@contrast/core 1.32.3 → 1.34.0

package/lib/agent-info.js

@@ -15,10 +15,11 @@
 
 'use strict';
 
+const { randomUUID } = require('crypto');
 const { name: agentName, version: agentVersion } = require('../package.json');
 
 module.exports = function init(core) {
-  // default to version of core
+  // default to name and version of core
   if (!core.agentName) {
     core.agentName = agentName;
   }
@@ -26,5 +27,10 @@ module.exports = function init(core) {
     core.agentVersion = agentVersion;
   }
 
+  // default to a new random UUID
+  if (!core.reportingInstance) {
+    core.reportingInstance = randomUUID();
+  }
+
   return core;
 };

package/lib/app-info.js

@@ -167,7 +167,7 @@ module.exports = function (core) {
 
     for (dir of dirs) {
       try {
-        packageFile = findPackageJsonSync({ cwd: dir });
+        packageFile = process.env.npm_package_json ?? findPackageJsonSync({ cwd: dir });
         packageData = require(packageFile);
         break;
       } catch (err) {} // eslint-disable-line no-empty

package/lib/app-info.test.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+describe('core app-info', function () {
+  let os, core, appInfo;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.config.server.type = 'Node.js';
+    core.config.server.environment = 'PRODUCTION';
+    core.logger = mocks.logger();
+    core.config.server.name = 'zoing';
+
+    os = {
+      type: sinon.stub().returns('Linux'),
+      platform: sinon.stub().returns('linux'),
+      arch: sinon.stub().returns('x64'),
+      release: sinon.stub().returns('1.23.45'),
+      hostname: sinon.stub().returns('hostname'),
+    };
+
+    appInfo = proxyquire(
+      './app-info',
+      {
+        os,
+        process: {
+          ...process,
+          argv: ['node', __filename],
+          version: 'v14.17.5'
+        }
+      }
+    )(core);
+  });
+
+  it('builds out app data from os and process information', function () {
+    expect(appInfo).to.deep.include({
+      os: {
+        type: 'Linux',
+        platform: 'linux',
+        architecture: 'x64',
+        release: '1.23.45'
+      },
+      hostname: 'hostname',
+      indexFile: __filename,
+      serverVersion: undefined,
+      node_version: 'v14.17.5',
+      appPath: '/',
+      serverName: 'zoing',
+      serverType: 'Node.js',
+      serverEnvironment: 'PRODUCTION',
+      group: undefined,
+      metadata: undefined
+    });
+  });
+
+  it("instantiates with _errors if package con't be found at provided app_root", function() {
+    const { npm_package_json } = process.env;
+    delete process.env.npm_package_json;
+
+    core.config.agent.node.app_root = '/no/package/at/this/path';
+    appInfo = proxyquire(
+      './app-info',
+      {
+        os,
+        process: {
+          ...process,
+          argv: ['node', ''],
+          version: 'v14.17.5'
+        }
+      }
+    );
+    const fn = () => appInfo(core);
+    expect(fn).throws('unable to locate application package.json');
+
+    process.env.npm_package_json = npm_package_json;
+  });
+});

package/lib/capture-stacktrace.test.js

@@ -0,0 +1,55 @@
+'use strict';
+
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+
+describe('core capture-stacktrace', function g() {
+  let core;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    require('./capture-stacktrace')(core);
+  });
+
+  it('appends a stack getter property', function () {
+    const obj = { foo: 'bar' };
+    core.captureStacktrace(obj);
+    const desc = Object.getOwnPropertyDescriptor(obj, 'stack');
+    expect(typeof desc.get).to.equal('function');
+  });
+
+  it('generates a stacktrace from given options', function () {
+    (function outer() {
+      (function inner() {
+        const obj = {};
+        core.captureStacktrace(obj, { constructorOpt: inner });
+        expect(obj.stack[0]).to.have.property('method', 'outer');
+        expect(obj.stack).to.have.lengthOf(10);
+      })();
+    })();
+  });
+
+  describe('createSnapshot', function () {
+    it('prepends desired frames', function() {
+      const frame = { foo: 'bar' };
+      const stub = function stub() { };
+
+      const snapshot = core.createSnapshot({ prependFrames: [frame, stub] });
+      const result = snapshot();
+      expect(result[0]).to.equal(frame);
+      expect(result[1]).to.have.property('method', 'stub');
+    });
+
+    it('handles `eval`', function () {
+      const snapshot = eval('core.createSnapshot()');
+      const result = snapshot();
+
+      expect(result).to.have.length(10);
+      const evalFrame = result[3];
+      expect(evalFrame).to.have.property('eval').that.is.not.undefined;
+      expect(evalFrame).to.have.property('file').that.matches(/capture-stacktrace.test.js$/);
+      expect(evalFrame).to.have.property('method', 'eval');
+    });
+  });
+});

