Known issues of Lucent Sky AVM

2023/10/19

This article describes the known issues of recent releases of Lucent Sky AVM.

Known Issues

This is a list of known issues of the current and previous releases of Lucent Sky AVM, including the symptoms, impacted versions, workarounds, and fixes.

Licensing

When a pending scan is deleted, the entire pending scan queue becomes stuck

When a pending scan is deleted, sometimes the entire pending scan queue becomes stuck. The occurrence of this issue is extremely rare. This is due to a timing bug in queue management.

This issue impacts 1903, and has been fixed in 1912 MR.

Pre-analysis

Extended pre-analysis time for certain applications

When analyzing certain applications, especially those with large resource files, the pre-analysis time is greatly extended.

This issue impacts 1909 MR and SU1, and has been fixed in 1912 MR.

Scan appears to be stuck during pre-analysis

When certain I/O errors occur during pre-analysis, the scan appears to be stuck in the pre-analysis stage. Running the scan again resolves the issue.

This issue impacts versions between 2006 SU1 and 2112 SU1, and has been fixed in 2203 MR.

Misclassification of certain Python dependencies

When scanning Python applications, some dependencies are not properly classified as dependencies.

This issue impacts 2212 MR and earlier, and has been fixed in 2212 SU1.

Build

.NET web site scan failed with result -49999990

When scanning a .NET web site, the scan fails with the result code -49999990. Additionally, the compilation logs include the following error:

An unexpected error has occurred. The correlation ID is c8ebd46a-f8dc-43b8-a94c-dd9c046c5b1c.

This is an issue related to the way .NET web sites are detected.

This issue impacts 1810, and has been fixed in 1811 MR.

Ant log entries were saved to the generic scan log file instead of Ant log file

When building a Java application with Ant, build log entries were saved to the generic log file (ScanId.log) instead of the Ant log file (ScanId-Ant.log). Additionally, when a scan failed due to Ant build errors, the Ant log is not available to download on the Web UI.

This issue impacts 1811 SU3, and has been fixed in 1903 MR.

The Configuration and OutputPath build properties cannot be set with scan arguments

When building a .NET application, if the BuildProperties scan argument contains Configuration or OutputPath, the scan will either fail to start or ignore the build properties.

This issue impacts versions between 1903 MR and 1906 MR, and has been fixed in 1909 MR.

Ant build fails when a custom runtime is selected

When building a Java application with Ant and a custom runtime is selected, the build fails because of JSP compilation issues. This issue is due to the built-in Tomcat runtime being unavailable when a custom runtime is selected.

This issue impacts 1912 MR, and has been fixed in 1912 SU1.

Maven build does not save build output to log files

When building a Java application with Maven, the build output might not be properly saved to log files. This issue is due to an issue in the encoding conversion mechanism for log files.

This issue impacts 1912 MR and SU1, and has been fixed in 2003 MR.

Ant build fails after scanning Java applications with certain dependencies

After scanning a Java application with certain dependencies, the Ant build fails on any subsequent scans. This issue is due to a reconfiguration mechanism being triggered with incorrect parameters.

This issue impacts 2003 MR and earlier, and has been fixed in 2006 MR.

Ant build failed when scanning Java applications with no .java file

When scanning certain Java applications with no .java files, the Ant build fails.

This issue impacts 2009 MR and earlier, and has been fixed in 2009 SU1.

Unable to download Gradle logs when build failed

When an application using Gradle fails to build, Gradle logs are not available on the Web UI.

This issue impacts 2006 MR to 2009 MR, and has been fixed in 2112 MR.

Unable to locate Build Tools for Visual Studio 2022

When the instance only has certain versions of Build Tools for Visual Studio 2022 installed, scanning some .NET applications might fail because MSBuild is not found.

This issue impacts 2109 MR to 2112 SU1, and has been fixed in 2203 MR.

The 'WebAppPath' scan argument has no effect

When scanning Java applications with certain web application structures, specifying the WebAppPath scan argument has no effect.

This issue impacts 2306 MR and earlier, and has been fixed in 2309 MR.

Analysis

Scan appears to be stuck when analyzing applications with certain minimized JavaScript code

When scanning applications that contain JavaScript code files that were minimized with certain combinations of minimizers and parameters, the scan might appear to be stuck for an exceedingly long time.

