42Crunch Platform release, August 2, 2023

This 42Crunch API Security Platform release introduces a new version of API Conformance Scan.

New features

The following are the new features and improvements to the existing ones in this release.

New version of API Conformance Scan

We have introduced a new version of Conformance Scan, referred to as Scan v2. This first iteration of the new version shares the same core features and operation, but offers additional features and more flexibility.

  • Create multiple scan configurations for a single API, and edit and iterate on them as needed.
    • The latest scan report is stored for each scan configuration for easy comparison.
    • Scan configurations are based directly on the OpenAPI definition of your API, including the required authentication methods.
    • When you create or edit a scan configuration, it is automatically validated against the OpenAPI definition of the API, so obvious misconfigurations are caught already while you design the configuration.
  • Use new scan settings to control the scan process.
    • Optimize scan report size, for example, by skipping curl requests in the report.
    • Simplify happy path validation by choosing to check only the response code rather than the full response.
  • Create scan scenarios by defining chains of requests that depend on one another.
  • Configure values that change by environment and reuse the same scan configuration for the same API deployed in multiple environments, for example, your development and testing environments.

In addition, we have improved the behavior of Conformance Scan:

  • The scan now validates only the fields defined as required in happy path requests, not all fields as before.
  • You are only prompted to provide authentication details for the security requirements that are actually used in your API, not for all security schemes defined in your API definition as in the previous scan version.

Scan v2 is currently available only as a Docker image for on-premises scan and does not yet support customization rules.

For backward compatibility, and so that adopting the new version does not disrupt your day-to-day work, we have retained the previous version, Scan v1, and you can choose to continue using it for now. Results from Scan v1 continue to be used for the scan statistics of the API on the API summary page and on the list of APIs in an API collection. Where applicable, the difference between the versions is clearly indicated in this documentation.

For more details, see API Conformance Scan.

Team management permission

Organization administrators can now grant regular users the permission to manage teams. Users with this permission can perform the same actions on any team in their organization as organization administrators can:

  • Create and delete teams
  • Add users to and remove users from any team
  • Change the name and the team leader of any team.

For more details, see Teams.

Defining a forward proxy in JWT protections

If you use the JWT protections in your API Firewall instances and the traffic to the JWKS endpoint must go through a forward proxy, the new _0.3 versions of the JWT protections provide a parameter for defining the host:port of the forward proxy that API Firewall connects through.

For more details, see JWT validation.
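The two JWT-related behaviors this release adds to API Firewall are checking the OAuth2 scope claim of a validated token and reaching the JWKS endpoint through a forward proxy. The following is an added illustration of both, written for these release notes and not code from 42Crunch or the API Firewall image. It assumes an HS256 shared key so that it runs offline without a JWKS server (the firewall protections named here use JWKS-published RSA, EC or HMAC keys; the protection parameter names are not shown because this page does not state them); the token, key and proxy address are constructed for the example. The scope check follows RFC 8693, which defines scope as a space-delimited string, and also accepts the array form some issuers emit.

```python
import base64
import hashlib
import hmac
import json
import urllib.request


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Mint an HS256-signed JWT. Used here only to build test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the signature in constant time and return the payload.

    Rejects any alg other than HS256 so that alg=none or an RSA/HMAC
    confusion attempt cannot bypass the check.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected three segments")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def granted_scopes(payload: dict) -> set:
    """RFC 8693 defines `scope` as a space-delimited string; accept a list too."""
    scope = payload.get("scope", "")
    if isinstance(scope, str):
        return set(scope.split())
    if isinstance(scope, list):
        return {str(s) for s in scope}
    raise ValueError("scope claim must be a string or a list")


def has_required_scopes(payload: dict, required: set) -> bool:
    """True only if every required scope is present in the token."""
    return required <= granted_scopes(payload)


def jwks_opener(proxy_hostport: str) -> urllib.request.OpenerDirector:
    """Build a urllib opener that fetches the JWKS via an explicit forward proxy.

    proxy_hostport is the host:port form this release introduces for the
    firewall parameter; the proxy address is an assumption of this example.
    """
    proxy_url = f"http://{proxy_hostport}"
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    token = make_hs256_jwt({"sub": "user-1", "scope": "read:users write:users"}, key)
    claims = verify_hs256_jwt(token, key)
    print("read:users granted:", has_required_scopes(claims, {"read:users"}))
    print("admin granted:", has_required_scopes(claims, {"admin"}))
    opener = jwks_opener("proxy.internal.example:3128")
    # opener.open("https://issuer.example/.well-known/jwks.json") would now go via the proxy.
    print("proxy handler installed:", any(isinstance(h, urllib.request.ProxyHandler) for h in opener.handlers))
```

A token whose payload is altered after signing, or signed with a different key, is rejected before the scope claim is ever consulted; the order matters, because scope is only trustworthy once the signature is.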

SARIF reports in the CI/CD integration for Azure Pipelines

You can now set the REST API Static Security Testing plugin for Azure Pipelines to generate a SARIF (Static Analysis Results Interchange Format) report when it runs and then use the generated report in your downstream services.

For more details, see Generate a SARIF report.
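What a downstream service does with the SARIF file is up to you; a common use is a quality gate that reads the report and fails the pipeline when findings at or above a chosen level are present. The following is an added example of such a consumer, written for these release notes rather than taken from the plugin or from 42Crunch. The SARIF 2.1.0 document it parses is constructed inline, with invented rule IDs, messages and file name, so that the block runs offline; it does not represent the rules or output format of the actual audit. Level resolution follows the SARIF specification: a result's own level, else the rule's defaultConfiguration.level, else warning.

```python
import json
from collections import Counter


def _loc(uri: str, line: int) -> dict:
    return {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}


# Constructed SARIF 2.1.0 document standing in for a plugin-generated report.
# Rule IDs, texts and the file name are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-api-audit", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Operation has no security requirement"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX002", "shortDescription": {"text": "String schema has no maxLength"},
             "defaultConfiguration": {"level": "warning"}},
            {"id": "EX003", "shortDescription": {"text": "Response schema not defined"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "POST /users has no security requirement"},
             "locations": [_loc("openapi.yaml", 12)]},
            {"ruleId": "EX002",
             "message": {"text": "components.schemas.User.name has no maxLength"},
             "locations": [_loc("openapi.yaml", 40)]},
            {"ruleId": "EX003",
             "message": {"text": "GET /users 200 response has no schema"},
             "locations": []},
        ],
    }],
})


def _rules(run: dict) -> dict:
    return {r.get("id"): r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def _level(result: dict, rules: dict) -> str:
    # SARIF: result.level, else rule.defaultConfiguration.level, else "warning".
    if result.get("level"):
        return result["level"]
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def _location(result: dict):
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if uri:
            return uri, phys.get("region", {}).get("startLine")
    return None, None


def findings(sarif_text: str) -> list:
    """Flatten every failing result across all runs into plain rows."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = _rules(run)
        for result in run.get("results", []):
            # kind defaults to "fail"; skip pass/notApplicable/informational records.
            if result.get("kind", "fail") != "fail":
                continue
            uri, line = _location(result)
            rows.append({
                "ruleId": result.get("ruleId"),
                "level": _level(result, rules),
                "uri": uri,
                "line": line,
                "message": result.get("message", {}).get("text", ""),
            })
    return rows


def level_counts(sarif_text: str) -> Counter:
    return Counter(row["level"] for row in findings(sarif_text))


def passes_gate(sarif_text: str, fail_on=("error",)) -> bool:
    """True when no finding is at a level listed in fail_on."""
    counts = level_counts(sarif_text)
    return not any(counts[level] for level in fail_on)


if __name__ == "__main__":
    for row in findings(SAMPLE_SARIF):
        where = f"{row['uri']}:{row['line']}" if row["uri"] else "(no location)"
        print(f"{row['level']:8} {row['ruleId']:6} {where:18} {row['message']}")
    print(dict(level_counts(SAMPLE_SARIF)))
    raise SystemExit(0 if passes_gate(SAMPLE_SARIF) else 1)
```

Run it with the plugin's real SARIF file substituted for SAMPLE_SARIF; the non-zero exit status is what makes the pipeline step fail.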

Changed behavior

  • The navigation tabs for Conformance Scan run in 42Crunch Platform and on-premises have been combined into a single tab on the platform UI.
    • You can now find all your scan results and configurations in one place.
    • How to navigate to your report from Scan v1 run on premises or the scan configuration for it has changed.
  • Auditors can no longer be made team leaders.
  • The audit scores are now rounded to two decimal places to improve their legibility. As a result, in some rare cases you might see a minor change to the audit score of your API.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

We recommend that you update to the latest compatible versions as soon as possible to take the full advantage of the new features and security improvements.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.24
    • Upgrade to httpd-2.4.57 (CVE-2023-25690, CVE-2023-27522)
    • Upgrade to openssl-1.1.1u (CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464)
    • Support for multiple API key security schemes with the same name
    • Fixed the handling of content media type declared as opaque string in response validation
    • Fixed request body handling when API Firewall is set to non-blocking mode.
    • Obfuscated headers (except Host) in transaction logs when the targeted API is unknown
    • New versions of JWT validation protections (x-42c-jwt-validation-ec_0.3, x-42c-jwt-validation-rsa_0.3, x-42c-jwt-validation-hmac_0.3)
      • Validating the scope claim of OAuth2 JWT tokens
      • Connecting to the JWKS server through a remote forward proxy
  • 42crunch/apifirewall:v1.0.23
    • Health check over SSL
    • The environment variable PLATFORM_HOST
    • Fixed the handling of multipart/form-data requests
    • Upgrade to openssl-1.1.1t
    • Upgrade to httpd-2.4.55
    • Upgrade to apr-util-1.6.3
  • 42crunch/apifirewall:v1.0.22
    • Fixed JWT signature validation
    • Allowed plain string content definition
    • Upgrade to openssl-1.1.1s
    • Upgrade to libexpat 2.5.0
    • Upgrade to libapreq 2.17
    • Upgrade to libjansson 2.14
    • Upgrade to libjose 11
    • Upgrade to libmaxminddb 1.7.1
  • 42crunch/apifirewall:v1.0.21
    • Fixed content handling in non-body parameters
    • HTTP status response code synchronization with Conformance Scan default expectations
  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises. All previous image versions have been deprecated and are no longer supported.

Scan v1

  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration

Scan v2

  • 42crunch/scand-agent:v2.0.0
    • The new version of Conformance Scan.

Deprecated components

The following have been deprecated and will be removed in the future.

Deprecated API Firewall images

The following versions of the API Firewall Docker image have been deprecated and will be removed in January 2024:

  • 42crunch/apifirewall:v1.0.17
  • 42crunch/apifirewall:v1.0.16
  • 42crunch/apifirewall:v1.0.13
  • 42crunch/apifirewall:v1.0.12
  • 42crunch/apifirewall:v1.0.11
  • 42crunch/apifirewall:v1.0.10
  • 42crunch/apifirewall:v1.0.9-1

See Deprecated API Firewall images.

Deprecated Conformance Scan images

The following versions of the 42crunch/scand-agent Docker image have been deprecated and will be removed in January 2024:

  • 42crunch/scand-agent:v1.22.3
  • 42crunch/scand-agent:v1.22.2
  • 42crunch/scand-agent:v1.22.1
  • 42crunch/scand-agent:v1.22.0
  • 42crunch/scand-agent:v1.21.1
  • 42crunch/scand-agent:v1.20.2
  • 42crunch/scand-agent:v1.20.1

See Deprecated API Conformance Scan images.

Known issues

This release has the following known issues.

Logs from on-premises scan not currently viewable in 42Crunch Platform

Because the two scan tabs have been merged and the navigation has changed as a result, the logs produced by Conformance Scan when run on premises are not currently visible on the platform UI. However, the logs continue to be produced when the scan runs, and you can still choose a log destination other than the platform, see Set on-premises scan to write logs to a file.

This will be fixed in the next release.

SQG status not shown in the Scan v2 report

The scan report from running Conformance Scan using a Scan v2 configuration does not yet show the security quality gate (SQG) report on the scan report page. However, Scan v2 does already support SQGs and the SQG status (passed/failed) is correctly shown in the list of scan reports.

This will be fixed in the next release.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes defined in scan rules applied to the scanned API take precedence over the response codes that Conformance Scan would otherwise expect. However, this causes problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. The scan rule then has null as its expected response code, and because the scan rule takes precedence over the default scan behavior, no response code other than null is accepted. As a result, some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

The option for converting the API format on the list of APIs in an API collection is currently always labeled "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the label, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.