@contrast/config 1.33.0 → 1.35.0

package/lib/common.js

@@ -39,8 +39,18 @@ const {
     UNTRUSTED_DESERIALIZATION,
     XXE,
   },
+  primordials: { StringPrototypeToLowerCase },
+  get,
+  isString,
 } = require('@contrast/common');
 
+function coerceLowerCase(path) {
+  return function(remoteData) {
+    const value = get(remoteData, path);
+    if (value && isString(value)) return StringPrototypeToLowerCase.call(value);
+  };
+}
+
 function protectModeReader(ruleId) {
   return function (msg) {
     const remoteSetting = msg?.protect?.rules?.[ruleId];
@@ -62,20 +72,12 @@ const ConfigSource = {
   USER_CONFIGURATION_FILE: 'USER_CONFIGURATION_FILE',
 };
 
+// these should return `undefined` if there is no remote value corresponding to the effective config name.
 const mappings = {
-  // server features
-  'agent.logger.level': (remoteData) => remoteData.logger?.level?.toLowerCase?.(),
-  'agent.logger.path': (remoteData) => remoteData.logger?.path,
-  'application.session_id': (remoteData) => remoteData?.settings?.assessment?.session_id,
-  'agent.security_logger.syslog.enable': (remoteData) => remoteData.security_logger?.syslog?.enable,
-  'agent.security_logger.syslog.ip': (remoteData) => remoteData.security_logger?.syslog?.ip,
-  'agent.security_logger.syslog.port': (remoteData) => remoteData.security_logger?.syslog?.port,
-  'agent.security_logger.syslog.facility': (remoteData) => remoteData.security_logger?.syslog?.facility,
-  'agent.security_logger.syslog.severity_exploited': (remoteData) => remoteData.security_logger?.syslog?.severity_exploited?.toLowerCase(),
-  'agent.security_logger.syslog.severity_blocked': (remoteData) => remoteData.security_logger?.syslog?.severity_blocked?.toLowerCase(),
-  'agent.security_logger.syslog.severity_probed': (remoteData) => remoteData.security_logger?.syslog?.severity_probed?.toLowerCase(),
+  // agent startup (v1) or application startup (ng fallback)
+  'application.session_id': (remoteData) =>
+    remoteData.identification?.session_id ?? remoteData.settings?.assessment?.session_id,
   // application settings
-  'assess.enable': (remoteData) => remoteData.assess?.enable,
   'protect.enable': (remoteData) => remoteData.protect?.enable,
   'protect.rules.cmd-injection.mode': protectModeReader(CMD_INJECTION),
   'protect.rules.cmd-injection-command-backdoors.mode': protectModeReader(CMD_INJECTION_COMMAND_BACKDOORS),
@@ -92,6 +94,27 @@ const mappings = {
   'protect.rules.unsafe-file-upload.mode': protectModeReader(UNSAFE_FILE_UPLOAD),
   'protect.rules.untrusted-deserialization.mode': protectModeReader(UNTRUSTED_DESERIALIZATION),
   'protect.rules.xxe.mode': protectModeReader(XXE),
+  // server features
+  'assess.enable': (remoteData) => remoteData.assess?.enable,
+  'assess.probabilistic_sampling.enable': (remoteData) => remoteData.assess?.sampling?.enable,
+  'assess.probabilistic_sampling.base_probability': (remoteData) => {
+    const request_frequency = remoteData.assess?.sampling?.request_frequency;
+    if (request_frequency > 0) {
+      const baseProbability = 1 / request_frequency;
+      if (!isNaN(baseProbability)) return baseProbability;
+    }
+  },
+  'agent.logger.level': coerceLowerCase('logger.level'),
+  'agent.logger.path': (remoteData) => remoteData.logger?.path,
+  'agent.security_logger.syslog.enable': (remoteData) => remoteData.security_logger?.syslog?.enable,
+  'agent.security_logger.syslog.ip': (remoteData) => remoteData.security_logger?.syslog?.ip,
+  'agent.security_logger.syslog.port': (remoteData) => remoteData.security_logger?.syslog?.port,
+  'agent.security_logger.syslog.facility': (remoteData) => remoteData.security_logger?.syslog?.facility,
+  'agent.security_logger.syslog.severity_exploited': coerceLowerCase('security_logger.syslog.severity_exploited'),
+  'agent.security_logger.syslog.severity_blocked': coerceLowerCase('security_logger.syslog.severity_blocked'),
+  'agent.security_logger.syslog.severity_probed': coerceLowerCase('security_logger.syslog.severity_probed'),
+  'server.environment': (remoteData) => remoteData.environment,
+
 };
 
