42Crunch Platform release, July 9, 2020

This 42Crunch Platform release introduces issue IDs for the checks that API Security Audit runs and shows how to use them to automate Security Audit in your CI/CD pipeline. We have also moved a couple of Security Audit checks to a different category and made some minor UX improvements in the platform.

New features

The following are the new features and the improvements to existing features in this release.

Issue IDs for Security Audit checks in CI/CD plugins

You can now use the IDs of Security Audit checks when you fine-tune the REST API Static Security Testing CI/CD plugin.

  • Check the issue IDs in the issue descriptions in your audit report.
  • List the IDs of the issues you do not want to let through your CI/CD pipeline as a fail_on condition in the configuration file of your CI/CD plugin.
  • If the audit finds any of the listed issues when your pipeline runs, the plugin task fails the build and flags the found issues in its report.

For more details and configuration samples for fine-tuning your integration plugin, see our Resources repository on GitHub.
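As an added illustration, not a sample taken from the 42Crunch Resources repository, the fragment below shows what such a fail_on condition could look like in the plugin's configuration file. The file name 42c-conf.yaml, the key path audit.branches.<branch>.fail_on, the score thresholds and the issue IDs are all assumptions made for this example; take the real IDs from the issue descriptions in your audit report and the real key names from the configuration samples in the Resources repository.

```yaml
# Illustrative plugin configuration (assumed layout, not an official 42Crunch sample).
# Settings are per branch: this block applies when the pipeline builds "master".
audit:
  branches:
    master:
      fail_on:
        # Assumed: minimum audit sub-scores the API must reach; the task fails
        # when the audit scores lower than these.
        score:
          data: 70
          security: 30
        # Issue IDs that fail the build even if the scores above are met.
        # The IDs below are hypothetical placeholders; copy the real IDs from
        # the issue descriptions in your audit report.
        issue_id:
          - v3-example-issue-id-one
          - v3-example-issue-id-two
```

Listing issue IDs works independently of the score thresholds: a single listed issue fails the task even when the API's overall audit score would otherwise pass, which is what makes the list useful for issues you never want to reach production.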

Updates to Security Audit checks

We have moved some checks to a different category in Security Audit:

  • The check on the property allowEmptyValue has been moved to Semantics. This applies to both OpenAPI Specification (OAS) v2 and v3.
  • The check on the property allowReserved has been moved to Semantics. This applies only to OAS v3.

UX improvements

In addition, there have been several small improvements, such as aligning the date and time format throughout the platform.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.16.11
    • Upgraded to the latest OpenSSL security fix release (1.1.1g)
    • Better logging of shared cache loading failures
    • Ability to configure the timeout between API Firewall and the backend endpoint separately
  • 42crunch/apifirewall:v0.16.13
    • Fixed a bug in OASv3 response validation that caused API Firewall to load an empty schema instead of the one specified for some media types
    • More robust UUID generator
  • 42crunch/apifirewall:v0.17.0
    • Improvements to the syntax of protections
    • Internal optimizations
  • 42crunch/apifirewall:v0.17.2
    • Fixed deserialization of parameters defined as combined types (allOf, anyOf, oneOf)
    • Moved cookies_in and cookies_out to their own sections in the transaction log
    • Fixed the format of transaction log entries for security validation errors to match what the UI expects
  • 42crunch/apifirewall:v0.17.3
    • Fixed possible desynchronization when communicating with the platform
  • 42crunch/apifirewall:v0.17.4
    • Health check service for the frontend
  • 42crunch/apifirewall:v0.17.7
    • Fixed a bug where an OAuth2 security requirement erroneously blocked requests
    • Fixed a possible crash on HEAD requests
  • 42crunch/apifirewall:v0.17.9
    • Path traversal attempts that resolve above the root now return HTTP 404 instead of HTTP 400, so the response no longer reveals whether the targeted path exists
    • Adjusted the communication timeout with the platform

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Known issues

This release has the following known issues.

Removing an API does not stop the API Firewall instance

If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, the API Firewall instance continues to run until you explicitly stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid: stop the instance yourself, and do not assume that removing the API or its token has taken the firewall out of service.

This will be fixed in a future release.