Skip to main content

Delivered Roadmap 2022-2023

What's New?

Stay up-to-date with the latest features released every quarter.


Sonatype Lifecycle

Sonatype Repository Firewall

Sonatype Advanced Legal (ALP)

Sonatype Lifecycle2023 Q3

July 2023 to September 2023

Releases 165 to 167

Embracing Inclusion with Legacy Violations

The feature Policy Violation Grandfathering is replaced with Legacy Violations, to refer to policy violations that can be deferred during onboarding and prioritized to be remediated later. Rel 167

Handling Remediated Vulnerabilities

Revised error messages now indicate that a vulnerability has been remediated, when a previously occurring policy violation does not exist anymore, after remediations. Users are prompted to run new scans to detect newer and latest vulnerabilities. Rel 166.

Python Analysis Improvements

To align with the format changes of poetry.lock file from versions 1.5.1 onwards, devDependencies will automatically be excluded for poetry versions 1.5.1 and higher. Rel 166

Horizontal Scaling for IQ HA Deployments

IQ Server HA deployments can be configured to auto-scale to match the workload demands. This capability utilizes the native Kubernetes HorizontalPodAutoScaler feature that deploys more pods in response to increased load or scales back to the configured minimum (2 pods) when the workload decreases. Rel 166

Generate and Analyze SBOMs in SPDX format

The newSPDX REST API generates SBOMs in both XML and JSON outputs for all supported component formats. Users can also generate the SBOM (in JSON format) from the Application Scan Report page. Rel 165

Users can analyze SPDX SBOMs in Lifecycle and generate application composition reports. This can also be done by using the Third-Party Scan REST API. Rel 166

Waiver Requests with Webhooks

Waiver Requests can be sent for approval with a simple one-click submit by configuring a webhook for the Waiver Request Event. Once the webhook is configured, users can send a waiver request by clicking on the Submit button on the Request Waiver page, instead of manually copy-pasting the curl command containing waiver details, to share the waiver details with the approver. Rel 165

Dashboard Pagination

Users can view more rows with fewer clicks on the Violations tab of the Lifecycle Dashboard. Rel 165

Users can easily navigate to multiple pages to browse over all policy violations, components, applications, and waivers, that are relevant to the applied filter. This improvement removes the previous limit of viewing only 100 rows of data on the dashboard. Rel 166

Why did my IQ Server database migration fail?

Error messages on export logs generated during to capture IQ Server database migrations will now indicate the exact root causes of database migration failures. Rel 165

Sonatype Lifecycle2023 Q2

April 2023 to June 2023

Releases 159 to 164

Analysis of conaninfo.txt file

The improved analysis for Conan dependencies now handles the scenario of duplicate dependencies. By giving higher precedence to dependencies under the "full_requires" section over those under the "requires" section of the conaninfo.txt file, duplicates are eliminated. Rel 163

Distinct and Distinguishable Component Identification in SBOMs

SBOM generation for all supported ecosystems ensures that components in a binary file, that have the same coordinates, but different hashes do not appear as different components. Rel 163

The response for CycloneDX REST API has been tweaked to include a predefined parent component name as a placeholder if the application evaluation report does not contain any project data. Rel 163

Robust Execution Cycles for Default Branch Monitoring

Users can now use default branch monitoring more effectively, without unexpected exits that occur upon encountering errors. Rel 162

Data Retrieval for Scan Reports

Choose the right scan reports by specifying the dev. stage and count of most recent reports using the Reports REST API.

Extended Compatibility with the Latest Java/Chrome Versions,non-English, Case-sensitive, and Wildcard Character-sets.

Sonatype IQ Server now extends evaluation to applications and components written in the newer Java versions, Java 19 and Java 20. Rel 162

The latest Google Chrome versions are compatible with IQ Server. Rel 162

Users can create and download application reports containing non-English characters without making modifications to their IQ Server elements named in native/local languages. Rel 162

Sonatype (Nexus) IQ for SCM now supports wildcard characters found in Markdown across the supported developer platforms. Rel 163

Sonatype IQ Server/Lifecycle handles case-sensitive characters in the exact same manner as GitHub. Rel 163

When Are Upgrades for Waived Components Available?

