42Crunch Platform release, June 16, 2021

This 42Crunch API Security Platform release introduces executive dashboards to the platform, full support for x‑nullable, and some improvements to API Conformance Scan.

New features

The following are the new features and improvements to the existing ones in this release.

Executive dashboards for organization administrators

We have added new executive dashboards that show the ongoing trends in the APIs in an organization. This gives organization administrators an overall view on what is going on in their organization.

An example screenshot showing the executive dashboard page populated with statistics.

To view executive dashboards, click Dashboard in the main menu of 42Crunch Platform.

The collection dashboards in API collections and security dashboards of APIs remain as is and accessible to all users, not just organization administrators.

For more details, see API monitoring.

Support for the x-nullable extension to the OpenAPI Specification

42Crunch Platform now fully supports the x‑nullable extension to the OpenAPI Specification (OAS) v2, a workaround for the lack of support for null type in JSON schemas.

Some tooling, such as all features in 42Crunch Platform, support this workaround, but the support is not universal. Using x‑nullable together with required in your schemas can also cause problems. For proper support, we recommend switching from OAS v2 to OAS v3.

For more details, see APIs and API collections.

If you are using the extension x‑nullable in your OpenAPI definitions, this update may affect the audit score of your APIs.

Better handling of non-JSON content types in Conformance Scan

We have improved how Conformance Scan handles request and response bodies where the content type is not JSON:

  • Request bodies in POST and PUT operations generated properly
  • Non-JSON response body processed as per usual

In addition, we have clarified and improved the error and other messages that Conformance Scan generates, and removed the limitations to regular expressions in the pattern property.

New UX improvements

In addition, there are also several smaller improvements to the user experience:

  • API collections must now be explicitly shared if created on the UI. The CI/CD plugins still support defining a default setting for sharing any new API collections that the plugin creates.
  • The search in Find API is no longer case-sensitive and also properly handles any characters that are not valid.
  • The JSON format of the API definition to be imported is validated already when you select the file on the UI.
  • Clarifications to documentation on managing passwords directly in 42Crunch Platform.

Updates to SonarQube integration

We have added instructions how to configure a custom quality gate for the REST API Static Security Testing plugin in SonarQube. You can now also exclude a particular SonarQube project from the plugin.

For more details, see Integrate Security Audit with SonarQube.

Sample AWS CloudFormation templates and deployment guide for API Firewall

We have added sample resources and a dedicated deployment guide for deploying API Firewall to Amazon ECS on AWS Fargate using AWS CloudFormation templates.

For more details, see Protect APIs.


This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.7
    • Fixed loading of path parameters with different definitions in each operation.
    • Upgrade to httpd-2.4.48 (CVE-2021-31618, CVE-2021-30641, CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567).
  • 42crunch/apifirewall:v1.0.6
    • Fixed blocking query parameters that are not defined in the API definition of the protected API.
    • Fixed invalid decoding of multipart/form-data.
  • 42crunch/apifirewall:v1.0.5
    • Upgrade to openssl-1.1.1k (CVE-2021-3450, CVE-2021-3449).
  • 42crunch/apifirewall:v1.0.4
    • Compatibility with the new platform.
    • Improved error messages on unrecoverable errors.
    • Fixed memory leak on restart (schema regex).
    • Fixed possible crash with large response bodies.
    • Improved the engine performance of regular expressions.
    • Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
    • Harmonized console logs.
    • Support for sending logs to STDOUT.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.8.6
    • Fixed happy path request generation with the value from default or x-42c-sample.
  • 42crunch/scand-agent:v1.8.3 
    • Removed the unnecessary JSON complexity check.
    • Scan configurations can be pushed with API key in addition to session ID.
  • 42crunch/scand-agent:v1.8.1 
    • Improved JSON schema library.
    • Improved messages.
    • Case-insensitive header name evaluation.
    • Option to reuse values sent during the happy path requests as a basic example (can cause problems if the API has some value constraints, like unique ID, email, or name, as the scan could be unable to generate a value for a really specific case).
  • 42crunch/scand-agent:v1.7.4
    • Fixed handling of multipleOf when its range is [0;0.50].
  • 42crunch/scand-agent:v1.6.0
    • This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
    • Environment variables for communication through proxy to both platform and APIs.
    • Scan handles null value in API response.
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • TLS configuration allows a remote server to repeatedly request renegotiation.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Security Audit does not verify the format of vendor extensions

At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x-.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.