Get started with Lucent Sky AVM Web UI

2024/1/20

Lucent Sky AVM is a developer tool that identifies application vulnerabilities and directly remediates them in the source code. It is composed of four components: CLEAR Engine (the analysis and remediation engine), Web UI, CLI, and IDE extensions.

This article describes the basic features of the Web UI, and guides you through the process of scanning an application using the Web UI. To learn about other functionalities of the Web UI, view the following article in the Lucent Sky Knowledge Base:
Lucent Sky AVM Web UI reference

In this article, you will learn how to:

  • Create a zip file containing the source code of an application
  • Scan an application
  • Review the identified results and their Instant Fixes
  • Download the remediated source code
  • Download the report

At the end, you will be able to use the Web UI to scan applications and generate remediated source code and reports.

Prerequisites

  • Web browser - The latest versions of Google Chrome, Microsoft Edge, and Mozilla Firefox are supported by the Web UI.

Create a zip file containing the source code of an application

To learn about creating the source code archive of an application, view the following article in the Lucent Sky Knowledge Base:
Prepare an application for scanning

Scan an application

  1. Go to the Web UI in your browser, and then sign in with your credentials.
  2. Under the Action Bar on the left, select New Application. Enter the name of the application, and optionally enter one or more tags (separated by commas) to categorize the application. Then, select the application framework and select Create. You can also change the default build, analysis, and remediation parameters for this application by selecting More Options. You can change these parameters at a later stage as well.
  3. Select Static Code Analysis for Analysis Method. Then, select Archive File for Source Code, and select Browse… to select the archive file containing the source code of the application. You can also change the build, analysis, and remediation parameters for this application by selecting More Options. Finally, select Upload.

    To learn more about scan options, view the following article in the Lucent Sky Knowledge Base: Scan an application with advanced options

  4. The web page will refresh itself. An Application Box will display the name of the application and the progress of the scan. There are 10 stages:

    • Extracting
    • Queued
    • Checking
    • Preparing analysis
    • Building
    • Analyzing (S-1)
    • Analyzing (S-2)
    • Analyzing (S-3)
    • Analyzing (S-4)
    • Analyzing (S-5)
  5. Depending on the size and complexity of the application, the scan can take anywhere from a few seconds to a few hours to complete. Generally, it takes around 30 minutes to scan an application with a million lines of code.
  6. Once the scan is completed, the Application Box will display three numbers in the format A + R / T. A is the number of vulnerabilities requiring developer action, R is the number of results that can be automatically remediated, and T is the total number of results.

Review the identified results and their Instant Fixes or remediation suggestions

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. The Scan Summary page has three parts: Efficiency Snapshot, Vulnerabilities, and Additional Information.

    • Efficiency Snapshot shows the mitigation cost and programming hours saved by automatically mitigating the vulnerabilities in this application.
    • Vulnerabilities pie chart shows the distribution of vulnerability categories, as well as the number of vulnerabilities in each category. Clicking a vulnerability slice or a vulnerability box next to the pie chart will take you to the Vulnerability List page.
    • Additional Information shows information about this scan, as well as the number of vulnerabilities compared with the previous scan of the same application.
  3. The Vulnerability List page is a list of all the vulnerabilities in that category. Clicking a vulnerability will take you to the Vulnerability Details page.
  4. The title of the Vulnerability Details page shows the category, the file, and the line number of the vulnerability. The Statements section shows the flow of the vulnerability through the application. A vulnerability will also have either an Instant Fix or a Suggestion. An Instant Fix indicates that the vulnerability can be remediated by replacing the source code at the indicated file and line number with the code snippet, while a Suggestion provides contextual guidance for developers to remediate the vulnerability.

To learn about suppressing a result so it does not appear in a future scan, view the following article in the Lucent Sky Knowledge Base:
Suppress results from appearing in future scans

Download the remediated source code

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. Under the Action Bar on the left, select Remediate. In the pop-up dialog, choose whether you want to include mitigation information and the original source code in the generated source code as comments. The generated source code might be similar to

     Response.Write(HtmlEncode(Request["foo"])); // CWE79 remediated (confidence: 13). OriginalStatement: "Response.Write(Request["Foo"]);".

    where CWE79 remediated (confidence: 13) is the remediation information and OriginalStatement: "Response.Write(Request["Foo"]);" is the original source code.

  3. Select Remediate. Once the remediated source code has been generated, select Download.
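One way to audit the remediation comments in a download, as an added example that is not Lucent Sky's code: a small Python script that parses every comment following the format shown above (assumed to be the only format used), lists the original statement next to the remediated one, and flags fixes below a chosen confidence for manual review. The sample source is constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Matches the comment format shown in the article, e.g.
#   ...; // CWE79 remediated (confidence: 13). OriginalStatement: "Response.Write(Request["Foo"]);".
# The greedy (.*) for the original statement is deliberate: the statement itself
# may contain double quotes, so [^"]* or a non-greedy match would cut it short.
NOTE_RE = re.compile(
    r'^(?P<code>.*?)\s*//\s*(?P<cwe>CWE\d+) remediated \(confidence: (?P<conf>\d+)\)\.'
    r'\s*OriginalStatement: "(?P<orig>.*)"\.\s*$'
)

@dataclass
class RemediationNote:
    line_no: int
    cwe: str
    confidence: int
    original: str    # statement before remediation, as recorded in the comment
    remediated: str  # statement now in the file, with the comment stripped

def parse_remediation_notes(source: str) -> List[RemediationNote]:
    """Return one note per line carrying a remediation comment; other lines are ignored."""
    notes = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = NOTE_RE.match(line)
        if m:
            notes.append(RemediationNote(line_no, m["cwe"], int(m["conf"]),
                                         m["orig"], m["code"].strip()))
    return notes

def summarize(notes: List[RemediationNote], min_confidence: int = 0) -> Tuple[Counter, List[RemediationNote]]:
    """Count applied fixes per CWE and collect those below min_confidence for review."""
    by_cwe = Counter(n.cwe for n in notes)
    to_review = [n for n in notes if n.confidence < min_confidence]
    return by_cwe, to_review

# Constructed sample of remediated C# output; not a real AVM download.
SAMPLE = '''\
using System;
Response.Write(HtmlEncode(Request["foo"])); // CWE79 remediated (confidence: 13). OriginalStatement: "Response.Write(Request["Foo"]);".
var name = Request["name"]; // ordinary comment, untouched by remediation
Response.Write(HtmlEncode(name)); // CWE79 remediated (confidence: 8). OriginalStatement: "Response.Write(name);".
'''

if __name__ == "__main__":
    parsed = parse_remediation_notes(SAMPLE)
    counts, review = summarize(parsed, min_confidence=10)
    for n in parsed:
        print(f"line {n.line_no}: {n.cwe} conf={n.confidence} | {n.original} -> {n.remediated}")
    print("fixes per CWE:", dict(counts), "| review lines:", [n.line_no for n in review])
```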

Download the report

  1. Select the Application Box of the application you want to review. You will be taken to the Scan Summary page.
  2. Under the Action Bar on the left, select Report. In the pop-up dialog, choose the format of the report, then select Generate. Once the report has been generated, select Download.