42Crunch Platform release, January 13, 2022
This 42Crunch API Security Platform release improves security quality gates (SQGs), scan reports from API Conformance Scan, and the navigation in the platform.
New features
The following are the new features and improvements to the existing ones in this release.
Security quality gate improvements
By default, the details and quality criteria of SQGs — as well as the entry in the main navigation menu — are only visible to organization administrators. However, organization administrators can now expose SQG details and criteria so that they are visible to all users in their organization as read-only. For more details, see Define security quality gates.
You also now get a reminder to check that there are no conflicts between SQGs and customization rules if you apply both to same APIs. This is to avoid picking issue IDs as fail-on criteria in your SQG but then excluding those checks in your customization rule. See Security quality gates and customization rules.
Backward compatibility for scan reports
We have added backward compatibility for older style scan reports, so you can now view them on the UI without having to rerun the scan first.
In addition, we have fixed a bug where Conformance Scan used URL-encoded Content-Type in the request body even when the API definition explicitly allowed reserved characters.
UX improvements to search and navigation in the platform
We have improved the search in Find API and navigation in the platform:
- The search in Find API now retains your search results, so that you do not have to repeat the search when moving between the APIs it found.
- The behavior of the back button has been changed: instead of navigating to an upper level in the platform hierarchy, the back button now behaves like the back button in a browser, taking you back to the page you arrived from.
In addition, the self-registration email is again rendered properly in Yahoo! mail.
Compatibility
This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.
API Firewall images
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v1.0.13
- Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
- Upgrade to openssl 1.1.1m.
- Various small improvements.
42crunch/apifirewall:v1.0.12
- Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
- Improved matching to allow filtering API calls by IP or network addresses.
- Fixed setting the request path when $TARGET_URL contains a basepath.
- Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
42crunch/apifirewall:v1.0.11
- Support for GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
- Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
42crunch/apifirewall:v1.0.10
- Fixed cookie attribute parsing in responses.
- Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
- Updated platform CA chain.
42crunch/apifirewall:v1.0.9-1
- Fixed handling UTF-8 patterns in JSON schemas.
- Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
- Updated platform CA chain.
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Conformance Scan images
This release is compatible with the following Conformance Scan images for running it on-premises:
42crunch/scand-agent:v1.15.0
- Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
42crunch/scand-agent:v1.14.1
- Improvements to scan report.
- New environment variable REPORT_FULL for scan report.
- Skipping operations (methods) with customization rules.
- Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
- String generator in Conformance Scan now properly handles \b and other ASCII character classes.
- Upgraded Golang crypto/ssh component (CVE-2020-29652).
Known issues
This release has the following known issues.
Creation date of API Firewall instance currently not shown on the UI
The date when a particular API Firewall was created is not currently shown on the UI. This information is still correctly stored in the platform backend, but a communication mismatch has temporarily removed it from the UI.
We are working to fix this as soon as possible.
Security quality gate status not shown for regular users
The status of SQGs (did the API pass or fail the quality criteria) on the API summary tab is currently visible only to organization administrators, not to regular users, regardless of whether SQGs are exposed to all users or not.
This will be fixed in the next release.
Empty report tab for on-premises scan shows scan report from the platform
If you have never scanned your API by running Conformance Scan on premises, but have run the scan in 42Crunch Platform, the report tab for on-premises scan shows the scan report from the scan run in the platform instead of being empty. In other cases (if you have never run Conformance Scan in the platform, or you have run the scan both on-premises and in the platform), the scan report tabs correctly reflect the status of the reports.
This will be fixed in the next release.
Transferring users' assets also shown when deleting user accounts with no assets
When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.
This will be fixed in a future release.
Promoting organization administrators resets sharing permissions
Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.
This will be fixed in a future release.
Automatic sharing with everyone not possible for new SSO users
Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.
This will be fixed in a future release.
Conformance Scan string limits may conflict with minLength or maxLength values
By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.
If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.
In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
Regular expression lookaheads may cause issues
If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.
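The two known issues above (string length limits and regex lookaheads) can both be caught before a scan by linting the API definition. The following Python is an added example, not code from 42Crunch or the platform: it walks an OpenAPI definition that has already been loaded into a dict (for instance with json.load) and reports every string schema whose minLength, maxLength, or explicit regex quantifier exceeds the scan limit, plus every pattern that contains a lookahead. The 4096 limit is the default stated in the notes; SAMPLE_SPEC is a constructed definition, and the regex handling is a deliberate heuristic that reads only {n}, {n,} and {n,m} quantifiers and the (?= / (?! markers rather than interpreting the whole expression.

```python
"""Pre-scan lint for an OpenAPI definition (added example, not 42Crunch code).

Flags the situations the release notes say make Conformance Scan skip an
operation (minLength or maxLength, or an equivalent regex quantifier, above the
scan's string length limit) and patterns that use lookaheads.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

SCAN_STRING_LIMIT = 4096  # default string length limit stated in the release notes

# Bounded quantifiers: {n}, {n,} or {n,m}.  Heuristic only: it reads the explicit
# repeat counts inside the pattern and does not interpret the rest of the regex.
_QUANT_RE = re.compile(r"\{(\d+)(?:,(\d*))?\}")
# Positive (?=...) or negative (?!...) lookahead.
_LOOKAHEAD_RE = re.compile(r"\(\?[=!]")


def _walk_string_schemas(node: Any, path: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, schema) for every schema object with "type": "string"."""
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield path, node
        for key, value in node.items():
            yield from _walk_string_schemas(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_string_schemas(value, f"{path}/{index}")


def _regex_bounds(pattern: str) -> Tuple[int, int]:
    """Largest lower bound and largest upper bound over all {n,m} quantifiers."""
    lower = upper = 0
    for match in _QUANT_RE.finditer(pattern):
        n = int(match.group(1))
        m = match.group(2)  # None for {n}, "" for {n,}, digits for {n,m}
        lower = max(lower, n)
        upper = max(upper, n if m in (None, "") else int(m))
    return lower, upper


def lint_string_limits(spec: Dict[str, Any], limit: int = SCAN_STRING_LIMIT) -> List[Tuple[str, str, str]]:
    """Return (schema path, reason code, message) for every string schema the scan
    would have trouble with.  Reason codes: minLength, maxLength, pattern-min,
    pattern-max, lookahead."""
    findings: List[Tuple[str, str, str]] = []
    for path, schema in _walk_string_schemas(spec):
        min_len = schema.get("minLength", 0)
        max_len = schema.get("maxLength", 0)
        if min_len > limit:
            findings.append((path, "minLength",
                             f"minLength {min_len} exceeds scan limit {limit}: happy-path request cannot be built"))
        if max_len > limit:
            findings.append((path, "maxLength",
                             f"maxLength {max_len} exceeds scan limit {limit}: scan requests cannot be built"))
        pattern = schema.get("pattern")
        if not pattern:
            continue
        lower, upper = _regex_bounds(pattern)
        if lower > limit:
            findings.append((path, "pattern-min",
                             f"pattern requires at least {lower} characters, above scan limit {limit}"))
        elif upper > limit:
            findings.append((path, "pattern-max",
                             f"pattern allows up to {upper} characters, above scan limit {limit}"))
        if _LOOKAHEAD_RE.search(pattern):
            findings.append((path, "lookahead",
                             "pattern uses a lookahead, which may behave unexpectedly during the scan"))
    return findings


# Constructed sample definition (not a real API): one clean property and three
# that trip the checks above.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "properties": {
                                    "name": {"type": "string", "maxLength": 64},
                                    "bio": {"type": "string", "minLength": 5000},
                                    "token": {"type": "string",
                                              "pattern": "^(?=.*[0-9])[A-Za-z0-9]{8,32}$"},
                                    "blob": {"type": "string",
                                             "pattern": "^[a-f0-9]{8192}$"},
                                },
                            }
                        }
                    }
                }
            }
        }
    },
}

if __name__ == "__main__":
    for path, code, message in lint_string_limits(SAMPLE_SPEC):
        print(f"{code:12} {path}\n             {message}")
```

Running the block prints three findings for the sample: "bio" (minLength 5000 cannot be met within the 4096 limit, so no happy-path request), "blob" (the pattern demands exactly 8192 characters), and "token" (a lookahead). The "name" property is within the limit and is not reported. Fixing the flagged operations in the definition before scanning avoids them turning up as skipped operations in the report.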