 /*

package/lib/common.test.js

@@ -0,0 +1,183 @@
+'use strict';
+
+const { expect } = require('chai');
+const { ProtectRuleMode } = require('@contrast/common');
+const { mappings } = require('./common');
+
+describe('config effective value mappings', function () {
+  describe('"simple" mappings', function() {
+    const simplyMappedNames = [
+      'assess.enable',
+      'agent.logger.path',
+      'agent.security_logger.syslog.enable',
+      'agent.security_logger.syslog.ip',
+      'agent.security_logger.syslog.port',
+      'agent.security_logger.syslog.facility',
+      'server.environment',
+      'protect.enable',
+    ];
+
+    it('"simple" mappings will return any value for corresponding remote setting (todo: validation for each)', function () {
+      ['', 'foo', null, 0.3, 3, {}, [], true, false].forEach((val) => {
+        const remoteData = {
+          // server
+          assess: {
+            enable: val,
+            sampling: { enable: val }
+          },
+          logger: {
+            path: val,
+          },
+          security_logger: {
+            syslog: {
+              enable: val,
+              ip: val,
+              port: val,
+              facility: val,
+              serverity_exploited: val,
+              serverity_blocked: val,
+              exploited_probed: val,
+            }
+          },
+          environment: val,
+          // app
+          protect: {
+            enable: val,
+          },
+        };
+
+        for (const name of simplyMappedNames) {
+          const result = mappings[name](remoteData);
+          expect(result).to.equal(val);
+        }
+      });
+    });
+
+    it('"simple" mappings will return `undefined` if there is no corresponding remote setting', function () {
+      for (const name of simplyMappedNames) {
+        expect(mappings[name]({})).to.equal(undefined);
+      }
+    });
+  });
+
+  describe('maps \'assess.probabilistic_sampling.base_probability\'', function() {
+    [
+      {
+        desc: 'sets value by inverting request_frequency',
+        remoteData: {
+          assess: { sampling: { request_frequency: 20 } }
+        },
+        expected: 1 / 20,
+      },
+      {
+        desc: 'ignores and returns undefined if request_frequency is 0',
+        remoteData: {
+          assess: { sampling: { request_frequency: 0 } }
+        },
+        expected: undefined,
+      },
+      {
+        desc: 'ignores and returns undefined if calculating probability gives NaN',
+        remoteData: {
+          assess: { sampling: { request_frequency: 'forty five' } }
+        },
+        expected: undefined,
+      },
+      {
+        desc: 'ignores and returns undefined if value is negative',
+        remoteData: {
+          assess: { sampling: { request_frequency: -12 } }
+        },
+        expected: undefined,
+      },
+    ].forEach(({ desc, remoteData, expected }) => {
+      it(desc, function() {
+        expect(mappings['assess.probabilistic_sampling.base_probability'](remoteData)).to.equal(expected);
+      });
+    });
+  });
+
+  describe('maps Protect rule modes', function() {
+    [
+      {
+        tsValue: 'OFF',
+        expected: ProtectRuleMode.OFF,
+      },
+      {
+        tsValue: 'MONITORING',
+        expected: ProtectRuleMode.MONITOR,
+      },
+      {
+        tsValue: 'BLOCKING',
+        expected: ProtectRuleMode.BLOCK,
+      },
+      {
+        tsValue: 'BLOCK_AT_PERIMETER',
+        expected: ProtectRuleMode.BLOCK_AT_PERIMETER,
+      },
+      {
+        tsValue: 'FOO',
+        expected: undefined
+      },
+    ].forEach(({ desc, tsValue, expected }) => {
+      [
+        'protect.rules.cmd-injection.mode',
+        'protect.rules.cmd-injection-command-backdoors.mode',
+        'protect.rules.cmd-injection-semantic-chained-commands.mode',
+        'protect.rules.cmd-injection-semantic-dangerous-paths.mode',
+        'protect.rules.method-tampering.mode',
+        'protect.rules.nosql-injection.mode',
+        'protect.rules.nosql-injection-mongo.mode',
+        'protect.rules.path-traversal.mode',
+        'protect.rules.path-traversal-semantic-file-security-bypass.mode',
+        'protect.rules.reflected-xss.mode',
+        'protect.rules.sql-injection.mode',
+        'protect.rules.ssjs-injection.mode',
+        'protect.rules.unsafe-file-upload.mode',
+        'protect.rules.untrusted-deserialization.mode',
+        'protect.rules.xxe.mode',
+      ].forEach((fullName) => {
+        const ruleName = /rules\.(.*)\.mode/.exec(fullName)[1];
+        it(`sets ${ruleName} to ${expected} when value is ${tsValue}`, function() {
+          expect(mappings[fullName]({
+            protect: {
+              rules: {
+                [ruleName]: { mode: tsValue },
+              }
+            }
+          })).to.equal(expected);
+        });
+      });
+    });
+  });
+
+  describe('maps security logger severity levels (lowercase)', function() {
+    [
+      {
+        tsValue: 'FOO',
+        expected: 'foo',
+      },
+      {
+        tsValue: '',
+        expected: undefined,
+      }
+    ].forEach(({ tsValue, expected }) => {
+      [
+        'agent.security_logger.syslog.severity_exploited',
+        'agent.security_logger.syslog.severity_blocked',
+        'agent.security_logger.syslog.severity_probed',
+      ].forEach((fullName) => {
+        const severity = fullName.substr(fullName.lastIndexOf('.') + 1);
+        it(`maps to ${expected} when tsValue is ${tsValue}`, function() {
+          expect(mappings[fullName]({
+            security_logger: {
+              syslog: {
+                [severity]: tsValue,
+              },
+            }
+          })).to.equal(expected);
+        });
+      });
+    });
+  });
+});