package/lib/contrast-methods.test.js

@@ -0,0 +1,299 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+const patcher = require('@contrast/patcher');
+
+const { stringify } = JSON;
+
+const title = (method, args, expected) =>
+  `${method}(${args.map(stringify).join(', ')}) = ${stringify(expected)}`;
+
+describe('core contrast-methods', function () {
+  let core, contrastMethods, api;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    sinon.spy(core.patcher, 'patch');
+    contrastMethods = require('./contrast-methods')(core);
+    api = contrastMethods.api;
+  });
+
+  const GENERIC_TESTS = [{}, null, 1, 'two', undefined];
+
+  describe('.api', function () {
+    describe('.eval()', function () {
+      GENERIC_TESTS.forEach((arg) => {
+        it(title('eval', [arg], arg), function () {
+          expect(api.eval(arg)).to.equal(arg);
+        });
+      });
+    });
+
+    const ADD_TESTS = [
+      [[1, 2], 3],
+      [[1, '2'], '12'],
+      [['foo', 'bar'], 'foobar'],
+    ];
+
+    describe('.addAssign()', function () {
+      ADD_TESTS.forEach(([args, expected]) => {
+        it(title('addAssign', args, expected), function () {
+          expect(api.addAssign(...args)).to.equal(expected);
+        });
+      });
+    });
+
+    describe('.add()', function () {
+      ADD_TESTS.forEach(([args, expected], i) => {
+        it(title('add', args, expected), function () {
+          expect(api.add(...args)).to.equal(expected);
+        });
+      });
+    });
+
+    const obj1 = { foo: 'bar' };
+    const obj2 = { foo: 'bar' };
+    const EQ_TESTS = [
+      [['', ''], true, true],
+      [['foo', 'foo'], true, true],
+      [['foo', 'bar'], false, false],
+      [[1, 1], true, true],
+      [[1, 2], false, false],
+      [[1, '1'], true, false],
+      [[obj1, obj1], true, true],
+      [[obj1, obj2], false, false],
+    ];
+
+    describe('.eqEq()', function () {
+      EQ_TESTS.forEach(([args, expected]) => {
+        it(title('eqEq', args, expected), function () {
+          expect(api.eqEq(...args)).to.equal(expected);
+        });
+      });
+    });
+
+    describe('.eqEqEq()', function () {
+      EQ_TESTS.forEach(([args, _, expected]) => {
+        it(title('eqEqEq', args, expected), function () {
+          expect(api.eqEqEq(...args)).to.equal(expected);
+        });
+      });
+    });
+
+    describe('.notEq()', function () {
+      EQ_TESTS.forEach(([args, expected]) => {
+        it(title('notEq', args, !expected), function () {
+          expect(api.notEq(...args)).to.equal(!expected);
+        });
+      });
+    });
+
+    describe('.notEqEq()', function () {
+      EQ_TESTS.forEach(([args, _, expected]) => {
+        it(title('notEqEq', args, !expected), function () {
+          expect(api.notEqEq(...args)).to.equal(!expected);
+        });
+      });
+    });
+
+    describe('.forceCopy()', function () {
+      GENERIC_TESTS.forEach((arg) => {
+        it(title('forceCopy', [arg], arg), function () {
+          expect(api.forceCopy(arg)).to.equal(arg);
+        });
+      });
+    });
+
+    describe('.cast()', function () {
+      GENERIC_TESTS.forEach((arg) => {
+        it(title('cast', [arg], arg), function () {
+          expect(api.cast(arg)).to.equal(arg);
+        });
+      });
+    });
+
+    describe('.tag()', function () {
+      const bar = 'bar';
+      const baz = 'baz';
+
+      [
+        [[['']], ``], // eslint-disable-line quotes
+        [[['foo']], `foo`], // eslint-disable-line quotes
+        [[['', ''], bar], `${bar}`],
+        [[['foo', ''], bar], `foo${bar}`],
+        [[['foo', 'boo'], bar], `foo${bar}boo`],
+        [[['foo', 'boo', ''], bar, baz], `foo${bar}boo${baz}`],
+        [[['foo', 'boo', '.'], bar, baz], `foo${bar}boo${baz}.`],
+      ].forEach(([args, template]) => {
+        it(title('tag', args, template), function () {
+          expect(api.tag(...args)).to.equal(template);
+        });
+      });
+    });
+
+    describe('.Function()', function () {
+      it('patches the Function global', function () {
+        expect(core.patcher.patch).to.have.been.calledWithExactly(Function, {
+          name: 'global.Function',
+          patchType: 'rewrite-injection',
+          funcKey: 'rewrite-injection:global.Function',
+        });
+      });
+
+      it('acts as a function constructor', function () {
+        const fn = api.Function('return "hello world"');
+
+        expect(fn()).to.equal('hello world');
+      });
+    });
+
+    describe('.Number()', function () {
+      it('patches the Number global', function () {