To work around this issue, manually exclude the impacted files from the scan.

This issue impacts versions between 1806 and 1906 MR, and has been fixed in 1909 MR.

Suppressed results reappear in C# applications scanned with source code analysis

When scanning a C# application with only source code analysis, previously suppressed results may reappear.

This is an issue related to the suppression algorithm in the C# source code analysis engine.

This issue impacts versions between 1807 and 1811 MR, and has been fixed in 1811 SU1.

Scanning .NET Core projects fails with result code -62300001 (BinaryAnalysis_Error_ValidILNotFound)

When scanning some .NET Core projects with an explicitly specified project file, the scan might fail with result code -62300001 (BinaryAnalysis_Error_ValidILNotFound). This is an issue related to the binary file detection mechanisms. When a project file is explicitly specified, Lucent Sky AVM uses the project file to locate the primary assembly file of the project. Some .NET Core projects do not specify a primary assembly file in their project files.

To work around this issue, do not explicitly specify a project file and let Lucent Sky AVM automatically detect it.

This issue impacts 1811 MR and SU1, and has been fixed in 1811 SU2.

Files skipped during Python analysis marked as analyzed

When syntax errors in a Python file caused it to be skipped during Python analysis, the file is still marked as being analyzed.

This issue impacts versions between 1909 MR and 1912 SU1, and has been fixed in 2003 MR.

Some scan log entries of C/C++ applications are missing

When scanning a C/C++ application, some or all of the log entries might be missing.

This issue impacts 2003 MR and SU1, and has been fixed in 2006 MR.

Results with the 'WebService' vector cannot be suppressed

When a result with the WebService vector is suppressed, it still appears in subsequent scans.

This issue impacts versions between 1909 MR and 2003 MR, and has been fixed in 2006 MR.

Scan with custom rule package is stuck at Analysis S-3

Scan with a custom rule package might become stuck at Analysis S-3 (41%) if the custom rule package contains certain custom identification rules.

This issue impacts 2006 SU1, and has been fixed in 2009 MR.

Some valid custom binary analysis rules are rejected

Rule packages containing certain binary analysis rules are considered invalid.

This issue impacts versions between 1903 MR and 2009 MR, and has been fixed in 2009 SU1.

Known open source libraries included in source code analysis when 'SkipKnownSafeFiles' is enabled

Some known open source libraries are included in source code analysis when the scan argument 'SkipKnownSafeFiles' is not set or is set to true.

This issue impacts 2009 MR and SU1, and has been fixed in 2103 MR.

Additional results are identified in backup files containing vulnerable source code

If a backup file contains source code that is vulnerable to certain weaknesses, in addition to CWE-530, those weaknesses are also identified as if they exist in normal code files.

This issue impacts 2009 SU1, and has been fixed in 2103 MR.

Some ASP.NET files are scanned in an ASP scan

When the source code archive of an ASP scan contains ASP.NET files with certain file names, these files are scanned as ASP files.

This issue impacts versions between 2009 MR and 2103 MR, and has been fixed in 2106 MR.

Some PHP and Python files might not be fully analyzed when the storage repository is set to certain custom locations

When the storage repository is set to certain custom locations, some PHP and Python files might not be fully analyzed.

This issue impacts versions between 2103 MR and 2106 MR, and has been fixed in 2109 MR.

Multiple class-scoped results in the same class appear as a single result

When a class contains multiple class-scoped results, some of these results might appear as a single result.

This issue impacts versions between 2106 MR and 2109 MR, and has been fixed in 2112 MR.

Some results in JDK applications appear as multiple results

Some results in JDK applications identified by dataflow analysis might appear as multiple results with identical details.

This issue impacts versions between 1804 and 2109 MR, and has been fixed in 2112 MR.

Binary analysis completes with 'Warning_SymbolMissing (71200003)' even with symbol files

Binary analysis might complete with a 'Symbol files are missing or incompatible' warning even when symbol files were included in the source code archive.

This is due to an issue with the symbol detection mechanism.

This issue impacts 2112 SU1, and has been fixed in 2203 MR.