package/lib/config.js

@@ -20,7 +20,7 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 const yaml = require('yaml');
-const { Event, get, set } = require('@contrast/common');
+const { Event, get, set, primordials: { ArrayPrototypeJoin, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const options = require('./options');
 const {
   ConfigSource: {
@@ -74,7 +74,7 @@ module.exports = class Config {
 
     // report all the errors found during initialization.
     if (this._errors.length) {
-      const errors = this._errors.map((e, ix) => `${ix + 1}) ${e.message}`).join('; ');
+      const errors = ArrayPrototypeJoin.call(this._errors.map((e, ix) => `${ix + 1}) ${e.message}`), '; ');
       throw new Error(`Errors found in configuration ${errors}`);
     }
 
@@ -104,7 +104,7 @@ module.exports = class Config {
       let parsedEnv;
 
       try {
-        parsedEnv = JSON.parse(env.pm2_env);
+        parsedEnv = JSONParse(env.pm2_env);
       } catch (_err) {
         const err = new Error(`Unable to parse pm2 environment variable: '${env.pm2_env}'`);
         err.cause = _err;
@@ -122,7 +122,7 @@ module.exports = class Config {
     }
 
     return Object.entries(env).reduce((acc, [key, val]) => {
-      const name = key.toUpperCase();
+      const name = StringPrototypeToUpperCase.call(key);
       if (name.startsWith('CONTRAST_')) {
         acc[name] = val;
       }
@@ -161,11 +161,12 @@ module.exports = class Config {
 
     const { _filepath } = this;
 
