42Crunch Platform release, June 22, 2020

This 42Crunch Platform release adds more information on API Conformance Scan to the documentation, includes cookie parameters in the transaction logs data, and clarifies a couple of checks in API Security Audit.

In addition, we have released a custom pipe for integrating Security Audit with CI/CD in Atlassian Bitbucket Pipelines.

New features

The following are the new features and improvements to the existing ones in this release.

More details on how Conformance Scan works

We have added more details on how Conformance Scan works:

  • The steps in the scan process and what happens in each of them.
  • How Conformance Scan generates the values it uses in the requests it sends.
  • How you can use the vendor extension x-42c-sample to provide sample values for scans.
  • What a happy path request is in a scan and why it is important.
  • How Conformance Scan validates the responses from the scanned API.

For more details, see API Conformance Scan.

Cookies in transaction logs

Cookie parameters are now shown in the API Firewall transaction logs.

For more details, see Trace Explorer.

Updates to Security Audit checks

We have amended two checks in Security Audit for both OpenAPI Specification v2 and v3:

  • The maximum defined for HTTP status codes has been changed to 599. The new check helps you ensure that your header parameters, which are not case-sensitive unlike other parameters, are not considered equal.
  • The description of how a schema can fail to restrict the type of accepted JSON values now details the two cases that could cause this.

Bitbucket Pipelines integration for Security Audit

You can now automate Security Audit of your OpenAPI definitions directly in your CI/CD pipeline in Atlassian Bitbucket Pipelines. The custom pipe REST API Static Security Testing provides a task that you can add to your pipeline and configure as needed.

For more details, see CI/CD integrations.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.16.11
    • Upgraded to the latest OpenSSL security fix (1.1.1g)
    • Better logging of shared cache loading failures
    • Ability to configure the timeout between API Firewall and the backend endpoint separately
  • 42crunch/apifirewall:v0.16.13
    • Fixed a bug in OASv3 response validation that caused API Firewall to load an empty schema instead of the one specified for some media types
    • More robust UUID generator
  • 42crunch/apifirewall:v0.17.0
    • Improvements to the syntax of protections
    • Internal optimizations
  • 42crunch/apifirewall:v0.17.2
    • Fixed deserialization of parameters defined as combined types (allOf, anyOf, oneOf)
    • cookies_in and cookies_out moved into their own sections in the transaction log
    • Fixed the format of transaction logs for security validation errors to match what the UI expects
  • 42crunch/apifirewall:v0.17.3
    • Fixed possible desynchronizations when communicating with the platform
  • 42crunch/apifirewall:v0.17.4
    • Health Check service for the frontend
  • 42crunch/apifirewall:v0.17.7
    • Fixed a bug in the OAuth2 security requirement that erroneously blocked requests
    • Fixed a possible crash with HEAD requests

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Known issues

This release has the following known issues.

Removing an API does not stop the API Firewall instance

If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.

This will be fixed in a future release.