ECMAScript files mistakenly characterized as minified files

Some ECMAScript code files might be mistakenly characterized as minified files, causing some analyses to be skipped for them.

This issue impacts versions between 2112 MR and 2206 MR, and has been fixed in 2206 SU1.

Remediated vulnerabilities in JDK applications reappear in subsequent scans

Certain CWE-89 vulnerabilities in JDK applications remediated using Application Protection Library reappear in subsequent scans.

This issue impacts all recent versions up to 2206 SU1, and has been fixed in 2209 MR.

.NET files scanned by source code analysis not marked as scanned

Certain .NET files are not marked as scanned by source code analysis even though they were successfully analyzed by source code analysis.

This issue impacts versions between 2103 MR and 2212 MR, and has been fixed in 2212 SU1.

False positive when certain security functions are used to remediate vulnerabilities

When a security function is used to remediate vulnerabilities in .NET, Java, or Python applications in a certain way, the security function is not recognized and the result is still reported.

This issue impacts versions between 2106 MR and 2212 SU1, and has been fixed in 2303 MR.

CWE-90 in PHP applications identified as CWE-91

In rare circumstances, CWE-90 (LDAP injection) results in PHP applications are identified as CWE-91 (XML injection).

This issue impacts all recent versions up to 2212 SU1, and has been fixed in 2303 MR.

Reporting

The Priority attribute is set at an incorrect level in XML reports

When generating an XML report, the Priority attribute of a Result is sometimes generated at the InstantFix node instead of the Result node.

This issue impacts 1811 MR, SU1, and SU2, and has been fixed in 1811 SU3.

JavaScript syntax highlighting is not available in HTML reports

Statements of JavaScript might not be properly highlighted in HTML reports. In addition, an error message 'Couldn't find brush for: jscript' might appear.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

The file list in the reports has incorrect analysis marking

The file list in the HTML, PDF, and XML reports might not have the correct marking to indicate the analyses conducted on files.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

TypeScript files were analyzed but missing from the analyzed file list

TypeScript files, even when analyzed successfully, are missing from the analyzed file list.

This issue impacts 2006 MR, and has been fixed in 2006 SU1.

The 'Information' field is missing in the HTML report

The 'Information' field, which lists anomalies that do not impact scan accuracy, is missing in the HTML report.

This issue impacts versions between 2103 MR and 2109 MR, and has been fixed in 2112 MR.

The 'Analysis Target' field shows 'Custom' when the analysis target was detected automatically in the HTML/PDF report

For some JDK applications, the 'Analysis Target' in HTML and PDF reports shows 'Custom' instead of 'Automatic' when the analysis target was not specified and was detected automatically.

This issue impacts versions between 2106 MR and 2109 MR, and has been fixed in 2203 MR.

Reports generated by on-prem instances with On-Demand licenses contain evaluation disclaimer

HTML and PDF reports generated by on-prem instances with On-Demand licenses may contain the "for evaluation purposes" disclaimer.

This issue impacts 2203 MR and SU1, and has been fixed in 2206 MR.

Inconsistent SBOM information in XML reports

For vulnerable dependencies from certain data sources, the SBOM information in XML reports might be inconsistent with their CPE IDs.

This issue impacts 2212 MR and SU1, and has been fixed in 2303 MR.

HTML reports containing results with complex ECMAScript statements cause browsers to become unresponsive

When viewing HTML reports containing complex ECMAScript statements, certain browsers might become unresponsive.

This issue impacts versions prior to 2212 SU1, and has been fixed in 2303 MR.

Ruby files not properly marked as scanned by source code analysis

When using certain analysis configurations, Ruby files are not properly marked as scanned by source code analysis.

This issue impacts versions prior to 2306 MR, and has been fixed in 2309 MR.

2022 CWE Top 25 not displayed in HTML and PDF reports

The label for the 2022 CWE Top 25 is missing for results belonging to that category.

This issue impacts versions 2303 MR and 2306 MR, and has been fixed in 2309 MR.

Remediation

Remediation becomes stuck when paths in the application archive have more than 158 characters

The remediation process appears to be stuck when the paths in the application archive have more than 158 characters.

This issue impacts all recent versions up to 1811 SU2, and has been fixed in 1811 SU3.

