Introduction

This article describes the known issues of recent releases of Lucent Sky AVM.

More Information

This is a list of known issues of the current and previous releases of Lucent Sky AVM, including the symptoms, impacted versions, workarounds, and fixes.

Licensing

When a pending scan is deleted, the entire pending scan queue becomes stuck

When a pending scan is deleted, sometimes the entire pending scan queue becomes stuck. The occurrence of this issue is extremely rare.

This is due to a timing bug in queue management.

This issue impacts 1903, and has been fixed in 1912 MR.

Pre-analysis

Extended pre-analysis time for certain applications

When analyzing certain applications, especially those with large resource files, the pre-analysis time is greatly extended.

This issue impacts 1909 MR and SU1, and has been fixed in 1912 MR.

Build

.NET web site scan failed with result -49999990

When scanning a .NET web site, the scan failed with the result code -49999990. Additionally, the compilation logs include the following error:

An unexpected error has occurred. The correlation ID is c8ebd46a-f8dc-43b8-a94c-dd9c046c5b1c.

This is an issue related to the way .NET web sites are detected.

This issue impacts 1810, and has been fixed in 1811 MR.

Ant log entries were saved to the generic scan log file instead of the Ant log file

When building a Java application with Ant, build log entries were saved to the generic log file (ScanId.log) instead of the Ant log file (ScanId-Ant.log). Additionally, when a scan failed due to Ant build errors, the Ant log is not available to download on the Web UI.

This issue impacts 1811 SU3, and has been fixed in 1903 MR.

The Configuration and OutputPath build properties cannot be set with scan arguments

When building a .NET application, if the BuildProperties scan argument contains Configuration or OutputPath, the scan will either fail to start or ignore the build properties.

This issue impacts versions between 1903 MR and 1906 MR, and has been fixed in 1909 MR.

Ant build fails when a custom runtime is selected

When building a Java application with Ant and a custom runtime is selected, the build fails because of JSP compilation issues.

This issue is due to the built-in Tomcat runtime being unavailable when a custom runtime is selected.

This issue impacts 1912 MR, and has been fixed in 1912 SU1.

Maven build does not save build output to log files

When building a Java application with Maven, the build output might not be properly saved to log files.

This issue is due to an issue in the encoding conversion mechanism for log files.

This issue impacts 1912 MR and SU1, and has been fixed in 2003 MR.

Ant build fails after scanning Java applications with certain dependencies

After scanning a Java application with certain dependencies, Ant build fails on any subsequent scans.

This issue is due to a reconfiguration mechanism being triggered with incorrect parameters.

This issue impacts 2003 MR and earlier, and has been fixed in 2006 MR.

Ant build failed when scanning Java applications with no .java file

When scanning certain Java applications with no .java file, Ant build fails.

This issue impacts 2009 MR and earlier, and has been fixed in 2009 SU1.

Analysis

Scan appears to be stuck when analyzing applications with certain minimized JavaScript code

When scanning applications that contain JavaScript code files that were minimized with a few combinations of minimizers and parameters, the scan might appear to be stuck for an exceedingly long time.

To work around this issue, manually exclude the impacted files from the scan.

This issue impacts versions from 1806 to 1906 MR, and has been fixed in 1909 MR.

Suppressed results reappear in C# applications scanned with source code analysis

When scanning a C# application with only source code analysis, previously suppressed results may reappear.

This is an issue related to the suppression algorithm in the C# source code analysis engine.

This issue impacts versions between 1807 and 1811 MR, and has been fixed in 1811 SU1.

Scanning .NET Core projects fails with result code -62300001 (BinaryAnalysis_Error_ValidILNotFound)

When scanning some .NET Core projects with explicitly specified project file, the scan might fail with result code -62300001 (BinaryAnalysis_Error_ValidILNotFound).

This is an issue related to the binary file detection mechanisms. When a project file is explicitly specified, Lucent Sky AVM uses the project file to locate the primary assembly file of the project. Some .NET Core projects do not specify a primary assembly file in their project files.

To work around this issue, do not explicitly specify a project file and let Lucent Sky AVM automatically detect it.

This issue impacts 1811 MR and SU1, and has been fixed in 1811 SU2.

Files skipped during Python analysis marked as analyzed

When syntax errors in a Python file caused it to be skipped during Python analysis, the file is still marked as being analyzed.

