42Crunch Platform release, March 3, 2022

This 42Crunch API Security Platform release introduces the new audit report in API Security Audit and adds support for security quality gates (SQGs) to all CI/CD integration plugins.

New features

The following are the new features and improvements to the existing ones in this release.

Fully re-designed audit report in Security Audit

The audit report has been restructured so you can home in on the biggest issues faster:

  • Get a summary of the most common issues in your API and how many times each occurred, so you know which areas to focus on.
  • Spot the opportunities for increasing your audit score quickly by fixing the issues that take away most points.
  • Easily switch between the report overview and the list of all issues.
  • Filter the shown issues with more granularity.

Screenshot of an audit report

To avoid cluttering up the report, multiple instances of a single issue are now grouped together by default. You can still see exactly where in your API each instance occurred by clicking it.

For more details on the new audit report, see Audit report.

Support for security quality gates in all CI/CD integration plugins

We have expanded the support for SQGs to all our CI/CD integration plugins. If you have integrated your CI/CD pipeline with 42Crunch Platform using an integration plugin, the plugin now automatically checks the status of all SQGs applied to the APIs it found when it ran. If any of the SQGs failed, the build automatically fails too, so you can be sure no bad APIs slip into your codebase.

All plugins now also let you specify the syntax for default collection names and change the root directory that the plugins use. For more details, see Integrate CI/CD solutions with 42Crunch Platform.

Severity levels in security quality gates

SQGs now allow setting no restrictions for severity levels. If the default SQG interferes too much with your CI/CD on immature APIs, you can therefore move the severity restrictions from the default SQG to another SQG that you apply with tags. Note that this merely hides the quality issues from the SQG: you must remember to manually tag your APIs later to apply the tighter quality criteria.

For more details, see Edit a default security quality gate.

Naming conventions for API and API collection names

Organization administrators can now define regular expressions to set specific naming conventions for APIs and API collections. If set, the naming convention is applied in addition to the pattern already imposed by 42Crunch Platform.

If you have integrated API Security Audit into your CI/CD pipeline with an integration plugin, make sure that you do not define a naming convention that conflicts with the one that the plugin uses, especially if you have changed the default collection name. A conflict could prevent the integration plugin from working properly and disrupt your CI/CD.

For more details, see System preferences.

New parameters in JWT validation

We have added new versions of the JWT validation protections. These versions add new optional parameters for more granular configuration of the accepted tokens and JWKs.

You can also continue using the existing versions of the JWT validation protections. You only need to reconfigure API Firewall to use the new protection versions if you want to take advantage of the new parameters.

For more details, see JWT validation.

Smaller improvements

There have also been some smaller improvements:

  • You can now add a description of what each of your tag categories is for, to give context on its usage. See Create new tags and categories.
  • The UI no longer shows the delete action for default customization rules.
  • We have clarified how regular expressions can cause conflicts when API Conformance Scan generates values it uses in the scan. See Conflicts from regular expressions.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data.
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
    • Upgrade to openssl 1.1.1m.
    • Various small improvements.
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
    • Improved matching to allow filtering API calls by IP or network addresses.
    • Fixed setting the request path when $TARGET_URL contains a basepath.
    • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.17.0
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.1
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.0
    • Fully revamped scan report.
  • 42crunch/scand-agent:v1.15.0
    • Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
  • 42crunch/scand-agent:v1.14.1
    • Improvements to scan report.
    • New environment variable REPORT_FULL for scan report.
    • Skipping operations (methods) with customization rules.
    • Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
    • String generator in Conformance Scan now properly handles \b and other ASCII character classes.
    • Upgraded Golang crypto/ssh component (CVE-2020-29652).

Known issues

This release has the following known issues.

Filter for "Operations not tested" not yet working

The filter for showing the operations that Conformance Scan could not test is not yet working. However, you can still view the details for failed happy path requests through the path filter on the left.

An example screenshot showing scanned and skipped operations on the filter sidebar.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Transferring users' assets also shown when deleting user accounts with no assets

When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.

This will be fixed in a future release.

Promoting organization administrators resets sharing permissions

Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization are retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of the strings in the requests it sends during the scan to 4096 characters. If the minLength or maxLength properties, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, the scan runs into issues.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.
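The two known issues above (string constraints that conflict with the 4096-character scan limit, and lookaheads in patterns) are both easiest to catch before a scan runs, by linting the API definition. The script below is an added example written for these release notes, not 42Crunch code: it walks a parsed OpenAPI document, flags string schemas whose minLength or maxLength exceeds the limit, flags bounded regex quantifiers whose lower bound exceeds it (a heuristic, since a pattern's real length constraints can be more subtle), and flags lookarounds in patterns. The sample definition is constructed for the example; the minLength, maxLength and pattern keywords are standard JSON Schema.

```python
"""Lint an OpenAPI definition for string constraints that conflict with the
Conformance Scan string-length limit and for regex lookarounds.

Added example for the release notes above; not 42Crunch's own code.
"""
import re

# Default maximum string length Conformance Scan sends (from the release notes).
SCAN_STRING_LIMIT = 4096

# Lookarounds: (?=...), (?!...), (?<=...), (?<!...)
LOOKAROUND = re.compile(r"\(\?<?[=!]")
# Bounded quantifiers: {n}, {n,}, {n,m}; group 1 is the lower bound.
BOUNDED_QUANTIFIER = re.compile(r"\{(\d+)(?:,(\d*))?\}")


def _walk(node, location):
    """Yield (location, node) for every dict nested anywhere under node."""
    if isinstance(node, dict):
        yield location, node
        for key, value in node.items():
            yield from _walk(value, f"{location}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{location}/{index}")


def lint_string_constraints(spec, limit=SCAN_STRING_LIMIT):
    """Return a list of (location, rule, message) findings for string schemas."""
    findings = []
    for location, node in _walk(spec, ""):
        if node.get("type") != "string":
            continue
        min_len = node.get("minLength")
        max_len = node.get("maxLength")
        pattern = node.get("pattern")

        if isinstance(min_len, int) and min_len > limit:
            # Scan cannot build the happy path request, so the operation is skipped.
            findings.append((location, "minLength-exceeds-limit",
                             f"minLength {min_len} exceeds scan limit {limit}"))
        if isinstance(max_len, int) and max_len > limit:
            # Happy path request works, but scan requests at that length cannot be built.
            findings.append((location, "maxLength-exceeds-limit",
                             f"maxLength {max_len} exceeds scan limit {limit}"))
        if isinstance(pattern, str):
            for match in BOUNDED_QUANTIFIER.finditer(pattern):
                if int(match.group(1)) > limit:
                    findings.append((location, "pattern-quantifier-exceeds-limit",
                                     f"quantifier {match.group(0)} requires more than {limit} characters"))
            if LOOKAROUND.search(pattern):
                findings.append((location, "pattern-lookaround",
                                 "pattern uses a lookahead/lookbehind; may misbehave in the scan"))
    return findings


# Constructed sample definition: one operation with four string properties.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/notes": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "title": {"type": "string", "maxLength": 200},
                        "body": {"type": "string", "minLength": 5000},
                        "attachment": {"type": "string", "maxLength": 8192},
                        "report": {"type": "string", "pattern": "^[A-Za-z]{5000,}$"},
                        "slug": {"type": "string", "pattern": "^(?!admin)[a-z0-9-]{1,64}$"},
                    },
                }}}},
            }
        }
    },
}


if __name__ == "__main__":
    for location, rule, message in lint_string_constraints(SAMPLE_SPEC):
        print(f"{rule}: {message} at {location}")
```

Run it against a definition loaded with a YAML or JSON parser instead of SAMPLE_SPEC; every finding is an operation the scan report would otherwise list as skipped or as behaving oddly, and each should be fixed in the definition before scanning.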