+        expect(core.patcher.patch).to.have.been.calledWithExactly(Number, {
+          name: 'global.Number',
+          patchType: 'rewrite-injection',
+          funcKey: 'rewrite-injection:global.Number',
+        });
+      });
+
+      it('Number(14)', function () {
+        const result = api.Number(14);
+
+        expect(typeof result).to.equal('number');
+        expect(result).to.equal(14);
+      });
+
+      it("Number('14')", function () {
+        const result = api.Number('14');
+
+        expect(typeof result).to.equal('number');
+        expect(result).to.equal(14);
+      });
+
+      it("Number('boo')", function () {
+        const result = api.Number('boo');
+
+        expect(typeof result).to.equal('number');
+        expect(result).to.be.NaN;
+      });
+    });
+
+    describe('.Object()', function () {
+      it('patches the Object global', function () {
+        expect(core.patcher.patch).to.have.been.calledWithExactly(Object, {
+          name: 'global.Object',
+          patchType: 'rewrite-injection',
+          funcKey: 'rewrite-injection:global.Object',
+        });
+      });
+
+      it('Object(null)', function () {
+        const result = api.Object(null);
+
+        expect(typeof result).to.equal('object');
+        expect(result).not.to.equal({});
+        expect(result).to.deep.equal({});
+        expect(result.toString()).to.equal('[object Object]');
+      });
+
+      it("Object({ foo: 'bar' })", function () {
+        const obj = { foo: 'bar' };
+        const result = api.Object(obj);
+
+        expect(typeof result).to.equal('object');
+        expect(result).to.equal(obj);
+        expect(result.toString()).to.equal('[object Object]');
+      });
+
+      it("Object('boo')", function () {
+        const str = 'boo';
+        const result = api.Object(str);
+
+        expect(typeof result).to.equal('object');
+        expect(result == str).to.be.true;
+        expect(result === str).to.be.false;
+        expect(result.toString()).to.equal(str);
+      });
+    });
+
+    describe('.String()', function () {
+      it('patches the String global', function () {
+        expect(core.patcher.patch).to.have.been.calledWithExactly(String, {
+          name: 'global.String',
+          patchType: 'rewrite-injection',
+          funcKey: 'rewrite-injection:global.String',
+        });
+      });
+
+      it("String('boo')", function () {
+        const str = 'boo';
+        const result = api.String(str);
+
+        expect(typeof result).to.equal('string');
+        expect(result).to.equal(str);
+      });
+
+      it('String(14)', function () {
+        const result = api.String(14);
+
+        expect(typeof result).to.equal('string');
+        expect(result).to.equal('14');
+      });
+
+      it("String({ foo: 'bar' })", function () {
+        const result = api.String({ foo: 'bar' });
+
+        expect(typeof result).to.equal('string');
+        expect(result).to.equal('[object Object]');
+      });
+    });
+  });
+
+  describe('.getGlobal()', function () {
+    it('returns global', function () {
+      expect(contrastMethods.getGlobal()).to.equal(global);
+    });
+  });
+
+  describe('.install()', function () {
+    let globalMock;
+
+    beforeEach(function () {
+      globalMock = {};
+      sinon.stub(contrastMethods, 'getGlobal').returns(globalMock);
+    });
+
+    it('installs on global a single time', function () {
+      expect(globalMock).not.to.have.property('ContrastMethods');
+
+      contrastMethods.install();
+      expect(globalMock).to.have.property('ContrastMethods', api);
+      expect(contrastMethods.getGlobal).to.have.been.calledOnce;
+
+      expect(() => {
+        delete globalMock.ContrastMethods;
+      }).throw("Cannot delete property 'ContrastMethods'");
+
+      contrastMethods.install();
+      expect(globalMock).to.have.property('ContrastMethods', api);
+      expect(contrastMethods.getGlobal).to.have.been.calledOnce;
+    });
+
+    it('logs an error when global.ContrastMethods cannot be injected', function () {
+      Object.defineProperty(globalMock, 'ContrastMethods', {
+        configurable: false,
+        value: 'does not matter for test',
+      });
+
+      contrastMethods.install();
+      expect(core.logger.error).to.have.been.calledWith(
+        sinon.match(Error),
+        'Unable to define global.ContrastMethods',
+      );
+    });
+  });
+});

package/lib/index.d.ts

@@ -13,7 +13,7 @@
  * way not consistent with the End User License Agreement.
  */
 
