42Crunch Platform release, December 5, 2024
Platform version: v1.40.x
This 42Crunch API Security Platform release brings initial support for the OpenAPI Specification (OAS) v3.1.x and improvements to reporting security issues when using mutual TLS (mTLS).
New features
The following are the new features and improvements to the existing ones in this release.
Initial support for the OAS v3.1.x
You can now import OpenAPI definitions that follow the OAS v3.1.x to 42Crunch Platform and run API Security Audit on them.
At this point, Security Audit supports the following features for API definitions that state they follow the OAS v3.1.x:
- The property type can now be an array, so arrays in type are no longer flagged during audit.
- null is now supported, so type can now be null.
- Webhooks are now validated for the correct structure in Security Audit. They do not affect the audit score.
- If the API definition has at least one webhook defined, paths are optional, so in this case the property paths can be empty.
- Examples in schemas are now defined in examples; the singular example has been deprecated in v3.1.x.
- The structure of the license object now has a new identifier field.
- The contentEncoding and contentMediaType properties, which better describe file uploads, are supported.
More changes and checks specific to OAS v3.1.x will be introduced in future releases. API Conformance Scan and API Protection do not yet support the OAS v3.1.x.
For more details, see Key changes between v3.0.x and v3.1.x.
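The version differences listed above are exactly the ones that make a definition fail or pass audit depending on the openapi version it declares. The following pre-flight check, an added example that is not 42Crunch code, walks a definition and flags each construct that is only valid in 3.1.x (type arrays and null, license.identifier, contentEncoding/contentMediaType, paths omitted in favour of webhooks) or only deprecated there (the singular example). The two sample documents are constructed for the example; the severities and messages are the example's own, not Security Audit's.

```python
"""Pre-flight check of an OpenAPI definition against the OAS 3.0.x / 3.1.x
differences listed in the release notes. Added example, not 42Crunch code;
the two sample documents below are constructed for it."""
import json

SCHEMA_MAP_KEYS = ("properties", "patternProperties", "$defs")  # values are schemas
SCHEMA_LIST_KEYS = ("allOf", "anyOf", "oneOf", "prefixItems")   # entries are schemas
SCHEMA_ONE_KEYS = ("items", "not", "additionalProperties")      # value is one schema


def _esc(key):
    """Escape one reference token for a JSON pointer (RFC 6901)."""
    return str(key).replace("~", "~0").replace("/", "~1")


def iter_schemas(node, ptr="#", in_schema=False):
    """Yield (json_pointer, schema_dict) for every Schema Object in the document.
    Schemas are entered from components.schemas and from any 'schema' key; inside
    a schema only sub-schema keywords are followed, so a Media Type Object's own
    'example' is never mistaken for a schema keyword."""
    if isinstance(node, dict):
        if in_schema:
            yield ptr, node
        for key, val in node.items():
            child = f"{ptr}/{_esc(key)}"
            if in_schema:
                if key in SCHEMA_MAP_KEYS and isinstance(val, dict):
                    for name, sub in val.items():
                        yield from iter_schemas(sub, f"{child}/{_esc(name)}", True)
                elif key in SCHEMA_LIST_KEYS and isinstance(val, list):
                    for i, sub in enumerate(val):
                        yield from iter_schemas(sub, f"{child}/{i}", True)
                elif key in SCHEMA_ONE_KEYS:
                    yield from iter_schemas(val, child, True)
            elif key == "schema" or ptr == "#/components/schemas":
                yield from iter_schemas(val, child, True)
            else:
                yield from iter_schemas(val, child, False)
    elif isinstance(node, list) and not in_schema:
        for i, val in enumerate(node):
            yield from iter_schemas(val, f"{ptr}/{i}", False)


def check_definition(doc):
    """Return a list of (severity, json_pointer, message) findings."""
    is_31 = str(doc.get("openapi", "")).startswith("3.1")
    findings = []
    # paths may be missing or empty only in 3.1.x, and only if a webhook is defined
    if not doc.get("paths") and not (is_31 and doc.get("webhooks")):
        findings.append(("error", "#/paths",
                         "paths is missing or empty and no webhooks are defined"))
    if "identifier" in doc.get("info", {}).get("license", {}) and not is_31:
        findings.append(("error", "#/info/license/identifier",
                         "license.identifier exists only in OAS 3.1.x"))
    for ptr, schema in iter_schemas(doc):
        if "type" in schema and not is_31:
            t = schema["type"]
            if isinstance(t, list) or t is None or t == "null":
                findings.append(("error", f"{ptr}/type",
                                 f"type {t!r} requires OAS 3.1.x; 3.0.x takes one type name"))
        if "example" in schema and is_31:
            findings.append(("warning", f"{ptr}/example",
                             "singular example is deprecated in OAS 3.1.x; use examples"))
        for key in ("contentEncoding", "contentMediaType"):
            if key in schema and not is_31:
                findings.append(("warning", f"{ptr}/{key}",
                                 f"{key} is not a 3.0.x Schema Object keyword"))
    return findings


# Constructed sample: declares 3.0.3 but uses 3.1-only constructs.
SAMPLE_30 = json.loads("""{
  "openapi": "3.0.3",
  "info": {"title": "Orders", "version": "1.0",
           "license": {"name": "Apache-2.0", "identifier": "Apache-2.0"}},
  "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok",
      "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}}}}}},
  "components": {"schemas": {"Order": {"type": "object", "properties": {
      "id": {"type": "string"},
      "note": {"type": ["string", "null"]},
      "file": {"type": "string", "contentEncoding": "base64", "contentMediaType": "application/pdf"}}}}}
}""")

# Constructed sample: webhook-only 3.1.0 definition with one deprecated singular example.
SAMPLE_31 = json.loads("""{
  "openapi": "3.1.0",
  "info": {"title": "Orders", "version": "1.0",
           "license": {"name": "Apache-2.0", "identifier": "Apache-2.0"}},
  "webhooks": {"orderShipped": {"post": {"requestBody": {"content": {"application/json":
      {"schema": {"$ref": "#/components/schemas/Order"}}}}, "responses": {"200": {"description": "received"}}}}},
  "components": {"schemas": {"Order": {"type": "object", "properties": {
      "id": {"type": "string", "example": "ord-1"},
      "note": {"type": ["string", "null"], "examples": ["gift wrap", null]}}}}}
}""")

if __name__ == "__main__":
    for name, doc in (("3.0.x sample", SAMPLE_30), ("3.1.x sample", SAMPLE_31)):
        print(name)
        for severity, ptr, msg in check_definition(doc):
            print(f"  {severity:7} {ptr}: {msg}")
```

Run it on a definition before uploading: the 3.0.x sample produces two errors (license.identifier and the type array on note) and two warnings (the content keywords on file), while the 3.1.x sample passes with only the deprecation warning on the singular example, and its missing paths is accepted because a webhook is present. The check is deliberately limited to the differences the release notes name; it is not a full validator.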
Changed severity levels in Security Audit with mTLS
Security Audit now downgrades the severity of non-mTLS security issues to Info if the API definition correctly uses the vendor extension x-42c-mtls to indicate that the API is protected with mTLS.
This allows using severity levels as criteria in security quality gates (SQGs) without false positives from irrelevant security issues causing the SQGs to fail. Security Audit continues to report data validation issues and security issues related to defining mTLS at their normal severity level, so they will not slip through SQGs despite this change.
For more details on mTLS, see x-42c-mtls.
In addition, Security Audit no longer reports a structural issue for API definitions following the OAS v2 if they define both minimum and exclusiveMinimum: in OAS v2, exclusiveMinimum is a boolean that modifies minimum, so these properties legitimately appear side by side. We have also fixed a regression on null enums in API definitions following the OAS v3.0.x.
Improvements to API Conformance Scan
The default value that Conformance Scan uses for the maximum report size has been aligned to 20 MB across all scan versions.
Scan v2 only
Scan v2 now has three kinds of status badges that reflect how the test went:
- Success: The test ran successfully and found no issues in the API implementation
- Failed: The test ran successfully and found issues in the API implementation
- Error: An error occurred when running the test
We have also improved on how Conformance Scan handles variables and properties when generating the test request:
- For variables that include static text in addition to placeholder values (for example, Bearer in Bearer {{AccessToken}}), the scan now only substitutes the placeholder value ({{AccessToken}}), leaving the static text (Bearer) intact.
- We have fixed a bug where the scan was unable to delete schemas that were referenced elsewhere.
Other improvements
We have improved the conversion of APIs from JSON to YAML. Previously, in some cases the conversion might augment regular expressions with additional safe characters. This meant that the resulting regular expression could appear different from the original one, which could be confusing. The upgraded conversion no longer does this, so the regular expressions look the same even after the conversion.
Compatibility
This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.
API Firewall images
This release is compatible with the following API Firewall images:
We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements.
- 42crunch/apifirewall:v1.1.6
  - Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
- 42crunch/apifirewall:v1.1.5
  - Switch to the system certificate store to fix a certificate authority renewal issue
All previous image versions have been deprecated and are no longer supported.
When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.
Conformance Scan images
This release is compatible with the following Conformance Scan images for running it on-premises.
Scan v2
We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements.
- NEW: 42crunch/scand-agent:v2.0.15
  - Fixed replacement of placeholder texts in variables when generating test requests
  - Fixed generation of properties in test requests
  - Fixed regression on null enums
- 42crunch/scand-agent:v2.0.13
  - A new property in the scan report to indicate if running a scan test succeeded or not
- 42crunch/scand-agent:v2.0.12
  - Fixed scan report timestamp
- 42crunch/scand-agent:v2.0.11
  - Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
- 42crunch/scand-agent:v2.0.10
  - New test response-body-badformat-scan
  - Fixed scan configuration creation when items is null
  - Fixed excessive data exposure reporting
- 42crunch/scand-agent:v2.0.9
  - Scan v2 in v1-compatible mode
  - Support for Accept headers
  - Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
- 42crunch/scand-agent:v2.0.8
  - New test path-item-method-not-allowed-no-authn-scan
  - Support for apiConnectivityCheck, maxTimeoutRetryAttempts, and requestHeaderNameRequestType
  - Fixed implementation of reportIncludeRequestBody and reportIncludeResponseBody
  - Fixed handling of lookahead and lookbehind assertion references in regular expressions
- 42crunch/scand-agent:v2.0.7
  - Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
- 42crunch/scand-agent:v2.0.6
  - Lax testing mode
  - Fixed generating conformance test requests when multiple required properties are defined
- 42crunch/scand-agent:v2.0.4
  - Numeric values exceeding the limits of float64 presented as strings
- 42crunch/scand-agent:v2.0.3
  - Upgrade to Golang 1.21.5 (CVE-2023-45284, CVE-2023-45283, CVE-2023-39326)
  - New scan report
  - Tests parameter-header-contenttype-wrong-scan and partial-security-accepted
  - Support for reportIncludeRequestBody, reportIncludeResponseBody, reportMaxRequestSizeHappyPath, reportMaxRequestSizeTest
  - Improved logging for runtime limit
  - Heartbeat check
All previous image versions have been deprecated and are no longer supported.
Scan v1
We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements.
- NEW: 42crunch/scand-agent:v1.22.21
  - Default value for the maximum scan report size is now 20 MB, to align with Scan v2
- 42crunch/scand-agent:v1.22.20
  - Fixed excessive data exposure reporting
- 42crunch/scand-agent:v1.22.19
  - Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
  - Happy path tests included in the number of tests
- 42crunch/scand-agent:v1.22.18
  - Fixed scan configuration creation when items is null
- 42crunch/scand-agent:v1.22.17
  - Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
- 42crunch/scand-agent:v1.22.16
  - Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
- 42crunch/scand-agent:v1.22.15
  - Fixed handling of query parameters in request generation
  - Fixed generating conformance test requests when multiple required properties are defined
- 42crunch/scand-agent:v1.22.14
  - Upgrade to Golang 1.21.5 (CVE-2023-39326, CVE-2023-45283)
- 42crunch/scand-agent:v1.22.13
  - Upgrade to Golang 1.21.3 (CVE-2023-45284, CVE-2023-45283)
  - Heartbeat check to keep the connection to 42Crunch Platform active in case of extremely long scans
  - Fixed handling of example and x-42c-sample
- 42crunch/scand-agent:v1.22.12
  - Support for text/plain as content type
  - Support for read-only properties
- 42crunch/scand-agent:v1.22.11
  - Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
  - Fixed handling of < and > characters in the request payload
  - Improved handling of content not supported by Conformance Scan
- 42crunch/scand-agent:v1.22.9
  - Performance improvements to scan configuration generation
  - Better memory handling when generating array items of the type file for scan requests
  - Better handling of expired customization rules
  - Improved JSON schema validation for UTF-8 strings
- 42crunch/scand-agent:v1.22.8
  - Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
- 42crunch/scand-agent:v1.22.7
  - Updates to regular expression library
- 42crunch/scand-agent:v1.22.6
  - Fixed regular expressions handling. In some rare cases, certain regular expression patterns could send the on-premises scan into an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing the on-premises scan hanging, we recommend upgrading from the previous scan images to this one.
- 42crunch/scand-agent:v1.22.4
  - Improved array iteration
All previous image versions have been deprecated and are no longer supported.
Known issues
This release has the following known issues.
Manage teams permission not shown on list of users
The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.
These will be fixed in a future release.
Changing tagging on an API may trigger an unrelated error on the UI
Sometimes applying tags to or removing them from an API may trigger an unrelated error on failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan has finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.
Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.
This will be fixed in a future release.
Data dictionary duplication
Duplicating a data dictionary does not yet duplicate the values in it.
This will be fixed in a future release.
Scan customization rules may lead to no response codes being accepted
In some cases, scan rules can cause HTTP status response codes that are normally expected in API responses (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to false positives in the scan results.
By default, the expected HTTP status response codes defined in the scan rules applied to the scanned API take precedence over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. The scan rule then has null defined as the expected response code, and because the scan rule takes precedence over the default scan behavior, no response codes except null are accepted. As a result, some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.
Until this is fixed, a rule that only skips header or body analysis should also state the response codes it expects, so that the defaults are not overridden with null. We are currently investigating the best way to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.