42Crunch Platform release, May 25, 2020

This 42Crunch Platform release includes updates and changes to API Security Audit and the articles on found issues. In addition, we have released a plugin for integrating Security Audit with CI/CD in Jenkins.

New features

The following are the new features and improvements to the existing ones in this release.

Improvements to Security Audit checks

We have moved some checks in Security Audit around, and added some new checks:

  • Checks that URLs and emails have proper format have been moved from Semantics to Best practices.
  • For the OpenAPI Specification (OAS) v3, the check that the API definition includes at least one server has been moved from Structure to Semantics.
  • For OAS v2, audit now checks that the API definition includes at least one host.
  • Audit now checks that media type objects used to describe request bodies and responses have a schema.
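As an added illustration of what the last three checks look for (example code written for this page, not 42Crunch's audit engine), the block below re-implements them over a constructed OpenAPI definition: it flags an OAS v3 definition with no servers, an OAS v2 definition with no host, and any request-body or response media type object that lacks a schema. Local $ref pointers are followed so that request bodies factored out under components/requestBodies are inspected too. The function names, finding messages and sample definitions are this example's own assumptions.

```python
"""Added example (not 42Crunch code): a minimal re-implementation of three
Security Audit checks named in this release, run over constructed input.

  * OAS v3: the definition declares at least one server
  * OAS v2: the definition declares a host
  * OAS v3: every media type object under a requestBody or response has a schema
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _deref(doc, obj):
    """Follow local JSON pointers ('#/a/b') inside doc; non-ref objects pass through."""
    while isinstance(obj, dict) and str(obj.get("$ref", "")).startswith("#/"):
        node = doc
        for part in obj["$ref"][2:].split("/"):
            node = node[part.replace("~1", "/").replace("~0", "~")]
        obj = node
    return obj


def check_server_or_host(doc):
    """At least one server (OAS v3) or a host (OAS v2) must be present.
    An empty 'servers' list counts as missing."""
    if "openapi" in doc and not doc.get("servers"):
        return ["no servers defined (OAS v3)"]
    if "swagger" in doc and not doc.get("host"):
        return ["no host defined (OAS v2)"]
    return []


def _media_types_without_schema(content, where):
    # A media type object with no schema describes a body nothing can validate.
    return [
        f"{where} media type '{mt}' has no schema"
        for mt, media in (content or {}).items()
        if not isinstance(media, dict) or "schema" not in media
    ]


def check_media_type_schemas(doc):
    """OAS v3 only: walk every operation's requestBody and responses and report
    media type objects without a schema."""
    findings = []
    if "openapi" not in doc:
        return findings
    for path, item in doc.get("paths", {}).items():
        for method, op in _deref(doc, item).items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            body = _deref(doc, op.get("requestBody", {}))
            findings += _media_types_without_schema(
                body.get("content"), f"{method.upper()} {path} requestBody")
            for code, resp in op.get("responses", {}).items():
                resp = _deref(doc, resp)
                findings += _media_types_without_schema(
                    resp.get("content"), f"{method.upper()} {path} response {code}")
    return findings


def audit(doc):
    """Run all checks and return the list of findings (empty means clean)."""
    return check_server_or_host(doc) + check_media_type_schemas(doc)


def audit_json(text):
    """Convenience wrapper: audit a JSON-encoded OpenAPI definition."""
    return audit(json.loads(text))


# Constructed sample (hypothetical API): OAS v3 with a server, a $ref'd request
# body that has a schema, a 201 response with a schema, and a 'default'
# response whose application/json media type object lacks one.
SAMPLE_OAS3 = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "demo", "version": "1"},
  "servers": [{"url": "https://api.example.com"}],
  "paths": {
    "/pets": {
      "post": {
        "requestBody": {"$ref": "#/components/requestBodies/Pet"},
        "responses": {
          "201": {"description": "created",
                  "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}},
          "default": {"description": "error",
                      "content": {"application/json": {}}}
        }
      }
    }
  },
  "components": {
    "schemas": {"Pet": {"type": "object"}},
    "requestBodies": {"Pet": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}}}
  }
}
""")

# Constructed sample: OAS v2 definition with no host.
SAMPLE_OAS2 = {"swagger": "2.0", "info": {"title": "demo", "version": "1"}, "paths": {}}

if __name__ == "__main__":
    for name, doc in (("oas3", SAMPLE_OAS3), ("oas2", SAMPLE_OAS2)):
        for finding in audit(doc) or ["no findings"]:
            print(f"{name}: {finding}")
```

The schema check matters for API Firewall as much as for the audit: a media type object without a schema gives the firewall nothing to validate a request or response body against, so such an operation is effectively unprotected even though it is "described".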

Jenkins integration for Security Audit

You can now automate Security Audit of your OpenAPI definitions directly in your CI/CD in Jenkins. The REST API Static Security Testing plugin provides a custom build step that you can add to your pipeline and configure as needed.

For more details, see CI/CD integrations.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.16.11
    • Upgrade to latest openssl security fix (1.1.1g)
    • Better logging of shared cache loading failure
    • Ability to configure timeout between API Firewall and backend endpoint distinctly
  • 42crunch/apifirewall:v0.16.13
    • Fixed a bug in OAS v3 response validation that caused API Firewall to load an empty schema instead of the one specified for some media types
    • More robust UUID generator
  • 42crunch/apifirewall:v0.17.0
    • Improvements to the syntax of protections
    • Internal optimizations
  • 42crunch/apifirewall:v0.17.2
    • Fixed deserialization of parameters defined as combined types (allOf, anyOf, oneOf)
    • cookies_in and cookies_out moved into their own sections in the transaction log
    • Fixed the format of transaction logs for security validation errors to match what the UI expects

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Known issues

This release has the following known issues.

Removing an API does not stop the API Firewall instance

If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.

This will be fixed in a future release.