42Crunch Platform release, December 14, 2023

This 42Crunch API Security Platform release brings new report format for API Conformance Scan v2, new checks for API Security Audit, and simplifies how security quality gates (SQGs) and customization rules work.

New features

The following are the new features and improvements to the existing ones in this release.

Improvements to Conformance Scan

There have been several improvement to Conformance Scan, both to Scan v1 and Scan v2.

For both scan versions, you can now choose which of the scan configurations an API has yields results that best reflect the overall quality of the API implementation and set that as the reference scan configuration. The results of the reference scan configuration are the ones shown on the list of APIs in the API collection as well as on the API summary tab. You can still view the reports from all scan configurations on through the list of scan reports. For more details, see Reference scan configuration.

In addition, if your API is very large or complex so that it takes a very long time for Conformance Scan to finish scanning it, the scan now provides a heartbeat check back to 42Crunch Platform to ensure the connection stays active until the scan process has finished and the scan report has been sent to the platform.

Both scan versions now also properly handle the property explode, and you can now copy the scan token of associated with the scan configuration directly as part of the Docker command to run Conformance Scan on premises.

We have also removed a check that could result in the scan report from on-premises scan being lost if times on the platform and the client machine did not match.

Improvements to Scan v2

Scan v2 now providers a new, improved and clarified scan report UI:

An example screenshot of the scan report.

  • A graphical, at-a-glance view of the key statistics of the scan
  • More structured deep-dive into the details of individual issues: separate tabs for the summary of the test performed, the request sent, and the response received
  • Improved filters for narrowing what is shown in the issue list

For more details, see Scan report.

The tests parameter-header-contenttype-wrong-scan and partial-security-accepted are now included in Scan v2 as well.

We have also enhanced limits for runtime settings:

  • Scan logs now clearly indicate when a runtime limit has been reached while suppressing excessive repetition of the same issue
  • Additional settings for controlling the scan report size (requires 42crunch/scand-agent:v2.0.3 or higher):
    • reportIncludeRequestBody
    • reportIncludeResponseBody
    • reportMaxRequestSizeHappyPath
    • reportMaxRequestSizeTest

For more details, see Settings for Scan v2.

In addition, the generation of very small and very large numbers has been improved and the generation of number enum in test requests fixed. Numeric values that exceed the limits of float64 data type are now presented as strings to allow successfully processing the scan report.

Improvements to Scan v1

The scan now consumes example and x-42c-sample defined in parameters or request bodies.

New checks to Security Audit

Security Audit now detects values that are not valid for the property multipleOf according to the OpenAPI Specification (OAS). For more details, see:

In addition, we have introduced a limit to the depth of consecutive schema references. Now, for any given schema in your OpenAPI definition, Security Audit follows and checks the first six nested JSON references to other schemas before it calculates the score. Any further references that the schema might have are ignored. This is to avoid excessive loops between the schemas when calculating the audit score.

Depending on your API, this might affect the audit score.

New setting for SQG behavior

We have implemented a new setting for handling the criteria for SQGs in Security Audit and Conformance Scan. This allows organization administrators to choose how the default SQGs β€” which are automatically applied to all APIs in your organization β€”and the ones associated with tags are treated:

  • To simplify the possible combinations of criteria, you can choose to ignore the default SQGs if an API is tagged for another SQG of the same type (audit or scan). This is the recommended option.
  • If needed, you can also continue to allow combining the default SQGs with the ones applied with tags.

To prevent sudden breaking changes, we have retained the existing behavior so that default SQGs continue to be combined with the tag-based ones.

For more details, see Manage handling of criteria from default and tag-based SQGs.

Improvements to displaying API collection accesses

All access levels to API collections are now correctly shown, for example, on the list of API collections and match the actual sharing details. In addition, owners of API collections can now see that they have full access to those collections also in the dropdown lists of collections, such as when configuring to run Scan v1 42Crunch Platform.

An example screenshot showing the four possible access levels a user can have to API collections.

Easier listing of users' APIs

Organization administrators can now click the number of APIs that a particular user has to see which APIs in which collections those are. This makes it easier, for example, to change the owners of those APIs before removing the user account.

