42Crunch Platform release, July 9, 2020
This 42Crunch Platform release introduces issue IDs for the checks that API Security Audit runs and shows how to use them to automate Security Audit in your CI/CD pipeline. We have also changed a couple of Security Audit checks and made some minor UX improvements in the platform.
New features
The following are the new features and improvements to the existing ones in this release.
Issue IDs for Security Audit checks in CI/CD plugins
You can now use the IDs of Security Audit checks when you fine-tune the REST API Static Security Testing CI/CD plugin.
- Check the issue IDs in the issue descriptions in your audit report.
- List the IDs of the issues you do not want to let through your CI/CD pipeline as a fail_on condition in the configuration file of your CI/CD plugin.
- If any of the listed issues crop up when your pipeline builds, the task on the pipeline fails and flags the found issues in its report.
For more details, see our configuration samples in our Resources repository in GitHub for fine-tuning your integration plugin.
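As an added illustration (not one of the samples from the 42Crunch Resources repository), the following sketches how a fail_on condition listing issue IDs could look in the plugin configuration file. The file layout (the audit, branches and issue_id keys, and the branch name main) is an assumption made here for illustration, and the two issue IDs are placeholders, not real check IDs: copy the actual IDs from the issue descriptions in your audit report and take the authoritative layout from the configuration samples referenced above.

```yaml
# Assumed layout, for illustration only. Verify key names against the
# configuration samples in the 42Crunch Resources repository.
audit:
  branches:
    main:
      fail_on:
        # Placeholder issue IDs. Replace them with the IDs shown in the
        # issue descriptions of your audit report. If any listed issue is
        # found when the pipeline builds, the audit task fails and the
        # found issues are flagged in its report.
        issue_id:
          - example-issue-id-placeholder-1
          - example-issue-id-placeholder-2
```

Keep the list short and specific: every ID here is a hard gate, so list only the issues you have decided must never reach the pipeline's next stage, and review the list when a new platform release adds or moves checks.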
Updates to Security Audit checks
We have moved some checks in Security Audit:
- The check on the property allowEmptyValue has been moved to Semantics. This applies to both OpenAPI Specification (OAS) v2 and v3.
- The check on the property allowReserved has been moved to Semantics. This applies only to OAS v3.
UX improvements
In addition, there have been several small improvements, such as aligning date and time format throughout the platform.
Compatibility
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v0.16.11
- Upgrade to latest openssl security fix (1.1.1g)
- Better logging of shared cache loading failure
- Ability to configure timeout between API Firewall and backend endpoint distinctly
42crunch/apifirewall:v0.16.13
- A bug in OASv3 response validation that caused API Firewall to load an empty schema instead of the one specified for some media types fixed
- More robust UUID generator
42crunch/apifirewall:v0.17.0
- Improvements to the syntax of protections
- Internal optimizations
42crunch/apifirewall:v0.17.2
- Deserialization of parameters defined as combined types (allOf, anyOf, oneOf) fixed
- cookies_in and cookies_out moved into their own sections in the transaction log
- The format of transaction logs for security validation errors fixed to match what the UI expects
42crunch/apifirewall:v0.17.3
- Possible desynchronizations when communicating with the platform fixed
42crunch/apifirewall:v0.17.4
- Health Check service for frontend
42crunch/apifirewall:v0.17.7
- A bug on OAuth2 security requirement erroneously blocking requests fixed
- A possible crash with HEAD requests fixed
42crunch/apifirewall:v0.17.9
- Path traversals above root now return HTTP 404 instead of HTTP 400 to avoid giving any clues about existing (or nonexistent) paths
- Communication timeout with the platform adjusted
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Known issues
This release has the following known issues.
Removing an API does not stop the API Firewall instance
If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.
This will be fixed in a future release.