42Crunch Platform release, April 4, 2022

This 42Crunch API Security Platform release adds data dictionaries and improves on the checks related to schema definitions in API Security Audit and value generation in API Conformance Scan.

New features

The following are the new features and improvements to the existing ones in this release.

Data dictionaries

Organization administrators can now compile dictionaries of data formats, such as regular expressions, used in their organization:

  • Create a single source of truth for data formats, such as strings, integers, or enums, in your APIs.
  • Unify your formats to narrow down the attack surface — define once, reuse many times.
  • Publish your data dictionaries to all users in your organization, so that your developers can view the formats and align their APIs.

The screenshot shows the details for the format entry 'date' from the standard data dictionary maintained by 42Crunch.

We will continue to improve on this feature in future releases. For more details, see Data dictionaries.

More granularity to schema checks in Security Audit

We have split the schema checks in two according to the direction of the API traffic: the old issue IDs beginning with schema- or v3-schema- have been replaced with new issue IDs beginning with schema-request-/v3-schema-request- and schema-response-/v3-schema-response-. This better reflects the different nature and risk of data definition issues in schemas depending on whether the schema is used for input or for output.

Neither the checks themselves nor how Security Audit performs them has changed. However, because numeric values in API responses do not pose a security risk, Security Audit no longer raises an issue if a numeric schema in an API response does not define format, minimum, or maximum. This can affect the audit score of your APIs.

The old issue IDs beginning with schema- or v3-schema- are deprecated and no longer raised. If you have included any of these IDs in your security quality gates (SQGs) or audit rules, make sure to update your SQGs and audit rules to use the new issue IDs.

Improvements to value generation in Conformance Scan

Conformance Scan now uses a default generator to generate valid values for standard formats defined in the OpenAPI Specification (OAS), such as date and time, email addresses, IP addresses, and host names. This ensures that happy path requests succeed and improves the test data. If you have provided sample values or examples, Conformance Scan continues to use those instead of generating the values. For more details, see Generating values for parameters.

In addition, there have been a couple of smaller improvements to the new scan report:

  • The issue details now always show the HTTP status code the scanned API returned, even for fully successful tests, for easy verification.
  • Some wordings in issues have been clarified.
  • If you have run Conformance Scan on-premises and set REPORT_FULL=false to restrict the scope of the scan report, the filter bar in the scan report now reminds you that this is why results from fully successful tests are not included.

Smaller improvements

There have also been some smaller improvements:

  • Find API now provides more search criteria you can use to find your APIs and API collections.
  • The code examples in documentation for applying additional protections to your APIs have been checked and corrected.
  • The UI no longer incorrectly shows an error when updating your name in your profile.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.17
    • Upgrade to httpd 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data.
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
    • Upgrade to openssl 1.1.1m.
    • Various small improvements.
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
    • Improved matching to allow filtering API calls by IP or network addresses.
    • Fixed setting the request path when $TARGET_URL contains a basepath.
    • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.18.0
    • Default generator for auto-generating values.
    • Improvements to scan report.
  • 42crunch/scand-agent:v1.17.0
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.1
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.0
    • Fully revamped scan report.
  • 42crunch/scand-agent:v1.15.0
    • Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
  • 42crunch/scand-agent:v1.14.1
    • Improvements to scan report.
    • New environment variable REPORT_FULL for scan report.
    • Skipping operations (methods) with customization rules.
    • Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
    • String generator in Conformance Scan now properly handles \b and other ASCII character classes.
    • Upgraded Golang crypto/ssh component (CVE-2020-29652).

Known issues

This release has the following known issues.

Data dictionary duplication and format support

Duplicating a data dictionary does not yet duplicate the values in it. In addition, data dictionaries do not yet support the following:

  • Formats of the type number (only integers supported now)
  • Integer enums (only string enums supported now)
  • Setting default values

These will be fixed in a future release.

Filter for "Operations not tested" not yet working

The filter for showing the operations that Conformance Scan could not test is not yet working. However, you can still view the details for failed happy path requests through the path filter on the left.

An example screenshot showing scanned and skipped operations on the filter sidebar.

This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Transferring users' assets also shown when deleting user accounts with no assets

When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.

This will be fixed in a future release.

Promoting organization administrators resets sharing permissions

Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of strings in the requests it sends during the scan to 4096. If the minLength or maxLength properties, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the string length limit allowed in Conformance Scan, the scan can create the happy path request but not the actual requests sent during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.
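As an added example (not 42Crunch's own audit or scan code), the following small Python linter applies three of the rules described in these notes to an OpenAPI 3 definition: numeric schemas are checked for format, minimum, and maximum on the request side only, string length properties are compared against the 4096 Conformance Scan limit, and patterns containing lookaheads are flagged. It assumes inline schemas (no $ref), the sample definition is constructed, and the issue wording is the example's own, not the platform's.

```python
# Added example (not 42Crunch's code): linter over an OpenAPI 3 dict, inline schemas only (no $ref).
import re
SCAN_STRING_LIMIT = 4096             # Conformance Scan default max string length
LOOKAHEAD = re.compile(r"\(\?[=!]")  # positive (?=...) or negative (?!...) lookahead
METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

def walk(schema, loc):
    """Yield (location, schema) for a schema, its properties and array items."""
    if isinstance(schema, dict):
        yield loc, schema
        for name, sub in schema.get("properties", {}).items():
            yield from walk(sub, f"{loc}.{name}")
        yield from walk(schema.get("items"), f"{loc}[]")

def bodies(op):
    """Yield (direction, location, schema) for request and response bodies of one operation."""
    for media, body in op.get("requestBody", {}).get("content", {}).items():
        yield from (("request", lc, s) for lc, s in walk(body.get("schema"), f"requestBody.{media}"))
    for code, resp in op.get("responses", {}).items():
        for media, body in resp.get("content", {}).items():
            yield from (("response", lc, s) for lc, s in walk(body.get("schema"), f"responses.{code}.{media}"))

def audit(spec):
    """Return constructed issue messages (wording is this example's own, not the platform's)."""
    issues = []
    for path, item in spec.get("paths", {}).items():
        for method, op in ((m, o) for m, o in item.items() if m in METHODS):
            for direction, loc, s in bodies(op):
                where, t = f"{method.upper()} {path} {loc}", s.get("type")
                if t in ("integer", "number") and direction == "request":
                    # Response-side numeric schemas are no longer audited for these keys.
                    issues += [f"{where}: request numeric schema lacks {k}"
                               for k in ("format", "minimum", "maximum") if k not in s]
                elif t == "string":
                    if s.get("minLength", 0) > SCAN_STRING_LIMIT:
                        issues.append(f"{where}: minLength above scan limit, no happy path request")
                    if s.get("maxLength", 0) > SCAN_STRING_LIMIT:
                        issues.append(f"{where}: maxLength above scan limit, scan requests skipped")
                    if LOOKAHEAD.search(s.get("pattern", "")):
                        issues.append(f"{where}: pattern uses a lookahead")
    return issues

# Constructed sample definition that trips each rule.
SAMPLE = {"paths": {"/items": {"post": {
    "requestBody": {"content": {"application/json": {"schema": {"type": "object", "properties": {
        "qty": {"type": "integer", "minimum": 1},
        "note": {"type": "string", "maxLength": 5000},
        "code": {"type": "string", "pattern": r"^(?=.*\d)[A-Z0-9]{8}$"}}}}}},
    "responses": {"200": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {"total": {"type": "number"}}}}}}}}}}}
```

Running audit(SAMPLE) reports the missing format and maximum on the request-side integer, the maxLength over the scan limit, and the lookahead in the pattern, while the unbounded number in the response is not reported.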