42Crunch Platform release, March 3, 2022
This 42Crunch API Security Platform release introduces the new audit report in API Security Audit and adds support for security quality gates (SQGs) to all CI/CD integration plugins.
New features
The following are the new features and improvements to the existing ones in this release.
Fully re-designed audit report in Security Audit
The audit report has been restructured so you can home in on the biggest issues faster:
- Get a summary of the most common issues in your API and how many times each occurred, for better awareness of the areas you need to focus on.
- Spot the opportunities for increasing your audit score quickly by fixing the issues that take away most points.
- Easily switch between the report overview and the list of all issues.
- Filter the shown issues with more granularity.
To avoid cluttering up the report, multiple instances of a single issue are now grouped together by default. You can still see exactly where in your API they occurred by clicking each instance.
For more details on the new audit report, see Audit report.
Support for security quality gates in all CI/CD integration plugins
We have expanded the support for SQGs to all our CI/CD integration plugins. If you have integrated your CI/CD pipeline with 42Crunch Platform using the integration plugin, the plugin now automatically checks the status of all SQGs applied to the APIs it found when it ran. If any of the SQGs fail, the build automatically fails too, so you can be sure no bad APIs slip into your codebase.
All plugins now also let you specify the syntax for default collection names and change the root directory that the plugins use. For more details, see Integrate CI/CD solutions with 42Crunch Platform.
Severity levels in security quality gates
SQGs now allow setting no restrictions on severity levels. If the default SQG interferes with your CI/CD too much on immature APIs, you can move the severity restrictions from the default SQG to another SQG that you apply with tags. Note that this merely hides the quality issues from the SQG: you need to remember to manually tag your APIs to apply the tighter quality criteria later.
For more details, see Edit a default security quality gate.
Naming conventions for API and API collection names
Organization administrators can now define regular expressions to set specific naming conventions for APIs and API collections. If set, the naming convention is applied in addition to the pattern already imposed by 42Crunch Platform.
If you have integrated API Security Audit into your CI/CD pipeline with the integration plugin, make sure that you do not define a naming convention that conflicts with the one the plugin uses, especially if you have changed the default collection name. A conflicting convention could prevent the integration plugin from working properly and disrupt your CI/CD.
For more details, see System preferences.
New parameters in JWT validation
We have added new versions of the JWT validation protections. These versions add new optional parameters for more granular configuration of the accepted tokens and JWKs.
You can also continue using the existing versions of the JWT validation protections. You only need to reconfigure API Firewall to use the new protection versions if you want to take advantage of the new parameters.
For more details, see JWT validation.
Smaller improvements
There have also been some smaller improvements:
- You can now add a description of what each of your tag categories is for, to give context on its usage. See Create new tags and categories.
- The UI no longer shows the delete action for default customization rules.
- We have clarified how regular expressions can cause conflicts when API Conformance Scan generates values it uses in the scan. See Conflicts from regular expressions.
Compatibility
This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.
API Firewall images
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v1.0.16
- Fixed parsing multipart/form-data.
- Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
- Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
42crunch/apifirewall:v1.0.13
- Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
- Upgrade to openssl 1.1.1m.
- Various small improvements.
42crunch/apifirewall:v1.0.12
- Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
- Improved matching to allow filtering API calls by IP or network addresses.
- Fixed setting the request path when $TARGET_URL contains a basepath.
- Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
42crunch/apifirewall:v1.0.11
- Support for GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
- Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
42crunch/apifirewall:v1.0.10
- Fixed cookie attribute parsing in responses.
- Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
- Updated platform CA chain.
42crunch/apifirewall:v1.0.9-1
- Fixed handling UTF-8 patterns in JSON schemas.
- Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
- Updated platform CA chain.
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Conformance Scan images
This release is compatible with the following Conformance Scan images for running it on-premises:
42crunch/scand-agent:v1.17.0
- Internal cleanup and refactoring.
42crunch/scand-agent:v1.16.1
- Internal cleanup and refactoring.
42crunch/scand-agent:v1.16.0
- Fully revamped scan report.
42crunch/scand-agent:v1.15.0
- Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
42crunch/scand-agent:v1.14.1
- Improvements to scan report.
- New environment variable REPORT_FULL for scan report.
- Skipping operations (methods) with customization rules.
- Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
- String generator in Conformance Scan now properly handles \b and other ASCII character classes.
- Upgraded Golang crypto/ssh component (CVE-2020-29652).
Known issues
This release has the following known issues.
Filter for "Operations not tested" not yet working
The filter for showing the operations that Conformance Scan could not test is not yet working. However, you can still view the details for failed happy path requests through the path filter on the left.
This will be fixed in a future release.
YAML conversion shown regardless of the format of API definition
Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.
This will be fixed in a future release.
Transferring users' assets also shown when deleting user accounts with no assets
When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.
This will be fixed in a future release.
Promoting organization administrators resets sharing permissions
Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.
This will be fixed in a future release.
Automatic sharing with everyone not possible for new SSO users
Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.
This will be fixed in a future release.
Conformance Scan string limits may conflict with minLength or maxLength values
By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength, or the length limits in a regular expression that you have defined for an API operation in your API definition, conflict with this limit, it causes issues during the scan.
If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.
In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
Regular expression lookaheads may cause issues
If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.
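The two known issues above (string-length conflicts and regex lookaheads) can be caught before a scan is run by linting the API definition. The following is an added example, not 42Crunch code and not part of these release notes. It assumes an OpenAPI 3 document already loaded as a Python dict, uses the 4096-character limit stated above, and treats bounded regex quantifiers as a rough heuristic for the length bounds a pattern implies. The input document is constructed for the example.

```python
"""Pre-flight lint for Conformance Scan string limits and regex lookaheads.

Added example, not 42Crunch code. Walks every "type: string" schema in an
OpenAPI 3 document and reports, per the known issues in the release notes:
  - minimum length above the scan limit  -> happy path (baseline) request cannot be built
  - maximum length above the scan limit  -> happy path works, scan requests cannot be built
  - a lookahead in "pattern"             -> may behave unexpectedly in the scan
"""
import re

SCAN_STRING_LIMIT = 4096  # limit stated in the release notes

# Heuristic: bounded quantifiers {m}, {m,} or {m,n}. A quantifier may apply to a
# sub-group rather than the whole string, so these bounds are approximate.
QUANTIFIER_RE = re.compile(r"\{(\d+)(,?)(\d*)\}")
LOOKAHEAD_RE = re.compile(r"\(\?[=!]")  # positive (?=...) or negative (?!...) lookahead


def quantifier_bounds(pattern):
    """Return (largest lower bound, largest explicit upper bound or None) in a pattern."""
    lo, hi = 0, None
    for m, comma, n in QUANTIFIER_RE.findall(pattern):
        lo = max(lo, int(m))
        if comma == "":
            upper = int(m)          # {m}: exactly m repetitions
        elif n == "":
            continue                # {m,}: no explicit upper bound to compare
        else:
            upper = int(n)          # {m,n}
        hi = upper if hi is None else max(hi, upper)
    return lo, hi


def _escape(token):
    """JSON Pointer escaping (RFC 6901) for path segments."""
    return str(token).replace("~", "~0").replace("/", "~1")


def walk_schemas(node, path="#"):
    """Yield (json_pointer, schema) for every dict with type: string in the document."""
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield path, node
        for key, value in node.items():
            yield from walk_schemas(value, f"{path}/{_escape(key)}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_schemas(value, f"{path}/{i}")


def check_string_schema(path, schema, limit=SCAN_STRING_LIMIT):
    """Return a list of findings for one string schema (empty if it is scan-friendly)."""
    findings = []
    min_len = schema.get("minLength", 0)
    max_len = schema.get("maxLength")
    pattern = schema.get("pattern")
    if pattern:
        if LOOKAHEAD_RE.search(pattern):
            findings.append({"path": path, "kind": "lookahead",
                             "detail": "pattern uses a lookahead, which may behave unexpectedly in Conformance Scan"})
        lo, hi = quantifier_bounds(pattern)
        min_len = max(min_len, lo)                       # both constraints must hold
        if hi is not None:
            max_len = hi if max_len is None else min(max_len, hi)
    if min_len > limit:
        findings.append({"path": path, "kind": "happy-path-blocked",
                         "detail": f"minimum length {min_len} exceeds the scan limit of {limit}; "
                                   "the happy path (baseline) request cannot be built"})
    elif max_len is not None and max_len > limit:
        findings.append({"path": path, "kind": "scan-request-blocked",
                         "detail": f"maximum length {max_len} exceeds the scan limit of {limit}; "
                                   "the happy path works but the scan requests cannot be built"})
    return findings


def lint_openapi(doc, limit=SCAN_STRING_LIMIT):
    """Lint a whole OpenAPI document; returns all findings in document order."""
    findings = []
    for path, schema in walk_schemas(doc):
        findings.extend(check_string_schema(path, schema, limit))
    return findings


# Constructed sample document: one operation with a mix of safe and conflicting strings.
SAMPLE_OPENAPI = {
    "openapi": "3.0.0",
    "paths": {"/documents": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {
            "title": {"type": "string", "maxLength": 120},                          # fine
            "body": {"type": "string", "maxLength": 65536},                         # max too long
            "signature": {"type": "string", "minLength": 8192},                     # min too long
            "blob": {"type": "string", "pattern": "^[A-Za-z0-9+/]{6000,}$"},        # regex min too long
            "email": {"type": "string", "pattern": "^(?=.{1,254}$)[^@]+@[^@]+$"},   # lookahead
        },
    }}}}}}},
}

if __name__ == "__main__":
    for f in lint_openapi(SAMPLE_OPENAPI):
        print(f"{f['kind']:22} {f['path']}\n    {f['detail']}")
```

Run it against your own definition after loading it with a YAML or JSON parser; every "happy-path-blocked" or "scan-request-blocked" finding corresponds to an operation that the scan report would otherwise list as skipped, and each "lookahead" finding marks a pattern worth rewriting without lookaheads before scanning.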