42Crunch Platform release, October 8, 2024

This 42Crunch API Security Platform release brings UX improvements to API Conformance Scan and the API summary page.

New features

The following are the new features and improvements to the existing ones in this release.

Scan configurations and scan reports shown on the same page

Based on customer feedback, the scan configurations and scan reports have now been all combined on a single page.

  • No more switching between separate lists of scan configurations and scan reports
  • Quickly see which scan configurations you have used and when, or which you have not used and potentially could delete as unnecessary
  • Easily find the latest report for each scan configuration you have run

An example screenshot showing the Pixi API with four different scan configurations: one for Scan v1 in platform, one for Scan v1 on premises, and two configurations for Scan v2, one of which is not valid when compared against the OpenAPI definition of the API. The default scan configuration has been selected as the reference scan configuration.

Scan v1 configurations for running in 42Crunch Platform and on premises are shown together on the UI, because the underlying scan configuration for both is the same.

For more details, see Scan configuration.

Improvements to the API summary page

Based on customer feedback, we have added some tweaks to the updated API summary page:

  • API information has been moved to a more prominent position, so that you can more quickly find the important details of your API. We have retained the help resources at the bottom of the page, so that you can still find the relevant documentation and tutorial videos easily.
  • The API details now also include the UUID of the API collection where the API is located, and you can quickly copy the UUID if you need to pass the information to someone.
  • The tag list has been made more visual:
    • You can now immediately see all tags that your API has.
    • The category colors are back to make it easier to identify different tags.
    • You can copy the category:tag value pair to clipboard simply by clicking a tag.
    • Hovering over a tag shows you more details about the tag and further actions you can take.

Other improvements

We have also fixed the following bugs:

  • A bug in security quality gates (SQGs) that prevented navigating from an issue on the SQG to-do list to the corresponding spot in the API definition.
  • A bug in the API collection list that in certain cases would cause a collection to be listed twice. Now each API collection is only listed once.
  • A bug in Scan v1 in reporting excessive data exposure.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • NEW: 42crunch/apifirewall:v1.1.5
    • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises.

Scan v2

  • NEW: 42crunch/scand-agent:v2.0.12
    • Fixed scan report timestamp

We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.0.11
    • Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
  • 42crunch/scand-agent:v2.0.10
    • New test response-body-badformat-scan
    • Fixed scan configuration creation when items is null
    • Fixed excessive data exposure reporting
  • 42crunch/scand-agent:v2.0.9
    • Scan v2 in v1-compatible mode
    • Support for Accept headers
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
  • 42crunch/scand-agent:v2.0.8
    • New test path-item-method-not-allowed-no-authn-scan
    • Support for apiConnectivityCheck, maxTimeoutRetryAttempts, and requestHeaderNameRequestType
    • Fixed implementation of reportIncludeRequestBody and reportIncludeResponseBody
    • Fixed handling of lookahead and lookbehind assertion references in regular expressions
  • 42crunch/scand-agent:v2.0.7
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v2.0.6
    • Lax testing mode
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v2.0.4
    • Numeric values exceeding the limits of float64 presented as strings
  • 42crunch/scand-agent:v2.0.3
    • Upgrade to Golang 1.21.5 (CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-45283)
    • New scan report
    • Tests parameter-header-contenttype-wrong-scan and partial-security-accepted
    • Support for reportIncludeRequestBody, reportIncludeResponseBody, reportMaxRequestSizeHappyPath, reportMaxRequestSizeTest
    • Improved logging for runtime limit
    • Heartbeat check

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • NEW: 42crunch/scand-agent:v1.22.20
    • Fixed excessive data exposure reporting

We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.22.19
    • Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
    • Happy path tests included in the number of tests
  • 42crunch/scand-agent:v1.22.18
    • Fixed scan configuration creation when items is null
  • 42crunch/scand-agent:v1.22.17
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
  • 42crunch/scand-agent:v1.22.16
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v1.22.15
    • Fixed handling of query parameters in request generation
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v1.22.14
    • Upgrade to Golang 1.21.5 (CVE-2023-39326, CVE-2023-45283)
  • 42crunch/scand-agent:v1.22.13
    • Upgrade to Golang 1.21.3 (CVE-2023-45284, CVE-2023-45283)
    • Heartbeat check to keep the connection to 42Crunch Platform active in case of extremely long scans
    • Fixed handling of example and x-42c-sample
  • 42crunch/scand-agent:v1.22.12
    • Support for text/plain as content type
    • Support for read-only properties
  • 42crunch/scand-agent:v1.22.11
    • Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Fixed handling of < and > characters in the request payload
    • Improved handling of content not supported by Conformance Scan
  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration

All previous image versions have been deprecated and are no longer supported.

Deprecated components

The following have been deprecated and will be removed in the future.

Deprecated API Firewall images

The following versions of the API Firewall Docker image have been deprecated and will be removed in October 2024:

  • 42crunch/apifirewall:v1.1.4
  • 42crunch/apifirewall:v1.1.3
  • 42crunch/apifirewall:v1.1.2
  • 42crunch/apifirewall:v1.1.1
  • 42crunch/apifirewall:v1.0.25
  • 42crunch/apifirewall:v1.0.24
  • 42crunch/apifirewall:v1.0.23
  • 42crunch/apifirewall:v1.0.22
  • 42crunch/apifirewall:v1.0.21
  • 42crunch/apifirewall:v1.0.20
  • 42crunch/apifirewall:v1.0.19
  • 42crunch/apifirewall:v1.0.18

See Deprecated API Firewall images.

Known issues

This release has the following known issues.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to an API, or removing them from it, may trigger an unrelated error about failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take precedence over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule having null defined as the expected response code, and because the scan rule takes precedence over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.
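To make the precedence concrete, here is an added illustration (not 42Crunch code, and not the real scan rule format): a hypothetical resolver that models rule-defined expected codes winning over the defaults, the null case that produces the false positive, and the workaround of declaring the expected codes in the rule explicitly. The default code sets and the rule dicts are constructed sample data.

```python
"""Model of the expected-response-code precedence behind the known issue.

Hypothetical, simplified representation (assumption, not 42Crunch's format):
a scan rule is a dict with optional analysis-skip flags and an optional
'expected_codes' map keyed by 'happy_path' or a test ID.
"""
from typing import Optional

# Constructed defaults standing in for what Conformance Scan would otherwise expect.
DEFAULT_EXPECTED = {
    "happy_path": {200},
    "path-item-method-not-allowed-no-authn-scan": {401, 404, 405},
}

# A rule that only skips body analysis and declares no expected codes (triggers the issue).
SKIP_ONLY_RULE = {"skip_response_body_analysis": True}

# Workaround: the same rule with the expected codes declared explicitly.
EXPLICIT_RULE = {
    "skip_response_body_analysis": True,
    "expected_codes": {
        "happy_path": {200},
        "path-item-method-not-allowed-no-authn-scan": {401, 404, 405},
    },
}


def resolve_current(rule: dict, test_id: str) -> Optional[set]:
    """Current behaviour: whatever the rule holds wins, even when that is None."""
    return rule.get("expected_codes", {}).get(test_id)


def resolve_fixed(rule: dict, test_id: str) -> set:
    """Fallback behaviour: use the defaults when the rule defines no codes for the test."""
    codes = rule.get("expected_codes", {}).get(test_id)
    return codes if codes else DEFAULT_EXPECTED.get(test_id, set())


def is_unexpected(expected: Optional[set], status: int) -> bool:
    """A response is flagged when its status is outside the accepted set; None accepts nothing."""
    return expected is None or status not in expected


def flagged_with(resolver, rule: dict, test_id: str, status: int) -> bool:
    """Run one response through the chosen resolver and report whether it would be flagged."""
    return is_unexpected(resolver(rule, test_id), status)
```

With the skip-only rule, a normal HTTP 200 happy-path response is flagged under the current precedence (the false positive), while the explicit rule and the fallback resolver both accept it.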

We are currently investigating the best way to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.