This issue impacts versions between 1909 MR and 1912 SU1, and has been fixed in 2003 MR.

Some scan log entries of C/C++ applications are missing

When scanning a C/C++ application, some or all of the log entries might be missing.

This issue impacts version between 2003 MR, and has been fixed in 2006 MR.

Results with the ‘WebService’ vector cannot be suppressed

When a result with the WebService vector is suppressed, it still appears in subsequent scans.

This issue impacts versions between 1909 MR and 2003 MR, and has been fixed in 2006 MR.

Scan with custom rule package is stuck at Analysis S-3

Scan with a custom rule package might become stuck at Analysis S-3 (41%) if the custom rule package contains certain custom identification rules.

This issue impacts 2006 SU1, and has been fixed in 2009 MR.

Some valid custom binary analysis rules are rejected

Rule packages containing certain binary analysis rules are considered invalid.

This issue impacts 1903 MR and later, and has been fixed in 2009 SU1.

Known open source libraries included in source code analysis when ‘SkipKnownSafeFiles’ is enabled

Some known open source libraries are included in source code analysis when the scan argument ‘SkipKnownSafeFiles’ is not set or set to true.

This issue impacts 2009 MR and SU1, and has been fixed in 2103 MR.

Additional results are identified in backup files containing vulnerable source code

If a backup file contains source code that is vulnerable to certain weaknesses, in addition to CWE-530, those weaknesses are also identified as if they exist in normal code files.

This issue impacts 2009 SU1, and has been fixed in 2103 MR.

Some ASP.NET files are scanned in an ASP scan

When the source code archive of an ASP scan contains ASP.NET files with certain file names, these files are scanned as ASP files.

This issue impacts 2009 MR and later, and has been fixed in 2106 MR.

Reporting

The Priority attribute is set at an incorrect level in XML reports

When generating an XML report, the Priority attribute of a Result is sometimes generated at the InstantFix node instead of the Result node.

This issue impacts 1811 MR, SU1 and SU2, and has been fixed in 1811 SU3.

JavaScript syntax highlighting is not available in HTML reports

Statements of JavaScript might not be properly highlighted in HTML reports. In addition, an error message ‘Couldn’t find brush for: jscript’ might appear.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

The file list in the reports has incorrect analysis marking

The file list in the HTML, PDF, and XML reports might not have the correct marking to indicate the analyses conducted on files.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

TypeScript files were analyzed but missing from the analyzed file list

TypeScript files, even when analyzed successfully, are missing from the analyzed file list.

This issue impacts 2006 MR, and has been fixed in 2006 SU1.

Remediation

Remediation becomes stuck when paths in the application archive have more than 158 characters

The remediation process appears to be stuck when the paths in the application archive have more than 158 characters.

This issue impacts all recent versions up to 1811 SU2, and has been fixed in 1811 SU3.

Remediated vulnerabilities in remediation information are displayed in the wrong order

When remediating an application with the ‘Include mitigation info’ option enabled, remediated vulnerabilities in remediation information are displayed in the wrong order (such as CWE359, CWE79 mitigated instead of CWE79, CWE359 mitigated).

This issue impacts 1906 MR, and has been fixed in 1906 SU1.

Interface

The Query method in the CLI is using the legacy priority calculation algorithm

The Query method in the CLI is using the legacy priority calculation algorithm. This results in inconsistency of the priority score between CLI queries and other interfaces and reports.

This issue impacts all versions between 1807 and 1811 SU2, and has been fixed in 1811 SU3.

Project list does not load when the Web UI is opened in the background

When opening the project list or the scan list, if the browser tab is in the background, the list does not load.

This is an issue related to the AJAX API calls.

This issue impacts 1811 MR and most earlier versions, and has been fixed in 1811 SU1.

System information shows version 1812 when the instance is running 1811 SU1

The system information page shows the current version as 1812 (5.8.4100) when the instance is running 1811 SU1 (5.8.4100). Additionally, the generated reports also show version 1812 instead of 1811 SU1.

This is an issue related to the new Minor Release/Servicing Update release rhythm.

This issue impacts 1811 SU1, and has been fixed in 1811 SU2.

Report and Remediate options appear in the Action Bar when they are not available

When viewing a completed scan on the Web UI, the Report and Remediate options appear in the Action Bar even though they are not available.

This issue impacts 1903 MR, and has been fixed in 1903 SU1.

