42Crunch Platform release, June 24, 2022

This 42Crunch API Security Platform release adds security quality gates (SQGs) to API Conformance Scan and brings further improvements to the scan report and other features.

New features

This release adds the following new features and improvements to existing ones.

Security quality gates for Conformance Scan

Organization administrators can now define SQGs for Conformance Scan that APIs in their organization must pass when scanned.

  • Set the baseline for the acceptance criteria on how well the API implementation must conform to the contract set out in the API definition.
  • Get assurance that APIs comply with your security standards, and clear indicators when they do not.
  • Have a clear starting point for what to fix in your API implementation first.

In addition to the existing default SQG for Security Audit out of the box, each organization now also gets a default SQG for Conformance Scan.

We have also made other improvements to SQGs:

  • The default SQGs are now visible to users in the free community organization, so they too can now benefit from the quality control that SQGs provide. These SQGs are maintained by 42Crunch.
  • Changes to SQGs applied to an API are now correctly updated on the API summary tab after you view the audit report, instead of having to rerun the audit.

For more details, see Security quality gates.

Improvements in scan report

We have added some more UX improvements to the scan report:

  • The filter bar above the result list now includes percentages, so that you can see at a glance which problem areas are the most common in your APIs. The percentages also help when defining the criteria for scan SQGs.
  • You can now view the latest scan report from the API summary tab regardless of whether the scan was run on 42Crunch Platform or on premises. Previously, the API summary tab only opened the scan report from the latest scan run in 42Crunch Platform.
  • The API summary tab now shows where (in the platform or on premises) the latest scan was run.

For more details, see Scan report.

Improvements in API Security Audit

We have fixed the following bugs in Security Audit:

  • Empty paths (allowed in the OpenAPI Specification (OAS)) caused the scoring algorithm to assign them an incorrect weight when calculating the audit score, so the score did not realistically represent the actual quality of the API definition. This has now been fixed. Depending on your API definition, your audit score may change as a result.
  • Empty paths also produced empty filters in the audit report on the UI. This has also been fixed.
  • Poor performance of the parsing library caused significant lag when importing or auditing large APIs, as well as when viewing the details of found issues. The parsing library for JSON and YAML has now been improved.

Improvements to executive dashboard

We have clarified how the executive dashboard handles APIs that have not been audited or scanned since a breaking change was made to how found issues are reported.

Previously, APIs whose last audit predated the introduction of new report metadata were incorrectly labeled as APIs without a valid OpenAPI definition, even when the API definition itself was perfectly valid.

The dashboard now clearly distinguishes between the two cases: the audit is outdated, or the file cannot be audited at all because, for example, problems in the JSON or YAML structure prevent Security Audit from opening and parsing it.

For more details, see Executive dashboard.

Opening exported audit reports with IDE extensions

You can now open audit reports exported from 42Crunch Platform in Visual Studio Code or JetBrains IntelliJ IDEA with the IDE integration extension OpenAPI (Swagger) Editor. Open the audited API definition in your IDE and load the report from the exported file.

For more details, see IDE integration.

Changed behavior

  • Organization administrators can no longer restrict the visibility of SQG details from regular users in their organization. Seeing the details of the failed criteria helps users address the quality issues in their API definitions.
  • Data dictionaries have been removed from the free community platform for the time being.
  • The checks on empty paths (paths-pathitem-empty and v3-paths-pathitem-empty) no longer affect the audit score, because the OAS allows paths to be empty. This means that the algorithm in Security Audit now correctly weighs found issues even if the API definition includes empty paths and the audit score reflects the actual quality of the OpenAPI definition. Depending on your API, this can affect the audit score. The issue IDs and checks have been retained, though, so you can still, for example, use them as rejection criteria in your SQGs.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas.
  • 42crunch/apifirewall:v1.0.17
    • Upgrade to httpd 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data.
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790).
    • Upgrade to openssl 1.1.1m.
    • Various small improvements.
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
    • Improved matching to allow filtering API calls by IP or network addresses.
    • Fixed setting the request path when $TARGET_URL contains a basepath.
    • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to OpenSSL 1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.

All previous image versions have been deprecated and are not compatible with this version of the platform.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running scans on premises:

  • 42crunch/scand-agent:v1.20.2
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.20.1
    • Percentages in the filter bar of the scan report.
  • 42crunch/scand-agent:v1.19.3
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.19.2
    • Fixed a bug in scan rule handling.
    • parameter-header-contenttype-wrong-scan now also expects HTTP status code 415.
    • API tokens for on-premises scan for community users.
    • Improvements to scan report and issue details.
    • Fixed honoring the flow rate defined in the scan configuration.
  • 42crunch/scand-agent:v1.18.0
    • Default generator for auto-generating values.
    • Improvements to scan report.
  • 42crunch/scand-agent:v1.17.0
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.1
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.16.0
    • Fully revamped scan report.
  • 42crunch/scand-agent:v1.15.0
    • Fixed URL-encoded Content-Type in the request body when reserved characters are allowed.
  • 42crunch/scand-agent:v1.14.1
    • Improvements to scan report.
    • New environment variable REPORT_FULL for scan report.
    • Skipping operations (methods) with customization rules.
    • Generating scan configuration now properly handles JSON numbers for schemas of the type integer or number.
    • String generator in Conformance Scan now properly handles \b and other ASCII character classes.
    • Upgraded Golang crypto/ssh component (CVE-2020-29652).

All previous image versions have been deprecated and are not compatible with this version of the platform.

Known issues

This release has the following known issues.

Occasional issues with displaying some API, API collection, and collection dashboard details

There are some occasional issues with how APIs, API collections, and dashboards are displayed:

  • If you have more than one API collection and open an API, occasionally the API you previously viewed is shown instead.
  • If you open an API from search results, the details on the API summary tab can attribute the API to an API collection you viewed previously.
  • If you have very many APIs in one API collection and open the collection dashboard, the names of the APIs are not shown on the charts.
  • APIs that have not yet been scanned are shown in the API Conformance Scan chart of the API collection, which may give the wrong impression that the scan found no issues in them.

These issues only affect how the data is shown in the UI; the underlying data in the backend is still correct. The issues do not occur consistently, and we are currently investigating them further. They will be fixed in a future release.

SQG status not updating on the API summary page

When there are changes to the SQGs applied to an API, for example, you tag the API to apply a new SQG, the SQG status on the audit report is correctly updated, but the API summary tab still shows the previous SQG status. When you rerun the audit, the status on the API summary tab is correctly updated.

In some circumstances the audit score badge shown on the API summary tab is not correctly updated to match the status of the audit SQGs passing or failing. This issue does not happen consistently, and we are currently investigating it.

These will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team. Note that auditors themselves never get read/write access to any APIs or API collections shared with their team.

Auditors cannot use Find API to search APIs that have not been shared with them (either personally, with teams they are in, or everyone in the organization). Auditors also cannot view the executive dashboards.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it. In addition, in some cases the input validation on the UI can behave unexpectedly.

These will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Limited sharing not possible when importing APIs

Users who only have the permission to share API collections with named users and teams cannot share API collections they create when importing APIs. They can, however, share them as per usual after completing the import.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow these users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the length of the strings in the requests it sends during a scan to 4096 characters. If the minLength or maxLength properties, or the length bounds in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, the scan runs into problems with that operation.

If the minimum length required by the API is greater than the string length limit in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed by the API is greater than the string length limit in Conformance Scan, the scan can create the happy path request but not the actual scan requests for the operation.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with positive or negative lookaheads, these may cause unexpected behavior, for example in Conformance Scan.
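As an added example (not 42Crunch code, and not part of the platform), the following Python script runs three preflight checks over an OpenAPI definition that correspond to points in these notes: path items with no operations (the paths-pathitem-empty and v3-paths-pathitem-empty checks listed under Changed behavior), string schemas whose minLength, maxLength or regular-expression quantifier bounds exceed the default Conformance Scan string limit of 4096, and patterns containing lookaheads (the two known issues above). Only the 4096 limit is taken from the notes; how the script walks the definition, its JSON-pointer output, the "no operations means empty" interpretation and the constructed sample definition are assumptions of the example.

```python
"""Preflight checks for an OpenAPI definition before Security Audit or Conformance Scan.
Added example, not 42Crunch code. The 4096-character string limit comes from the
release notes; the walker, output format and sample definition are assumptions."""
import json
import re
from typing import Any, Iterator

SCAN_STRING_LIMIT = 4096  # default max string length Conformance Scan sends (from the release notes)
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
LOOKAHEAD_RE = re.compile(r"\(\?[=!]")               # (?=...) positive / (?!...) negative lookahead
QUANTIFIER_RE = re.compile(r"\{(\d+)(?:,(\d*))?\}")  # {n}, {n,} and {n,m} (heuristic: ignores escaping)


def _pointer(path: str, key: Any) -> str:
    """Append a key to a JSON pointer, escaping '~' and '/' as RFC 6901 requires."""
    return f"{path}/{str(key).replace('~', '~0').replace('/', '~1')}"


def _walk(node: Any, path: str) -> Iterator[tuple[str, dict]]:
    """Yield (JSON pointer, mapping) for every mapping under node. Deliberately
    over-approximates 'schema': every mapping is visited, so property, item,
    allOf/oneOf and parameter schemas are reached without special-casing keywords."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, _pointer(path, key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, _pointer(path, index))


def find_empty_path_items(spec: dict) -> list[str]:
    """Path items that define no operation. The OAS allows them and the audit no longer
    scores them, but they are dead weight in the contract. (Assumption: 'no operations'
    is this example's definition of empty, not necessarily the audit's exact rule.)"""
    paths = spec.get("paths") or {}
    return [p for p, item in paths.items()
            if not isinstance(item, dict) or not (set(item) & HTTP_METHODS)]


def find_string_length_conflicts(spec: dict, limit: int = SCAN_STRING_LIMIT) -> list[dict]:
    """String schemas whose minLength, maxLength or a regex quantifier bound exceeds the
    scan's string limit. A minimum above the limit means no happy-path request can be
    built; a maximum above it means the happy path works but the scan's own requests
    for that operation are skipped."""
    findings = []
    for where, schema in _walk(spec, "#"):
        if schema.get("type") != "string":
            continue
        bounds = {k: schema[k] for k in ("minLength", "maxLength") if isinstance(schema.get(k), int)}
        pattern = schema.get("pattern")
        if isinstance(pattern, str):
            # Quantifier bounds inside the pattern act like min/max lengths for that fragment.
            for m in QUANTIFIER_RE.finditer(pattern):
                if int(m.group(1)) > limit:
                    bounds["pattern-min"] = int(m.group(1))
                if m.group(2) and int(m.group(2)) > limit:
                    bounds["pattern-max"] = int(m.group(2))
        for key, value in bounds.items():
            if value > limit:
                reason = ("no happy-path request possible" if key in ("minLength", "pattern-min")
                          else "happy path possible, scan requests skipped")
                findings.append({"where": where, "bound": key, "value": value, "reason": reason})
    return findings


def find_lookahead_patterns(spec: dict) -> list[dict]:
    """Patterns using lookaheads, which the notes flag as a source of unexpected scan behavior."""
    return [{"where": where, "pattern": schema["pattern"]}
            for where, schema in _walk(spec, "#")
            if isinstance(schema.get("pattern"), str) and LOOKAHEAD_RE.search(schema["pattern"])]


def preflight(spec: dict) -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "empty_path_items": find_empty_path_items(spec),
        "string_length_conflicts": find_string_length_conflicts(spec),
        "lookahead_patterns": find_lookahead_patterns(spec),
    }


# Constructed sample definition that trips all three checks (not a real API).
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.3", "info": {"title": "Constructed sample", "version": "1.0.0"},
 "paths": {
   "/empty": {},
   "/users": {"post": {
      "requestBody": {"content": {"application/json": {"schema": {"type": "object", "properties": {
         "bio": {"type": "string", "maxLength": 8192},
         "password": {"type": "string", "pattern": "^(?=.*[0-9])(?=.*[A-Z]).{12,}$"}}}}}},
      "responses": {"200": {"description": "ok"}}}},
   "/blob": {"put": {
      "parameters": [{"name": "token", "in": "header", "schema": {"type": "string", "minLength": 5000}}],
      "responses": {"204": {"description": "ok"}}}}}}
""")

if __name__ == "__main__":
    # For a YAML definition, load it with a YAML parser into a dict and pass that instead.
    print(json.dumps(preflight(SAMPLE_SPEC), indent=2))
```

The walker visits every mapping rather than only recognized schema locations, so it may occasionally inspect an example object that happens to carry a "type": "string" key; for a preflight linter a false positive is cheaper than a skipped operation discovered only in the scan report.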