Skip to main content

2016 Release Notes


Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.


The IQ Server 1.24 release contains the following updates:

IQ Server Authorization for Tools

The IQ Server provides extended functionality to a number of tools (e.g. Nexus Repository Manager, Nexus IQ for Hudson/Jenkins 1.x, Nexus IQ for Bamboo, IQ for Eclipse, CLM for Maven, etc.). Authentication and authorization were added in version 1.14 of IQ Server, but disabled by default for backward compatibility.

Starting in version 1.24, this is now enabled by default; it forces tools to provide authentication details. While not recommended, if you need to preserve previous functionality, the IQ Server can be configured to allow anonymous access for all tools.

The affected tools include:

  • Nexus IQ for Bamboo

  • Nexus IQ CLI

  • Nexus IQ for Hudson/Jenkins 1.x

  • IQ for IDEA

  • IQ for Eclipse

  • CLM for Maven

  • IQ for Nexus Repository Manager

  • CLM for SonarQube

Lifecycle Container Analysis

You can now use the Nexus IQ CLI to evaluate Docker images in a Twistlock environment. Twistlock version 1.5.56 or newer is required for this integration.

Export Dashboard Results

The Dashboard’s View menu now has an Export Violations Data button that lets you download data displayed in the current view to a .CSV file for use in spreadsheets.

Saved Filters

The Filter menu on the left side of the Dashboard has a new Manage Filters menu. From here you can save Dashboard filter criteria allowing for recall and repeated use. Multiple saved filters can be created using different names.

Risk Severity Heatmap in Dashboard Results

The Dashboard Results now provide a heatmap representation of risk to highlight areas of concern. Results with lower risk are a light shade of blue and results with higher risk are a darker shade.

Updated IQ Server Plugins

The IntelliJ IDEA Plugin has been updated to support the global configuration of the IQ Server.

Security Fixes

Fixed a cross-site scripting (XSS) vulnerability exposed via the display of usernames.

Notable Bug Fixes

Fixed a problem with the Audit tab not showing some non-Java component changes.


The IQ Server 1.23 release contains the following updates:

A New Look for the Dashboard

The Dashboard has a new look that reduces visual noise and makes it easier to see the overall health of components used in your development cycle.

New Dashboard Filter for Organizations

The Filter menu on the left side of the Dashboard has a new filter called Organizations. It allows you to view violations from one or more organizations, which includes violations from any applications attached to the organization(s).

Component Intelligence for JavaScript Now Available

IQ Server now provides JavaScript component data for application evaluations just like it does for Java components (in addition to the existing npm JavaScript package support for repositories). Refer to the in-product announcement for known issues and updates.

Removed REST APIs v1

REST APIs v1 had the limitation of working only with Maven components while v2 works with any Java components and (as of IQ Server 1.23) JavaScript components. Be sure to review the paths or URLs in your REST calls, and update them to v2 as needed. Any remaining v1 calls will return a “404 Not Found” message.

Updated Plugins

The following plugins were updated to resolve a vulnerability: Sonatype CLM for Maven, Nexus IQ for Bamboo, and Nexus IQ for Hudson/Jenkins 1.x.

Security Fixes

  • Fixed a vulnerability with IQ Server causing resource leaks in a rare scenario that is unlikely to occur in most environments.

  • Fixed an IQ Server local user account authentication vulnerability that uses a highly complex theoretical attack approach.

  • Fixed an XML external entity (XXE) vulnerability affecting the Maven plugin and CI plugins.


The IQ Server 1.22 release contains the following updates:

Enhanced Configuration for Proprietary Components

Proprietary components can now be defined at any level in the system hierarchy: Root organization, organization, or application. In addition, the configuration features for proprietary components have moved from the System Preferences menu to the Organization & Policy area.

If you use any of the following plug-ins, it’s recommended that you install the latest version of the plug-in to take advantage of the changes to proprietary components configuration:

  • Nexus IQ for Bamboo

  • Nexus IQ for Hudson/Jenkins 1.x

  • Sonatype CLM for Maven

Improved Dashboard Filters

On the Dashboard, it’s now easier to see which filters are active and which are not. The following filter behaviors have been added:

When all items of a filter are selected, a total count is shown.

When only some items of a filter are selected, a counter (e.g. "2 of 4") is displayed.

When no filter items are available for selection, the filter is disabled.

Rebranded Roles and Permissions

The names of a few security roles and permissions have been updated as follows:

The CLM Administrator is now the Policy Administrator.

The Edit CLM Elements permission is now Edit IQ Elements.

The View CLM Elements permission is now View IQ Elements.

New Quick Start Guide

A Quick Start Guide for Nexus IQ Server has been added to the documentation. It’ll help you get IQ Server up and running in minutes for the purpose of trying out its features before installing it in your development environment.


The IQ Server 1.21 release contains the following updates:

Nexus Firewall

The ability to send notifications when a new component violates policy in an audited repository has been added.


  • Added a new plugin for IntelliJ IDEA called IQ for IDEA. For details, see the IQ for IDEA chapter.

  • Added an integration for Atlassian JIRA with the ability to create JIRA tickets via IQ Server Notifications. For details, see Notifications in the Basic Policy Management chapter.

  • Improved application analyzer (scanner) performance for all integrations.

