Conflicting 'x-42c' vendor extensions applied to the API

Issue ID: v3-validation-x-42c-extensions-conflict

Description

Your API has conflicting x-42c vendor extensions applied to it. These extensions usually carry directives that tell 42Crunch Platform how to treat your API as platform services process it. If the directives applied to an API conflict with each other, the platform cannot tell which of them it should follow, and consequently your API cannot be reliably processed.

You might have defined the conflicting extensions directly in your OpenAPI definition, or they might have been added through customization rules that your API has been tagged for. The most common case is that an API ends up with both x-42c-no-authentication and x-42c-accept-empty-security applied to it, leaving Security Audit unable to tell how to process the security checks on the API.

For more details, see x-42c extensions.

Example

The following is an example of how this issue could look in your API definition. The API has the extension x-42c-accept-empty-security defined on the global level, but the extension x-42c-no-authentication has also been defined in an operation, leading to a conflict:

{
    "openapi": "3.0.0",
    // ...
    "x-42c-accept-empty-security": true,
    // ...
    "post": {
        "description": "Creates a new pet in the store. Duplicates are allowed.",
        "operationId": "createPets",
        "x-42c-no-authentication": true,
        "tags": [
            "pets"
        ]
    }
}

Even if the extension x-42c-accept-empty-security were removed from this API definition, an audit rule that the API was tagged for could still apply it and cause the conflict, because x-42c-no-authentication remains on the operation level:

The screenshot shows the example Petstore API in 42Crunch Platform with a tag that applies the conflicting extension through a customization rule.

It is also possible that no extensions are defined directly in the OpenAPI definition, but all are applied through tags or come from the default customization rules.

Remediation

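Make sure that the unnecessary extensions causing the conflict are removed from the API so that it can be reliably processed. Remember to also check any rules that tags could be applying to your API. In the following example, x-42c-no-authentication has been removed from the operation, which declares an empty security list instead: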

{
    "openapi": "3.0.0",
    // ...
    "x-42c-accept-empty-security": true,
    // ...
    "post": {
        "description": "Creates a new pet in the store. Duplicates are allowed.",
        "operationId": "createPets",
        "security": [
        ],
        "tags": [
            "pets"
        ]
    }
}
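
One way to check a definition for this conflict before it is uploaded, as an added example that is not 42Crunch's own tooling. It assumes a global extension is in effect for every operation and that only the value `true` applies an extension; it sees only extensions written in the file, not those applied through tags or customization rules. The function name and sample definition are constructed for illustration.

```python
import json

# The one conflicting pair this page names.
CONFLICTING = ("x-42c-no-authentication", "x-42c-accept-empty-security")
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def find_x42c_conflicts(spec):
    """Return (location, extensions) for each place where both extensions are in effect."""
    def enabled(node):
        # Assumption: an extension counts as applied only when set to true.
        return {ext for ext in CONFLICTING if node.get(ext) is True}

    global_exts = enabled(spec)
    if len(global_exts) == 2:
        return [("global", sorted(global_exts))]

    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            # Skip non-operation keys such as "parameters" or "summary".
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            # Assumption: global extensions combine with operation-level ones.
            in_effect = global_exts | enabled(op)
            if len(in_effect) == 2:
                findings.append((f"{method.upper()} {path}", sorted(in_effect)))
    return findings


# Constructed sample mirroring the page's example (global + operation level).
SAMPLE = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Petstore (constructed sample)", "version": "1.0.0"},
  "x-42c-accept-empty-security": true,
  "paths": {
    "/pets": {
      "get": {"operationId": "listPets", "responses": {"200": {"description": "ok"}}},
      "post": {"operationId": "createPets", "x-42c-no-authentication": true,
               "responses": {"200": {"description": "ok"}}}
    }
  }
}
""")

if __name__ == "__main__":
    for location, exts in find_x42c_conflicts(SAMPLE):
        print(f"{location}: conflicting extensions {exts}")
```

An empty result means only that the file itself is free of the conflict; rules attached to the API's tags still need to be reviewed in the platform.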