42Crunch Platform release, June 16, 2021

This 42Crunch API Security Platform release introduces executive dashboards to the platform, full support for x‑nullable, and some improvements to API Conformance Scan.

New features

The following are the new features and improvements to the existing ones in this release.

Executive dashboards for organization administrators

We have added new executive dashboards that show the ongoing trends in the APIs in an organization. This gives organization administrators an overall view of what is going on in their organization.

An example screenshot showing the executive dashboard page populated with statistics.

To view executive dashboards, click Dashboard in the main menu of 42Crunch Platform.

The collection dashboards in API collections and the security dashboards of APIs remain as they are and are accessible to all users, not just organization administrators.

For more details, see API monitoring.

Support for the x-nullable extension to the OpenAPI Specification

42Crunch Platform now fully supports the x‑nullable extension to the OpenAPI Specification (OAS) v2, a workaround for the lack of support for null type in JSON schemas.

Some tooling, including all features of 42Crunch Platform, supports this workaround, but the support is not universal. Using x‑nullable together with required in your schemas can also cause problems. For proper support, we recommend switching from OAS v2 to OAS v3.

For more details, see APIs and API collections.

If you are using the extension x‑nullable in your OpenAPI definitions, this update may affect the audit score of your APIs.
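As an added example (not 42Crunch code), the following small checker shows what x‑nullable changes in practice: the same contract written once with the OAS v2 extension and once with the native OAS v3 nullable keyword, and a switch that makes the checker behave like tooling that does not know the extension. The schemas and instances are constructed for the example; the only assumption about x‑nullable is the one stated above, that it marks a value as allowed to be JSON null.

```python
from __future__ import annotations
from typing import Any

# Constructed OAS v2 schema: `id` is required but may be null via the
# x-nullable extension; `name` is required and not nullable.
USER_SCHEMA_V2 = {
    "type": "object",
    "required": ["id", "name"],
    "properties": {
        "id": {"type": "integer", "x-nullable": True},
        "name": {"type": "string"},
    },
}

# The same contract in OAS v3, which has a native `nullable` keyword.
USER_SCHEMA_V3 = {
    "type": "object",
    "required": ["id", "name"],
    "properties": {
        "id": {"type": "integer", "nullable": True},
        "name": {"type": "string"},
    },
}

JSON_TYPES = {
    "string": str,
    "integer": int,
    "number": (int, float),
    "boolean": bool,
    "object": dict,
    "array": list,
}


def is_nullable(schema: dict, honour_x_nullable: bool = True) -> bool:
    """Accept either spelling. With honour_x_nullable=False the checker
    behaves like tooling that does not know the OAS v2 extension."""
    if schema.get("nullable"):
        return True
    return honour_x_nullable and bool(schema.get("x-nullable"))


def validate(instance: Any, schema: dict, path: str = "$",
             honour_x_nullable: bool = True) -> list[str]:
    """Return violation messages; an empty list means the instance is valid."""
    errors: list[str] = []
    if instance is None:
        # null is only acceptable when the schema opts in to it.
        if not is_nullable(schema, honour_x_nullable):
            errors.append(f"{path}: null not allowed (type {schema.get('type')})")
        return errors
    expected = schema.get("type")
    if expected in JSON_TYPES:
        # bool is a subclass of int in Python; keep integer/number strict.
        if isinstance(instance, bool) and expected in ("integer", "number"):
            return [f"{path}: expected {expected}, got boolean"]
        if not isinstance(instance, JSON_TYPES[expected]):
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    if expected == "object":
        # `required` only demands that the key is PRESENT; a present key
        # holding null is then judged by the nullable rule above.
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}",
                                       honour_x_nullable))
    return errors


if __name__ == "__main__":
    sample = {"id": None, "name": "alice"}
    print("v2, extension understood:", validate(sample, USER_SCHEMA_V2))
    print("v2, extension ignored:   ",
          validate(sample, USER_SCHEMA_V2, honour_x_nullable=False))
    print("v3 nullable:             ", validate(sample, USER_SCHEMA_V3))
```

The run shows the interoperability point: the same `{"id": null, ...}` payload is valid for a tool that understands x‑nullable and invalid for one that does not, while the OAS v3 form has only one reading. It also shows that `required` is satisfied by a present null, so a property that must be both present and non-null needs `required` without any nullable marker.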

Better handling of non-JSON content types in Conformance Scan

We have improved how Conformance Scan handles request and response bodies where the content type is not JSON:

  • Request bodies in POST and PUT operations are now generated properly
  • Non-JSON response bodies are processed as usual

In addition, we have clarified and improved the error and other messages that Conformance Scan generates, and removed the limitations to regular expressions in the pattern property.

New UX improvements

There are also several smaller improvements to the user experience:

  • API collections must now be explicitly shared if created on the UI. The CI/CD plugins still support defining a default setting for sharing any new API collections that the plugin creates.
  • The search in Find API is no longer case-sensitive and also properly handles any characters that are not valid.
  • The JSON format of the API definition to be imported is now validated as soon as you select the file on the UI.
  • Clarifications to documentation on managing passwords directly in 42Crunch Platform.

Updates to SonarQube integration

We have added instructions on how to configure a custom quality gate for the REST API Static Security Testing plugin in SonarQube. You can now also exclude a particular SonarQube project from the plugin.

For more details, see Integrate Security Audit with SonarQube.

Sample AWS CloudFormation templates and deployment guide for API Firewall

We have added sample resources and a dedicated deployment guide for deploying API Firewall to Amazon ECS on AWS Fargate using AWS CloudFormation templates.

For more details, see Protect APIs.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.7
    • Fixed loading of path parameters with different definitions in each operation.
    • Upgrade to httpd-2.4.48 (CVE-2021-31618, CVE-2021-30641, CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, CVE-2020-13950, CVE-2020-13938, CVE-2019-17567).
  • 42crunch/apifirewall:v1.0.6
    • Fixed blocking query parameters that are not defined in the API definition of the protected API.
    • Fixed invalid decoding of multipart/form-data.
  • 42crunch/apifirewall:v1.0.5
    • Upgrade to openssl-1.1.1k (CVE-2021-3450, CVE-2021-3449).
  • 42crunch/apifirewall:v1.0.4
    • Compatibility with the new platform.
    • Improved error messages on unrecoverable errors.
    • Fixed memory leak on restart (schema regex).
    • Fixed possible crash with large response bodies.
    • Improved the engine performance of regular expressions.
    • Fixed the handling of form-data and x-www-form-urlencoded payloads with OAS v3.
    • Harmonized console logs.
    • Support for sending logs to STDOUT.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.8.6
    • Fixed happy path request generation with the value from default or x-42c-sample.
  • 42crunch/scand-agent:v1.8.3 
    • Removed the unnecessary JSON complexity check.
    • Scan configurations can be pushed with API key in addition to session ID.
  • 42crunch/scand-agent:v1.8.1 
    • Improved JSON schema library.
    • Improved messages.
    • Case-insensitive header name evaluation.
    • Option to reuse values sent during the happy path requests as a basic example (can cause problems if the API has some value constraints, like unique ID, email, or name, as the scan could be unable to generate a value for a really specific case).
  • 42crunch/scand-agent:v1.7.4
    • Fixed handling of multipleOf when its range is [0;0.50].
  • 42crunch/scand-agent:v1.6.0
    • This version replaces 42crunch/scand-agent:v1.5.2-bugfix01.
    • Environment variables for communicating through a proxy with both the platform and the APIs.
    • Scan handles null values in API responses.
  • 42crunch/scand-agent:v1.5.1
    • New test partial_security_accepted for testing how missing security requirements are handled.
    • TLS configuration allows a remote server to repeatedly request renegotiation.
    • Improved handling of slashes (/) and wildcards like application/* in test requests and JSON encoder.
    • Masked credentials and other small improvements in scan logs.
    • More details shown when a happy path request fails.
    • Improved generation of strings, numbers, integers, and arrays.
    • Support for proxy configuration.

Known issues

This release has the following known issues.

Security Audit does not verify the format of vendor extensions

At the moment, Security Audit does not verify that you have used the correct format for vendor extensions to the OpenAPI Specification (OAS). According to the OAS, the field names of vendor extensions must begin with x-. However, Security Audit does not flag it as an error if the field name is missing the x-.

This will be fixed in a future release.
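Until the check lands in Security Audit, the gap can be covered with a small lint of your own. The following is an added example, not 42Crunch code: it walks the root, Info and Operation objects of an OAS v3.0 document and reports any key that is neither a field defined by the specification for that object nor prefixed with x-. The field sets are those of OAS v3.0; restricting the lint to these three object types is a choice made for this example, and the sample document is constructed.

```python
from __future__ import annotations

# Fields defined by OAS v3.0 for the objects this lint covers (other objects
# are not checked here; extending the lint means adding their field sets).
ROOT_FIELDS = {"openapi", "info", "servers", "paths", "components",
               "security", "tags", "externalDocs"}
INFO_FIELDS = {"title", "description", "termsOfService", "contact",
               "license", "version"}
OPERATION_FIELDS = {"tags", "summary", "description", "externalDocs",
                    "operationId", "parameters", "requestBody", "responses",
                    "callbacks", "deprecated", "security", "servers"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def unknown_fields(obj: dict, known: set[str], path: str) -> list[str]:
    """Report keys that are neither spec fields nor valid vendor extensions."""
    return [f"{path}.{key}: not an OAS field and not prefixed with 'x-'"
            for key in obj if key not in known and not key.startswith("x-")]


def lint_vendor_extensions(doc: dict) -> list[str]:
    """Walk root, info and every operation; return one message per offending key."""
    findings = unknown_fields(doc, ROOT_FIELDS, "$")
    findings += unknown_fields(doc.get("info", {}), INFO_FIELDS, "$.info")
    for route, path_item in doc.get("paths", {}).items():
        for method, operation in path_item.items():
            if method in HTTP_METHODS and isinstance(operation, dict):
                findings += unknown_fields(operation, OPERATION_FIELDS,
                                           f"$.paths['{route}'].{method}")
    return findings


# Constructed sample: one well-formed extension (x-audience) and two keys
# that lost their prefix and would not be flagged by Security Audit today.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Pets", "version": "1.0.0",
             "x-audience": "internal", "owner": "team-a"},
    "paths": {
        "/pets": {
            "get": {"responses": {"200": {"description": "ok"}},
                    "rate-limit-tier": "gold"},
        }
    },
}

if __name__ == "__main__":
    for finding in lint_vendor_extensions(SAMPLE_DOC):
        print(finding)
```

Running it on the sample reports `$.info.owner` and `$.paths['/pets'].get.rate-limit-tier`; `x-audience` passes because it carries the prefix. The same approach extends to any other OAS object by adding its field set from the specification.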

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of the strings in the requests it sends during the scan to 4096. If the minLength or maxLength properties, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, the scan runs into issues.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
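The following is an added example, not 42Crunch code, that preflights an API definition for this issue before a scan: it walks every string schema, reads minLength and maxLength directly, and distinguishes the two outcomes described above (no happy path request possible versus happy path possible but scan requests skipped). For the pattern keyword it applies a heuristic over explicit `{n}`, `{n,}` and `{n,m}` quantifiers, taking the largest single quantifier as a lower bound on the required length; that is an approximation made for this example, and the 4096 default and the sample definition are the only other inputs, the latter constructed.

```python
from __future__ import annotations
import re
from typing import Iterator

SCAN_STRING_LIMIT = 4096  # default string length limit quoted in the release notes
QUANTIFIER = re.compile(r"\{(\d+)(?:,(\d*))?\}")


def regex_length_bounds(pattern: str) -> tuple[int, int | None]:
    """Heuristic length bounds from explicit quantifiers.

    Returns (lo, hi): lo is the largest single lower bound (a conservative
    floor, since quantifiers in sequence would add up); hi is the largest
    upper bound, or None when an open-ended `{n,}` is present. A pattern with
    no quantifiers yields (0, 0), meaning "nothing known"."""
    lo, hi = 0, 0
    for m in QUANTIFIER.finditer(pattern):
        n, upper = int(m.group(1)), m.group(2)
        lo = max(lo, n)
        if upper == "":            # {n,} has no upper bound
            hi = None
        elif hi is not None:       # {n} or {n,m}
            hi = max(hi, n if upper is None else int(upper))
    return lo, hi


def check_string_schema(schema: dict, path: str,
                        limit: int = SCAN_STRING_LIMIT) -> list[str]:
    """Report conflicts between one string schema and the scan's length limit."""
    findings = []
    if schema.get("minLength", 0) > limit:
        findings.append(f"{path}: minLength {schema['minLength']} > {limit}; "
                        "no happy path request possible, operation skipped")
    if schema.get("maxLength", 0) > limit:
        findings.append(f"{path}: maxLength {schema['maxLength']} > {limit}; "
                        "happy path ok, scan requests skipped")
    if "pattern" in schema:
        lo, hi = regex_length_bounds(schema["pattern"])
        if lo > limit:
            findings.append(f"{path}: pattern needs at least {lo} chars > {limit}; "
                            "no happy path request possible, operation skipped")
        elif hi is not None and hi > limit:
            findings.append(f"{path}: pattern allows up to {hi} chars > {limit}; "
                            "happy path ok, scan requests skipped")
    return findings


def walk_string_schemas(node, path: str = "$") -> Iterator[tuple[dict, str]]:
    """Yield (schema, json_path) for every object with type: string, anywhere."""
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield node, path
        for key, value in node.items():
            yield from walk_string_schemas(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk_string_schemas(item, f"{path}[{i}]")


def preflight(doc: dict, limit: int = SCAN_STRING_LIMIT) -> list[str]:
    """Collect every string-length conflict in an OpenAPI document."""
    findings = []
    for schema, path in walk_string_schemas(doc):
        findings.extend(check_string_schema(schema, path, limit))
    return findings


# Constructed sample definition with one clean field and three conflicts.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Notes", "version": "1.0.0"},
    "paths": {"/notes": {"post": {
        "requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {
                "title": {"type": "string", "maxLength": 120},
                "body": {"type": "string", "maxLength": 65535},
                "blob": {"type": "string", "minLength": 5000},
                "token": {"type": "string", "pattern": "^[A-Za-z0-9]{8192}$"},
            }}}}},
        "responses": {"201": {"description": "created"}},
    }}},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_DOC):
        print(finding)
```

On the sample, `title` is clean, `body` and `token` are reported as skipped for different reasons, and `blob` cannot get a happy path request at all, matching the two cases described above. Fix the flagged constraints in the definition, then rerun the check before scanning.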

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.