Lucent Sky AVM version 2606 release notes

2026/06/30 |

Lucent Sky AVM version 2606 releases

Lucent Sky AVM version 2606 MR

New features in 2606 MR

Weakness policies

  • Support for CWE 4.20, MISRA C 2023, 2025, and MISRA C++ 2023

Binary analysis

  • General improvements in the C/C++ binary analysis engine

Source code analysis

  • Performance and other improvements across the C/C++, C#, ECMAScript, Go, Java, Lua, Objective-C, PHP, Python, Ruby, Rust, Swift, and VB.NET source code analysis engines

  • Multi-platform Go analysis

    The updated Go analysis engine can scan Go applications targeting multiple operating systems and architectures. Specifying an operating system or architecture for Go applications is no longer required.

  • Custom C/C++ runtimes

    Custom runtimes can be created for C/C++ applications, enabling easier management of shared standards, libraries, and platforms.

  • Expanded support for fourth-generation languages such as 4GL, EGL, and SQR

Dependency analysis

  • Improved dependency discovery and analysis for C/C++ and ECMAScript dependency ecosystems
  • Improved ingestion of SBOMs generated by ecosystem tools

  • CVSS score estimation

    When a vulnerability does not have a CVSS score, an estimated score is calculated using Secure Score algorithms. This allows the vulnerability to be properly filtered and processed according to its severity.

Remediation

  • Improvements in C/C++ remediation algorithms

    The remediation algorithms can automatically discover security libraries in custom C/C++ runtimes and utilize them to remediate vulnerabilities.

  • Improvements in Guided Fix

    The remediation algorithms have been improved so that Guided Fix, automatic remediation that requires human validation, is more accurate and better aligned with the original source code style.

  • General improvements in ML-augmented vulnerability remediation and explanations

Reporting

  • UX improvements for JSON reports and CycloneDX and SPDX SBOM generation
  • Improved PDF report quality and generation performance

Interfaces

  • Performance enhancements in the API and the Web UI

    Further improvements to the I/O subsystem introduced in version 2603 provide faster and more consistent API performance, particularly on systems with slower IOPS and a large number of applications or scans.

  • Improved Express Scan

    Autopilot has been renamed to Express Scan, with improvements including enhanced framework detection, directory upload support, and configurable defaults.

  • Improvements in the CLI

    The Vulnerability interface is now supported by the CLI. In addition, the CLI gained the ability to output JSON directly to stdout.

  • Improvements in Lucent Sky AVM for IDE

    IDE extensions have improved task and I/O management for better UX when scanning large applications or reviewing scans with a large number of results. In addition, Lucent Sky AVM CLI location defined in PATH is now recognized by IDE extensions.

Issues fixed in 2606 MR

  • We fixed a bug where applications with very low LOC always have a very low Secure Score
  • We fixed a bug where the dependency API model received by the CLI or Web UI might be corrupted
  • We fixed a bug where certain binary files without extensions cannot be specified as analysis targets
  • We fixed a bug where scans might fail when analyzing Ruby applications that contain invalid source code files

Breaking changes in 2606 MR

  • Dependency vector enabled by default

    Potentially breaking change. When using the API, CLI, IDE extensions, or the Web UI to create a new application, the Dependency vector is enabled by default. To exclude it, explicitly specify the list of vectors to enable.

  • Built-in runtimes for Go

    Potentially breaking change. The built-in Go (Linux) and Go (MacOS) runtimes have been removed, and the Go (Windows) runtime has been renamed to Go. Existing applications using the Linux and MacOS runtimes will be migrated to use the default Go runtime automatically. However, API calls and CLI scripts will fail if they attempt to create new applications using the Linux or MacOS runtime IDs. They must instead use the default Go runtime ID (0000000000000000000b000000000101).

  • CLI application list

    The application getlist method on the CLI will return a list of all applications, instead of just applications owned by the user. To return only applications owned by the user, include the argument --Filter "owner=my".