Remediated vulnerabilities in remediation information are displayed in the wrong order

When remediating an application with the 'Include mitigation info' option enabled, remediated vulnerabilities in remediation information are displayed in the wrong order (such as CWE359, CWE79 mitigated instead of CWE79, CWE359 mitigated).

This issue impacts 1906 MR, and has been fixed in 1906 SU1.

Dependency update guidance is incomplete for certain vulnerable dependencies

Dependency update guidance might be incomplete, such as missing version information, for certain vulnerable dependencies.

This issue impacts versions between 2212 MR and SU1, and has been fixed in 2303 MR.

Interface

Empty argument in the CLI being treated as not present

When setting an argument in the CLI to an empty string, the argument is being treated as not present instead of empty.

This is due to some shells parsing an empty string ("") as a null character.

To work around this issue, supply a space character to the argument. For example, to set the Value argument to empty, use --Value " " instead of --Value "".

The Query method in the CLI is using the legacy priority calculation algorithm

The Query method in the CLI is using the legacy priority calculation algorithm. This results in inconsistency of the priority score between CLI queries and other interfaces and reports.

This issue impacts versions between 1807 and 1811 SU2, and has been fixed in 1811 SU3.

Project list does not load when the Web UI is opened in the background

When opening the project list or the scan list, if the browser tab is in the background, the list does not load. This is an issue related to the AJAX API calls.

This issue impacts 1811 MR and most earlier versions, and has been fixed in 1811 SU1.

System information shows version 1812 when the instance is running 1811 SU1

The system information page shows the current version as 1812 (5.8.4100) when the instance is running 1811 SU1 (5.8.4100). Additionally, the generated reports also show version 1812 instead of 1811 SU1. This is an issue related to the new Minor Release/Servicing Update release rhythm.

This issue impacts 1811 SU1, and has been fixed in 1811 SU2.

Report and Remediate options appear in the Action Bar when they are not available

When viewing a completed scan on the Web UI, the Report and Remediate options appear in the Action Bar even though they are not available.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

Logs from scans conducted on versions before 1912 MR are unavailable on the CLI or the Web UI

When downloading logs from scans that were conducted on versions before 1912 MR using the CLI or the Web UI, an error message indicates the log files are not available. This issue is due to the change of log naming schemes in 1912 MR.

To work around this issue, download the log files from the instance running CLEAR Engine.

This issue impacts all versions earlier than 1912 MR when updated to 1912 MR or later versions.

Multi-line remediation suggestion shows irrelevant line number

If a remediation suggestion has multiple lines, irrelevant line numbers are shown for the second and subsequent lines. This is a cosmetic issue and does not impact remediated source code.

This issue impacts all recent versions up to 1909 SU1, and has been fixed in 1912 MR.

Error when navigating to a result hidden due to license limitation

When navigating to a result hidden due to license limitation, the page shows the following message:

An error has occurred.

This issue impacts all recent versions up to 1909 SU1, and has been fixed in 1912 MR.

Error 36001062 occurred when downloading logs using the CLI or the Web UI

When downloading logs using the CLI or the Web UI, error 36001062 occurred. This issue is due to a bug in log4net, a logging library used by Lucent Sky AVM.

This issue impacts 1912 MR and SU1, and has been fixed in 2003 MR.

The batch delete function on the Web UI returns DATA_ERROR even when the operation completed successfully

When deleting applications in batch on the Web UI, the operation sometimes returns a data error even when it has completed successfully. The error message can be ignored safely.

This issue impacts all currently supported versions.

Guest users are unable to sign in on the Web UI

If a user belongs to the Guests group and not any other group, they are unable to sign in to the Web UI.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

The names of CLI arguments are case-sensitive

The names of CLI arguments are case-sensitive, while they should be case-insensitive.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

Web UI is stuck in a redirect loop after password is changed

When the password is changed on the Web UI, either through Settings > Account or Settings > Users, the user is sometimes stuck in a redirect loop. This issue is due to the authentication token cached by the Web UI not being updated properly.

To work around this issue, close the browser and sign in to the Web UI again.

This issue impacts 2006 MR, and has been fixed in 2006 SU1.

