const file_1 = __importDefault(require("./reporters/file"));
 const contrast_ui_1 = __importDefault(require("./reporters/contrast-ui"));
 const security_logger_1 = __importDefault(require("./reporters/security-logger"));
@@ -51,5 +52,4 @@ function init(core, options = DEFAULT_OPTIONS) {
     }
     return core.reporter;
 }
-exports.default = init;
 //# sourceMappingURL=index.js.map

package/node_modules/@contrast/reporter/lib/reporters/base.d.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-/// <reference types="node" />
 import { Event, Messages } from '@contrast/common';
 import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/application-activity/index.d.ts CHANGED Viewed

@@ -1,10 +1,12 @@
 import { Core } from '../../../base';
-import { AttackModel, ContrastUIReporter } from '../../types';
+import { ContrastUIReporter } from '../../types';
 import NgEndpoint from '../ng-endpoint';
+import { Translations } from './translations';
 export default class ApplicationActivity extends NgEndpoint {
-    defendPayload: AttackModel[];
+    translations: Translations;
     lastUpdate: number;
     userAgentSet: Set<string>;
+    attackersMap: Map<string, any>;
     constructor(core: Core, uiReporter: ContrastUIReporter);
     put(): Promise<void>;
 }

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/application-activity/index.js CHANGED Viewed

@@ -23,30 +23,30 @@ const translations_1 = require("./translations");
 class ApplicationActivity extends ng_endpoint_1.default {
     constructor(core, uiReporter) {
         super(core, { ...uiReporter, url: '/api/ng/activity/application' });
-        this.defendPayload = [];
-        this.defendPayload = [];
         this.lastUpdate = 0;
         this.userAgentSet = new Set();
-        uiReporter.subscribeWithLock(common_1.Event.PROTECT, (store) => {
-            if (!store.protect || !store.sourceInfo)
+        this.attackersMap = new Map();
+        this.translations = new translations_1.Translations(core);
+        uiReporter.subscribeWithLock(common_1.Event.PROTECT_FINDING, (eventArg) => {
+            // validate before passing to accumulator helpers
+            if (!eventArg.store.sourceInfo?.ip)
                 return;
-            const result = (0, translations_1.handleProtectMessage)(store);
-            if (result?.userAgent) {
-                this.userAgentSet.add(result.userAgent);
+            try {
+                this.translations.accumulateUserAgent(this.userAgentSet, eventArg);
+                this.translations.accumulateFinding(this.attackersMap, eventArg);
             }
-            if (result?.attackModel) {
-                this.defendPayload.push(result.attackModel);
+            catch (err) {
+                core.logger.error({ err }, 'unable to accumulate protect finding');
             }
         });
     }
     async put() {
-        const { client, core: { config }, url, } = this;
-        const attackers = this.defendPayload;
-        this.defendPayload = [];
+        const attackers = Array.from(this.attackersMap.values());
+        this.attackersMap.clear();
         const browsers = Array.from(this.userAgentSet.values());
         this.userAgentSet.clear();
-        this.lastUpdate += config.agent.polling.app_activity_ms;
-        const resp = await client.put(url, {
+        this.lastUpdate += this.core.config.agent.polling.app_activity_ms;
+        const resp = await this.client.put(this.url, {
             inventory: { browsers },
             defend: { attackers },
             lastUpdate: this.lastUpdate,