-    if (_filepath) {
+    // deliberately ignore /dev/null (linux) and \\.\\nul (windows)
+    if (_filepath && _filepath !== os.devNull) {
       let fileContents;
 
       try {
-        fileContents = fs.readFileSync(_filepath).toString('utf-8');
+        fileContents = fs.readFileSync(_filepath, 'utf-8');
       } catch (e) {
         const err = new Error(`Unable to read Contrast configuration file: '${_filepath}'`);
         err.cause = e;
@@ -242,9 +243,8 @@ module.exports = class Config {
     Array.from(this._effectiveMap.values()).forEach((v) => {
       let { value } = v;
       if (redact) value = this._redact(v.name, v.value);
-      if (value === undefined) value = null;
 
-      const redacted = { ...v, value: String(value) };
+      const redacted = { ...v, value: value !== null ? String(value) : null };
       effective_config.push(redacted);
       if (v.source === ENVIRONMENT_VARIABLE) environment_variable.push(redacted);
       if (v.source === CONTRAST_UI) contrast_ui.push(redacted);

package/lib/index.d.ts

@@ -262,35 +262,24 @@ export interface Config {
   };
 
   application: {
-    /** override the reported application name. */
+    /** Override the reported application name. */
     name?: string;
-    /** override the reported application path. Default: `'/'` */
+    /** Override the reported application path. Default: `'/'` */
     path: string;
-    /** override the reported application version */
+    /** Add the name of the application group with which this application should be associated in the Contrast UI. */
+    group?: string;
+    /** Add the application code this application should use in the Contrast UI. */
+    code?: string;
+    /** Override the reported application version. */
     version?: string;
-
-    /**
-     * Provide the ID of a session existing within Contrast UI.
-     * Default: `null`
-     */
-    session_id: string | null;
-
-    /**
-     * How to report the application's group for auto-grouping
-     */
-    group: string | null;
-
-    /**
-     * Comma-separated list of key=value pairs that are applied to each application reported by the agent.
-     */
-    metadata: string | null;
-
-    /**
-     * Provide metadata used to create a new session within Contrast UI.
-     * Default: `null`
-     */
-    session_metadata: string | null;
-
+    /** Apply labels to an application. Labels must be formatted as a comma-delimited list. Example - `label1,label2,label3` */
+    tags?: string;
+    /** Comma-separated list of key=value pairs that are applied to each application reported by the agent. */
+    metadata?: string;
+    /** Provide the ID of a session existing within Contrast UI. Exclusive with `session_metadata` */
+    session_id?: string;
+    /** Provide metadata used to create a new session within Contrast UI. Exclusive with `session_id` */
+    session_metadata?: string;
   };
 
   /** Reported server information overrides */

package/lib/index.test.js

@@ -371,11 +371,12 @@ describe('config', function () {
       // there needs to be a valid config file or env var set so config doesn't throw
       // an error.
       process.env.CONTRAST_CONFIG_PATH = path.resolve(__dirname, '../../test/fixtures/protect_contrast_security.yaml');
+      //process.env.CONTRAST__PROTECT__RULES__DISABLED_RULES = 'cmd-injection,sql-injection';
       config = require('.')(core);
 
       config.setValue('contrast_config_path', path.resolve(__dirname, '../../test/fixtures/protect_contrast_security.yaml'), ENVIRONMENT_VARIABLE);
       config.setValue('contrast__agent__stack_trace_limit', 20, ENVIRONMENT_VARIABLE);
-      config.setValue('contrast.protect.rules.disabled_rules', ['cmd-injection', 'sql-injection'], ENVIRONMENT_VARIABLE);
+      config.setValue('protect.rules.disabled_rules', ['cmd-injection', 'sql-injection'], ENVIRONMENT_VARIABLE);
       config.setValue('api.enable', true, ENVIRONMENT_VARIABLE);
       config.setValue('api.api_key', 'ABCDEFGHIJ', ENVIRONMENT_VARIABLE);
       config.setValue('api.service_key', 'KLMNOPQRST', ENVIRONMENT_VARIABLE);
@@ -407,11 +408,12 @@ describe('config', function () {
         const {
           config: {
             effective_config,
+            environment_variable,
           }
         } = result;
 
