42Crunch Platform release, July 15, 2021
This 42Crunch API Security Platform release adds two new checks for the OpenAPI Specification (OAS) v3 to API Security Audit, and some improvements to API Conformance Scan.
New features
The following are the new features and improvements to the existing ones in this release.
New checks to Security Audit
Security Audit has new checks for OAS v3: v3-validation-reference-securityscheme and v3-validation-reference-securityscheme-unresolved, which validate the references to security schemes.
These checks do not affect your audit score, but may affect the structural validity of your APIs.
For more details, see:
- Security scheme cannot be a JSON reference that points outside '#/components/securitySchemes'
- Target of the JSON reference of the security scheme does not exist
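As an added example (not 42Crunch's own implementation), the following Python check applies the same two rules to an OpenAPI v3 document held as a dict: a $ref under components.securitySchemes must point inside #/components/securitySchemes, and its target must exist. The sample document, scheme names and helper names are constructed for illustration.

```python
# Added example, not 42Crunch code: re-implements the two reference checks described above.
SECURITY_SCHEMES_PREFIX = "#/components/securitySchemes/"

def resolve_local_ref(doc, ref):
    """Resolve a document-local JSON Reference such as '#/components/securitySchemes/ApiKeyAuth'.
    Returns the referenced node, or None if the pointer does not resolve."""
    if not ref.startswith("#/"):
        return None  # only document-local references are handled here
    node = doc
    for token in ref[2:].split("/"):
        # JSON Pointer unescaping (RFC 6901): ~1 -> '/', ~0 -> '~'
        key = token.replace("~1", "/").replace("~0", "~")
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_security_scheme_refs(doc):
    """Return (scheme name, check id) for each $ref under components.securitySchemes
    that points outside the securitySchemes section or does not resolve."""
    findings = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        ref = scheme.get("$ref") if isinstance(scheme, dict) else None
        if ref is None:
            continue  # inline Security Scheme Object, nothing to resolve
        if not ref.startswith(SECURITY_SCHEMES_PREFIX):
            findings.append((name, "v3-validation-reference-securityscheme"))
        elif resolve_local_ref(doc, ref) is None:
            findings.append((name, "v3-validation-reference-securityscheme-unresolved"))
    return findings

# Constructed sample: one inline scheme, one valid alias, and one instance of each failure.
SAMPLE_API = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {"NotAScheme": {"type": "object"}},
        "securitySchemes": {
            "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
            "ApiKeyAlias": {"$ref": "#/components/securitySchemes/ApiKeyAuth"},
            "BadLocation": {"$ref": "#/components/schemas/NotAScheme"},
            "Missing": {"$ref": "#/components/securitySchemes/DoesNotExist"},
        },
    },
}

if __name__ == "__main__":
    for name, check in check_security_scheme_refs(SAMPLE_API):
        print(f"{name}: {check}")
```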
Improvements to Conformance Scan
We have removed the limitations to JSON complexity from Conformance Scan. You can now scan any OpenAPI definition as long as the file size is under 10 MB.
The serialization of query string parameters in scan has been improved, and Conformance Scan now also properly serializes array objects.
We have also changed how Conformance Scan handles scan logs when run on-premises. To avoid overly verbose logs and traffic, Conformance Scan now only uploads ERROR and CRITICAL logs to 42Crunch Platform. For more details, see Running Conformance Scan on premises.
New UX improvements
In addition, there are also several smaller improvements to the user experience:
- To avoid losing your hard work, Security Editor now requires confirmation if you try to navigate to another page before saving your changes.
- Any dialog on the UI can now be closed without completing it by pressing the Esc key.
Eclipse integration
We have released a version of our extension plugin REST API Static Security Testing for Eclipse IDE. The plugin makes creating and navigating OpenAPI definitions (v2 and v3) quicker and easier, and integrates API Security Audit directly into your Eclipse IDE.
For more details, see Eclipse integration.
Compatibility
This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.
API Firewall images
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v1.0.8
- Fixed the parsing of array parameters with OASv2 when no collectionFormat is specified.
- Fixed sending transaction logs to the platform when log destination is set to PLATFORM+STDOUT.
42crunch/apifirewall:v1.0.7
- Fixed loading of path parameters with different definitions in each operation.
- Upgrade to httpd-2.4.48 (CVE-2021-31618, CVE-2021-30641, CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567).
42crunch/apifirewall:v1.0.6
- Fixed blocking query parameters that are not defined in the API definition of the protected API.
- Fixed invalid decoding of multipart/form-data.
42crunch/apifirewall:v1.0.5
- Upgrade to openssl-1.1.1k (CVE-2021-3450, CVE-2021-3449).
42crunch/apifirewall:v1.0.4
- Compatibility with the new platform.
- Improved error messages on unrecoverable errors.
- Fixed memory leak on restart (schema regex).
- Fixed possible crash with large response bodies.
- Improved the engine performance of regular expressions.
- Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
- Harmonized console logs.
- Support for sending logs to STDOUT.
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Conformance Scan images
This release is compatible with the following Conformance Scan images for running it on-premises:
42crunch/scand-agent:v1.9.4
- Fixed serialization of array objects in query string parameters.
- Changed behavior in log upload.
42crunch/scand-agent:v1.8.6
- Fixed happy path request generation with the value from default or x-42c-sample.
42crunch/scand-agent:v1.8.3
- Removed the unnecessary JSON complexity check.
- Scan configurations can be pushed with API key in addition to session ID.
42crunch/scand-agent:v1.8.1
- Improved JSON schema library.
- Improved messages.
- Case-insensitive header name evaluation.
- Option to reuse values sent during the happy path requests as a basic example (this can cause problems if the API constrains values, for example a unique ID, email, or name, because the scan may be unable to generate a value for a very specific case).
42crunch/scand-agent:v1.7.4
- Fixed handling of multipleOf when its range is [0;0.50].
42crunch/scand-agent:v1.6.0
- This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
- Environment variables for communication through proxy to both platform and APIs.
- Scan handles null value in API response.
42crunch/scand-agent:v1.5.1
- New test partial_security_accepted for testing how missing security requirements are handled.
- TLS configuration allows a remote server to repeatedly request renegotiation.
- Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
- Masked credentials and other small improvements in scan logs.
- More details shown when a happy path request fails.
- Improved generation of strings, numbers, integers, and arrays.
- Support for proxy configuration.
Known issues
This release has the following known issues.
Security Audit does not verify the format of vendor extensions
At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x- prefix.
This will be fixed in a future release.
Conformance Scan string limits may conflict with minLength or maxLength values
By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength, or the length limits in a regular expression that you have defined for an API operation in your API definition, conflict with this limit, it causes issues during the scan.
If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.
In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
Regular expression lookaheads may cause issues
If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example in Conformance Scan.
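The following added example (not 42Crunch's code) is a pre-scan check in Python for the two known issues above: it walks an OpenAPI definition and reports string schemas whose minLength or maxLength exceeds the 4096 limit, and patterns that use lookahead or lookbehind. The sample API, the reason strings and the helper names are constructed for illustration.

```python
# Added example, not 42Crunch code: flags the known-issue conditions above before a scan.
import re

SCAN_MAX_STRING_LENGTH = 4096  # default string length limit stated in the release notes

# Lookahead/lookbehind openers: (?= (?! (?<= (?<!  -- named groups like (?<name> do not match
LOOKAROUND = re.compile(r"\(\?<?[=!]")

def walk(node, pointer="#"):
    """Yield (JSON Pointer, object) for every JSON object in the document, parents first."""
    if isinstance(node, dict):
        yield pointer, node
        for key, value in node.items():
            escaped = key.replace("~", "~0").replace("/", "~1")  # RFC 6901 escaping
            yield from walk(value, f"{pointer}/{escaped}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{pointer}/{index}")

def check_scan_string_limits(doc, limit=SCAN_MAX_STRING_LENGTH):
    """Return (pointer, reason) for string schemas the scan would skip or mishandle.
    Length bounds hidden inside a pattern (e.g. '{5000,}') are not parsed here."""
    findings = []
    for pointer, obj in walk(doc):
        min_len, max_len, pattern = obj.get("minLength"), obj.get("maxLength"), obj.get("pattern")
        if isinstance(min_len, int) and min_len > limit:
            findings.append((pointer, "minLength exceeds scan limit: no happy path request"))
        elif isinstance(max_len, int) and max_len > limit:
            findings.append((pointer, "maxLength exceeds scan limit: scan request skipped"))
        if isinstance(pattern, str) and LOOKAROUND.search(pattern):
            findings.append((pointer, "pattern uses lookaround"))
    return findings

# Constructed sample request body: one compliant and three problematic string properties.
SAMPLE_API = {
    "openapi": "3.0.3",
    "paths": {"/users": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {
            "name": {"type": "string", "maxLength": 64},
            "bio": {"type": "string", "maxLength": 10000},
            "token": {"type": "string", "minLength": 5000},
            "email": {"type": "string", "pattern": r"^(?!.*\.\.)[^@]+@[^@]+$"},
        },
    }}}}}}},
}

if __name__ == "__main__":
    for pointer, reason in check_scan_string_limits(SAMPLE_API):
        print(f"{pointer}: {reason}")
```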