Get started with Lucent Sky AVM Web UI

2024/01/29

Lucent Sky AVM is a developer tool that identifies application vulnerabilities and directly remediates them in the source code. It is composed of four components: the CLEAR Engine (the analysis and remediation engine), the Web UI, the CLI, and IDE extensions.

This article describes the basic features of the Web UI, and guides you through the process of scanning an application using the Web UI. To learn about other functionalities of the Web UI, view the following article in the Lucent Sky Knowledge Base:
Lucent Sky AVM Web UI reference

In this article, you will learn how to:

  • Create a zip file containing the source code of an application
  • Scan an application
  • Review the identified results and their Instant Fixes
  • Download the remediated source code
  • Download the report

At the end, you will be able to use the Web UI to scan applications and generate remediated source code and reports.

Prerequisites

  • Web browser - The latest versions of Google Chrome, Microsoft Edge, and Mozilla Firefox are supported by the Web UI.

Create a zip file containing the source code of an application

To learn about creating the source code archive of an application, view the following article in the Lucent Sky Knowledge Base:
Prepare an application for scanning

Scan an application

  1. Go to the Web UI in your browser, and then sign in with your credentials.
  2. Under the Action Bar on the left, select New Application. Enter the name of the application, and optionally enter one or more tags (separated by commas) to categorize the application. Then, select the application framework and select Create. You can also change the default build, analysis, and remediation parameters for this application by selecting More Options. You can change these parameters at a later stage as well.
  3. Select Static Code Analysis for Analysis Method. Then, select Archive File for Source Code, and select Browse… to select the archive file containing the source code of the application. You can also change the build, analysis, and remediation parameters for this application by selecting More Options. Finally, select Upload.

    To learn more about scan options, view the following article in the Lucent Sky Knowledge Base: Scan an application with advanced options

  4. The web page will refresh itself. An Application Box will display the name of the application and the progress of the scan. There are 11 stages:

    • Queued
    • Extracting
    • Checking
    • Preparing analysis
    • Building
    • Analyzing (S-1)
    • Analyzing (S-2)
    • Analyzing (S-3)
    • Analyzing (S-4)
    • Analyzing (S-5)
    • Analyzing (S-6)
  5. Depending on the size and complexity of the application, the scan can take anywhere from a few seconds to a few hours to complete. Generally, it takes around 30 minutes to scan an application with a million lines of code.
  6. Once the scan is completed, the Application Box will display three numbers in the format of M + A / T. M is the number of vulnerabilities requiring developer action, A is the number of results that can be automatically remediated, and T is the total number of results.

Review the identified results and their Instant Fixes or remediation suggestions

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. The Scan Summary page has three parts: Secure Score and Efficiency Snapshot, Vulnerabilities, and Additional Information.

    • Secure Score and Efficiency Snapshot includes the Secure Score of the application, and the remediation cost and time saved by automatic remediation.
    • Vulnerabilities includes a chart showing the distribution of vulnerabilities by priority, and a chart showing the distribution of vulnerabilities by CWE classification. Selecting a priority category or a CWE category navigates to the Vulnerability List page, showing the vulnerabilities of the selected category.
    • Additional Information includes information about this scan, as well as the number of vulnerabilities compared with the previous scan of the same application.
  3. The Vulnerability List page is a list of all the vulnerabilities in that category. Selecting a vulnerability will take you to the Vulnerability Details page.
  4. The title of the Vulnerability Details page shows the classification and the file and line number of the vulnerability. The Statements section shows the flow of the vulnerability through the application. The Instant Fix, Guided Fix, Guided Update, or Suggestion section shows how to fix the vulnerability.

    • Instant Fix remediates the vulnerability directly, and the developer can apply it to the file and line shown to fix the vulnerability
    • Guided Fix is remediation guidance generated specifically for the vulnerability, and the developer can follow its guidance to fix the vulnerability
    • Guided Update is guidance for updating software components, and the developer can follow its guidance to update the vulnerable software components to a secure version
    • Suggestion is a general description on how to fix the vulnerability

To learn about suppressing a result so it does not appear in a future scan, view the following article in the Lucent Sky Knowledge Base:
Suppress results from appearing in future scans

Download the remediated source code

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. Under the Action Bar on the left, select Remediate. In the pop-up dialog, choose whether to include the remediation information and the original source code in the generated source code as comments. The generated source code might look like this:

     Response.Write(HtmlEncode(Request["Foo"])); // CWE79 remediated (confidence: 13). OriginalStatement: "Response.Write(Request["Foo"]);".

    where CWE79 remediated (confidence: 13) is the remediation information and OriginalStatement: "Response.Write(Request["Foo"]);" is the original source code.

  3. Select Remediate. Once the remediated source code has been generated, select Download.
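As an added example (not part of this article or of the Lucent Sky tooling), the following Python script parses the remediation comments in downloaded source code to list what was changed and to flag low-confidence fixes for manual review. The comment layout is inferred from the single example above and the review threshold is an arbitrary assumption; the sample input is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Comment layout inferred from the one example in this article; the exact
# format the tool emits is an assumption. OriginalStatement is optional
# because the Remediate dialog lets you omit the original source code.
REMEDIATION_RE = re.compile(
    r'^(?P<code>.*)\s*//\s*(?P<cwe>CWE\d+) remediated'
    r'\s*\(confidence:\s*(?P<confidence>\d+)\)\.'
    r'(?:\s*OriginalStatement:\s*"(?P<original>.*)"\.)?\s*$'
)


@dataclass
class Remediation:
    line_no: int
    cwe: str
    confidence: int
    remediated: str            # statement as rewritten by the tool
    original: Optional[str]    # statement before remediation, if included


def parse_remediations(source: str) -> List[Remediation]:
    """Return every statement annotated as remediated, in file order."""
    found: List[Remediation] = []
    for n, line in enumerate(source.splitlines(), start=1):
        m = REMEDIATION_RE.match(line.strip())
        if m:
            found.append(Remediation(n, m["cwe"], int(m["confidence"]),
                                     m["code"].strip(), m["original"]))
    return found


def needs_review(rems: List[Remediation], threshold: int) -> List[Remediation]:
    """Fixes below a reviewer-chosen confidence threshold (the confidence
    scale is not documented here, so the threshold is an assumption)."""
    return [r for r in rems if r.confidence < threshold]


# Constructed sample of remediated output, not real tool output.
SAMPLE = '''
Response.Write(HtmlEncode(Request["Foo"])); // CWE79 remediated (confidence: 13). OriginalStatement: "Response.Write(Request["Foo"]);".
var cmd = new SqlCommand(query, conn);
cmd.Parameters.AddWithValue("@id", id); // CWE89 remediated (confidence: 7). OriginalStatement: "var cmd = new SqlCommand("SELECT * FROM t WHERE id=" + id, conn);".
Response.Write("static text");
'''

if __name__ == "__main__":
    for r in parse_remediations(SAMPLE):
        print(f"line {r.line_no}: {r.cwe} (confidence {r.confidence})")
        print(f"  before: {r.original}")
        print(f"  after:  {r.remediated}")
```

Running the script over the actual downloaded source gives a before/after list to check into review alongside the report, with the lowest-confidence fixes surfaced first.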

Download the report

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. Under the Action Bar on the left, select Report. In the pop-up dialog, choose the format of the report, then select Generate. Once the report has been generated, select Download.