         expect(result.config).to.have.property('status', 'Success');
-        expect(effective_config).to.deep.include(
+        const expectedResults = [
           {
             canonical_name: 'api.enable',
             name: 'api.enable',
@@ -422,13 +424,13 @@ describe('config', function () {
             canonical_name: 'api.api_key',
             name: 'api.api_key',
             source: 'ENVIRONMENT_VARIABLE',
-            value: 'contrast-redacted-api.api_key',
+            value: 'ABCDEFGHIJ',
           },
           {
             canonical_name: 'api.service_key',
             name: 'api.service_key',
             source: 'ENVIRONMENT_VARIABLE',
-            value: 'contrast-redacted-api.service_key',
+            value: 'KLMNOPQRST',
           },
           {
             canonical_name: 'api.proxy.enable',
@@ -496,7 +498,37 @@ describe('config', function () {
             value: '150',
             source: 'DEFAULT_VALUE'
           }
-        );
+        ];
+
+        const failures = [];
+        let effective;
+        let envs;
+        const envFailures = [];
+
+        for (const expected of expectedResults) {
+          effective = effective_config.filter(i => i.canonical_name === expected.canonical_name);
+          expect(effective).an('array').lengthOf(1); // eslint-disable-line
+          effective = effective[0];
+          try {
+            expect(expected).to.deep.equal(effective);
+          } catch (e) {
+            failures.push({ expected, actual: effective });
+          }
+          if (expected.source !== 'ENVIRONMENT_VARIABLE') continue;
+
+          envs = environment_variable.filter(i => i.canonical_name === expected.canonical_name);
+          expect(envs).an('array')
+            .lengthOf(1, `Expected to find ${expected.name} in environment_variable`);
+          envs = envs[0];
+          try {
+            expect(expected).to.deep.equal(envs);
+          } catch (e) {
+            envFailures.push({ expected, actual: envs });
+          }
+        }
+        // this provides a useful error message
+        expect(failures).eql([]);
+        expect(envFailures).eql([]);
       });
 
       it('stringifies values and redacts api keys when `redact` is set to true', function () {
@@ -504,11 +536,13 @@ describe('config', function () {
         const {
           config: {
             effective_config,
+            environment_variable,
           }
         } = result;
 
         expect(result.config).to.have.property('status', 'Success');
-        expect(effective_config).to.deep.include(
+
+        const expectedResults = [
           {
             canonical_name: 'api.enable',
             name: 'api.enable',
@@ -593,7 +627,37 @@ describe('config', function () {
             value: '150',
             source: 'DEFAULT_VALUE'
           }
-        );
+        ];
+
+        const failures = [];
+        let effective;
+        let envs;
+        const envFailures = [];
+
+        for (const expected of expectedResults) {
+          effective = effective_config.filter(i => i.canonical_name === expected.canonical_name);
+          expect(effective).an('array').lengthOf(1); // eslint-disable-line
+          effective = effective[0];
+          try {
+            expect(expected).to.deep.equal(effective);
+          } catch (e) {
+            failures.push({ expected, actual: effective });
+          }
+          if (expected.source !== 'ENVIRONMENT_VARIABLE') continue;
+
+          envs = environment_variable.filter(i => i.canonical_name === expected.canonical_name);
+          expect(envs).an('array')
+            .lengthOf(1, `Expected to find ${expected.name} in environment_variable`);
+          envs = envs[0];
+          try {
+            expect(expected).to.deep.equal(envs);
+          } catch (e) {
+            envFailures.push({ expected, actual: envs });
+          }
+        }
+        // this provides a useful error message
+        expect(failures).eql([]);
+        expect(envFailures).eql([]);
       });
     });
   });

package/lib/options.js

@@ -20,7 +20,7 @@
 const os = require('os');
 const url = require('url');
 const path = require('path');
-const { Rule } = require('@contrast/common');
+const { Rule, primordials: { BufferFrom, BufferPrototypeToString, StringPrototypeReplace, StringPrototypeReplaceAll, StringPrototypeSplit, StringPrototypeToLowerCase, StringPrototypeToUpperCase, JSONParse } } = require('@contrast/common');
 const { ConfigSource: { DEFAULT_VALUE } } = require('./common');
 
