Lucent Sky AVM version 2403 release notes

2024/5/1

Lucent Sky AVM version 2403 releases

Lucent Sky AVM version 2403 SU1

New features in 2403 SU1

Build

  • Compatibility improvements to analysis target detection algorithms

Binary analysis

  • Performance improvements for very large binary files
  • Compatibility improvements to opportunistic binary analysis algorithms

Weakness policies

  • Support for CWE 4.14

Interfaces

  • Improved UI/UX for binary analysis results when source code and symbols are unavailable

Issues fixed in 2403 SU1

  • We fixed an issue where certain binary files are excluded from license check on Lucent Sky AVM On-Demand instances
  • We fixed an issue where hash is missing for some files when advanced dependency discovery is enabled
  • We fixed an issue where opportunistic binary analysis is not triggered for certain ASP.NET applications

Lucent Sky AVM version 2403 MR

New features in 2403 MR

Technology stack

  • Support for .NET 8

Build

  • Improved MSBuild support for .NET Framework applications

    .NET Framework applications will use the MSBuild bundled with .NET Framework 4.8 by default, instead of the MSBuild bundled with the .NET Framework running CLEAR Engine. In addition, it is possible to use the MSBuild bundled with .NET Framework 3.5 by setting the MSBuild scan argument to 2.

  • Automatic Java source path detection

    If the Java source path of a Java application is not at a conventional location (such as src/main/java) and is not specified in the JavaSourcePath argument, the build engine will attempt to detect the correct Java source path instead of failing the scan. If a valid Java source path cannot be found, the hybrid analysis engine will use contextual information to correlate binary files and source code files.

  • General improvements on the .NET build engine
  • General improvements on the Java build engine

    • Build caching for Java applications is enabled by default
    • Performance and compatibility improvements for Ant projects
    • Support for using wildcards to specify multiple build artifacts for Maven projects

Binary analysis

  • Improvements on direct binary analysis for Java applications

    • Support for JSP when using direct binary analysis
    • Additional context and improved performance when using direct binary analysis on Java binaries without source code
    • Support for automatic Java source path detection and Java source path hints (by explicitly specifying the JavaSourcePath scan argument) when using direct binary analysis on Java binaries without source code
  • Improved context and diagnosis on direct binary analysis with missing or mismatching source code
  • General improvements on binary analysis engines
  • General improvements on opportunistic binary analysis

Source code analysis

  • Accuracy and performance improvements on the Android and iOS source code analysis engines
  • General improvements on the C/C++, ECMAScript, PHP, and Python source code analysis engines

Dependency analysis

  • Performance improvements when using Real-time Intelligence
  • Stability improvements

Hybrid analysis

  • Automatic Java source path detection

    If a valid Java source path is not available, either because the source code is not at a conventional location or because the source path was not specified, the hybrid analysis engine will use contextual information to correlate binary files and source code files.

  • General improvements on ML-augmented hybrid analysis

Remediation

  • General improvements on ML-augmented vulnerability remediation

Reporting

  • Support for generating SPDX reports alongside JSON reports

Weakness policies

  • Support for CWE 4.13

Interfaces

  • German and Japanese Web UI are now available on on-premise instances
  • General improvements on the Web UI

Administration

  • New installations of CLEAR Engine will use SQL Server 2022 by default
  • Process isolation is now available on on-premise instances and enabled by default
  • Support for Azure Monitor as an APM provider

Issues fixed in 2403 MR

  • We fixed an issue where certain PHP files caused unexpected errors during source code analysis
  • We fixed an issue where it is not possible to specify the build output path for MSBuild to the parent directory of its project file
  • We fixed an issue where it is not possible to specify the Java source path to the parent directory of its project file
  • We fixed an issue where the default setting for multi-factor authentication on on-premise instances is disabled instead of enabled
  • We fixed an issue where certain binary library files are counted toward the LOC license limit
  • We fixed an issue where validation fails unexpectedly when creating a new scan by uploading a directory
  • We fixed an issue where an incorrect build artifact was used for binary analysis on Java applications using certain custom JDK 1.8 runtimes
  • We fixed an issue where some results are missing filenames in Java applications using sbt due to case sensitivity
  • We fixed an issue where results from certain precompiled JSP files are reported twice

Breaking changes in 2403 MR

  • Managed MSBuild and the MSBuild scan argument

    Potential breaking change. In version 2403, managed MSBuild has been deprecated. In previous versions, .NET Framework applications default to managed MSBuild and are built with the MSBuild bundled with the .NET Framework running CLEAR Engine. In version 2403, .NET Framework applications default to the MSBuild bundled with .NET Framework 4.8. In addition, two additional values are available for the MSBuild scan argument. Setting it to 4 (the default value, which is identical to Managed) indicates that the MSBuild bundled with .NET Framework 4.8 should be used, while setting it to 2 indicates that the MSBuild bundled with .NET Framework 3.5 should be used.

  • The default runtime for Java applications

    Potential breaking change. When creating a new Java application in version 2312 and earlier, it will use Tomcat 7 (Java SE 6) as the default runtime. In version 2403, it will use Tomcat 9 (Java SE 8) as the default runtime. This only affects newly created applications and does not change the selected runtime for existing applications.

  • Ant projects and their build artifacts

    Potential breaking change. In version 2312 and earlier, when building a Java application without an explicitly specified build file, a template build file will be used alongside the application's own build file (if it has one) to improve compatibility of the build process. With improvements to the Java build engine in version 2403, this is no longer necessary and Ant projects with valid build files will be built only with their own build files. Ant projects without a build file will continue to use the template build file.

    Potential breaking change. In version 2312 and earlier, if no build artifact is specified and Ant produces multiple build artifacts, the first one produced will be used for binary analysis. In version 2403, the build engine searches for the primary build artifact in the build\jar directory, then in the build directory, and finally in the entire project directory.

  • The BuildOutputPath scan argument

    Potential breaking change. In version 2309, not setting the scan argument and setting it to empty both indicate that the build output path is not set. In version 2403, setting it to empty indicates that it should be set to the parent directory of the project file(s). For Java applications, setting it to empty will result in the scan arguments being invalid.

  • The JavaSourcePath scan argument

    Potential breaking change. In version 2309, not setting the scan argument and setting it to empty both indicate that the Java source path is not set. In version 2403, setting it to empty indicates that it should be set to the parent directory of the project file(s).

  • New Relic account and application linking

    Breaking change. In version 2309 and earlier, only New Relic is supported as an APM provider. As version 2403 adds support for additional APM providers, the linking schema has changed. Applications previously linked between Lucent Sky AVM and New Relic will be unlinked and need to be linked again.