42Crunch Platform release, May 17, 2022

This 42Crunch API Security Platform release introduces the auditor role, exporting API collection details, admin-only tags, and several improvements to API Security Audit, API Conformance Scan, and other platform features.

New features

The following are the new features and improvements to the existing ones in this release.

Auditor role

In addition to regular users and organization administrators, there is now a third user role available in 42Crunch Platform: the auditor role. Auditor is a special role that provides read-only access to everything that an organization administrator would see in their organization. However, aside from their own user profile, auditors cannot have read/write access to any data: they can view everything, but not modify it.

The auditor role is directed to users external to the organization but who have a clear business need to verify the organization's data, such as an official, accredited auditor monitoring the organization's compliance.

For more details, see User roles.

API collection details export

Organization administrators and auditors can now export a list of API collections and collection details in their organizations, either in JSON or CSV format.

• Get an overall view of API collections in your organization, who owns them, and if they have been shared to other users: the exported details include, for example, UUIDs for both API collections and their owners, the sharing status of the collections.
• Check that your company policies, national or international standards, or legislation are being adhered to.
• Get a list of the email addressed of collection owners so that you can easily communicate, for example, actions required from them.

For more details, see Sharing APIs and access level.

Admin-only tags

Organization administrators can now restrict some tag categories so that regular users cannot apply or remove the tags from APIs, only organization administrators can. This can be useful for tags that enforce things organization wide, such as audit rules for mandatory categories.

For more details, see Category settings.

New checks in Security Audit

There have been a few updates to the checks in Security Audit:

• We have added two new checks, warning-sample-undefined and v3-warning-sample-undefined, to the Best practices category. These checks help to achieve best performance with Conformance Scan: by ensuring that sample values for schemas and parameters are provided in the API definition, you also ensure that the happy path requests setting the baseline do not fail simply because the scan could not generate a valid value for a complex object. These checks do not affect your audit score, but you can enforce them as criteria for security quality gates (SQGs). For more details, see:
  • OASv2: No sample values or examples provided for API Conformance Scan
  • OASv3: No sample values or examples provided for API Conformance Scan
• Security Audit no longer raises an issue on missing maximum length on strings if the length limits have been defined in the regular expression in pattern. However, to ensure that pattern can indeed restrict the length of accepted strings, Security Audit now strictly requires regular expressions to be wrapped with ^ and $. Depending on your APIs, these changes may affect your audit score and SQGs.
• Security Audit now correctly raises an issue on format if properties of the type number are defined as strings. Depending on your APIs, this may affect your audit score and SQGs.

Improvements to Conformance Scan

Users in the free Community organization can now create API tokens to run Conformance Scan on premises, making it possible also for them to write scripts and automate scanning APIs.

We have also continued to work on improving the scan report and issue details:

• The filter "Operations not tested" is now working, and you can quickly find all cases where Conformance Scan could not complete testing.
• The title of the issue details now reflects the test result (did the received HTTP status code or response body conformity pass or fail) so you can quickly focus on what needs fixing.
• The issue details now show what response codes Conformance Scan expected for a particular test. See Expected and unexpected HTTP status codes.
• Test results where only problems in conformity were found now get the default severity of Medium instead of None to better reflect that they could still pose a security risk.
• The test parameter-header-contenttype-wrong-scan now also includes the HTTP status code 415 on the list of expected HTTP response codes, not just 400.

In addition, we have fixed two bugs:

• When run on-premises, Conformance Scan ignored the flow rate defined in the scan configuration. Now, scan correctly uses the defined flow rate.
• Applying a scan customization rule (for example, the default scan rule) that defined custom headers and another scan rule that did not to the same API caused a conflict and the scan failed. This has now been fixed.

For more details, see API Conformance Scan.

Fixes to security quality gates

The sliders for setting the accepted severity level in SQGs have been updated based on user feedback.

In addition, we have fixed the handling of API tokens when CI/CD integration plugins fetch the approval report from 42Crunch Platform.

Other improvements

There have also been other smaller improvements throughout the platform:

• The landing page of the platform has been updated for improved readability and to quickly get useful add-ons, such as IDE extensions and CI/CD plugins. There is also an RSS feed that organization administrators can manage. See System preferences.
• Organization administrators can now add format entries of the type number as well as define example and default values in their data dictionaries. We have also improved how entries for enums are added. For more details, see Data dictionaries.
• If you have defined naming conventions for APIs or API collection in your organization, you can now provide more details on them on an external web page rather than directly in 42Crunch Platform. See System preferences.
• Users in organizations that have integrated 42Crunch Platform into their single sign-on (SSO) can now initiate password change in the platform and in some cases use the 3rd party login (aka social login) options. See Single sign-on integration for businesses.
• When deleting a user from an organization, transferring user assets is no longer automatically shown for users that do not have any assets.
• A bug in creating protection configuration has been fixed.