 /**
@@ -33,7 +33,7 @@ function castBoolean(value) {
   if (type !== 'string' && type !== 'boolean') {
     return;
   }
-  value = value.toString().toLowerCase();
+  value = StringPrototypeToLowerCase.call(value.toString());
   return value === 'true' || value === 't'
     ? true
     : value === 'false' || value === 'f'
@@ -61,11 +61,11 @@ function clearBaseCase(val) {
 const split = (val) => {
   if (val === '') return [];
   if (val === undefined) return val;
-  return val.split(',');
+  return StringPrototypeSplit.call(val, ',');
 };
 
-const uppercase = (val = '') => clearBaseCase(`${val}`.toUpperCase());
-const lowercase = (val = '') => clearBaseCase(`${val}`.toLowerCase());
+const uppercase = (val = '') => clearBaseCase(`${StringPrototypeToUpperCase.call(val)}`);
+const lowercase = (val = '') => clearBaseCase(`${StringPrototypeToLowerCase.call(val)}`);
 const parseNum = (val) => {
   const float = parseFloat(val);
   return clearBaseCase(Math.ceil(float));
@@ -129,7 +129,7 @@ const options = [
 
       if (uri.pathname) {
         // kill trailling /
-        uri.pathname = uri.pathname.replace(/\/+$/, '');
+        uri.pathname = StringPrototypeReplace.call(uri.pathname, /\/+$/, '');
 
