42Crunch Platform release, September 7, 2021

This 42Crunch API Security Platform release adds category settings for controlling tags, more granular sharing permissions, and a way to allow longer API response times when running API Conformance Scan on premises.

New features

The following are the new features and improvements to the existing ones in this release.

Tags

When creating new categories, organization administrators can now select category settings for more flexibility in using them:

  • Allow users to apply multiple tags from a category to an API.
  • Allow users to create new tags in a category while they are applying tags to their APIs.

This means that you no longer need to keep tags in separate categories simply to be able to apply them to the same API, and that organization administrators do not have to create all the tags beforehand.

For more details, see Category settings.

More granular control on sharing permissions

Organization administrators now have more options to control how users can share API collections in their organization. Users can now be prevented from sharing with everyone in their organization, so that they can only share their collections with specific teams or individual users.

By default, all organization administrators can share API collections with everyone in their organization.

Existing users retain their current permissions, so if you want to stop some of them from sharing with everyone, you must edit their permissions. See Manage user permissions.

Improvements to API Security Audit

The check response-schema-undefined for OpenAPI Specification was incorrectly raised for HEAD and OPTIONS operations. This no longer happens, which, depending on your API, may change your audit score.

We have also fixed a bug in validating examples against a schema that uses oneOf at the schema level. This does not affect your audit score.

Override default timeout when running Conformance Scan on premises

By default, Conformance Scan waits 30 seconds for the API to respond before raising a timeout error. If you are running Conformance Scan on premises and have an API that takes longer than that to respond, you can now set the environment variable SCAN-HTTP-TIMEOUT in your Docker command to override the default timeout and give your API enough time to respond.

For more details, see Scan API conformance.

We have also fixed a bug where the scan occasionally generated a null body, and a bug in the injection schema-uniqueitems-unique-scan. In addition, the extension x-42c-sample now supports null values.

Improved search in documentation

We have improved the search in the 42Crunch Platform documentation: you may now get a featured snippet with a link to the relevant content. These snippets vary in content and length depending on the word or phrase you searched for, but they all help you home in on the information you were looking for.

An example screenshot of a featured snippet from a search.

Smaller improvements

In addition, we have also done some smaller improvements:

  • Improvements to the email validation in user invites when SSO integration has been configured.
  • The active and inactive options in action lists are now easier to tell apart.
  • API tokens are now accepted as credentials for tag-related API calls.

Generating schemas from samples in VS Code and IntelliJ IDE extensions

If you are using our IDE extensions for Microsoft Visual Studio Code (VS Code) or JetBrains IntelliJ IDEA, you can now select a sample in your OpenAPI definition and generate a new schema from it.

For more details on the extensions, see IDE integration.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgraded to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgraded to OpenSSL 1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.8-1
    • Fixed the parsing of array parameters with OASv2 when no collectionFormat is specified.
    • Fixed sending transaction logs to the platform when log destination is set to PLATFORM+STDOUT.
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on premises:

  • 42crunch/scand-agent:v1.11.1
    • Fixed a bug in scan occasionally generating a null body.
    • Fixed a bug in the injection schema-uniqueitems-unique-scan.
    • Support for null values for the extension x-42c-sample.
  • 42crunch/scand-agent:v1.10.0
    • Fixed bug with default request timeout.
  • 42crunch/scand-agent:v1.9.4
    • Fixed serialization of array objects in query string parameters.
    • Changed behavior in log upload.
  • 42crunch/scand-agent:v1.8.6
    • Fixed happy path request generation with the value from default or x-42c-sample.
  • 42crunch/scand-agent:v1.8.3 
    • Removed the unnecessary JSON complexity check.
    • Scan configurations can be pushed with API key in addition to session ID.
  • 42crunch/scand-agent:v1.8.1 
    • Improved JSON schema library.
    • Improved messages.
    • Case-insensitive header name evaluation.
    • Option to reuse the values sent in the happy path requests as a basic example. This can cause problems if the API has value constraints, such as unique IDs, emails, or names, because the scan could be unable to generate a value for a very specific case.
  • 42crunch/scand-agent:v1.7.4
    • Fixed handling of multipleOf when its range is [0;0.50].
  • 42crunch/scand-agent:v1.6.0
    • This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
    • Environment variables for communication through proxy to both platform and APIs.
    • Scan handles null value in API response.
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • TLS configuration allows a remote server to repeatedly request renegotiation.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails.
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Promoting organization administrators resets sharing permissions

Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow these users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Existing tag categories allow applying multiple tags

With the introduction of category settings for controlling how APIs are tagged, the following applies to all existing categories:

  • All existing categories allow applying multiple tags from them to a single API.
  • No existing category allows users to create new tags in it when tagging APIs.

Because there is currently no way to edit a category after it has been created, if you do not want these default settings for your categories, you must delete the existing categories and re-create them with the settings you want. We are working to add editing of categories in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of strings in the requests it sends during the scan to 4096 characters. If the properties minLength or maxLength, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, the scan runs into problems.

If the minimum length the API requires is longer than the string length limit in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length the API allows is longer than the string length limit in Conformance Scan, the scan can create the happy path request but not the actual test requests during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
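
The following pre-flight check is an added example, not code from 42Crunch or the Conformance Scan. It walks an OpenAPI 3 definition (already loaded into a Python dict, for example from YAML) and reports each operation whose string schemas conflict with the 4096-character limit described above, distinguishing the two cases: a minLength above the limit (no happy path request possible) and a maxLength above the limit (happy path possible, test requests not). The limit value is taken from the text; the sample API, the report format, and the decision to analyse only minLength and maxLength (not length limits inside regular expressions) are assumptions made for this example.

```python
"""Pre-flight check for Conformance Scan's string length limit.

Added example, not 42Crunch code. Assumes an OpenAPI 3 document loaded as a
dict. Only minLength/maxLength are analysed; regex-derived limits are not.
"""

# Default maximum string length stated in the release notes (assumed to be
# measured in characters).
SCAN_STRING_LIMIT = 4096

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def _resolve(schema, root):
    """Follow a local JSON reference such as #/components/schemas/Note."""
    node = root
    for part in schema["$ref"].lstrip("#/").split("/"):
        node = node[part]
    return node


def iter_string_schemas(schema, root, path="", seen=()):
    """Yield (json_path, schema) for every string-typed schema reachable from schema.

    `seen` holds the $refs on the current descent so recursive components
    do not loop forever; the same component reached via two properties is
    still reported under both paths.
    """
    if "$ref" in schema:
        ref = schema["$ref"]
        if ref in seen:
            return
        seen = seen + (ref,)
        schema = _resolve(schema, root)
    if schema.get("type") == "string":
        yield path, schema
    for key in ("oneOf", "anyOf", "allOf"):
        for i, sub in enumerate(schema.get(key, [])):
            yield from iter_string_schemas(sub, root, f"{path}/{key}[{i}]", seen)
    for name, sub in schema.get("properties", {}).items():
        yield from iter_string_schemas(sub, root, f"{path}/{name}", seen)
    items = schema.get("items")
    if isinstance(items, dict):
        yield from iter_string_schemas(items, root, f"{path}[]", seen)


def iter_operation_schemas(doc):
    """Yield (operation_id, location, schema) for parameters and request bodies."""
    for route, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            op_id = op.get("operationId", f"{method.upper()} {route}")
            # Path-level parameters apply to every operation under the path.
            for param in item.get("parameters", []) + op.get("parameters", []):
                if "schema" in param:
                    yield op_id, f"parameter {param['name']}", param["schema"]
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                if "schema" in media:
                    yield op_id, f"requestBody {ctype}", media["schema"]


def find_conflicts(doc, limit=SCAN_STRING_LIMIT):
    """Return (operation_id, location, reason) for each string schema that
    conflicts with the scan's string length limit."""
    conflicts = []
    for op_id, location, schema in iter_operation_schemas(doc):
        for path, s in iter_string_schemas(schema, doc):
            where = f"{location}{path}"
            if s.get("minLength", 0) > limit:
                conflicts.append((op_id, where,
                    f"minLength {s['minLength']} > {limit}: happy path request cannot be generated"))
            elif s.get("maxLength", 0) > limit:
                conflicts.append((op_id, where,
                    f"maxLength {s['maxLength']} > {limit}: happy path OK, test requests cannot be generated"))
    return conflicts


# Constructed sample definition (not a real API): one body field and one path
# parameter exceed the limit, one query parameter is fine.
SAMPLE_API = {
    "openapi": "3.0.0",
    "info": {"title": "Sample", "version": "1.0"},
    "paths": {
        "/notes": {"post": {
            "operationId": "createNote",
            "requestBody": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Note"}}}},
            "responses": {"201": {"description": "created"}}}},
        "/blobs/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string", "minLength": 8192, "maxLength": 8192}}],
            "get": {"operationId": "getBlob", "responses": {"200": {"description": "ok"}}}},
        "/ping": {"get": {
            "operationId": "ping",
            "parameters": [{"name": "q", "in": "query", "schema": {"type": "string", "maxLength": 64}}],
            "responses": {"200": {"description": "ok"}}}},
    },
    "components": {"schemas": {"Note": {"type": "object", "properties": {
        "title": {"type": "string", "maxLength": 120},
        "body": {"type": "string", "maxLength": 65536},
        "tags": {"type": "array", "items": {"type": "string", "maxLength": 32}},
    }}}},
}

if __name__ == "__main__":
    for op_id, where, reason in find_conflicts(SAMPLE_API):
        print(f"{op_id}: {where}: {reason}")
```

Run it against your own definition by loading the YAML or JSON into a dict and calling find_conflicts on it; each line of output names an operation that would appear as skipped in the scan report and why, so you can adjust the schema before scanning.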

Regular expression lookaheads may cause issues

If your API definition has regular expressions with positive or negative lookaheads, these may cause unexpected behavior, for example, in Conformance Scan.