42Crunch Platform release, May 25, 2020
This 42Crunch Platform release includes updates and changes to API Security Audit and the articles on found issues. In addition, we have released a plugin for integrating Security Audit with CI/CD in Jenkins.
New features
The following are the new features and improvements to the existing ones in this release.
Improvements to Security Audit checks
We have moved some checks in Security Audit around, and added some new checks:
- Checks that URLs and emails have proper format have been moved from Semantics to Best practices.
- For the OpenAPI Specification (OAS) v3, the check that the API definition includes at least one server has been moved from Structure to Semantics.
- For OAS v2, audit now checks that the API definition includes at least one host.
- Audit now checks that media type objects used to describe request bodies and responses have a schema.
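As an added illustration of the checks listed above (this is example code written for these notes, not 42Crunch's own audit engine or its article wording), the following script runs three of them over an OpenAPI definition that has already been parsed into a Python dict: the OAS v3 "at least one server" check, the OAS v2 "at least one host" check, and the check that every media type object under a request body or response carries a schema, plus the URL/email format check that now lives under Best practices. The regular expressions, finding messages and the two sample definitions are constructed for this example; locations are reported as JSON Pointers so they can be mapped back to the definition.

```python
"""Minimal re-implementation of the Security Audit checks named in the release notes.

Added example, not 42Crunch code. Assumes an OpenAPI definition already parsed
into a dict (json.load; YAML would need PyYAML). Each check returns a list of
(json_pointer, message) findings; message text is constructed here.
"""
import re

# Constructed, deliberately simple format checks for URL and email strings.
URL_RE = re.compile(r"^https?://[^\s/?#]+[^\s]*$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def ptr(*parts):
    """Build a JSON Pointer, escaping '~' and '/' inside each segment (RFC 6901)."""
    return "".join("/" + str(p).replace("~", "~0").replace("/", "~1") for p in parts)


def check_servers_or_host(spec):
    """OAS v3: at least one server must be listed; OAS v2: a host must be declared."""
    findings = []
    if str(spec.get("openapi", "")).startswith("3"):
        if not spec.get("servers"):
            findings.append((ptr("servers"), "OAS v3 definition declares no servers"))
    elif str(spec.get("swagger", "")) == "2.0":
        if not spec.get("host"):
            findings.append((ptr("host"), "OAS v2 definition declares no host"))
    return findings


def check_media_types_have_schema(spec):
    """OAS v3: every media type object in a requestBody or response needs a schema."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):  # skip summary/description strings, parameters list
                continue
            for mt, obj in op.get("requestBody", {}).get("content", {}).items():
                if "schema" not in obj:
                    findings.append((ptr("paths", path, method, "requestBody", "content", mt),
                                     "media type object has no schema"))
            for code, resp in op.get("responses", {}).items():
                for mt, obj in resp.get("content", {}).items():
                    if "schema" not in obj:
                        findings.append((ptr("paths", path, method, "responses", code, "content", mt),
                                         "media type object has no schema"))
    return findings


def check_url_and_email_format(spec):
    """Best practice: contact URL/email and license URL must be well formed."""
    findings = []
    info = spec.get("info", {})
    contact = info.get("contact", {})
    if "url" in contact and not URL_RE.match(contact["url"]):
        findings.append((ptr("info", "contact", "url"), "not a valid URL"))
    if "email" in contact and not EMAIL_RE.match(contact["email"]):
        findings.append((ptr("info", "contact", "email"), "not a valid email address"))
    lic = info.get("license", {})
    if "url" in lic and not URL_RE.match(lic["url"]):
        findings.append((ptr("info", "license", "url"), "not a valid URL"))
    return findings


def audit(spec):
    """Run all checks and return the combined findings list (empty means clean)."""
    return (check_servers_or_host(spec)
            + check_media_types_have_schema(spec)
            + check_url_and_email_format(spec))


# Constructed sample definitions that trip each check once.
OAS3_SAMPLE = {
    "openapi": "3.0.0",
    "info": {"title": "demo", "version": "1", "contact": {"email": "not-an-email"}},
    "paths": {
        "/items": {
            "post": {
                "requestBody": {"content": {"application/json": {}}},  # no schema
                "responses": {"200": {"description": "ok",
                                      "content": {"application/json": {"schema": {"type": "object"}}}}},
            }
        }
    },
}
OAS2_SAMPLE = {"swagger": "2.0", "info": {"title": "demo", "version": "1"}, "paths": {}}

if __name__ == "__main__":
    for loc, msg in audit(OAS3_SAMPLE) + audit(OAS2_SAMPLE):
        print(f"{loc}: {msg}")
```

Running the script prints one finding per defect in the samples: the missing `servers`, the request body media type without a schema, the malformed contact email, and, for the v2 sample, the missing `host`. A definition that declares a server and gives every media type a schema produces an empty list.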
Jenkins integration for Security Audit
You can now automate Security Audit of your OpenAPI definitions directly in your CI/CD in Jenkins. The REST API Static Security Testing plugin provides a custom build step that you can add to your pipeline and configure as needed.
For more details, see CI/CD integrations.
Compatibility
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v0.16.11
- Upgrade to latest openssl security fix (1.1.1g)
- Better logging of shared cache loading failure
- Ability to configure timeout between API Firewall and backend endpoint distinctly
42crunch/apifirewall:v0.16.13
- A bug in response validation in OASv3 that caused API Firewall to load an empty schema instead of the one specified for some media types fixed
- More robust UUID generator
42crunch/apifirewall:v0.17.0
- Improvements to the syntax of protections
- Internal optimizations
42crunch/apifirewall:v0.17.2
- Deserialization of parameters defined as combined types (allOf, anyOf, oneOf) fixed
- cookies_in and cookies_out moved in their own sections in transaction log
- The format of transaction logs for security validation errors fixed to match what the UI expects
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Known issues
This release has the following known issues.
Removing an API does not stop the API Firewall instance
If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.
This will be fixed in a future release.