-import { AppInfo, Messages } from '@contrast/common';
+import { AppInfo, Messages, SystemInfo } from '@contrast/common';
 
 interface Frame {
   eval: string | undefined;
@@ -32,6 +32,7 @@ interface CreateSnapshotOpts {
 export interface Core {
   agentName: string;
   agentVersion: string;
+  reportingInstance: string;
 
   appInfo: AppInfo;
 
@@ -44,5 +45,5 @@ export interface Core {
 
   sensitiveDataMasking: any;
 
-  getSystemInfo(): any;
+  getSystemInfo(): Promise<SystemInfo>;
 }

package/lib/sensitive-data-masking/index.test.js

@@ -0,0 +1,163 @@
+'use strict';
+
+const { describe } = require('mocha');
+const { expect } = require('chai');
+const dataMaskingFactory = require('../sensitive-data-masking');
+const mocks = require('@contrast/test/mocks');
+const { Event, Rule } = require('@contrast/common');
+
+describe('core sensitive-data-masking', function () {
+  let core, sdMasking, reqData, parsedParams, parsedCookies, parsedQuery, parsedBody, protect, resultsMap, trackRequest;
+
+  const ssn = '123-12-1234';
+  const cvv = '123';
+  const routingNumber = '123123123';
+  const apiToken = '$123-abcd<456*def';
+  const policy = require('../../test/resources/sensitive-data-policy');
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.protect = mocks.protect();
+    core.config.api.enable = false;
+
+    reqData = {
+      uriPath: `/test/${cvv}/stuff`,
+      queries: `apiToken=${apiToken}&foo=bar`,
+      headers: [
+        'routingAccNum',
+        routingNumber,
+      ],
+    };
+    parsedQuery = { ssn };
+    parsedParams = { cvv };
+    parsedCookies = { ssn };
+    parsedBody = { ssn, input: '../../etc/passwd' };
+
+    trackRequest = true;
+    resultsMap = {
+      'sql-injection': [
+        {
+          value: apiToken,
+          score: 10,
+          ruleId: Rule.SQL_INJECTION,
+          path: [],
+          mappedId: 'sql-injection',
+          key: 'apiToken',
+          inputType: 'HeaderValue',
+          idsList: [
+            'worth-watching'
+          ],
+          exploitMetadata: [],
+          blocked: false
+        },
+        {
+          value: ssn,
+          score: 10,
+          ruleId: Rule.SQL_INJECTION,
+          path: [],
+          mappedId: 'sql-injection',
+          key: 'ssn',
+          inputType: 'JsonValue',
+          idsList: [],
+          exploitMetadata: [],
+          blocked: false
+        },
+      ],
+    };
+
+    protect = {
+      reqData,
+      parsedQuery,
+      parsedParams,
+      parsedCookies,
+      parsedBody,
+      resultsMap,
+      trackRequest
+    };
+    sdMasking = dataMaskingFactory(core);
+  });
+
+  it('logs when no policy is in server-settings message', function () {
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {});
+    expect(sdMasking.policy.keywordSets).to.be.empty;
+    expect(sdMasking.policy.idMap).to.be.empty;
+  });
+
+  it('handler is noop if no settings have been published', function () {
+    const store = { protect };
+
+    core.messages.emit(Event.PROTECT, store);
+
+    expect(reqData.uriPath).to.contain(cvv);
+    expect(reqData.queries).to.contain(apiToken);
+    expect(reqData.headers[1]).to.equal(routingNumber);
+    expect(parsedCookies).to.have.property('ssn', ssn);
+    expect(parsedQuery).to.have.property('ssn', ssn);
+    expect(parsedParams).to.have.property('cvv', cvv);
+    expect(protect.parsedBody).to.have.property('ssn', ssn);
+    expect(
+      resultsMap['sql-injection'][0]
+    ).to.have.property('value', apiToken);
+    expect(
+      store.protect.resultsMap['sql-injection'][1]
+    ).to.have.property('value', ssn);
+  });
+
+  it('handles protect message', function () {
+    const store = { protect };
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, { sensitive_data_masking_policy: policy });
+    expect(core.logger.trace).to.have.been.calledWith('updating sensitive data masking policy');
+    expect(parsedCookies).to.have.property('ssn', ssn);
+
+    core.messages.emit(Event.PROTECT, store);
+
+    expect(reqData.uriPath).to.equal('/test/contrast-redacted-financial-info/stuff');
+    expect(reqData.queries).to.equal('apiToken=contrast-redacted-authentication-info&foo=bar');
+    expect(reqData.headers[1]).to.equal('contrast-redacted-financial-info');
+    expect(parsedCookies).to.have.property('ssn', 'contrast-redacted-government-id');
+    expect(parsedQuery).to.have.property('ssn', 'contrast-redacted-government-id');
+    expect(parsedParams).to.have.property('cvv', 'contrast-redacted-financial-info');
+    expect(protect.parsedBody).to.equal('contrast-redacted-body');
+    expect(
+      resultsMap['sql-injection'][0]
+    ).to.have.property('value', 'contrast-redacted-authentication-info');
+    expect(
+      store.protect.resultsMap['sql-injection'][1]
+    ).to.have.property('value', 'contrast-redacted-government-id');
+  });
+
+  it('policy controls masking of attack vectors and body', function () {
+    const store = { protect };
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      sensitive_data_masking_policy: {
+        ...policy,
+        mask_http_body: false,
+        mask_attack_vector: false,
+      }
+    });
+    expect(core.logger.trace).to.have.been.calledWith('updating sensitive data masking policy');
+    expect(parsedCookies).to.have.property('ssn', ssn);
+
+    core.messages.emit(Event.PROTECT, store);
+
+    expect(reqData.uriPath).to.equal('/test/contrast-redacted-financial-info/stuff');
+    expect(reqData.queries).to.equal('apiToken=contrast-redacted-authentication-info&foo=bar');
+    expect(reqData.headers[1]).to.equal('contrast-redacted-financial-info');
+    expect(parsedCookies).to.have.property('ssn', 'contrast-redacted-government-id');
+    expect(parsedQuery).to.have.property('ssn', 'contrast-redacted-government-id');
+    expect(parsedParams).to.have.property('cvv', 'contrast-redacted-financial-info');
+    expect(protect.parsedBody).to.deep.equal({
+      ssn: 'contrast-redacted-government-id',
+      input: '../../etc/passwd'
+    });
+    expect(
+      resultsMap['sql-injection'][0]
+    ).to.have.property('value', apiToken);
+    expect(
+      store.protect.resultsMap['sql-injection'][1]
+    ).to.have.property('value', ssn);
+  });
+});