7-Zip files with long paths are not properly detected

7-Zip files with entries exceeding the path length limit are not detected, causing the upload to fail.

This issue impacts versions between 2006 MR and 2009 MR, and has been fixed in 2009 SU1.

Incorrect 'No Data' and 'No Scan' information on the application list page

'No Data' is shown on the application list page even with low data mode disabled, while 'No Scan' is shown on the application list page with low data mode enabled.

This issue impacts 2009 MR, and has been fixed in 2009 SU1.

The application list page fails to load project information on Internet Explorer

On Internet Explorer, the application list page fails to load project information. The project boxes are stuck at 'Loading'.

This issue impacts versions between 2006 MR and 2009 MR, and has been fixed in 2103 MR.

Clicking the pie chart on the scan details page redirects to the homepage

When clicking a result category on the pie chart on the scan details page, you are redirected to the homepage.

This issue impacts 2009 MR and SU1, and has been fixed in 2103 MR.

Filtering applications by scan status on the application list page does not work

No application is shown on the application list page when filtering by scan status.

This issue impacts 2009 MR and SU1, and has been fixed in 2103 MR.

Build might fail when scanning Ant projects in the Eclipse plug-in

When using the Eclipse plug-in to scan Ant projects, the build might fail if the system running Eclipse and the system running CLEAR Engine are set to different time zones.

This issue impacts versions between 2006 MR and 2009 MR, and has been fixed in 2103 MR.

The Eclipse plug-in and Visual Studio extension do not support Instant Fixes with mixed newline characters

If an Instant Fix contains multiple lines with mixed newline characters (for example, a mix of CRLF and LF), the Instant Fix cannot be applied in either the Eclipse plug-in or Visual Studio extension.

This issue impacts all recent versions up to 2103 MR, and has been fixed in 2106 MR.

Queued scans show as 'Checking' instead of 'Queuing'

A scan in the pending scan queue might show 'Checking' instead of 'Queuing' on the Web UI.

This issue impacts 2106 MR, and has been fixed in 2109 MR.

The ROI page on the Web UI returns an error

When visiting the ROI page, the Web UI might return an error.

This issue impacts 2112 MR, and has been fixed in 2112 SU1.

Unable to create scan or edit application in the application list page

After idling on the application list page for an extended period of time, the create scan and edit application icons may no longer be available. The options return after refreshing the page.

This issue impacts versions between 2006 MR and 2112 SU1, and has been fixed in 2203 MR.

Unable to search for application names or tags using certain special characters

When searching for application names or tags, if the search term contains certain special characters, these characters are removed.

This issue impacts versions between 2203 MR and 2206 MR, and has been fixed in 2206 SU1.

Unable to use the Network vector when creating a scan in IDE extensions

When creating a scan using the Visual Studio extension or the Eclipse plug-in, if the scan vectors contain the Network vector, the scan cannot be created.

This issue impacts versions between 2203 MR and 2209 MR, and has been fixed in 2212 MR.

Unresponsive web UI when viewing results with complex ECMAScript statements

When viewing results containing complex ECMAScript statements, the web UI might become unresponsive on certain browsers.

This issue impacts versions prior to 2212 SU1, and has been fixed in 2303 MR.

The CLI is incompatible with macOS through Mono

Certain methods of the CLI do not run on certain recent versions of macOS with Mono 6.12.0.

This issue impacts version 2212 SU1, and has been fixed in 2303 MR.

Administration

Unable to update from Lucent Sky AVM version 1807

When updating an instance running Lucent Sky AVM version 1807, the update process fails with the error message:

SkyAnalyzer.Engine.Installer has stopped working.

This is an issue related to the data migration process. Although it prevents the direct update from Lucent Sky AVM version 1807 to version 1811, it will not cause any data loss.

To work around this issue, first uninstall Lucent Sky AVM version 1807, then install Lucent Sky AVM version 1811.

This issue impacts 1811 MR, and has been fixed in 1811 SU1.

Web UI update fails if storage root is set to a drive other than C:\

When updating an instance using the Web UI, the update fails if storage root is set to a drive other than C:\.

This issue impacts all recent versions up to 1811 SU1, and has been fixed in 1811 SU2.