Docker image for CI/CD integration

The CI/CD integration plugin REST API Static Security Testing is now also available as a generic Docker image so that you can run Security Audit in a Docker container on systems that do not have a dedicated plugin.

For more details, see Integrate Security Audit with CI/CD using a Docker image.

Deprecated features

The following have been deprecated and will be removed in the future:

• The current version of the CLI (beta) is not compatible with the latest platform versions and is deprecated. We are working on the new version of the CLI.
• The current versions of CI/CD plugins will be deprecated, because the API endpoints they call to use SQGs will be replaced by new endpoints. The current CI/CD plugin versions will stop functioning on August 1st, 2022.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

• 42crunch/apifirewall:v1.0.18
  • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
  • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas.
• 42crunch/apifirewall:v1.0.17
  • Upgrade to httpd 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
• 42crunch/apifirewall:v1.0.16
  • Fixed parsing multipart/form-data.
  • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
  • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
• 42crunch/apifirewall:v1.0.13
  • Upgrade to httpd 2.4.52 (CVE-2021-44224, CVE-2021-44790).
  • Upgrade to openssl 1.1.1m.
  • Various small improvements.
• 42crunch/apifirewall:v1.0.12
  • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
  • Improved matching to allow filtering API calls by IP or network addresses.
  • Fixed setting the request path when $TARGET_URL contains a basepath.
  • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
• 42crunch/apifirewall:v1.0.11
  • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
  • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
• 42crunch/apifirewall:v1.0.10
  • Fixed cookie attribute parsing in responses.
  • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
  • Updated platform CA chain.
• 42crunch/apifirewall:v1.0.9-1
  • Fixed handling UTF-8 patterns in JSON schemas.
  • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
  • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

• 42crunch/scand-agent:v1.19.3
  • Internal cleanup and refactoring.
• 42crunch/scand-agent:v1.19.2
  • Fixed a bug in scan rule handing.
  • parameter-header-contenttype-wrong-scan now also expects HTTP status code 415.
  • API tokens for on-premises scan for community users.
  • Improvements to scan report and issue details.
  • Fixed honoring the flow rate defines in the scan configuration.
• 42crunch/scand-agent:v1.18.0
  • Default generator for auto-generating values.
  • Improvements to scan report.
• 42crunch/scand-agent:v1.17.0
  • Internal cleanup and refactoring.
• 42crunch/scand-agent:v1.16.1
  • Internal cleanup and refactoring.
• 42crunch/scand-agent:v1.16.0
  • Fully revamped scan report.
• 42crunch/scand-agent:v1.15.0
  • Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
• 42crunch/scand-agent:v1.14.1
  • Improvements to scan report.
  • New environment variable REPORT_FULL for scan report.
  • Skipping operations (methods) with customization rules.
  • Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
  • String generator in Conformance Scan now properly handles \b and other ASCII character classes.
  • Upgraded Golang crypto/ssh component (CVE-2020-29652).

All previous image versions have been deprecated and are not compatible with this version of the platform.

Known issues

This release has the following known issues.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team. Note that auditors themselves never get read/write access to any APIs or API collections shared with their team.

Auditors cannot use Find API to search APIs that have not been shared with them (either personally, with teams they are in, or everyone in the organization). If organization administrators restrict the visibility of SQGs, auditors cannot view them.

These will be fixed in a future release.

SQG status not updating on the API summary page

When there are changes to the SQGs applied to an API, for example, you tag the API to apply a new SQG, the SQG status on the audit report is correctly updated, but the API summary tab still shows the previous SQG status. When you rerun the audit, the status on the API summary tab is correctly updated.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it. This will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Limited sharing not possible when importing APIs

Users who only have the permission to share API collections with named users and teams cannot share API collections they create when importing APIs. They can, however, share them as per usual after completing the import.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sing-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow the users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length for strings in the requests it sends during the scan to 4096. If the properties minLength or maxLength or the length limits in a regular expression that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause weird behavior, for example, in Conformance Scan.