package/lib/system-info/cloud-provider-metadata.js

@@ -0,0 +1,146 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+// @ts-check
+'use strict';
+
+const { default: axios } = require('axios');
+const METADATA_ENDPOINT_ADDRESS = 'http://169.254.169.254';
+
+/** @param {number} ms */
+const abort = (ms) => {
+  const abortController = new AbortController();
+  setTimeout(() => abortController.abort(), ms);
+  return abortController.signal;
+};
+
+/** @param {number} ms */
+const delay = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+
+const FETCHERS = {
+  /** @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html */
+  async AWS() {
+    try {
+      const { data: token } = await axios({
+        method: 'PUT',
+        url: new URL('/latest/api/token', METADATA_ENDPOINT_ADDRESS).href,
+        headers: {
+          'X-aws-ec2-metadata-token-ttl-seconds': '300'
+        },
+        proxy: false, // proxies should not be used in any cloud provider.
+        signal: abort(5000),
+      });
+      const { data: document } = await axios({
+        method: 'GET',
+        url: new URL('/latest/dynamic/instance-identity/document', METADATA_ENDPOINT_ADDRESS).href,
+        headers: {
+          'X-aws-ec2-metadata-token': token
+        },
+        proxy: false,
+        signal: abort(5000),
+      });
+
+      if (document) {
+        const { region, accountId, instanceId } = document;
+        return {
+          provider: 'aws',
+          id: `arn:aws:ec2:${region}:${accountId}:instance/${instanceId}`,
+        };
+      }
+    } catch {
+      // ignore, return null
+    }
+
+    return null;
+  },
+  /** @see https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux */
+  async Azure() {
+    try {
+      const { data: resourceId } = await axios({
+        method: 'GET',
+        url: new URL('/metadata/instance/compute/resourceId?api-version=2021-02-01&format=text', METADATA_ENDPOINT_ADDRESS).href,
+        headers: {
+          Metadata: 'true'
+        },
+        proxy: false,
+        signal: abort(5000),
+      });
+
+      if (resourceId) {
+        return {
+          provider: 'azure',
+          id: resourceId,
+        };
+      }
+    } catch {
+      // ignore, return null
+    }
+
+    return null;
+  },
+  /** @see https://cloud.google.com/compute/docs/metadata/querying-metadata */
+  async GCP() {
+    try {
+      const { data: id } = await axios({
+        method: 'GET',
+        url: new URL('/computeMetadata/v1/instance/id?alt=text', METADATA_ENDPOINT_ADDRESS).href,
+        headers: {
+          'Metadata-Flavor': 'Google'
+        },
+        // id is a numerical value too big to handle as a js `number`, so we
+        // need to make sure we don't try to parse the response value.
+        transformResponse: (res) => res,
+        proxy: false,
+        signal: abort(5000)
+      });
+
+      if (id) {
+        return { provider: 'gcp', id };
+      }
+    } catch (err) {
+      // retry after 1 second on 503
+      if (err?.response?.status === 503) {
+        await delay(1000);
+        return this.GCP();
+      }
+      // otherwise ignore, return null
+    }
+
+    return null;
+  }
+};
+
+module.exports = {
+  /**
+   * If passed a `provider`, set by the `inventory.gather_metadata_via` config
+   * option, we will only try to retrieve metadata from that cloud provider. If
+   * no provider is passed, we will attempt all endpoints in parallel, returning
+   * the first result or `null` if none resolve within 5 seconds.
+   *
+   * @param {import('@contrast/config').Config['inventory']['gather_metadata_via']} provider
+   * @returns {Promise<{ provider: string, id: string } | null>}
+   */
+  async getCloudProviderMetadata(provider) {
+    if (provider && FETCHERS[provider]) return FETCHERS[provider]();
+
+    const results = await Promise.allSettled(Object.values(FETCHERS).map(fn => fn()));
+    for (const result of results) {
+      if (result.status === 'fulfilled' && result.value !== null) {
+        return result.value;
+      }
+    }
+
+    return null;
+  }
+};

