Lucent Sky AVM version 2303 release notes

2023/4/13

Lucent Sky AVM version 2303 releases

Lucent Sky AVM version 2303 MR

New features in 2303 MR

Technology stack

  • Support for Go 1.20
  • Support for PHP 8.2

Build

  • Improvements to the Java build process

Binary analysis

  • Improved Intelligent Analysis efficiency for Java applications
  • General improvements for JSF and JSP analysis
  • Improved support for custom security libraries

Source code analysis

  • General improvements on C#, C/C++, ECMAScript, Go, PHP, and VB.NET source code analysis engines
  • Improved support for custom security libraries
  • Improved handling of minified and obfuscated source code

Dependency analysis

  • General improvements on the dependency analysis engines

Remediation

  • General improvements on the remediation engines

Reporting

  • Support for CSV, JSON, and SARIF report formats
  • Improved context in reports and scan details for results that have no statement because source code or symbols are missing
  • Additional build information available in reports and scan details

Weakness policies

  • Support for CWE 4.10
  • Separate security standard weakness policies for PCI DSS v3.2.1 and PCI DSS v4.0

Interface

  • .NET Standard 2.0 support for the API
  • Support for pulling source code from Git and TFVC repositories for scanning
  • Improved handling of network issues in the CLI
  • Performance improvements for the CLI and the Web UI

Issues fixed in 2303 MR

  • We fixed an issue where browsers might become unresponsive when using the Web UI to view results containing complex ECMAScript statements
  • We fixed an issue where browsers might become unresponsive when viewing HTML reports containing complex ECMAScript statements
  • We fixed an issue where certain methods of the CLI were incompatible with macOS with Mono 6.12
  • We fixed an issue where false positives were reported when certain security functions are used to remediate vulnerabilities
  • We fixed an issue where XML reports might have inconsistent SBOM information
  • We fixed an issue where dependency update guidance was incomplete or not available for certain vulnerable dependencies
  • We fixed an issue where known minified ECMAScript files were analyzed with source code analysis when Intelligent Analysis was enabled

Breaking changes in 2303 MR

Analysis

  • Legacy PHP analysis engine removed

    Potential breaking change. The legacy PHP analysis engine has been removed. Scan arguments specifying the legacy PHP analysis engine will be migrated to use the default PHP analysis engine. As telemetry indicates that the legacy PHP analysis engine has been used in less than 0.0001% of scans in the past 12 months, most customers are not expected to be impacted by this change.

Weakness policies

  • PCI DSS security standard weakness policy split into v3.2.1 and v4.0

    Potential breaking change. The PCI DSS security standard weakness policy (PCIDSS) has been split into two, one for PCI DSS v3.2.1 (PCIDSS3) and one for PCI DSS v4.0 (PCIDSS4). Current weakness policy settings utilizing PCIDSS will be migrated to PCIDSS4.