A screenshot showing the Users tab from the organization settings.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.25
    • Upgrade to go-1.21.1 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Upgrade to openssl-1.1.1w (CVE-2023-4807, CVE-2023-3817, CVE-2023-3446)
  • 42crunch/apifirewall:v1.0.24
    • Upgrade to httpd-2.4.57 (CVE-2023-25690, CVE-2023-27522)
    • Upgrade to openssl-1.1.1u (CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464)
    • Support for multiple API key security schemes with the same name
    • Fixed the handling of content media-typedeclared as opaque string in response validation
    • Fixed request body handling when API Firewall is set to non-blocking mode.
    • Obfuscated headers (except Host) in transaction logs when the targeted API is unknown
    • New versions of JWT validation protections (x-42c-jwt-validation-ec_0.2, x-42c-jwt-validation-rsa_0.2, x-42c-jwt-validation-hmac_0.2)
      • Validating the scope claim of OAuth2 JWT tokens
      • Connecting to the JWKS server through a remote forward proxy
  • 42crunch/apifirewall:v1.0.23
    • Health check over SSL
    • The environment variable PLATFORM_HOST
    • Fixed the handling of multipart/form-data requests
    • Upgrade to openssl-1.1.1t
    • Upgrade to httpd-2.5.55
    • Upgrade to apr-util-1.6.3
  • 42crunch/apifirewall:v1.0.22
    • Fixed JWT signature validation
    • Allowed plain string content definition
    • Upgrade to openssl-1.1.1s
    • Upgrade to libexpat 2.5.0
    • Upgrade to libapreq 2.17
    • Upgrade to libjansson 2.14
    • Upgrade to libjose 11
    • Upgrade to libmaxminddb 1.7.1
  • 42crunch/apifirewall:v1.0.21
    • Fixed content handling in non-body parameters
    • HTTP status response code synchronization with Conformance Scan default expectations
  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas

All previous image versions have been deprecated and are no longer supported.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises.

Scan v2

  • 42crunch/scand-agent:v2.0.4
    • Numeric values exceeding the limits of float64 presented as strings
  • 42crunch/scand-agent:v2.0.3
    • Upgrade to Golang 1.21.5 (CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-45283)
    • New scan report
    • Tests parameter-header-contenttype-wrong-scan and partial-security-accepted
    • Support for reportIncludeRequestBody, reportIncludeResponseBody, reportMaxRequestSizeHappyPath, reportMaxRequestSizeTest
    • Improved logging for runtime limit
    • Heartbeat check

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.0.2
    • Support for text/plain as content type
    • Support for read-only properties
  • 42crunch/scand-agent:v2.0.1
    • Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Enhancements to generating random values from scan configuration
    • Tests for not allowed methods are omitted if a before block on a global level in the scan configuration is failing, or the scan configuration is set to run happy path tests only
  • 42crunch/scand-agent:v2.0.0
    • The new version of Conformance Scan

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • 42crunch/scand-agent:v1.22.14
    • Upgrade to Golang 1.21.5 (CVE-2023-39326, CVE-2023-45283)
  • 42crunch/scand-agent:v1.22.13
    • Upgrade to Golang 1.21.3 (CVE-2023-45284, CVE-2023-45283)
    • Heartbeat check to keep the connection to 42Crunch Platform active in case of extremely long scans
    • Fixed handling of example and x-42c-sample

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.22.12
    • Support for text/plain as content type
    • Support for read-only properties
  • 42crunch/scand-agent:v1.22.11
    • Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Fixed handling of < and > characters in the request payload
    • Improved handling of content not supported by Conformance Scan
  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration

All previous image versions have been deprecated and are no longer supported.

Changed behavior

Depending on your APIs, the new Security Audit checks validation-property-multipleof-positive and v3-validation-property-multipleof-positive may mean that they no longer are marked as having a valid OpenAPI definition.

Deprecated components

The following have been deprecated and will be removed in the future.

Deprecated features

The legacy version of Conformance Scan (Scan v1) is now deprecated and will be removed in June 2024. Until the removal, security updates and fixes for severe issues will be provided, but no new development will take place. New features are developed only for Scan v2.

Deprecated Conformance Scan images

The following versions of the 42crunch/scand-agent Docker image have been deprecated and will be removed in June 2024 (including any future Scan v1 image versions). Until the removal, security updates and fixes for severe issues will be provided, but no new development will take place.

  • 42crunch/scand-agent:v1.22.14
  • 42crunch/scand-agent:v1.22.13
  • 42crunch/scand-agent:v1.22.12
  • 42crunch/scand-agent:v1.22.11
  • 42crunch/scand-agent:v1.22.9
  • 42crunch/scand-agent:v1.22.8
  • 42crunch/scand-agent:v1.22.7
  • 42crunch/scand-agent:v1.22.6
  • 42crunch/scand-agent:v1.22.4

See Deprecated API Conformance Scan images.

Known issues

This release has the following known issues.

Scan result summary refer to critical issues when none were found

The scan tile on the API summary tab can confusingly refer to critical issues that the scan found when in fact the highest severity in the found issues might be just "High".

We are currently working on clarifying the tiles on the API summary and this will be fixed in the next release.

Only reference scan configuration shows SQG status in the scan report

Currently, the scan report summary shows the SQG status for only on the report of the reference scan configuration. When viewing other reports, the scan summary incorrectly shows that the API would not have any SQGs applied to it. However, SQGs are still being correctly applied and the SQG status correctly shown for each report in the list of scan reports.

This will be fixed in a future release.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.