package/lib/system-info/cloud-provider-metadata.test.js

@@ -0,0 +1,160 @@
+// @ts-check
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const { CanceledError } = require('axios');
+
+describe('core system-result cloud-provider-metadata', function () {
+  /** @type {sinon.SinonStub} */
+  let axios;
+  /** @type {import('./cloud-provider-metadata').getCloudProviderMetadata} */
+  let getCloudProviderMetadata;
+
+  beforeEach(function () {
+    axios = sinon.stub().rejects();
+
+    getCloudProviderMetadata = proxyquire('./cloud-provider-metadata', {
+      axios: { default: axios }
+    }).getCloudProviderMetadata;
+  });
+
+  describe('AWS', function () {
+    it('handles aws', async function () {
+      axios.onCall(0).resolves({ data: 'foo' });
+      axios.onCall(1).resolves({ data: { region: 'us-east1', accountId: '123456789', instanceId: 'i-012345678' } });
+
+      const result = await getCloudProviderMetadata('AWS');
+      expect(axios).to.have.callCount(2);
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'PUT',
+        url: 'http://169.254.169.254/latest/api/token',
+        headers: {
+          'X-aws-ec2-metadata-token-ttl-seconds': '300'
+        },
+      });
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'GET',
+        url: 'http://169.254.169.254/latest/dynamic/instance-identity/document',
+        headers: {
+          'X-aws-ec2-metadata-token': 'foo'
+        }
+      });
+      expect(result).to.deep.equal({
+        provider: 'aws',
+        id: 'arn:aws:ec2:us-east1:123456789:instance/i-012345678',
+      });
+    });
+
+    it('handles errors', async function () {
+      axios.onCall(0).resolves({ data: 'foo' });
+      axios.onCall(1).rejects();
+
+      const result = await getCloudProviderMetadata('AWS');
+      expect(axios).to.have.callCount(2);
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'PUT',
+        url: 'http://169.254.169.254/latest/api/token',
+        headers: {
+          'X-aws-ec2-metadata-token-ttl-seconds': '300'
+        },
+        proxy: false,
+      });
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'GET',
+        url: 'http://169.254.169.254/latest/dynamic/instance-identity/document',
+        headers: {
+          'X-aws-ec2-metadata-token': 'foo'
+        },
+        proxy: false,
+      });
+      expect(result).to.be.null;
+    });
+  });
+
+  describe('Azure', function () {
+    it('handles azure', async function () {
+      // example from azure docs: https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#access-azure-instance-metadata-service
+      const id = '/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/providers/Microsoft.Compute/virtualMachines/examplevmname';
+      axios.resolves({ data: id });
+
+      const result = await getCloudProviderMetadata('Azure');
+      expect(axios).to.have.callCount(1);
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'GET',
+        url: 'http://169.254.169.254/metadata/instance/compute/resourceId?api-version=2021-02-01&format=text',
+        headers: {
+          Metadata: 'true'
+        },
+        proxy: false,
+      });
+      expect(result).to.deep.equal({ provider: 'azure', id });
+    });
+
+    it('handles errors', async function () {
+      axios.rejects();
+
+      const result = await getCloudProviderMetadata('Azure');
+      expect(axios).to.have.callCount(1);
+      expect(result).to.be.null;
+    });
+  });
+
+  describe('GCP', function () {
+    it('handles gcp', async function () {
+      axios.resolves({ data: '954399829989587067' });
+
+      const result = await getCloudProviderMetadata('GCP');
+      expect(axios).to.have.callCount(1);
+      expect(axios).to.have.been.calledWithMatch({
+        method: 'GET',
+        url: 'http://169.254.169.254/computeMetadata/v1/instance/id?alt=text',
+        headers: {
+          'Metadata-Flavor': 'Google'
+        },
+        proxy: false,
+      });
+      expect(result).to.deep.equal({ provider: 'gcp', id: '954399829989587067' });
+    });
+
+    it('retries if a 503 is returned', async function () {
+      axios.onCall(0).rejects({ response: { status: 503 } });
+      axios.onCall(1).resolves({ data: '954399829989587067' });
+
+      const result = await getCloudProviderMetadata('GCP');
+      expect(axios).to.have.callCount(2);
+      expect(result).to.deep.equal({ provider: 'gcp', id: '954399829989587067' });
+    });
+
+    it('handles misc errors', async function () {
+      axios.rejects();
+
+      const result = await getCloudProviderMetadata('GCP');
+      expect(axios).to.have.callCount(1);
+      expect(result).to.be.null;
+    });
+  });
+
+  describe('auto-detection', function () {
+    this.beforeEach(function () {
+      axios.rejects(new CanceledError('canceled'));
+    });
+
+    it('returns null if all responses timeout', async function () {
+      const result = await getCloudProviderMetadata(undefined);
+      expect(axios).to.have.callCount(3); // 1 aws + 1 azure + 1 gcp
+      expect(result).to.be.null;
+    });
+
+    it('handles a single valid response', async function () {
+      axios.withArgs(sinon.match({
+        url: 'http://169.254.169.254/metadata/instance/compute/resourceId?api-version=2021-02-01&format=text',
+      })).resolves({ data: 'azure-resource-identifier' });
+
+      const result = await getCloudProviderMetadata(undefined);
+      expect(axios).to.have.callCount(3); // 1 aws + 1 azure + 1 gcp
+      expect(result).to.deep.equal({ provider: 'azure', id: 'azure-resource-identifier' });
+    });
+  });
+});

