42Crunch Platform release, February 2, 2022

This 42Crunch API Security Platform release introduces the completely re-designed scan reports on API Conformance Scan, and improves security quality gate (SQG) visibility.

New features

The following are the new features and improvements to the existing ones in this release.

Fully re-designed scan report in Conformance Scan

The scan report has been completely overhauled to provide more meaningful information:

  • New "Critical to Success" filter bar helps you to focus on the most critical things first.

    The screenshot shows an example filter row for results from a scan. The results on response codes and contract conformance are ordered from the worst cases on the left to those where everything is good on the right. The filter bar also shows the percentage of each result class from the total number of tests run.

  • Follow your progress as you fix the issues and the test results move towards the all-green on the right.
  • Find out what issues from the OWASP API Security Top 10 list the scan uncovered in your API.
  • Found issues now show how severe they are, so you can be sure you are fixing the most critical things first.

An example of a scan report

To see this latest version of the scan report with the "Critical to Success" filter bar, you need to scan your API again. Otherwise, you see the old-style scan report with the bar charts for paths above the list of found issues. If running Conformance Scan on premises, you need 42crunch/scand-agent:v1.16.0 or later to get the new-style scan report.

To properly show the progress in fixing found issues, the default behavior of scan has been changed: it no longer omits the issues where no problems were found from the scan report, but includes everything by default to make it easy for you to verify that an issue indeed got fixed.

For more details on the new scan report and how results are divided on the "Critical to Success" bar, see Scan report and Response validation.

In addition, if you have never run Conformance Scan on-premises, the on-premises scan tab again correctly shows that, instead of showing the report from a scan run in 42Crunch Platform.

Security quality gate visibility

The details and quality criteria of SQGs, their status, and the approval reports are now visible to everyone in an organization by default. However, organization administrators can still choose to restrict the visibility of SQG details so that they are only visible to organization administrators. See Define security quality gates.

The SQG status of an API is now shown already in the API list in an API collection.

The API collection pictured shows five APIs, two of which have passed all SQGs applied to them, while the remaining three show they have failed some of the SQGs.

Automatic default customization rules for Security Audit and Conformance Scan

Like with SQGs, each organization now gets an empty default audit rule and a default scan rule out of the box.

These rules cannot be deleted, but you can edit them as you want. If your organization already had a default audit or scan rule, the existing rules have been retained.

For more details, see Default customization rules.

Configuring API Firewall to connect to 42Crunch Platform through an HTTPS proxy

If the connection from the API Firewall instance protecting your API to 42Crunch Platform must go through an HTTPS proxy, you can use the environment variable to point API Firewall to the correct proxy server.

For more details, see Set API Firewall to connect to the platform through an HTTPS proxy.

In addition, the creation date of API Firewall instances is again properly shown on the UI.

Support for security quality gates in the CI/CD integration plugin for Azure Pipelines

If you have integrated your Azure Pipelines CI/CD with 42Crunch Platform using the integration plugin, the plugin now automatically checks the status of all SQGs applied to the APIs it finds when it runs. If any of the SQGs fail, the build automatically fails too, so you can be sure no bad APIs can slip into your codebase.

For more details, see Integrate Security Audit with Azure Pipelines.

Currently, only Azure Pipelines integration supports SQGs, with other CI/CD integration plugins following shortly.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
    • Upgrade to openssl 1.1.1m.
    • Various small improvements.
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
    • Improved matching to allow filtering API calls by IP or network addresses.
    • Fixed setting the request path when $TARGET_URL contains a basepath.
    • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to OpenSSL 1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.16.0
    • Fully revamped scan report.
  • 42crunch/scand-agent:v1.15.0
    • Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
  • 42crunch/scand-agent:v1.14.1
    • Improvements to scan report.
    • New environment variable REPORT_FULL for scan report.
    • Skipping operations (methods) with customization rules.
    • Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
    • String generator in Conformance Scan now properly handles \b and other ASCII character classes.
    • Upgraded Golang crypto/ssh component (CVE-2020-29652).

Known issues

This release has the following known issues.

Filter for "Operations not tested" not yet working

The filter for showing the operations that Conformance Scan could not test is not yet working. However, you can still view the details for failed happy path requests through the path filter on the left.

An example screenshot showing scanned and skipped operations on the filter sidebar.

This will be fixed in a future release.

UI allows deleting default customization rules

The UI still shows the option to delete even default customization rules. However, the implementation no longer allows this, so you get an error if you try it.

The option will be removed from the UI in next release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Transferring users' assets also shown when deleting user accounts with no assets

When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.

This will be fixed in a future release.

Promoting organization administrators resets sharing permissions

Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of strings in the requests it sends during the scan to 4096. If the minLength or maxLength properties, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example in Conformance Scan.
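Both of the Conformance Scan caveats above (the 4096 string length limit and regular expression lookaheads) can be checked in an API definition before scanning. The following is an added example, not part of these release notes or of 42Crunch's own tooling: it walks a JSON OpenAPI definition and flags string schemas whose minLength or maxLength exceeds the default limit, or whose pattern uses a lookahead or lookbehind; the sample API fragment is constructed.

```python
import json
import re

# Conformance Scan's default maximum request string length, per the release notes.
SCAN_MAX_STRING_LENGTH = 4096
# Positive/negative lookahead and lookbehind constructs: (?= (?! (?<= (?<!
LOOKAROUND_RE = re.compile(r"\(\?<?[=!]")

def _walk_string_schemas(node, path="#"):
    """Yield (json_pointer, schema) for every node that carries string constraints."""
    if isinstance(node, dict):
        if node.get("type") == "string" or any(k in node for k in ("pattern", "minLength", "maxLength")):
            yield path, node
        for key, value in node.items():
            # Escape "/" and "~" as RFC 6901 requires when building the pointer.
            yield from _walk_string_schemas(value, f"{path}/{str(key).replace('~', '~0').replace('/', '~1')}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_string_schemas(value, f"{path}/{i}")

def find_scan_conflicts(api_definition, limit=SCAN_MAX_STRING_LENGTH):
    """Return (json_pointer, reason) pairs for string schemas the scan cannot exercise as written."""
    findings = []
    for path, schema in _walk_string_schemas(api_definition):
        min_len, max_len, pattern = schema.get("minLength"), schema.get("maxLength"), schema.get("pattern")
        if isinstance(min_len, int) and min_len > limit:
            findings.append((path, f"minLength {min_len} > {limit}: happy path request cannot be built"))
        if isinstance(max_len, int) and max_len > limit:
            findings.append((path, f"maxLength {max_len} > {limit}: scan requests cannot be built"))
        if isinstance(pattern, str) and LOOKAROUND_RE.search(pattern):
            findings.append((path, "pattern uses a lookaround, which may cause unexpected scan behavior"))
    return findings

# Constructed sample OpenAPI fragment (not a real API): one clean property and three conflicts.
SAMPLE_API = json.loads("""{
  "openapi": "3.0.0",
  "paths": {"/notes": {"post": {"requestBody": {"content": {"application/json": {"schema": {
    "type": "object",
    "properties": {
      "title": {"type": "string", "maxLength": 120},
      "body":  {"type": "string", "maxLength": 65536},
      "blob":  {"type": "string", "minLength": 8192},
      "slug":  {"type": "string", "pattern": "^(?!admin)[a-z-]+$"}
    }}}}}}}}
}""")

if __name__ == "__main__":
    for pointer, reason in find_scan_conflicts(SAMPLE_API):
        print(f"{pointer}: {reason}")
```

Run it against a definition exported from the platform as JSON; each flagged pointer is a schema to fix before the operation can be scanned.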