The Upgrade Available indicator on the Waivers Dashboard will indicate when a safe-to-use version of the component is being recommended by the Sonatype Research Team. Users can remediate the violation by upgrading to the recommended component version and removing the waiver. Rel 159

Users can configure their Lifecycle instances to monitor for the availability of waived components from the System Preferences menu or use the new property waivedComponentUpgradeMonitoringEnabled to configure using the Configurations REST API. Rel 162

Sonatype IQ Server HA General Availability

Sonatype IQ Server for High Availability (HA) previously launched with release 155 for limited access, is now available to all customers. Rel 159

Navigating Orgs and Applications in N-level Hierarchy

Users can navigate to a specific organization or application by entering its name in the search filter located in the tree view showing the inheritance hierarchy. Rel 159

Tooltips in the filter search results display data such as the name of the parent organization, the number of sub-organizations linked to the parent, and the total number of applications contained in the selected organization. Rel 159

SCM Integrations Improvement

Threat levels of policy violations that are fixed are included in the pull request comments. Rel 159

The create or update buttons on The SCM configuration page will be visible to users, as applicable, making the users aware if they are modifying an existing SCM configuration. Rel 162

Improvements to Authentication

We have improved the validation of GitLab access tokens to enable seamless integrations with SCM. Rel 159

Users using LDAP for authentication in a multi-realm environment can log in to the IQ Server. Rel 162

LDAP authentication of users in multi-realm environments has

Graceful Shutdown of Nodes In Kubernetes Cluster

We have improved the node shutdown process of IQ Server in a cluster environment, to prevent IQ Server outages. Rel 160

Meet Sonatype Lifecycle

Announcing Nexus Lifecycle is now Sonatype Lifecycle. This release brings over new product names and logos. Rel 160

Vulnerability Data is now Customizable

Security experts can augment Sonatype Vulnerability Data with their company security regulations to create customized vulnerability attributes that match their specific environments. The customized vulnerability attributes can be used to build constraints for policies in Lifecycle and help prioritize remediations. Rel 161

The new Vulnerability Custom Attributes REST API (experimental) extends the ability to customize the vulnerability data, beyond the UI.Rel 161

Build and Rebuild your N-level Hierarchy

The Move Organizations feature lets users manage a multi-level hierarchy or create a new multi-level hierarchy from an existing single level, by moving an entire branch of a parent organization (consisting of other organizations and applications) to a different level in the organizational hierarchy. Rel 161

The Organizations REST API supports the Move Organizations feature. Rel 161

Sonatype Lifecycle 2023 Q1

January 2023 to March 2023

Releases 152 to 158

Add Custom Security Vulnerability Groups

Users can use the Vulnerability Groups REST API (experimental) to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid in risk management and remediation. Rel. 152

Find Security-Reachable Components With Call-Flow

IQ CLI includes experimental flags that will enable call flow analysis on application scans. Components with security vulnerabilities occurring within reachable code will be flagged as "Security-Reachable". Rel. 152

Select Fast Track or Deep Dive

Set policy conditions to check whether a component has undergone Fast Track or Deep Dive research.Rel. 152

Verify the authenticity of the Sonatype IQ Docker image with Docker Content Trust

Docker image consumers can now use the trusted, signed Sonatype IQ Docker image, now available to inspect at the Docker Hub. Rel. 152

View Repository Waivers on the Dashboard

The Waivers View on the Dashboard includes Repository waivers.Rel. 152

Waive all versions of a component with Root Org Scope

A waiver applied to one version of a component can now be applied to all future versions of that component at the root level. Rel. 152

Add Custom Security Vulnerability Groups

Users can use the Vulnerability Groups REST API (experimental) to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid in risk management and remediation. Rel. 152

Advanced Vulnerability Detection and Deep Dive

Violation details contain two new labels, Deep Dive (indicates the vulnerability data includes Sonatype researched details and recommendations) and Advance Vulnerability Detection (indicates that the vulnerability has been detected from an embedded dependency) Rel. 152