package/lib/system-info/index.js

@@ -12,52 +12,47 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-
+// @ts-check
 'use strict';
 
-const path = require('path');
-const fs = require('fs');
+const fs = require('fs/promises');
 const os = require('os');
+const { getCloudProviderMetadata } = require('./cloud-provider-metadata');
 
-function isUsingPM2() {
-  const used = !!process.env.pmx;
-  let version;
-
-  for (const pathVar of ['npm_package_json', 'PWD']) {
-    const packagePath = process.env[pathVar];
-    if (packagePath) {
-      try {
-        version = require(path.join(packagePath, 'package.json')).dependencies['pm2'];
-      } catch (err) {
-        //
-      }
-    }
-    if (version) break;
+const MOUNTINFO_REGEX = /\/docker\/containers\/(.*?)\//;
+const CGROUP_REGEX = /:\/docker\/([^/]+)$/;
+
+function isUsingPM2(pkg) {
+  const result = { used: !!process.env.pmx, version: null };
+
+  if (pkg?.dependences?.['pm2']) {
+    result.version = pkg.dependencies['pm2'];
   }
 
-  return { used, ...(version && { version }) };
+  return result;
 }
 
-function isDocker() {
-  const MOUNTINFO_REGEX = /\/docker\/containers\/(.*?)\//;
-  const CGROUP_REGEX = /:\/docker\/([^/]+)$/;
-
+async function isDocker() {
   try {
-    const results = fs.readFileSync('/proc/self/mountinfo', 'utf8').match(MOUNTINFO_REGEX);
-    if (results) return { isDocker: true, containerID: results[1] };
+    const result = await fs.readFile('/proc/self/mountinfo', 'utf8');
+    // @ts-expect-error readFile with encoding returns a string, not a Buffer
+    const matches = result.match(MOUNTINFO_REGEX);
+    if (matches) return { isDocker: true, containerID: matches[1] };
   } catch (err) {
     // else check /proc/self/cgroup
   }
 