Logs from scans conducted on versions before 1912 MR are unavailable on the CLI or the Web UI

When downloading logs from scans that were conducted on versions before 1912 MR using the CLI or the Web UI, an error message indicates the log files are not available.

This issue is due to the change of log naming schemes in 1912 MR. To work around this issue, download the log files from the instance running CLEAR Engine.

This issue impacts 1909 SU1 and earlier versions, when updated to 1912 MR or later versions.

Multi-line remediation suggestion shows irrelevant line number

If a remediation suggestion has multiple lines, irrelevant line numbers are shown for the second and higher lines. This is a cosmetic issue and does not impact remediated source code.

This issue impacts 1909 SU1 and earlier versions, and has been fixed in 1912 MR.

Error when navigating to a result hidden due to license limitation

When navigating to a result hidden due to license limitation, the page shows the following message:

An error has occurred.

This issue impacts 1909 SU1 and earlier versions, and has been fixed in 1912 MR.

Error 36001062 occurred when downloading logs using the CLI or the Web UI

When downloading logs using the CLI or the Web UI, error 36001062 occurred.

This issue is due to a bug in log4net, a logging library used by Lucent Sky AVM.

This issue impacts 1912 MR and SU1, and has been fixed in 2003 MR.

The batch delete function on the Web UI returns DATA_ERROR even when the operation completed successfully

When deleting applications in batch on the Web UI, the operation sometimes returns a data error even when it has completed successfully.

This issue impacts all currently supported versions. To work around this issue, ignore the returned data error message.

Guest users are unable to sign in on the Web UI

If a user belongs to the Guests group and not any other group, they are unable to sign in to the Web UI.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

The names of CLI arguments are case-sensitive

The names of CLI arguments are case-sensitive, while they should be case-insensitive.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

Web UI is stuck in a redirect loop after password is changed

When the password is changed on the Web UI, either through Settings > Account or Settings > Users, the user is sometimes stuck in a redirect loop.

This issue is due to the authentication token cached by the Web UI not being updated properly.

To work around this issue, close the browser and sign in to the Web UI again.

This issue impacts 2006 MR, and has been fixed in 2006 SU1.

7-Zip files with long paths are not properly detected

7-Zip files with entries exceeding the path length limit are not detected, causing the upload to fail.

The issue impacts 2006 MR and later, and has been fixed in 2009 SU1.

Incorrect ‘No Data’ and ‘No Scan’ information on the application list page

‘No Data’ is shown on the application list page even with low data mode disabled, while ‘No Scan’ is shown on the application list page with low data mode enabled.

This issue impacts 2009 MR, and has been fixed in 2009 SU1.

The application list page fails to load project information on Internet Explorer

On Internet Explorer, the application list page fails to load project information. The project boxes are stuck at ‘Loading’.

This issue impacts 2006 MR and later, and has been fixed in 2103 MR.

Clicking the pie chart on the scan details page redirects to the homepage

When clicking a result category on the pie chart on the scan details page, you are redirected to the homepage.

This issue impacts 2009 MR and later, and has been fixed in 2103 MR.

Filtering applications by scan status on the application list page does not work

No application is shown on the application list page when filtering by scan status.

This issue impacts 2009 MR and later, and has been fixed in 2103 MR.

Build might fail when scanning Ant projects in the Eclipse plug-in

When using the Eclipse plug-in to scan Ant projects, build might fail if the system running Eclipse and the system running CLEAR Engine are set to different time zones.

This issue impacts 2006 MR and later, and has been fixed in 2103 MR.

The Eclipse plug-in and Visual Studio extension do not support Instant Fixes with mixed newline characters

If an Instant Fix contains multiple lines with mixed newline characters (for example, a mix of CRLF and LF), the Instant Fix cannot be applied in either the Eclipse plug-in or Visual Studio extension.

This issue impacts 2103 MR and earlier, and is expected to be fixed in 2109 MR. A hotfix is available.

Queued scans show as ‘Checking’ instead of ‘Queuing’

A scan in the pending scan queue might show ‘Checking’ instead of ‘Queuing’ on the Web UI.

This issue impacts 2106 MR, and is expected to be fixed in 2109 MR.

Administration

Unable to update from Lucent Sky AVM version 1807

When updating an instance running Lucent Sky AVM version 1807, the update process failed with the error message:

SkyAnalyzer.Engine.Installer has stopped working.

