42Crunch Platform release, April 4, 2022
This 42Crunch API Security Platform release adds data dictionaries and improves on the checks related to schema definitions in API Security Audit and value generation in API Conformance Scan.
New features
The following are the new features and improvements to the existing ones in this release.
Data dictionaries
Organization administrators can now compile dictionaries of data formats, such as regular expressions, used in their organization:
- Create a single source of truth for data formats, such as strings, integers, or enums, in your APIs.
- Unify your formats to be consistent to narrow down the attack surface: define once, reuse many times.
- Publish your data dictionaries to all users in your organization, so that your developers can view the formats and align their APIs.
We will continue to improve on this feature in future releases. For more details, see Data dictionaries.
More granularity to schema checks in Security Audit
We have split the schema checks into two according to the direction of the API traffic: the old issue IDs beginning with `schema-` or `v3-schema-` have now been replaced with new issue IDs beginning with `schema-request-`/`v3-schema-request-` and `schema-response-`/`v3-schema-response-`. This better reflects the different nature and risk that data definition issues in schemas can have depending on whether the schemas are used for input or output.
Neither the checks themselves nor how Security Audit performs them has changed. However, because numeric values in API responses do not pose a security risk, Security Audit no longer raises an issue if a numeric schema in an API response does not have `format`, `minimum`, or `maximum` defined. This can affect the audit score of your APIs.
The old issue IDs beginning with `schema-` or `v3-schema-` are deprecated and no longer raised. If you have included any of these IDs in your security quality gates (SQGs) or audit rules, make sure to update your SQGs and audit rules to use the new issue IDs.
Improvements to value generation in Conformance Scan
Conformance Scan now uses a default generator to generate valid values for standard formats defined in the OpenAPI Specification (OAS), such as date and time, email addresses, IP addresses, and host names. This ensures that happy path requests are successful and improves the test data. If you have provided sample values or examples, Conformance Scan continues to use those instead of generating the values. For more details, see Generating values for parameters.
In addition, there have been a couple of smaller improvements to the new scan report:
- The issue details now always show the HTTP status code the scanned API returned, even for fully successful tests, for easy verification.
- Some wordings in issues have been clarified.
- If you have run Conformance Scan on premises and specified `REPORT_FULL=false` to restrict the scan report scope, the filter bar in the scan report now reminds you that this is why the results from fully successful tests are not included.
Smaller improvements
There have also been some smaller improvements:
- Find API now provides more search criteria you can use to find your APIs and API collections.
- The code examples in documentation for applying additional protections to your APIs have been checked and corrected.
- The UI no longer incorrectly shows an error when updating your name in your profile.
Compatibility
This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.
API Firewall images
This release is compatible with the following API Firewall images:
42crunch/apifirewall:v1.0.17
- Upgrade to `httpd` 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
42crunch/apifirewall:v1.0.16
- Fixed parsing `multipart/form-data`.
- Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
- Upgrade to `expat-2.4.4` (CVE-2022-23852, CVE-2022-23990).
42crunch/apifirewall:v1.0.13
- Upgrade to `httpd` 2.4.52 (CVE-2021-44224, CVE-2021-44790).
- Upgrade to `openssl` 1.1.1m.
- Various small improvements.
42crunch/apifirewall:v1.0.12
- Support for `x-42c-access-control-based-on-ip-range_0.1` and `x-42c-set-client-ip_0.1`.
- Improved matching to allow filtering API calls by IP or network addresses.
- Fixed setting the request path when `$TARGET_URL` contains a basepath.
- Upgrade to Apache `httpd` 2.4.51 (CVE-2021-42013).
42crunch/apifirewall:v1.0.11
- Support for `GUARDIAN_BLOCKING_LEVEL` and `GUARDIAN_DEFAULT_API_BLOCKING_LEVEL` environment variables.
- Upgrade to Apache `httpd` 2.4.50 (CVE-2021-41524, CVE-2021-41773).
42crunch/apifirewall:v1.0.10
- Fixed cookie attribute parsing in responses.
- Upgrade to Apache `httpd` 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
- Updated platform CA chain.
42crunch/apifirewall:v1.0.9-1
- Fixed handling `UTF-8` patterns in JSON schemas.
- Upgrade to `openSSL-1.1.1l` (CVE-2021-3711, CVE-2021-3712).
- Updated platform CA chain.
All previous image versions have been deprecated and are not compatible with this version of the platform.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Conformance Scan images
This release is compatible with the following Conformance Scan images for running it on-premises:
42crunch/scand-agent:v1.18.0
- Default generator for auto-generating values.
- Improvements to scan report.
42crunch/scand-agent:v1.17.0
- Internal cleanup and refactoring.
42crunch/scand-agent:v1.16.1
- Internal cleanup and refactoring.
42crunch/scand-agent:v1.16.0
- Fully revamped scan report.
42crunch/scand-agent:v1.15.0
- Fixed URL-encoded `Content-Type` in the request body when reserved characters are allowed.
42crunch/scand-agent:v1.14.1
- Improvements to scan report.
- New environment variable `REPORT_FULL` for scan report.
- Skipping operations (methods) with customization rules.
- Generating scan configuration now properly handles JSON numbers for schemas of the type `integer` or `number`.
- String generator in Conformance Scan now properly handles `\b` and other ASCII character classes.
- Upgraded Golang `crypto/ssh` component (CVE-2020-29652).
Known issues
This release has the following known issues.
Data dictionary duplication and format support
Duplicating a data dictionary does not yet duplicate the values in it. In addition, data dictionaries do not yet support the following:
- Formats of the type `number` (only integers supported now)
- Integer enums (only string enums supported now)
- Setting `default` values
These will be fixed in a future release.
Filter for "Operations not tested" not yet working
The filter for showing the operations that Conformance Scan could not test is not yet working. However, you can still view the details for failed happy path requests through the path filter on the left.
This will be fixed in a future release.
YAML conversion shown regardless of the format of API definition
Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.
This will be fixed in a future release.
Transferring users' assets also shown when deleting user accounts with no assets
When you delete a user account, you must choose a new owner for assets related to that account, even when the account in question has no assets to transfer at all. In effect, this means that you select a new owner, but there is nothing to transfer to them. The user account is successfully deleted.
This will be fixed in a future release.
Promoting organization administrators resets sharing permissions
Currently, if you promote new organization administrators, their permissions to share API collections are automatically reset to sharing only with named teams and users. If you want to allow the new organization administrators to share with everyone in your organization again, you must re-enable it in the user permissions. The permissions of existing organization administrators are not affected.
This will be fixed in a future release.
Automatic sharing with everyone not possible for new SSO users
Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.
This will be fixed in a future release.
Conformance Scan string limits may conflict with minLength or maxLength values
By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties `minLength` or `maxLength`, or the length limits in a regular expression that you have defined for an API operation in your API definition, conflict with this limit, it causes issues during the scan.
If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.
In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.
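Two of the changes above are easy to check for before uploading an API definition: the request/response split of the numeric schema checks (request-side numerics should carry `format`, `minimum` and `maximum`; response-side numerics are no longer flagged) and the 4096-character string limit that can make Conformance Scan skip an operation. The following is an added example, not 42Crunch's own audit or scan code: a small Python pre-check that walks an OpenAPI 3 document and reports both conditions. The finding labels (`request-numeric-missing-bounds`, `string-maxLength-exceeds-scan-limit`) and the sample API are this example's own constructions, not 42Crunch issue IDs, and it assumes only local `#/components/schemas/...` references.

```python
"""Added example (not 42Crunch code): pre-check an OpenAPI 3 document for
(a) numeric schemas in request parameters/bodies lacking format, minimum or
maximum (response numerics are deliberately skipped, matching the request/
response split described in the release notes), and
(b) string schemas whose minLength or maxLength exceeds the 4096-character
default string limit of Conformance Scan."""

SCAN_STRING_LIMIT = 4096            # default string length limit stated in the release notes
NUMERIC_TYPES = {"integer", "number"}
NUMERIC_KEYS = ("format", "minimum", "maximum")


def resolve(schema, doc):
    """Follow a local '#/...' $ref (assumption: only local refs are used)."""
    ref = schema.get("$ref") if isinstance(schema, dict) else None
    if not ref or not ref.startswith("#/"):
        return schema
    node = doc
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def walk_schema(schema, doc, location, direction, findings, seen=None):
    """Recurse through a JSON Schema fragment and append findings to `findings`."""
    seen = seen if seen is not None else set()
    if not isinstance(schema, dict):
        return
    if "$ref" in schema:
        if schema["$ref"] in seen:          # guard against recursive schemas
            return
        seen = seen | {schema["$ref"]}
        schema = resolve(schema, doc)
    stype = schema.get("type")
    # (a) unbounded numerics matter on the request side only
    if stype in NUMERIC_TYPES and direction == "request":
        missing = [k for k in NUMERIC_KEYS if k not in schema]
        if missing:
            findings.append({"issue": "request-numeric-missing-bounds",
                             "location": location, "missing": missing})
    # (b) string bounds that conflict with the scan's default limit
    if stype == "string":
        for key in ("minLength", "maxLength"):
            if schema.get(key, 0) > SCAN_STRING_LIMIT:
                findings.append({"issue": f"string-{key}-exceeds-scan-limit",
                                 "location": location, "value": schema[key]})
    for name, sub in (schema.get("properties") or {}).items():
        walk_schema(sub, doc, f"{location}.{name}", direction, findings, seen)
    if "items" in schema:
        walk_schema(schema["items"], doc, f"{location}[]", direction, findings, seen)
    for comb in ("allOf", "anyOf", "oneOf"):
        for i, sub in enumerate(schema.get(comb) or []):
            walk_schema(sub, doc, f"{location}.{comb}[{i}]", direction, findings, seen)


def lint_openapi(doc):
    """Return a list of findings for every operation in the document."""
    findings = []
    for path, methods in doc.get("paths", {}).items():
        for method, op in methods.items():
            if not isinstance(op, dict) or method.startswith("x-"):
                continue
            where = f"{method.upper()} {path}"
            for p in op.get("parameters", []):
                walk_schema(p.get("schema", {}), doc, f"{where} param:{p.get('name')}", "request", findings)
            for ctype, media in (op.get("requestBody") or {}).get("content", {}).items():
                walk_schema(media.get("schema", {}), doc, f"{where} body:{ctype}", "request", findings)
            for status, resp in op.get("responses", {}).items():
                for ctype, media in (resp.get("content") or {}).items():
                    walk_schema(media.get("schema", {}), doc, f"{where} response:{status}:{ctype}", "response", findings)
    return findings


# Constructed sample definition (not a real API) exercising both checks.
SAMPLE_API = {
    "openapi": "3.0.3",
    "components": {"schemas": {
        "Order": {"type": "object", "properties": {
            "quantity": {"type": "integer", "format": "int32", "minimum": 1, "maximum": 100},
            "note": {"type": "string", "maxLength": 8192},       # exceeds the scan limit
        }},
        "OrderResult": {"type": "object", "properties": {
            "total": {"type": "number"},                          # response numeric: not flagged
        }},
    }},
    "paths": {"/orders": {"post": {
        "parameters": [{"name": "page", "in": "query", "schema": {"type": "integer"}}],  # unbounded
        "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}},
        "responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/OrderResult"}}}}},
    }}},
}

if __name__ == "__main__":
    for f in lint_openapi(SAMPLE_API):
        print(f)
```

Run against the sample, the check reports the unbounded `page` query parameter and the 8192-character `note` string, and stays silent on the response-side `total` number. Replace `SAMPLE_API` with a parsed JSON or YAML definition to use it on your own APIs; the script is a heuristic mirror of the rules described on this page, not a substitute for Security Audit.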
Regular expression lookaheads may cause issues
If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.