   try {
-    const results = fs.readFileSync('/proc/self/cgroup', 'utf8').match(CGROUP_REGEX);
-    if (results) return { isDocker: true, containerID: results[1] };
+    const result = await fs.readFile('/proc/self/cgroup', 'utf8');
+    // @ts-expect-error readFile with encoding returns a string, not a Buffer
+    const matches = result.match(CGROUP_REGEX);
+    if (matches) return { isDocker: true, containerID: matches[1] };
   } catch (err) {
     // else check /.dockerenv
   }
 
   try {
-    const result = fs.statSync('/.dockerenv');
+    const result = await fs.stat('/.dockerenv');
     if (result) return { isDocker: true, containerID: null };
   } catch (err) {
     // if there's not such file we can conclude it's not docker env
@@ -70,13 +65,20 @@ module.exports = function(core) {
   const {
     agentName,
     agentVersion,
-    config
+    config,
+    appInfo,
   } = core;
 
   // have values default to null so all required keys get serialized
-  core.getSystemInfo = function() {
-    const appPath = process.cwd();
+  core.getSystemInfo = async function getSystemInfo() {
+    // memoize for subsequent lookups
+    if (core._systemInfo) return core._systemInfo;
 
+    const cpus = os.cpus();
+    const totalmem = os.totalmem();
+    const freemem = os.freemem();
+
+    /** @type {import('@contrast/common').SystemInfo} */
     const info = {
       ReportDate: new Date().toISOString(),
       MachineName: os.hostname(),
@@ -95,7 +97,8 @@ module.exports = function(core) {
         },
       },
       Node: {
-        Version: process.version
+        Path: process.execPath,
+        Version: process.version,
       },
       OperatingSystem: {
         Architecture: os.arch(),
@@ -103,22 +106,34 @@ module.exports = function(core) {
         Version: os.release(),
         KernelVersion: os.version(),
         CPU: {
-          Type: os.cpus()[0].model,
-          Count: os.cpus().length,
+          Type: cpus[0].model,
+          Count: cpus.length,
         }
       },
       Host: {
-        Docker: isDocker(),
-        PM2: isUsingPM2(),
+        Docker: await isDocker(),
+        PM2: isUsingPM2(appInfo.pkg),
         Memory: {
-          Total: (os.totalmem() / 1e6).toFixed(0).concat(' MB'),
-          Free: (os.freemem() / 1e6).toFixed(0).concat(' MB'),
-          Used: ((os.totalmem() - os.freemem()) / 1e6).toFixed(0).concat(' MB'),
+          Total: (totalmem / 1e6).toFixed(0).concat(' MB'),
+          Free: (freemem / 1e6).toFixed(0).concat(' MB'),
+          Used: ((totalmem - freemem) / 1e6).toFixed(0).concat(' MB'),
         }
       },
-      Application: appPath ? require(path.join(appPath, 'package.json')) : null,
+      Application: appInfo.pkg,
+      Cloud: {
+        Provider: null,
+        ResourceID: null,
+      }
     };
 
-    return info;
+    if (config.server.discover_cloud_resource) {
+      const metadata = await getCloudProviderMetadata(config.inventory.gather_metadata_via);
+      if (metadata) {
+        info.Cloud.Provider = metadata.provider;
+        info.Cloud.ResourceID = metadata.id;
+      }
+    }
+
+    return core._systemInfo = info;
   };
 };

package/lib/system-info/index.test.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+
+describe('core system-info', function () {
+  let core;
+
+  beforeEach(function () {
+    core = require('@contrast/test/mocks/core')();
+    core.config = require('@contrast/test/mocks/config')();
+
+    proxyquire('.', {
+      './cloud-provider-metadata': {
+        getCloudProviderMetadata: sinon.stub().resolves(null)
+      }
+    })(core);
+  });
+
+  it('returns a properly structured object', async function () {
+    const info = await core.getSystemInfo();
+
+    expect(info).to.not.be.undefined;
+    expect(info).to.haveOwnProperty('ReportDate');
+    expect(info).to.haveOwnProperty('MachineName');
+    expect(info).to.haveOwnProperty('Contrast');
+    expect(info).to.haveOwnProperty('Node');
+    expect(info).to.haveOwnProperty('OperatingSystem');
+    expect(info).to.haveOwnProperty('Host');
+    expect(info).to.haveOwnProperty('Application');
+    expect(info).to.haveOwnProperty('Cloud');
+  });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/core",
-  "version": "1.32.3",
+  "version": "1.34.0",
   "description": "Preconfigured Contrast agent core services and models",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -16,8 +16,9 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.3",
+    "@contrast/common": "1.23.0",
     "@contrast/find-package-json": "^1.0.0",
-    "@contrast/fn-inspect": "^4.0.0"
+    "@contrast/fn-inspect": "^4.0.0",
+    "axios": "^1.6.8"
   }
 }