This article describes how Lucent Sky AVM categorizes vulnerabilities, as well as the security standards and vulnerability lists supported by different versions of Lucent Sky AVM.
How Lucent Sky AVM categorizes vulnerabilities
Lucent Sky AVM uses CWE IDs as the primary categorization mechanism. CWE uses a cascading categorization scheme, meaning that some vulnerabilities can be categorized under more than one CWE ID. For such vulnerabilities, the Lucent Sky team works with external experts and stakeholders to decide which CWE ID should be used.
The goal is to use CWE IDs with identifiable and unique definitions (for example, choosing CWE-201: Information Exposure Through Sent Data over CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), while avoiding cluttering the scan results with hundreds of similar CWE IDs (for example, choosing CWE-22: Path Traversal over CWE-32: Path Traversal: '…' (Triple Dot)).
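The two rules above (prefer the most specific CWE that has a distinct definition, but stop at a chosen set of reporting IDs rather than emitting every narrow variant) can be expressed as a walk up CWE's ChildOf links. The following is an added example, not Lucent Sky AVM's own mapping code: the parent links and the reporting set are a small constructed subset chosen for illustration, and `canonical_cwe` and `summarize_findings` are hypothetical helper names.

```python
"""Normalize CWE IDs to a fixed set of "reporting" CWEs by walking ChildOf links.

Added example; the parent links and the reporting set below are a small
constructed subset for illustration, not Lucent Sky AVM's actual mapping.
"""
from collections import Counter

# Constructed subset of CWE ChildOf relationships (child -> list of parents).
# A child may have more than one parent, which is what the text calls
# cascading categorization.
CWE_PARENTS = {
    32: [23],          # Path Traversal: '...' (Triple Dot)
    23: [22],          # Relative Path Traversal
    22: [706],         # Path Traversal
    201: [200],        # Information Exposure Through Sent Data
    200: [668],        # Exposure of Sensitive Information to an Unauthorized Actor
    209: [200, 755],   # error message leaks sensitive information (two parents)
}

# Assumed reporting set: the IDs the scanner is willing to put in results.
# CWE-201 is in, so it wins over its parent CWE-200; CWE-32 is out, so it
# collapses to CWE-22.
REPORTING_SET = {22, 200, 201, 755}


def canonical_cwe(cwe_id, parents=CWE_PARENTS, reporting=REPORTING_SET):
    """Return the reporting CWE for cwe_id, or None if no ancestor is in the set.

    Breadth-first walk: the ID itself first, then its parents, then its
    grandparents, so the most specific reporting ancestor wins. Ties at the
    same depth are resolved by lowest ID so results are deterministic.
    """
    seen = {cwe_id}
    frontier = [cwe_id]
    while frontier:
        hits = sorted(c for c in frontier if c in reporting)
        if hits:
            return hits[0]
        nxt = []
        for c in frontier:
            for p in parents.get(c, []):
                if p not in seen:
                    seen.add(p)
                    nxt.append(p)
        frontier = nxt
    return None


def summarize_findings(raw_cwe_ids):
    """Count findings by reporting CWE; unmapped IDs are grouped under None."""
    return Counter(canonical_cwe(c) for c in raw_cwe_ids)


if __name__ == "__main__":
    # Constructed sample of raw finding IDs as a tool might emit them.
    sample = [32, 23, 22, 201, 200, 209, 999]
    for cwe in sample:
        print(f"CWE-{cwe} -> {canonical_cwe(cwe)}")
    print(summarize_findings(sample))
```

With the constructed data, CWE-32 and CWE-23 both collapse to CWE-22, CWE-201 stays CWE-201 rather than being generalized to CWE-200, CWE-209 (two parents, neither itself in the set) resolves to CWE-200 by the lowest-ID tie-break, and an ID with no reporting ancestor maps to None so it can be reviewed rather than silently dropped.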
Supported security standards and vulnerability lists
This table lists the security standards and vulnerability lists included in the Built-in rule package of Lucent Sky AVM.
| Standard [1] | Version | Lucent Sky AVM versions [2] |
|---|---|---|
| CVE | | All |
| CVSS | 3.1 | All |
| CWE [3] | 4.15 | All |
| CWE Top 25 | 2023 | 2309 |
| CWE Top 25 | 2022 | All |
| CWE Top 25 | 2021 | All |
| CWE Top 25 | 2020 | All |
| CWE Top 25 | 2019 | All |
| CWE/SANS Top 25 | 3.0 | All |
| HIPAA [4] | | All |
| MISRA C [4] | 2004 | All |
| MISRA C [4] | 2012 | All |
| MISRA C++ [4] | 2008 | All |
| OWASP API Security Top 10 | 2019 | All |
| OWASP ASVS | 4.0 | All |
| OWASP Mobile Top 10 | 2016 | All |
| OWASP Mobile Top 10 | 2014 | All |
| OWASP Top 10 | 2021 | All |
| OWASP Top 10 | 2017 | All |
| OWASP Top 10 | 2013 | All |
| OWASP Top 10 | 2010 | All |
| PCI DSS [5] | 4.0 | All |
| PCI DSS [5] | 3.2.1 | All |
1. Most of the security standards and vulnerability lists include vulnerabilities beyond the scope of static code analysis. The inclusion of a specific standard or list does not mean that every vulnerability in that standard or list is supported. For more information about how Lucent Sky AVM can help organizations meet the requirements of these standards, contact Lucent Sky support.
2. Only includes supported Lucent Sky AVM versions (current as of the last revision date of this article). Also, only the then-current versions of certain security standards and vulnerability lists (such as CWE and CVSS) are supported by a specific version of Lucent Sky AVM. For the security standards, vulnerability lists, and their versions supported by a specific version of Lucent Sky AVM, contact Lucent Sky support.
3. For a list of CWE vulnerability categories supported by Lucent Sky AVM, view the following article in the Lucent Sky Knowledge Base: List of vulnerability categories supported by Lucent Sky AVM.
4. The Built-in rule package includes vulnerability categories that cover guidelines and rules in these standards, but these standards are not available as a predefined weakness policies group.
5. To learn more about Lucent Sky AVM and PCI DSS compliance, view the following article in the Lucent Sky Knowledge Base: Lucent Sky AVM for PCI DSS Compliance.