         if (!uri.pathname.endsWith('Contrast')) {
           uri.pathname += 'Contrast';
@@ -163,7 +163,7 @@ const options = [
     fn(value, cfg, source) {
       try {
         // parse the base64 encoded value
-        const parsed = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
+        const parsed = JSONParse(BufferPrototypeToString.call(BufferFrom(value, 'base64'), 'utf8'));
         // set the top level `api` keys only if they aren't already present.
         // since this value comes after the others, they should be set first if present in the config file or environment.
         ['url', 'api_key', 'service_key', 'user_name'].forEach(key => {
@@ -439,7 +439,7 @@ Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\`
     name: 'agent.node.cmd_ignore_list',
     arg: '<commands>',
     default: '',
-    fn: (arg) => arg.split(',').filter((v) => v),
+    fn: (arg) => StringPrototypeSplit.call(arg, ',').filter((v) => v),
     desc: 'comma-separated list of commands that will not startup the agent if agent is required; npm* will ignore all npm executables but not your application\'s scripts'
   },
   {
@@ -533,6 +533,29 @@ Example - \`/opt/Contrast/contrast.log\` creates a log in the \`/opt/Contrast\`
     fn: castBoolean,
     desc: 'Include this property to determine if the Assess feature should be enabled. If this property is not present, the decision is delegated to the Contrast UI.',
   },
+  {
+    name: 'assess.probabilistic_sampling.enable',
+    arg: '[true]',
+    default: false,
+    fn: castBoolean,
+    desc: 'Set to true to enable sampling of requests for dataflow and other Assess features',
+  },
+  {
+    name: 'assess.probabilistic_sampling.base_probability',
+    arg: '<probability>',
+    fn: (val) => {
+      const p = parseFloat(val);
+      if (p >= 0 && p <= 1) return p;
+
+      if (val && val != 'undefined') {
+        throw new Error('Invalid option: assess.probabilistic_sampling.base_probability', {
+          cause: `${val} is not not in interval 0 <= p <= 1. value as float: ${p}`
+        });
+      }
+    },
+    default: 0.01,
+    desc: 'A value p within the interval [0, 1]. Each request will share same probability p of being sampled.',
+  },
   {
     name: 'assess.tags',
     arg: '<tags>',
@@ -611,7 +634,7 @@ Example - \`label1, label2, label3\``,
   {
     name: 'application.name',
     arg: '<name>',
-    desc: "Override the reported application name. Defaults to the `name` field from an application's `package.json`",
+    desc: 'Override the reported application name.',
   },
   {
     name: 'application.path',
@@ -619,33 +642,41 @@ Example - \`label1, label2, label3\``,
     default: '/',
     desc: 'Override the reported application path.',
   },
+  {
+    name: 'application.group',
+    arg: '<group>',
+    desc: 'Add the name of the application group with which this application should be associated in the Contrast UI.',
+  },
+  {
+    name: 'application.code',
+    arg: '<code>',
+    desc: 'Add the application code this application should use in the Contrast UI.'
+  },
   {
     name: 'application.version',
     arg: '<version>',
-    desc: "Override the reported application version. Defaults to the `version` field from an application's `package.json`",
+    desc: 'Override the reported application version.',
+  },
+  {
+    name: 'application.tags',
+    arg: '<tags>',
+    desc: 'Apply labels to an application. Labels must be formatted as a comma-delimited list. Example - `label1,label2,label3`'
+  },
+  {
+    name: 'application.metadata',
+    arg: '<metadata>',
+    desc: 'Define a set of `key=value` pairs (which conforms to RFC 2253) for specifying user-defined metadata associated with the application. The set must be formatted as a comma-delimited list of `key=value` pairs. Example - `business-unit=accounting, office=Baltimore`',
   },
   {
     name: 'application.session_id',
     arg: '<session_id>',
-    default: null,
     desc: 'Provide the ID of a session which already exists in the Contrast UI. Vulnerabilities discovered by the agent are associated with this session. If an invalid ID is supplied, the agent will be disabled. This option and `application.session_metadata` are mutually exclusive; if both are set, the agent will be disabled.',
   },
   {
     name: 'application.session_metadata',
     arg: '<session_metadata>',
-    default: null,
     desc: 'Provide metadata which is used to create a new session ID in the Contrast UI. Vulnerabilities discovered by the agent are associated with this new session. This value should be formatted as `key=value` pairs (conforming to RFC 2253). Available key names for this configuration are branchName, buildNumber, commitHash, committer, gitTag, repository, testRun, and version. This option and `application.session_id` are mutually exclusive; if both are set the agent will be disabled.',
   },
-  {
-    name: 'application.group',
-    arg: '<tags>',
-    desc: "how to report the application's group for auto-grouping",
-  },
-  {
-    name: 'application.metadata',
-    arg: '<metadata>',
-    desc: 'comma-separated list of key=value pairs that are applied to each application reported by the agent.',
-  },
   // server
   {
     name: 'server.name',
@@ -686,10 +717,11 @@ Example - \`label1, label2, label3\``,
     fn: castBoolean,
     desc: 'Set to `false` to disable detection of cloud provider metadata such as resource identifiers.'
   },
-].map((opt) => Object.assign(opt, {
-  env: `CONTRAST__${opt.name.toUpperCase().replaceAll('.', '__')
-    .replaceAll('-', '_')}`
-}));
+].map((opt) => {
+  let env = StringPrototypeReplaceAll.call(StringPrototypeToUpperCase.call(opt.name), '.', '__');
+  env = StringPrototypeReplaceAll.call(env, '-', '_');
+  return Object.assign(opt, { env: `CONTRAST__${env}` });
+});
 
 module.exports = options;
 module.exports.clearBaseCase = clearBaseCase;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.33.0",
+  "version": "1.35.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.25.0",
+    "@contrast/common": "1.26.0",
     "yaml": "^2.2.2"
   }
 }