Lucent Sky AVM version 2606 releases
- Lucent Sky AVM version 2606 MR (build 12.3.6849)
Lucent Sky AVM version 2606 MR
New features in 2606 MR
Weakness policies
- Support for CWE 4.20, MISRA C 2023, 2025, and MISRA C++ 2023
Binary analysis
- General improvements in the C/C++ binary analysis engine
Source code analysis
-
Performance and other improvements across the C/C++, C#, ECMAScript, Go, Java, Lua, Objective-C, PHP, Python, Ruby, Rust, Swift, and VB.NET source code analysis engines
-
Multi-platform Go analysis
The updated Go analysis engine can scan Go applications targeting multiple operating systems and architectures. Specifying an operating system or architecture for Go applications is no longer required.
-
Custom C/C++ runtimes
Custom runtimes can be created for C/C++ applications, enabling easier management of shared standards, libraries, and platforms.
-
Expanded support for fourth-generation languages such as 4GL, EGL, and SQR
Dependency analysis
- Improved dependency discovery and analysis for C/C++ and ECMAScript dependency ecosystems
-
Improved ingestion of SBOMs generated by ecosystem tools
-
CVSS score estimation
When a vulnerability does not have a CVSS score, an estimated score is calculated using Secure Score algorithms. This allows the vulnerability to be properly filtered and processed according to its severity.
Remediation
-
Improvements in C/C++ remediation algorithms
The remediation algorithms can automatically discover security libraries in custom C/C++ runtimes and utilize them to remediate vulnerabilities.
-
Improvements in Guided Fix
The remediation algorithms have been improved so that Guided Fix, automatic remediation that requires human validation, is more accurate and better aligned with the original source code style.
-
General improvements in ML-augmented vulnerability remediation and explanations
Reporting
- UX improvements for JSON reports and CycloneDX and SPDX SBOM generation
- Improved PDF report quality and generation performance
Interfaces
-
Performance enhancements in the API and the Web UI
Further improvements to the I/O subsystem introduced in version 2603 provide faster and more consistent API performance, particularly on systems with slower IOPS and a large number of applications or scans.
-
Improved Express Scan
Autopilot has been renamed to Express Scan, with improvements including enhanced framework detection, directory upload support, and configurable defaults.
-
Improvements in the CLI
The Vulnerability interface is now supported by the CLI. In addition, the CLI gained the ability to output JSON directly to stdout.
-
Improvements in Lucent Sky AVM for IDE
IDE extensions have improved task and I/O management for better UX when scanning large applications or reviewing scans with a large number of results. In addition, Lucent Sky AVM CLI location defined in PATH is now recognized by IDE extensions.
Issues fixed in 2606 MR
- We fixed a bug where applications with very low LOC always have a very low Secure Score
- We fixed a bug where the dependency API model received by the CLI or Web UI might be corrupted
- We fixed a bug where certain binary files without extensions cannot be specified as analysis targets
- We fixed a bug where scans might fail when analyzing Ruby applications that contain invalid source code files
Breaking changes in 2606 MR
-
Dependency vector enabled by default
Potentially breaking change. When using the API, CLI, IDE extensions, or the Web UI to create a new application, the Dependency vector is enabled by default. To exclude it, explicitly specify the list of vectors to enable.
-
Built-in runtimes for Go
Potentially breaking change. The built-in Go (Linux) and Go (MacOS) runtimes have been removed, and the Go (Windows) runtime has been renamed to Go. Existing applications using the Linux and MacOS runtimes will be migrated to use the default Go runtime automatically. However, API calls and CLI scripts will fail if they attempt to create new applications using the Linux or MacOS runtime IDs. They must instead use the default Go runtime ID (
0000000000000000000b000000000101). -
CLI application list
The
application getlistmethod on the CLI will return a list of all applications, instead of just applications owned by the user. To return only applications owned by the user, include the argument--Filter "owner=my".