The source of CLEAR Engine events is shown as 'Service1' in Windows Events

The source of events generated by CLEAR Engine is shown as 'Service1' instead of 'CLEAR Engine' in Windows Events.

This issue impacts 1811 MR and SU1, and has been fixed in 1811 SU2.

Rule package is not properly installed when CLEAR Engine setup was interrupted and resumed

When installing CLEAR Engine for the first time, if the setup program was interrupted and resumed, the rule package might not be properly installed.

To work around this issue, do not resume the setup program if it was interrupted. Instead, uninstall the installed components, delete the installation directory (C:\Program Files\Lucent Sky), and start the setup program again.

This issue impacts 1903 MR and SU1, and has been fixed in 1906 MR. Instances that were updated to 1903 MR or SU1 from an earlier version are not impacted.

The 'DiagnosticSettings' and 'MaxDegreeOfParallelism' settings are not preserved during an update

If the DiagnosticSettings setting is set in SkyAnalyzer.config, it is reset to the default value (empty) when updating to a new version. If the MaxDegreeOfParallelism setting is set in SkyAnalyzer.config, it is reset to the default value 1 when updating to a new version.

This issue impacts all recent versions up to 1909 SU1, and has been fixed in 1912 MR.

Licenses might expire up to 12 hours earlier than the expiration date

If the instance has its system clock set to a time zone other than UTC, the installed license might show as expired up to 12 hours earlier than the expiration date shown on the license information page. This is caused by how the licensing mechanism converts system clock to UTC.

This issue impacts versions between 1909 MR and 2003 MR, and has been fixed in 2006 MR.

The 'Encoding' setting is not preserved during an update

If the Encoding setting is set in SkyAnalyzer.config, it is reset to the default value (empty) when updating to a new version.

This issue impacts all recent versions up to 2003 MR, and has been fixed in 2006 MR.

Some log entries may not appear in scan logs when multiple scans are running concurrently

If multiple scans are running concurrently, some log entries might be missing in scan logs.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

Long path support is inconsistent on Windows Server 2019

Long path support is inconsistent on some instances running on Windows Server 2019 (build 17763).

This issue impacts all recent versions up to 2003 MR, and has been fixed in 2006 MR.

The 'CLEAR Engine' service failed to start after updating to 2006 MR

On systems with certain regional settings, the 'CLEAR Engine' service failed to start after updating to 2006 MR, and Windows Event Viewer has the following message: Startup validation failed. (-31101)

This issue impacts 2006 MR, and has been fixed in 2006 SU1.

Timestamp of a rule package is not properly updated

When the rule files of a rule package are updated, its timestamp is not updated.

This issue impacts all recent versions up to 2006 MR, and has been fixed in 2006 SU1.

Unable to update to 2006 SU1 or 2009 MR on systems without a valid license

On systems without a valid license, updating to 2006 SU1 or 2009 MR failed with error -131000.

To work around this issue, restore the configuration files in C:\Program Files\Lucent Sky\CLEAR Engine, then use SkyAnalyzer.Engine.Installer.exe in the update package to install a license before updating.

This issue impacts all recent versions up to 2009 MR, and has been fixed in 2009 SU1. However, as it is not possible to update to 2009 SU1 without upgrading to 2009 MR first, it is required to apply the workaround above, or skip 2009 MR and upgrade to 2103 MR or later directly.

Setup program does not request administrator privileges

When running the setup program without administrator privileges, it does not request administrator privileges on certain systems.

To work around this issue, right-click Setup.bat and select Run as administrator.

This issue impacts all recent versions up to 2009 MR, and has been fixed in 2009 SU1.

Some ongoing scans not marked as failed after CLEAR Engine restarted

In certain circumstances, scans that are ongoing when CLEAR Engine restarts remain in their previous status and are not marked as failed.

This issue impacts versions between 2006 MR and 2103 MR, and has been fixed in 2106 MR.

Online activation returns unexpected error for communication issues

When online activation fails due to issues communicating with the activation servers, an unexpected error (-999) is returned instead of the correct error code.

To work around this issue, make sure there is Internet connectivity before attempting online activation, or use offline activation.

This issue impacts all recent versions up to 2209 MR, and has been fixed in 2212 MR.