Lucent Sky AVM version 2112 release notes

2022/2/14

Lucent Sky AVM version 2112 releases

Lucent Sky AVM version 2112 SU1

New features in 2112 SU1

Pre-analysis

  • Performance improvements to the pre-analysis algorithms

Binary analysis

  • Improvements to direct binary analysis for .NET and Java applications

Remediation

  • Improved remediation for PHP applications

Administration

  • Improved error handling during the update process

Issues fixed in 2112 SU1

  • We fixed an issue where activation error messages do not accurately represent the underlying error
  • We fixed an issue where the ROI page on the Web UI returns an error

Lucent Sky AVM version 2112 MR

New features in 2112 MR

Technology stack

  • Support for .NET 6
  • Support for Java 17
  • Support for Java applications developed with Groovy
  • Support for ActionScript

Build

  • Compatibility improvements for applications using Ant builds
  • Compatibility improvements for JDK IL generation algorithms
  • Compatibility improvements for ASP.NET, JSP, and PHP webpages

Binary analysis

  • Performance and scalability improvements for the secondary binary analysis engine
  • Accuracy improvements for the JDK binary analysis engine
  • General improvements for the binary analysis engines

Source code analysis

  • Performance improvements for the dataflow source code analysis engine
  • General improvements for the source code analysis engines

Dependency analysis

  • Improved performance for minified ECMAScript libraries
  • General improvements for the dependency analysis engine

Remediation

  • Fourth-generation remediation engine is generally available
  • Accuracy and performance improvements to the remediation algorithms
  • Update guidance is available for vulnerable dependencies

Reporting

  • History for individual results is available on the Web UI, HTML, and PDF reports
  • New scoring logic for remediation confidence
  • Support for CWE 4.6 and OWASP Top 10 2021
  • More accurate reporting for CWE-311 and its child categories
  • Dependencies with CVEs are reported as CWE-1104 when the corresponding CWE rules are disabled by weakness policies
  • Dark mode is available for HTML reports
  • Improved syntax highlighting for HTML and PDF reports

Interface

  • Dark mode is available on the Web UI
  • Scan progress is visible on the application and scan index pages
  • Improved syntax highlighting for the Web UI
  • Accessibility and usability improvements to the Web UI
  • The CLI supports scriptable configuration of WCF endpoints

Administration

  • Improvements for the update process

Issues fixed in 2112 MR

  • We fixed an issue where the CLI help text is inconsistent
  • We fixed an issue where the 'Information' field is missing in the HTML report
  • We fixed an issue where some OWASP Mobile Top 10 mappings were missing
  • We fixed an issue where multiple class-scoped results in the same class appear as a single result
  • We fixed an issue where some results in Java applications appear as multiple results
  • We fixed an issue where Gradle logs are not available on the Web UI when the build failed

Breaking changes in 2112 MR

Build

  • Built-in runtime .NET 5.0 renamed to .NET Core 3.1

    No functional change. Both the .NET Core 3.1 runtime and the new .NET 6.0 runtime use the latest MSBuild.

  • JDK 14 updated to JDK 17

    No functional change. Custom runtimes and applications using JDK 14 will be migrated to JDK 17 automatically. If these runtimes or applications need to use JDK 11, contact Lucent Sky support.

  • Maven updated to 3.8.4

    Breaking change. Custom repositories using HTTP are no longer supported by default due to changes in Maven 3.8. Migrate custom repositories to HTTPS, or explicitly enable custom repositories using HTTP in the Maven settings.

  • Custom PHP runtime is no longer supported

    Breaking change. Support for custom PHP runtimes is removed, as they were only used by the legacy PHP source code analysis engine. Existing custom PHP runtimes will be migrated to the built-in PHP runtime automatically.

Analysis

  • Analysis mode migrated to scan arguments

    Breaking change. Analysis mode has been migrated from the AnalysisMode property (Scan.Create.AnalysisMode) to the Arguments property (Project.Create.Arguments, Project.Edit.Arguments, and Scan.Create.Arguments). Third-party tools relying on the API and the CLI might need to be updated.

  • Legacy PHP source code analysis engine is no longer available

    Breaking change. Applications set to explicitly use the legacy PHP source code analysis engine (analysis engine ID 14) will be migrated to use the default PHP source code analysis engine, and may have different analysis results.

Reporting

  • Individual result history

    No functional change. Individual result history is not available for scans completed prior to updating to version 2112 MR unless a manual migration is performed.

  • New confidence scoring logic

    Breaking change. Scan results from before 2112 MR will be recalculated automatically using the new scoring logic. However, third-party tools relying on the XML report need to be updated. The following table shows how the scoring logic changed:

    Score value (2112 MR and later) | Score meaning (2112 MR and later)  | Score value (prior to 2112 MR) | Score meaning (prior to 2112 MR)
    13                              | High confidence Instant Fix        | 3                              | High confidence Instant Fix
    12                              | High confidence Instant Fix        | 2                              | High confidence Instant Fix
    11                              | Low confidence Instant Fix         | 1                              | Low confidence Instant Fix
    1                               | Contextual remediation suggestion  | (new to 2112 MR)               | (new to 2112 MR)
    0                               | Basic remediation suggestion       | 0                              | Remediation suggestion

Interface

  • CLI command for creating scans

    Breaking change. The Mode argument for the Scan.Create method has been deprecated. To create scans with intelligent analysis, remove the Mode argument from the command. To create scans with comprehensive analysis, remove the Mode argument from the command and add AnalysisMode,comprehensive to the Arguments argument.