42Crunch Platform release, February 10, 2023

This 42Crunch API Security Platform release adds new checks to API Security Audit and provides improvements and bug fixes.

New features

The following are the new features and improvements to the existing ones in this release.

New checks in Security Audit

We have added new checks validation-external-reference and v3-validation-external-reference to Security Audit on external references.

Understand why and when external references outside your OpenAPI definition can be problematic.
Learn how you can either amend the issue or work around it.

For more details on these extensions and their differences, see:

We have also improved how regular expressions are treated in the audit: if the regular expression only has fixed or constant quantifiers and includes the anchors ^ and $, the API does not lose points over not having the property maxLength separately defined for the object. However, if the regular expression does not include the anchors or its quantifiers are not fixed (like in ^a.*b$), it could represent only a part of a larger string and therefore defining maxLength is required: in this case, missing maxLength would take away points from the audit score.

Improvements to Conformance Scan

We have improved the object generation and test requests that Conformance Scan does under the hood:

Better modifying an example that an array has to ensure that the generated items are unique.
Returning of arrays when multiple arrays are generated for a test request.
Support for empty arrays in test requests.
Tests that necessitate path parameters as required properties are no longer run.

New environment variable for API Firewall

If your organization has a dedicated platform URL and you do not access the platform at https://platform.42crunch.com, you can now use the API Firewall environment variable PLATFORM_HOST to store the host and port that API Firewall must use to access your platform instance as part of the deployment configuration. For more details, see API Firewall environment variables.

In addition, we have amended the guidance on some parts of API Firewall:

The descriptions of the API Firewall blocking levels have been updated both on the UI and in the documentation.
The impact of levels 4—0 has been clarified.
The recommendations for the firewall log destination in a production environment have been clarified.

We have also fixed an issue with displaying the details of API Firewall instance, and the instance view again works normally.

Fixes to security quality gate status

Issues with the status from security quality gates (SQGs) not being correctly reflected elsewhere have now been fixed:

The scan SQG status on the scan report tab now correctly reflects the latest changes in SQG even if the SQG was updated after the scan was last run.
The audit SQG status is now correctly updated on the API summary tab when the SQG criteria change, even without rerunning the audit.
The audit score badge color shown on the API summary tab now matches the status of the audit SQGs passing or failing in the latest audit.

Other updates

There have also been other, smaller updates, for example, to improve the UX or as bug fixes:

The search in the platform has been improved, with better handling of case sensitivity.
The issues in showing some API, API collection, and collection dashboard details have been resolved and the data is now again displayed correctly.

Changed behavior

API tokens have been phased out from the free Community organization and users there can no longer create new API tokens. For IDE integration in the Community organization, use IDE tokens instead.
On the platform UI, APIs cannot be shared directly upon import to 42Crunch Platform, if you want to share APIs, you must do that later. Note that this does not affect CI/CD plugins: if you have configured them to automatically share APIs to other users in your organization, this will continue to be the case.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

42crunch/apifirewall:v1.0.23
- The environment variable PLATFORM_HOST
- Fixed the handling of multipart/form-data requests
- Upgrade to openssl-1.1.1t
- Upgrade to httpd-2.5.55
- Upgrade to apr-util-1.6.3
42crunch/apifirewall:v1.0.22
- Fixed JWT signature validation
- Allow plain string content definition
- Upgrade to openssl-1.1.1s
- Upgrade to libexpat 2.5.0
- Upgrade to libapreq 2.17
- Upgrade to libjansson 2.14
- Upgrade to libjose 11
- Upgrade to libmaxminddb 1.7.1
42crunch/apifirewall:v1.0.21
- Fixed content handling in non-body parameters
- HTTP status response code synchronization with Conformance Scan default expectations
42crunch/apifirewall:v1.0.20
- Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
- Fixed decreasing the number of active instances when firewall shuts down abruptly
42crunch/apifirewall:v1.0.19
- Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
42crunch/apifirewall:v1.0.18
- Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
- Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas
42crunch/apifirewall:v1.0.17
- Upgrade to httpd-2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
42crunch/apifirewall:v1.0.16
- Fixed parsing multipart/form-data
- Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body
- Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990)
42crunch/apifirewall:v1.0.13
- Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790)
- Upgrade to openssl-1.1.1m
- Various small improvements
42crunch/apifirewall:v1.0.12
- Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1
- Improved matching to allow filtering API calls by IP or network addresses
- Fixed setting the request path when $TARGET_URL contains a basepath
- Upgrade to Apache httpd-2.4.51 (CVE-2021-42013)
42crunch/apifirewall:v1.0.11
- GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables
- Upgrade to Apache httpd-2.4.50 (CVE-2021-41524, CVE-2021-41773)
42crunch/apifirewall:v1.0.10
- Fixed cookie attribute parsing in responses
- Upgrade to Apache httpd-2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438)
- Updated platform CA chain
42crunch/apifirewall:v1.0.9-1
- Fixed handling UTF-8 patterns in JSON schemas
- Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712)
- Updated platform CA chain

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

42crunch/scand-agent:v1.22.6
- Fixed regular expressions handling
  In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.
42crunch/scand-agent:v1.22.4
- Improved array iteration
42crunch/scand-agent:v1.22.3
- Improved handling of redirects (HTTP 3XX) in API responses
42crunch/scand-agent:v1.22.2
- Accept header included in all requests
- Increase to maximum scan report size
42crunch/scand-agent:v1.22.1
- Fixed a bug in handling oneOf and anyOf
42crunch/scand-agent:v1.22.0
- Fixed a bug in skipping response body analysis with scan rules
42crunch/scand-agent:v1.21.1
- Fixed a bug in applying the default scan customization rule of the organization
42crunch/scand-agent:v1.20.2
- Internal cleanup and refactoring
42crunch/scand-agent:v1.20.1
- Percentages in the filter bar of the scan report

All previous image versions have been deprecated and are no longer supported.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team.

When sharing API collections, the UI shows that an auditor could be given the right to edit the collection. However, auditors never get read/write access to any APIs or API collections shared with their team and cannot edit any APIs when they log in, regardless of the permission shown in sharing.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.