42Crunch Platform release, June 6, 2023

This 42Crunch API Security Platform release brings improvements to API Conformance Scan and several bug fixes.

New features

The following are the new features and improvements to the existing ones in this release.

Improvements to API Conformance Scan

We have made several improvements to Conformance Scan:

  • Faster scan configuration generation, especially for more complicated API definitions.
  • Better memory handling when generating array items of the type file for scan requests.
  • Better handling of expired customization rules.

Improvements to JSON schema validation for UTF-8 strings

We have improved the JSON schema validation of UTF-8 strings. The function previously used for length checks occasionally interpreted some characters incorrectly, so a string that in fact conformed to the defined JSON schema could be considered longer than it actually was. We have replaced that function, and UTF-8 strings are now validated correctly.

Depending on your API, this may change the results of API Security Audit and Conformance Scan, because UTF-8 strings are now handled correctly during both audit and scan.
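The release note does not say which function was replaced. The following Go example is added here to illustrate the class of bug it describes and is not 42Crunch code; it assumes the common mistake of measuring string length in UTF-8 bytes, whereas JSON Schema defines minLength and maxLength in terms of characters (Unicode code points, per RFC 8259). The StringSchema type and the sample strings are constructed for the example.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// StringSchema is a minimal stand-in (an assumption for this example) for the
// length constraints of a JSON Schema string type.
type StringSchema struct {
	MinLength int
	MaxLength int // -1 means no maximum
}

// byteLengthValid is the naive check: len(s) counts UTF-8 bytes, so every
// non-ASCII code point inflates the measured length and a conforming string
// can be rejected as too long.
func byteLengthValid(sc StringSchema, s string) bool {
	n := len(s)
	return n >= sc.MinLength && (sc.MaxLength < 0 || n <= sc.MaxLength)
}

// codePointLengthValid follows the JSON Schema definition: length is the
// number of Unicode code points. Input that is not valid UTF-8 is rejected
// with an error instead of being silently counted byte by byte.
func codePointLengthValid(sc StringSchema, s string) (bool, error) {
	if !utf8.ValidString(s) {
		return false, fmt.Errorf("input is not valid UTF-8")
	}
	n := utf8.RuneCountInString(s)
	return n >= sc.MinLength && (sc.MaxLength < 0 || n <= sc.MaxLength), nil
}

func main() {
	sc := StringSchema{MinLength: 1, MaxLength: 5}
	// Constructed samples: all but the last are exactly 5 or fewer code points.
	samples := []string{
		"hello",                 // 5 bytes, 5 code points
		"h\u00e9llo",            // 6 bytes, 5 code points
		"\u65e5\u672c\u8a9e",    // 9 bytes, 3 code points
		"\U0001F510\U0001F510",  // 8 bytes, 2 code points
		"\xff\xfe",              // invalid UTF-8
	}
	for _, s := range samples {
		ok, err := codePointLengthValid(sc, s)
		fmt.Printf("%q bytes=%d codepoints=%d byteCheck=%v codePointCheck=%v err=%v\n",
			s, len(s), utf8.RuneCountInString(s), byteLengthValid(sc, s), ok, err)
	}
}
```

Running the block shows the divergence directly: "héllo" passes the code-point check and fails the byte check against maxLength 5, exactly the kind of false length violation the note describes. Rejecting invalid UTF-8 explicitly matters too, because utf8.RuneCountInString would otherwise count each invalid byte as one replacement character and could let a malformed string through.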

Improvements to URL decoding

Previously, the way URL decoding was handled could prevent JSON references from being resolved correctly, especially with IDE integration plugins. The backend now correctly decodes the full JSON reference.

This update does not change the audit score of your APIs, but it may change which issue Security Audit reports for the OpenAPI format. Previously, incorrect URL decoding could have left Security Audit unable to resolve the target of a JSON reference (a structural issue). Because the URL is now correctly decoded, the JSON reference is resolved and analyzed further, for example, for characters that are not allowed in the names of the target objects (a semantic issue).
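To make the structural-versus-semantic distinction concrete, here is an added Go example that is not 42Crunch code. It resolves a local $ref against a constructed OpenAPI fragment with and without the percent-decoding step that RFC 6901 (JSON Pointer) requires for URI fragments, and classifies the outcome the way the note describes. The document, the checkRef function and the reuse of the OAS 3 component-name pattern are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleDoc is a constructed OpenAPI fragment. "Pet Store" deliberately has a
// space, which the OAS 3 component-key pattern does not allow.
const sampleDoc = `{
  "paths": {"/pets/{petId}": {"get": {"responses": {"200": {"description": "ok"}}}}},
  "components": {"schemas": {"Pet": {"type": "object"}, "Pet Store": {"type": "object"}}}
}`

// componentNameRe is the OAS 3.0 pattern for keys under components/*.
var componentNameRe = regexp.MustCompile(`^[a-zA-Z0-9.\-_]+$`)

// loadSample parses the constructed document into generic JSON values.
func loadSample() (any, error) {
	var doc any
	if err := json.Unmarshal([]byte(sampleDoc), &doc); err != nil {
		return nil, err
	}
	return doc, nil
}

// pointerTokens turns a local reference ("#/a/b") into JSON Pointer tokens.
// RFC 6901 section 6: percent-decode the fragment first, then split on "/",
// then unescape ~1 (slash) before ~0 (tilde). decode=false skips the
// percent-decoding step and reproduces the old behaviour described above.
func pointerTokens(ref string, decode bool) ([]string, error) {
	if !strings.HasPrefix(ref, "#") {
		return nil, fmt.Errorf("only local references are handled here: %q", ref)
	}
	frag := ref[1:]
	if decode {
		var err error
		if frag, err = url.PathUnescape(frag); err != nil {
			return nil, fmt.Errorf("bad percent-encoding in %q: %w", ref, err)
		}
	}
	if frag == "" {
		return []string{}, nil // refers to the whole document
	}
	if !strings.HasPrefix(frag, "/") {
		return nil, fmt.Errorf("invalid JSON pointer %q", frag)
	}
	tokens := strings.Split(frag[1:], "/")
	for i, tok := range tokens {
		tok = strings.ReplaceAll(tok, "~1", "/")
		tokens[i] = strings.ReplaceAll(tok, "~0", "~")
	}
	return tokens, nil
}

// resolve walks doc along the tokens (objects only; arrays omitted for brevity).
func resolve(doc any, tokens []string) (any, error) {
	cur := doc
	for _, tok := range tokens {
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil, fmt.Errorf("cannot index a non-object with %q", tok)
		}
		next, ok := obj[tok]
		if !ok {
			return nil, fmt.Errorf("no member %q", tok)
		}
		cur = next
	}
	return cur, nil
}

// checkRef classifies a $ref: "structural" when the target cannot be resolved,
// "semantic" when it resolves but names a component whose key violates the
// OAS pattern, "ok" otherwise.
func checkRef(doc any, ref string, decode bool) (string, error) {
	tokens, err := pointerTokens(ref, decode)
	if err != nil {
		return "", err
	}
	if _, err := resolve(doc, tokens); err != nil {
		return "structural", nil
	}
	if len(tokens) == 3 && tokens[0] == "components" && !componentNameRe.MatchString(tokens[2]) {
		return "semantic", nil
	}
	return "ok", nil
}

func main() {
	doc, err := loadSample()
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{
		"#/components/schemas/Pet",
		"#/components/schemas/Pet%20Store",
		"#/paths/~1pets~1%7BpetId%7D/get",
	} {
		before, _ := checkRef(doc, ref, false)
		after, _ := checkRef(doc, ref, true)
		fmt.Printf("%-38s without decoding: %-11s with decoding: %s\n", ref, before, after)
	}
}
```

Without decoding, "#/components/schemas/Pet%20Store" cannot be resolved and would surface as a structural finding; with decoding it resolves to the schema named "Pet Store", so the finding becomes a semantic one about the disallowed space in the name. The order of the two unescaping steps matters: decoding ~1 before percent-decoding would turn an encoded "~1" into a literal slash and mis-split the pointer.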

More variables for configuring API Firewall instances

You can now separately configure variables for the connection between the protected API and API Firewall, and API Firewall and backend services, giving you more granular control.

For more details, see API-specific API Firewall variables.

Fix to tag management on APIs

We have fixed a bug that prevented regular users from removing tags from their APIs even when organization administrators had enabled this in the tag category settings.

Now, if organization administrators do not restrict who can manage tags on APIs, all regular users can apply and remove tags on APIs that they have read/write access to. Organization administrators can also still choose to restrict tag management, in which case only they can tag and untag APIs.

For more details, see Category settings.

JSON summaries from CI/CD plugins

You can now configure the CI/CD integration plugin to write a JSON file summarizing how the run went each time your CI/CD pipeline triggers the plugin. This gives you more details on individual plugin runs in a format that you can easily share or store for record keeping.

For more details, see the instructions for your CI/CD system under Integrate CI/CD solutions with 42Crunch Platform.

Changed behavior

  • By default, API tokens and IDE tokens now both expire three months after they are created, but you can change this if necessary. You cannot set the expiration date later than January 2038.
  • Names . and .. are no longer allowed for objects — such as tags or tag categories — in 42Crunch Platform.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.23
    • Health check over SSL
    • The environment variable PLATFORM_HOST
    • Fixed the handling of multipart/form-data requests
    • Upgrade to openssl-1.1.1t
    • Upgrade to httpd-2.4.55
    • Upgrade to apr-util-1.6.3
  • 42crunch/apifirewall:v1.0.22
    • Fixed JWT signature validation
    • Allow plain string content definition
    • Upgrade to openssl-1.1.1s
    • Upgrade to libexpat 2.5.0
    • Upgrade to libapreq 2.17
    • Upgrade to libjansson 2.14
    • Upgrade to libjose 11
    • Upgrade to libmaxminddb 1.7.1
  • 42crunch/apifirewall:v1.0.21
    • Fixed content handling in non-body parameters
    • HTTP status response code synchronization with Conformance Scan default expectations
  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas
  • 42crunch/apifirewall:v1.0.17
    • Upgrade to httpd-2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990)
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790)
    • Upgrade to openssl-1.1.1m
    • Various small improvements
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1
    • Improved matching to allow filtering API calls by IP or network addresses
    • Fixed setting the request path when $TARGET_URL contains a basepath
    • Upgrade to Apache httpd-2.4.51 (CVE-2021-42013)
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables
    • Upgrade to Apache httpd-2.4.50 (CVE-2021-41524, CVE-2021-41773)
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses
    • Upgrade to Apache httpd-2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438)
    • Updated platform CA chain
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas
    • Upgrade to openssl-1.1.1l (CVE-2021-3711, CVE-2021-3712)
    • Updated platform CA chain

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan into an infinite loop, so the process never finished. This image version fixes that, so if you are experiencing the on-premises scan hanging, we recommend upgrading from previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration
  • 42crunch/scand-agent:v1.22.3
    • Improved handling of redirects (HTTP 3XX) in API responses
  • 42crunch/scand-agent:v1.22.2
    • Accept header included in all requests
    • Increase to maximum scan report size
  • 42crunch/scand-agent:v1.22.1
    • Fixed a bug in handling oneOf and anyOf
  • 42crunch/scand-agent:v1.22.0
    • Fixed a bug in skipping response body analysis with scan rules
  • 42crunch/scand-agent:v1.21.1
    • Fixed a bug in applying the default scan customization rule of the organization
  • 42crunch/scand-agent:v1.20.2
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.20.1
    • Percentages in the filter bar of the scan report

All previous image versions have been deprecated and are no longer supported.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes defined in scan rules applied to the scanned API take precedence over the response codes that Conformance Scan would otherwise expect. However, this causes problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. The scan rule then has null defined as the expected response code, and because the scan rule takes precedence over the default scan behavior, no response codes except null are accepted. As a result, some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team.

When sharing API collections, the UI shows that an auditor could be given the right to edit the collection. However, auditors never get read/write access to any APIs or API collections shared with their team and cannot edit any APIs when they log in, regardless of the permission shown in sharing.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format on the list of APIs in an API collection currently always shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.