42Crunch Platform release, August 10, 2021

This 42Crunch API Security Platform release introduces labelling your APIs using tags, new vendor extensions for API Security Audit, and bug fixes to API Conformance Scan.

New features

The following are the new features and improvements to the existing ones in this release.

Tags

You can now create tags and label your APIs in 42Crunch Platform.

  • Virtually group APIs into logical units across different API collections.
  • Add categories and tags that reflect your business and needs.

For more details, see Tags.

New vendor extensions to Security Audit

We have added new x-42c vendor extensions to the OpenAPI Specification (OAS) to Security Audit.

The extensions let you tweak how the scoring algorithm in Security Audit weighs different elements in your API definition when calculating the audit score for it.

For more details, see Extensions for Security Audit.

We have also fixed a bug that caused Security Audit incorrectly flag readOnly and writeOnly both being set to true in a schema object when this was not the case. This fix does not affect the audit score of your API, but may affect the structural validity of your APIs.

Improvements to Conformance Scan

We have removed the limitations to JSON complexity from Conformance Scan. You can now scan any OpenAPI definition as long as the file size is under 10 MB.

However, if your API definition is very complex, such as includes arrays with over 256 items, Conformance Scan logs a warning in the scan logs, because the complexity might cause issues later on. For more details, see Scan API conformance.

We have also fixed a bug in scan timeout which caused the scan to ignore the default request timeout (30 seconds) if the scanned API did not respond in time.

Improved search in Find API

We have improved the search in Find API, so that you can now search using any part of the API name.

Automatic reactivation of users through single sign-on (SSO)

Enterprise customers who have integrated 42Crunch Platform with their company SSO solution can now enable automatic reactivation of user accounts: if a user's access to 42Crunch Platform has been deactivated and is then reactivated in the SSO solution, the user's access to the platform is automatically reinstated after the next successful SSO login to it.

To enable this feature, contact our support or your 42Crunch account manager. For more details on SSO integration, see Single sign-on integration.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.8
    • Fixed the parsing of array parameters with OASv2 when no collectionFormat is specified.
    • Fixed sending transaction logs to the platform when log destination is set to PLATFORM+STDOUT.
  • 42crunch/apifirewall:v1.0.7
    • Fixed loading of path parameters with different definitions in each operation.
    • Upgrade to httpd-2.4.48 (CVE-2021-31618, CVE-2021-30641, CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567).
  • 42crunch/apifirewall:v1.0.6
    • Fixed blocking query parameters that are not defined in the API definition of the protected API.
    • Fixed invalid decoding of multipart/form-data.
  • 42crunch/apifirewall:v1.0.5
    • Upgrade to openssl-1.1.1k (CVE-2021-3450, CVE-2021-3449).
  • 42crunch/apifirewall:v1.0.4
    • Compatibility with the new platform.
    • Improved error messages on unrecoverable errors.
    • Fixed memory leak on restart (schema regex).
    • Fixed possible crash with large response bodies.
    • Improved the engine performance of regular expressions.
    • Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
    • Harmonized console logs.
    • Support for sending logs to STDOUT.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.10.0
    • Fixed bug with default request timeout.
  • 42crunch/scand-agent:v1.9.4
    • Fixed serialization of array objects in query string parameters.
    • Changed behavior in log upload.
  • 42crunch/scand-agent:v1.8.6
    • Fixed happy path request generation with the value from default or x-42c-sample.
  • 42crunch/scand-agent:v1.8.3 
    • Removed the unnecessary JSON complexity check.
    • Scan configurations can be pushed with API key in addition to session ID.
  • 42crunch/scand-agent:v1.8.1 
    • Improved JSON schema library.
    • Improved messages.
    • Case-insensitive header name evaluation.
    • Option to reuse values sent during the happy path requests as a basic example (can cause problems if the API has some value constraints, like unique ID, email, or name, as the scan could be unable to generate a value for a really specific case).
  • 42crunch/scand-agent:v1.7.4
    • Fixed handling of multipleOf when its range is [0;0.50].
  • 42crunch/scand-agent:v1.6.0
    • This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
    • Environment variables for communication through proxy to both platform and APIs.
    • Scan handles null value in API response.
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • TLS configuration allows a remote server to repeatedly request renegotiation.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Security Audit does not verify the format of vendor extensions

At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x-.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.