Environment variables for Sonatype Container Scanning are optional

Setting environment variables for scanning Sonatype Container with Sonatype Lifecycle is optional. Rel. 152

Delete Older Scan Files

Users can choose to retain or delete older scan files using the property purgeScanFiles for Configuration REST API - v2. Older scan files that are retained can be promoted to other stages using Promote Scan API -v2. Rel. 152

Run npm Application Analysis Effectively

Using a POST and DELETE request, users can choose to enable/disable scanning development dependencies and optional dependencies in manifest and lock files of JavaScript packages. Rel. 153

Launching Sonatype IQ Server High Availability

Users can configure the Sonatype IQ Server for High Availability (HA). Currently offered on AWS and on-premises, the HA installations will enable recovery from failures or disruptions with near-zero downtime. Rel. 154

View Most Relevant Repository Details

Run a multi-column sort in the Repository Results View to retrieve the most relevant repository details. Rel. 154

Vendor Data and Software Name in SBOM

The SBOM generated from CycloneDX REST API - v2 will now include the vendor name (Sonatype) and software name (Sonatype IQ Server version). Rel. 154

Reuse your Filters for Lifecycle Reports

We have improved persisting and resetting filter values to match the navigation steps to and from the Reports view page. Rel. 154

Create Multi-level Hierarchies in Lifecycle Organizations

Users can set up organizations at different levels (N- levels) of hierarchy, to mimic their company's organizational structure and business units. Users can utilize the N-level Org model to create context-sensitive policies and remediation steps that apply locally to their domain. Rel. 156

Clean up of Older Scan Files

Setting the purgeScanFiles property ofConfiguration REST API to null will pause the retention of new scan files and clean up the retained older scan files.

Override Policy Notifications for Inherited Policies

Using this option, change the pre-configured policy notification settings for the desired DevSecOps pipeline stage. This improvement also offers the flexibility of changing the recipient type and recipient emails, if applicable, from what was set at the parent level. Rel 158

Extended Support for SAML Users and Groups

SAML users and groups to allow them to be discoverable via searches in the UI.Rel 158

Clone Repositories using SSH Protocol

When cloning a repository, users can use the SSH protocol for Automatic Source Control Monitoring (SCM)Rel 158

Compatibility with New Atlassian API Tokens

We have updated our backend to stay compatible with the increased length of Atlassian API tokens for Jira configurations 158

Sonatype Lifecycle2022 Q4

October 2022 to December 2022

Releases 145 to 151

View Lifecycle Waivers on the Dashboard

Policy waivers will now be readily available for review on the dashboard. The Export Waivers Data button generates a .csv file populated with all the waivers' data that is retrieved based on the dashboard filter settings. Rel. 148

Retrieve a Policy Waiver

The Policy Waiver REST API - v2 can retrieve details on a single waiver by passing the policyWaiverID in the GET method.Rel. 148

View Dependency Graph in SBOM

We have refactored CycloneDX REST API - v2 to include the dependency graph in SBOM, per CycloneDX specification. Rel. 148

Configurable Option to Enable Scanning of pom.xml

The configurable option to enable scanning of pom.xml files, for scan targets that could contain manifest files, in rare situations.Rel. 149

Performance Improvements to Lifecycle Dashboard

Improved performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.Rel. 149

Analyze Open-source Behavior with Data Insights

Analyses from Data Insights uncover open-source component usage patterns across your organization. Rel. 150

Updates to Nexus Container Scanning with Nexus IQ CLI

Scanning local images does not require providing environmental variables. Rel. 150

Data Architecture Improvements

Improvements to the existing data architecture for Nexus IQ Server and HDS to prevent database locking issues due to concurrent transactions on shared resources.Rel. 151

Sonatype Repository Firewall 2023 Q3

July 2023 to September 2023

Releases 165 to 167

Guided Setup

The Firewall Guided Setup simplifies onboarding Nexus Repository Manager repositories to enable users to get started with the Firewall in a few easy steps. Rel 167

Path Forward Instructions when a Component Download is Blocked

The App Sec team can set meaningful remediation messages and directives for the developers when they cannot download quarantined components blocked by the Sonatype Repository Firewall. Rel 165

Easy Search and Discovery of Repositories

The Repository Manager interface shows repositories logically grouped under the respective Repository Manager.

