42Crunch Platform release, July 22, 2020

This 42Crunch Platform release brings improvements to the documentation of API Protection, as well as some UX and performance improvements in the platform.

New features

The following are the new features and improvements to the existing ones in this release.

Improved documentation for API Protection and API Firewall

You can now use the IDs of Security Audit checks when you fine-tune the REST API Static Security Testing CI/CD plugin.

  • API Firewall has been split into its own page under API Protection to allow adding more details without the page getting overly long.
  • Much more information has been added on API Firewall, such as details on TLS and deployment configuration. See API Firewall.
  • A description of exactly how API Firewall validates requests and responses has been added. See How API Firewall validates API traffic.
  • The instructions on how to deploy API Firewall have been simplified, and links to both the detailed guides and the resources for different environments in our public resources repository have been included. See Protect APIs.
  • If you do not have certificates you could use when configuring TLS for API Firewall, we have now included a few options for how you could obtain them. See How to generate certificate/key pair for TLS configuration?.
  • All deployment properties used to configure an API Firewall have been collected on a single page for easy reference regardless of your chosen deployment environment. See API Firewall variables.

Read/Write access for organization administrators

Organization administrators now have full access to all API collections in their organization. This allows the organization administrators to remove user accounts that are no longer needed but that still have API collections.

For more details, see Users and organizations.

Account settings clarified

We have also restructured the account settings under your user profile.

  • Settings for organization administrators have been split into their own dedicated section.
  • You can now access each settings tab directly under your user name.

For more details, see Users and organizations.

Improved performance

We have made some adjustments to the performance and application resiliency in 42Crunch Platform:

  • The UI now pre-loads and caches data when navigating transaction logs, so that the data is already there when you need it.
  • In the rare case that the platform fails to load your organization or user account, you now get a notification that lets you reload it.

Compatibility

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v0.16.11
    • Upgraded to the latest OpenSSL security fix (1.1.1g)
    • Better logging of shared cache loading failures
    • Ability to configure the timeout between API Firewall and the backend endpoint separately
  • 42crunch/apifirewall:v0.16.13
    • A bug in OASv3 response validation that caused API Firewall to load an empty schema instead of the one specified for some media types fixed
    • More robust UUID generator
  • 42crunch/apifirewall:v0.17.0
    • Improvements to the syntax of protections
    • Internal optimizations
  • 42crunch/apifirewall:v0.17.2
    • Deserialization of parameters defined as combined types (allOf, anyOf, oneOf) fixed
    • cookies_in and cookies_out moved into their own sections in the transaction log
    • The format of transaction logs for security validation errors fixed to match what the UI expects
  • 42crunch/apifirewall:v0.17.3
    • Possible desynchronizations when communicating with the platform fixed
  • 42crunch/apifirewall:v0.17.4
    • Health Check service for frontend
  • 42crunch/apifirewall:v0.17.7
    • A bug in OAuth2 security requirements that erroneously blocked requests fixed
    • A possible crash with HEAD requests fixed
  • 42crunch/apifirewall:v0.17.9
    • Path traversals above root now return HTTP 404 instead of HTTP 400 to avoid giving any clues about existing (or nonexistent) paths
    • Communication timeout with the platform adjusted
  • 42crunch/apifirewall:v0.17.11
    • A bug in allOf validation fixed
    • Better connection recovery when communication with the platform is lost
  • 42crunch/apifirewall:v0.17.14
    • A bug in the validation of security requirements when there is no parameter for the same 'in' location fixed
    • The request UUID is now always written on fault
    • A possible crash in debug mode when validating the response fixed
    • The validation of required header parameters fixed

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
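The v0.17.9 change that answers path traversals above the root with HTTP 404 rather than HTTP 400 is a general gateway hardening: a distinct error code for "climbed above root" tells a caller that the path was parsed and rejected for a specific reason, whereas a uniform 404 looks the same as any unknown route. The following Python example is added here to illustrate that behaviour; it is not 42Crunch code and does not reflect how API Firewall implements path resolution internally. The route table (KNOWN_PATHS) and the sample request paths are constructed for the example.

```python
from urllib.parse import unquote

# Hypothetical route table, constructed for this example.
KNOWN_PATHS = {"/api/v1/users", "/api/v1/users/me", "/health"}


def resolve_path(raw_path):
    """Normalize a request path the way a gateway must before matching routes.

    Strips the query string and fragment, percent-decodes once (so that
    %2e%2e is seen as ".."), then resolves "." and ".." segment by segment.
    Returns None when ".." would climb above the root, and the clean
    absolute path otherwise.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    segments = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty segments ("//") and "." change nothing
        if segment == "..":
            if not segments:
                return None  # would escape the root
            segments.pop()
        else:
            segments.append(segment)
    return "/" + "/".join(segments)


def route_status(raw_path, known_paths=KNOWN_PATHS):
    """Return the HTTP status a request path would receive from the router.

    A traversal above the root gets the same 404 as any unknown path, so the
    response does not distinguish "malformed" from "not found".
    """
    resolved = resolve_path(raw_path)
    if resolved is None:
        return 404
    return 200 if resolved in known_paths else 404


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/api/v1/users",
        "/api/v1/./users/../users?page=2",
        "/api/v1/nope",
        "/api/../../outside",
        "/%2e%2e/%2e%2e/outside",
    ]
    for p in samples:
        print(f"{p!r:36} -> resolved={resolve_path(p)!r} status={route_status(p)}")
```

Note that the function decodes percent-encoding exactly once; a gateway that decoded repeatedly would accept double-encoded segments, while one that never decoded would miss "%2e%2e". Whichever policy is chosen, the point of the change above is that the rejected request and a plain miss produce an identical response.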

Known issues

This release has the following known issues.

Organization administrators see all API collections

All API collections in an organization are visible to all organization administrators as if the collections were their own, both on the API Collections page and in the monitoring dashboards for API collections.

We recommend using collection names that are more descriptive than just the organization or company name, so that all collections can be told apart. For more details on changing the names of API collections, see Rename API collections.

Removing an API does not stop the API Firewall instance

If you delete an API from 42Crunch Platform and that API has an active API Firewall instance protecting it, API Firewall continues to run unless you specifically stop it. The same happens if the protection token that the API Firewall instance uses is deleted or otherwise becomes invalid.

This will be fixed in a future release.