This is an issue related to the data migration process. Although it prevents the direct update from Lucent Sky AVM version 1807 to version 1811, it will not cause any data loss.

To work around this issue, first uninstall Lucent Sky AVM version 1807, then install Lucent Sky AVM version 1811.

This issue impacts 1811 MR and has been fixed in 1811 SU1.

Web UI update fails if storage root is set to a drive other than C:\

When updating an instance using the Web UI, the update fails if storage root is set to a drive other than C:\.

This issue impacts 1811 SU1 and earlier releases, and has been fixed in 1811 SU2.

The source of CLEAR Engine events is shown as ‘Service1’ in Windows Events

The source of events generated by CLEAR Engine is shown as ‘Service1’ instead of ‘CLEAR Engine’ in Windows Events.

This issue impacts 1811 MR and SU1, and has been fixed in 1811 SU2.

Rule package is not properly installed when CLEAR Engine setup was interrupted and resumed

When installing CLEAR Engine for the first time, if the setup program was interrupted and resumed, the rule package might not be properly installed.

To work around this issue, do not resume the setup program if it was interrupted. Instead, uninstall the installed components, delete the installation directory (C:\Program Files\Lucent Sky), and start the setup program again.

This issue impacts 1903 MR and SU1, and has been fixed in 1906 MR. Instances that were updated to 1903 MR or SU1 from an earlier version are not impacted.

The ‘DiagnosticSettings’ and ‘MaxDegreeOfParallelism’ settings are not preserved during an update

If the DiagnosticSettings setting is set in SkyAnalyzer.config, it is reset to the default value (empty) when updating to a new version.

If the MaxDegreeOfParallelism setting is set in SkyAnalyzer.config, it is reset to the default value 1 when updating to a new version.

This issue impacts 1909 SU1 and earlier releases, and has been fixed in 1912 MR.

Licenses might expire up to 12 hours earlier than the expiration date

If the instance has its system clock set to a time zone other than UTC, the installed license might show as expired up to 12 hours earlier than the expiration date shown on the license information page.

This is caused by how the licensing mechanism converts system clock to UTC.

This issue impacts 1909 MR and later releases, and has been fixed in 2006 MR.

The ‘Encoding’ setting is not preserved during an update

If the Encoding setting is set in SkyAnalyzer.config, it is reset to the default value (empty) when updating to a new version.

This issue impacts 2003 MR and earlier releases, and has been fixed in 2006 MR.

Some log entries may not appear in scan logs when multiple scans are running concurrently

If multiple scans are running concurrently, some log entries might be missing in scan logs.

This issue impacts 2003 MR, and has been fixed in 2006 MR.

Long path support is inconsistent on Windows Server 2019

Long path support is inconsistent on some instances running on Windows Server 2019 (build 17763).

This issue impacts 2003 MR and earlier releases, and has been fixed in 2006 MR.

The ‘CLEAR Engine’ service failed to start after updating to 2006 MR

On systems with certain regional settings, the ‘CLEAR Engine’ service failed to start after updating to 2006 MR, and Windows Event Viewer has the following message: Startup validation failed. (-31101)

This issue impacts 2006 MR and has been fixed in 2006 SU1.

Timestamp of a rule package is not properly updated

When the rule files of a rule package are updated, its timestamp is not updated.

This issue impacts 2006 MR and earlier releases, and has been fixed in 2006 SU1.

Unable to update to 2006 SU1 or 2009 MR on systems without a valid license

On systems without a valid license, updating to 2006 SU1 or 2009 MR failed with error -131000.

This issue impacts 2009 MR and earlier releases, and has been fixed in 2009 SU1. However, as it is not possible to update to 2009 SU1 without updating to 2009 MR first, a workaround is required. To work around this issue, restore the configuration files in C:\Program Files\Lucent Sky\CLEAR Engine, then use SkyAnalyzer.Engine.Installer.exe in the update package to install a license before updating.

Setup program does not request administrator privileges

When running the setup program without administrator privileges, it does not request administrator privileges on certain systems.

This issue impacts 2009 MR and earlier releases, and has been fixed in 2009 SU1. To work around this issue, right-click Setup.bat and select Run as administrator.

Some ongoing scans not marked as failed after CLEAR Engine restarted

Under certain circumstances, scans that are ongoing when CLEAR Engine is restarted are stuck in their then-status and not marked as failed.

This issue impacts 2006 MR and later releases, and has been fixed in 2106 MR.