@contrast/agent 4.12.0 → 4.13.0

package/lib/protect/sample-aggregator.js

@@ -20,7 +20,7 @@ Copyright: 2022 Contrast Security, Inc
 
 const _ = require('lodash');
 
-const POINTS_PATH = 'sample.assessment.results.points';
+const { IMPORTANCE } = require('../constants');
 
 /**
  * Compares two findings and returns the one which is
@@ -38,31 +38,26 @@ const rankEffectiveness = (a, b) => {
     return null;
   }
 
-  /* Otherwise, we want the one that is effective. */
-  return _.find([a, b], (f) => f.sample.effective);
+  // effective is a boolean, so there is no "higher" effectiveness.
+  return a.sample.effective ? a : b;
 };
 
 /**
- * Compares two findings and returns the one which is
- * ranked higher in terms of assessment score. If their
- * assessment score  is the same, <code>null</code> is
- * returned, signifying that a ranking order cannot be
- * determined for this criteria.
+ * Compares two findings and returns the one which has the highest
+ * score. If their scores are the same, return the first finding.
  * @param   {object}      a First finding
  * @param   {object}      b Second finding
- * @returns {object | null}
+ * @returns {object}
  */
-const rankPoints = (a, b) => {
-  const p1 = _.get(a, POINTS_PATH);
-  const p2 = _.get(b, POINTS_PATH);
+const POINTS_PATH = 'sample.assessment.results.points';
 
-  /* If both findings share point values, we can't rank them. */
-  if (p1 === p2) {
-    return null;
-  }
+function rankPoints(a, b) {
+  const pA = _.get(a, POINTS_PATH);
+  const pB = _.get(b, POINTS_PATH);
 
-  return p1 < p2 ? b : a;
-};
+  // return a if a is greater than or equal to b
+  return pA < pB ? b : a;
+}
 
 /**
  * Ranks two findings against effectiveness and score.
@@ -72,64 +67,77 @@ const rankPoints = (a, b) => {
  * @param   {object} b Second finding
  * @returns {object}   The highest-ranked finding
  */
-const rankFindings = (a, b) => rankEffectiveness(a, b) || rankPoints(a, b) || a;
+const rankFindings = (a, b) => rankEffectiveness(a, b) || rankPoints(a, b);
 
 /**
- * Takes a collection of findings and organizes them into
- * a map having keys being unique input types and paths,
- * and values being unique findings pertaining to each key.
+ * Takes a collection of findings and organizes them into a map having keys
+ * being unique input types and paths, and values being unique findings pertaining
+ * to each key.
  * @param   {object} memo    The map being created
  * @param   {object} finding Current finding in iteratee
  * @returns {object}         Map of ranked findings per type/path
  */
-const rankIntoMap = (memo, finding) => {
+function rankIntoMap(memo, finding) {
   const type = _.get(finding, 'sample.input.type', '_');
   const path = _.get(finding, 'sample.input.documentPath', '_');
   const name = _.get(finding, 'sample.input.name', '_');
 
-  /* This is what defines uniqueness in reporting */
+  // this string is the key to the map
   const memoPath = `${type}.${path}.${name}`;
-  const existing = memo[memoPath];
 
-  memo[memoPath] = !existing ? finding : rankFindings(existing, finding);
+  const existing = memo[memoPath];
+  // if it exists, rank it against the new finding
+  memo[memoPath] = existing ? rankFindings(existing, finding) : finding;
 
+  // memo returned despite having side effects because this function is
+  // called using reduce.
   return memo;
-};
+}
 
 /**
- * Functions for sample aggregation and ranking.
- */
-/**
- * From a collection of findings, will return a filtered
- * collection without low-scoring samples. Low-scoring
- * samples are not confirmed attacks. BUT, we DO want to
- * report on findings if they were effective, always.
- * @param   {object[]} findings
- * @returns {object[]}
- */
-const filterLowScoring = (findings = []) =>
-  _.filter(
-    findings,
-    (finding) =>
-      // Virtual Patch findings do not have inputs but always create a WW sample.
-      // Make sure they were effective.
-      (!finding.sample.input && finding.sample.effective) ||
-      /* Don't include low-scoring ineffective attacks.           */
-      !(!finding.sample.effective && !finding.sample.confirmedAttack)
-  );
-
-/**
- * Accepts a collection of findings and returns a new
- * collection whose samples are unique with respect to
- * input type and path of the finding per input type. Any
- * duplicate findings for the same type and path will be
- * filtered to only include  the one with the highest
- * points/effectiveness ranking.
+ * Accepts a collection of findings and returns a new collection whose samples
+ * are unique with respect to input type and path of the finding per input type.
+ * Any duplicate findings for the same type and path will be filtered to only
+ * include the one with the highest points/effectiveness ranking.
  * @param   {object[]} findings The findings to aggregate.
+ * @param   {function} wwFilter filter to check if a sample should be saved.
  * @returns {object[]}
+ *
+ * effective, but not blocked, becomes PROBED.
+ *
  */
-const aggregate = (findings = []) =>
-  _.values(_.reduce(filterLowScoring(findings), rankIntoMap, {}));
+function aggregate(findings, wwFilter) {
+  // separate the findings into effective and ineffective
+  // but marked as worth-watching by agent-lib. if not in
+  // one of the two lists, the finding is not relevant.
+  const effective = [];
+  const wwFindings = [];
+  // and the rest were not agent-lib worth-watching or effective
+  for (const finding of findings) {
+    const { sample } = finding;
+    if (sample.confirmedAttack || sample.effective) {
+      effective.push(finding);
+    } else if (finding.rule.agentLibBit && sample.assessment.results.importance === IMPORTANCE.WORTH_WATCHING) {
+      //console.log(finding.rule.id, s.results)
+      wwFindings.push(finding);
+    }
+  }
+
+  // do we need to run any inputs through the full scoring (not the abbreviated
+  // worth-watching scoring)?
+  if (wwFindings.length) {
+    for (const finding of wwFindings) {
+      if (wwFilter(finding)) {
+        finding.sample.assessment.results.importance = IMPORTANCE.DEFINITE;
+        // put this in the "effective list", even though it wasn't effective, so it
+        // will be reported as PROBED.
+        effective.push(finding);
+      }
+    }
+  }
+
+  return _.values(effective.reduce(rankIntoMap, {}));
+}
 
 module.exports = {
   aggregate