  • Added support for Atlassian Bamboo 5.10, 5.11, and 5.12.

  • Rebranded the Bamboo plugin to Nexus IQ for Bamboo.

  • Rebranded the Hudson/Jenkins plugin to Nexus IQ for Hudson/Jenkins 1.x. If you have a prior version of the plugin installed (called Sonatype CLM for Hudson and Jenkins), then you must uninstall the older version before installing the new rebranded one.

IQ Server UI

In the Policy Editor, Notifications and Actions have been split into separate sections. See the Basic Policy Management chapter for details.

In the Organization & Policy area, two commands have been added to the Actions menu:

Add ID to Clipboard - To copy the Application ID to the Clipboard for easy use when configuring an IQ Server plugin.

Change App ID - To change the Application ID for use with IQ Server plugins.

The Application ID now appears next to the Application Name near the top of the Organization & Policy area.

In the Dashboard area, the design of filters has been updated.

IQ Server Log Files

The configuration file (config.yml) for IQ Server shipped with this release contains updated defaults for the number of log files to archive (archivedFileCount). To ease troubleshooting, both the server and request logs have been archived for the past 50 days. We recommend that customers with existing installations of IQ Server adopt this change for their configuration files after verifying that the disk holding the log files has sufficient free space left to account for the slight increase in storage requirements.


Pre-Authentication Deserialization Vulnerability - Versions of IQ Server prior to version 1.18 are vulnerable to remote code execution via a deserialization bug. The affected library was upgraded in IQ Server 1.18, reducing the impact, but other exploits involving deserialization may exist.

IQ Server 1.21 implements a complete fix by removing access to the deserialization functionality. We recommend you upgrade to IQ Server 1.21 as soon as possible.

HTTP Header Vulnerability - All previous versions of IQ Server up to and including 1.20 are vulnerable to an attack due to HTTP Host header value injection. We recommend you upgrade to IQ Server 1.21 as soon as possible.


The IQ Server 1.20 release contains the following updates:

Nexus Firewall

The Nexus Firewall solution now has the ability to release a component from quarantine. Also, you can now override a vulnerability of a repository component. For more details, see the IQ for Nexus Repository Manager chapter.

New User Interface for Configuration

IQ Server configuration features have a new user interface designed to make it easier to configure policies, organize system hierarchy, and manage user access. In the Organization & Policies area, several items have been renamed:

  • The Security tab is now the Access button.

  • Tags are now called Application Categories.

  • Labels are now called Component Labels.

Access Management

There are a few additions to managing user access:

  • For security access, a new built-in group called Authenticated Users has been added. It contains any user who is authenticated by a realm integrated with IQ Server. You can assign Authenticated Users to roles in the same way as individual users or other groups.

  • For user roles, there’s a new permission called Add Applications. It allows you to grant users the ability to create applications within the scope of an organization without granting them full owner permissions. This new permission has been added to the CLM Administrator and Owner roles as well as any custom role that grants permission to edit an organization. You may want to review custom roles and their assignments to verify permissions are set as desired.

  • For the login process, feedback is now provided when a login fails due to LDAP issues.

System Hierarchy

You now have the ability to move an application from one organization to another. This makes it easier to reorganize the IQ Server system hierarchy when needed.

Component Data

For component data, there’s a new license type called Not-Supported. It indicates that Sonatype or the target ecosystem does not currently support automated license collection for a component’s format.

In addition, the Sonatype Data Research group is now providing the following data:

  • Common Vulnerability Scoring (CVSS) for security issues that have reserved CVEs as of February 23, 2016.

  • Root Cause information in the vulnerability details view.

Nexus IQ for Bamboo

The Nexus IQ for Bamboo plug-in has been updated to version 1.0.6. It fixes an error that can occur when connecting the Bamboo plug-in to IQ Server over SSL.


The loading times for the Dashboard, Reporting, and Organization & Policies areas have been significantly reduced, especially for systems with large data sets. If you have hundreds or thousands of organizations and applications, you should see faster loading of the Dashboard, reports, and configuration features. The Dashboard also has simplified summary results at the top, which makes it easier for you to focus on the Risk section.


The IQ Server 1.19 release contains the following updates:

Ability to Augment Repository Component Data

Several changes were made to the Firewall solution:

  • In Repository Results, you can now waive violations, override licenses, and assign labels to repository components.

  • You can delete repositories in IQ Server.

  • Performance is improved when deleting Audit-enabled proxy repositories.

Enabled CLI for Auditor

Users of the Nexus Auditor solution can now access the Nexus IQ CLI features, which were previously available only for the Nexus Lifecycle solution.

npm Data Available in Firewall

npm packages are now supported in the Firewall. Available data includes identification, licenses, and vulnerabilities.

New Logo for IQ Server

IQ Server has a new icon that appears on the IQ Server toolbar and its browser tab.

Updated IQ Plugins

The scope of analytics information collected by IQ Server for proprietary packages is narrower. This change is incorporated into all IQ plugins.

Additional Data for Sonatype Vulnerability Types

The IQ Server Application Composition Report and Repository Results include additional information for Sonatype vulnerability types.

Support for SonarQube 5.2 and 5.3

The SonarQube plugin version 1.0.4 now includes support for SonarQube 5.2 and 5.3.