42Crunch Platform release, March 16, 2023

This 42Crunch API Security Platform release adds new features to CI/CD integration and a health check over SSL for API Firewall.

New features

The following are the new features and improvements to the existing ones in this release.

New features in CI/CD plugins

We have added new features to the CI/CD plugins you can use to integrate your CI/CD pipelines with 42Crunch Platform.

  • Use SQG criteria instead of the plugin criteria to determine if a CI/CD should fail or not.
  • Stop the plugin from failing a CI/CD pipeline, for example, when introducing it to a new pipeline: the plugin keeps reporting which APIs would have passed or failed but allows the pipeline jobs to complete, so you can start working towards the automatic quality control while still being able to deliver.
  • Ignore failures in case a network error prevents the integration plugin from communicating with 42Crunch Platform.
  • Add tags to APIs directly through the CI/CD pipeline (currently Bamboo plugin only).

How to configure these new features depends on your CI/CD, so for more details, see Integrate CI/CD solutions with 42Crunch Platform to find the integration instructions for your system.

In addition, we have added a new CI/CD system to the list of the supported integrations: Tekton CI/CD. For more details on integration with Tekton, see Integrate Security Audit with Tekton.

API Firewall health check over SSL connection

Previously API Firewall supported health check calls to ascertain the status of an instance only over HTTP connection. We have now added the option to configure the health to be done also over HTTPS connection. For more details, see Configure health check for API Firewall.

Other updates

There have also been other, smaller updates, for example, to improve the UX or as bug fixes:

  • You can now add descriptions to tags themselves, not just to the tag categories. In addition, you can also change tag names without having to create a new tag.
  • The maximum length for API collection names has been significantly increased.
  • The ordering of columns in the API Firewall transaction logs has been fixed.

Changed behavior

  • Security Audit no longer raises an issue on a missing pattern if the format of the object in question is binary. Depending on your APIs, this may increase your audit score.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.23
    • Health check over SSL
    • The environment variable PLATFORM_HOST
    • Fixed the handling of multipart/form-data requests
    • Upgrade to openssl-1.1.1t
    • Upgrade to httpd-2.5.55
    • Upgrade to apr-util-1.6.3
  • 42crunch/apifirewall:v1.0.22
    • Fixed JWT signature validation
    • Allow plain string content definition
    • Upgrade to openssl-1.1.1s
    • Upgrade to libexpat 2.5.0
    • Upgrade to libapreq 2.17
    • Upgrade to libjansson 2.14
    • Upgrade to libjose 11
    • Upgrade to libmaxminddb 1.7.1
  • 42crunch/apifirewall:v1.0.21
    • Fixed content handling in non-body parameters
    • HTTP status response code synchronization with Conformance Scan default expectations
  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas
  • 42crunch/apifirewall:v1.0.17
    • Upgrade to httpd-2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990)
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790)
    • Upgrade to openssl-1.1.1m
    • Various small improvements
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1
    • Improved matching to allow filtering API calls by IP or network addresses
    • Fixed setting the request path when $TARGET_URL contains a basepath
    • Upgrade to Apache httpd-2.4.51 (CVE-2021-42013)
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables
    • Upgrade to Apache httpd-2.4.50 (CVE-2021-41524, CVE-2021-41773)
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses
    • Upgrade to Apache httpd-2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438)
    • Updated platform CA chain
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas
    • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712)
    • Updated platform CA chain

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration
  • 42crunch/scand-agent:v1.22.3
    • Improved handling of redirects (HTTP 3XX) in API responses
  • 42crunch/scand-agent:v1.22.2
    • Accept header included in all requests
    • Increase to maximum scan report size
  • 42crunch/scand-agent:v1.22.1
    • Fixed a bug in handling oneOf and anyOf
  • 42crunch/scand-agent:v1.22.0
    • Fixed a bug in skipping response body analysis with scan rules
  • 42crunch/scand-agent:v1.21.1
    • Fixed a bug in applying the default scan customization rule of the organization
  • 42crunch/scand-agent:v1.20.2
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.20.1
    • Percentages in the filter bar of the scan report

All previous image versions have been deprecated and are no longer supported.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team.

When sharing API collections, the UI shows that an auditor could be given the right to edit the collection. However, auditors never get read/write access to any APIs or API collections shared with their team and cannot edit any APIs when they log in, regardless of the permission shown in sharing.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.