A new "Enablement" column indicates the specific protection features of the Sonatype Repository Firewall that are currently enabled for the repository.

Identify Repository Managers by assigning a custom human-readable name, in addition to the pre-assigned UUID. The custom Repository Manager name is visible throughout Lifecycle and Firewall instances.

Sonatype Repository Firewall 2023 Q2

April 2023 to June 2023

Releases 159 to 164

Disable Namespace Confusion Protection

Users can disable namespaces for the namespace confusion protection feature to unblock components of specific hosted public repositories if this protection is causing unnecessary blockers in the development cycles. Rel. 159

View More Info on Quarantined Components

We have improved the UI for Firewall users to clearly indicate policy violations due to quarantined components and other allowed versions of the quarantined component. Rel. 159

Locate that Quarantined Component Quickly!

Users can search for a specific quarantined component by entering the component name in the filter, without having to scroll through multiple pages. Rel. 160

Meet Sonatype Repository Firewall

Announcing Nexus Firewall is now Sonatype Repository Firewall. This release brings over new product names and logos. Rel 161

Set the Expiry Time for Quarantined Component Report

Users can configure the expiration time of the Quarantined Component Reporting Firewall using the quarnatinedComponentReportExpirationTimeInHours property in Configurations REST API. Rel 161

Sonatype Repository Firewall 2023 Q1

January 2023 to March 2023

Releases 152 to 158

Re-designed Firewall Repository Results and Repository Component Details Page

The view delivers meaningful insights into violation counts, component identification, and quarantined components with improved filtering, pagination, and UI.Rel. 152

Choose the time intervals to run the Automatic Quarantine Release

Users can choose how often Automatic Quarantine Release is scheduled to run using the property automaticQuarantineReleaseTimeIntervalInMinutes for Configuration REST API. Rel. 152

Performance Improvements

Users with large repositories of OSS components will experience a marked improvement in the loading times of the Firewall Repository Results page. Rel. 153

Search by Component

The Repository Results search by component functionality is now more responsive and will enable users to search by specifying multiple component coordinates. Rel. 153

Release Integrity: Why are some Versions of some Maven artifacts locked?

We have added malicious component protection for Java (Maven). Blocking of these components will continue until Next-Gen Firewall determines they are safe for your development pipelines. Rel. 154

Are Repositories Protected from Namespace Confusion?

Users can now view the proprietary namespaces from hosted repositories for which the namespace confusion protection is enabled. Rel. 156

July 2023 to September 2023

Releases 165 to 167

Discover More Observed Licenses

ALP has the expanded ability to detect observed licenses in other ecosystems besides Maven. Users with an Advanced Legal Pack (ALP) license and running Sonatype IQ Server release 165 (or higher) can detect and review observed licenses in npm, NuGet, PyPI, RubyGems, RPM, and Composer ecosystems, in addition to Maven. Rel 165

April 2023 to June 2023

Releases 159 to 164

Powerful and Easy Searches on the Applications

The UI logic for the filter on the Advanced Legal Pack (ALP) application page now allows it to reset contextually when navigating to a new application. Rel 162

Faster Attribution Reports

Generate Attribution Reports containing large no. of components, faster, without encountering gateway timeouts in reverse proxy environments.

January 2023 to March 2023

Releases 152 to 158

Component Dashboard

Review the risks and vulnerabilities of all components scanned by IQ Server on an intuitive dashboard. Rel. 134

Review Legal Obligations

Click on the “Review Obligations” button in the legal tab to view detailed component legal details from the component details page. Rel 134

October 2022 to December 2022

Releases 145 to 151

Performance Improvements in Attribution Reports

We have streamlined our data retrieval processes to generate these complex and data-intensive reports, faster. Rel. 145