2017 Release Notes


Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

1.42 (December)

Java 8 is now required for Nexus IQ Server and Nexus IQ CLI

Oracle Java 8 is now required in order to run Nexus IQ Server and Nexus IQ CLI (previously Java 7 was supported). Using prior versions of Java will fail with an UnsupportedClassVersionError on startup.

Organization REST API now supports creating organizations

The Organization REST API has been enhanced to allow the creation of new organizations via POST operations. The Organization REST API documentation provides more details on usage.

Nexus IQ CLI now displays scan fingerprinting performance information

The Nexus IQ CLI now displays the number of archives and files fingerprinted and the duration (in seconds) required to fingerprint them.

Nexus IQ Server forceBaseUrl option now works correctly with reverse proxies that change the web application context path

Nexus IQ Server 1.41 failed to load fonts and icons when running behind a reverse proxy that changed the web application context path. The forceBaseUrl option now works as intended in such circumstances.

1.41 (November)

Force baseUrl for user-facing URLs

Sonatype encourages the use of the X-Forwarded-Proto and X-Forwarded-Host headers set by proxies to match a user-facing URL. If you are not able to use these headers, please contact our customer support team for assistance on how to force the use of the baseUrl.

Support for evaluating Java 9 applications and components

Application and component evaluation has been updated to support Java 9 bytecode.

Support for the new Twistlock Console 2.2 in Nexus IQ CLI

We added support for the new Twistlock CLI tool. The new integration requires at least Twistlock 2.2.100. The old twistlock-scanner Twistlock CLI tool is not supported anymore. If you cannot update to at least Twistlock 2.2.100, you can still use previous versions of Nexus IQ CLI.

1.40 (November)

Configuring baseUrl no longer forces the application URL

Setting the baseUrl will only change the application URL for email notifications. Requests from any application URL through IQ Server will be maintained. Specifically, proxies should make use of the X-Forwarded-Proto and X-Forwarded-Host headers to match a user-facing URL.

1.39 (October)

The IQ Server 1.39 release contains the following updates:

Success Metrics Performance

Repeated loads of a Success Metrics Report within the same aggregation interval will now load more quickly due to additional data caching within the IQ Server.

Always up-to-date Success Metrics

Success Metrics Reports can now be configured to update constantly. Previously, the reports would only update at the beginning of each calendar month. When creating a Success Metrics Report, the user may now choose the aggregation interval for the report, with options of "by calendar month" and "by most recent evaluation." This replaces the "daily aggregations" feature that was added to Success Metrics in the 1.36 release of IQ Server.

New Save Filter workflow

The Save Filter modal on the IQ Dashboard has been updated to help the user more clearly distinguish between overwriting an existing filter and saving a filter under a new name.

Improved Sorting of Dashboard Results

Manually sorting columns within the IQ Dashboard will now sort over the entire result set instead of only the limited number of rows that are displayed within the browser.

Security Fixes for IQ plugins

New versions of Maven, Hudson/Jenkins 1.x, and SonarQube plugins have been released to resolve vulnerable, but not exploitable, dependencies.

1.38 (October)

The IQ Server 1.38 release contains the following update:

Lifecycle XC Report Improvements

Component names in the Identified Components section of Lifecycle XC reports have been standardized across several of the supported ecosystems and formats. This improvement aims to bring further clarity to the user in recognizing the reported components.

1.37 (September)

The IQ Server 1.37 release contains the following updates:

Success Metrics reports for selected Organizations and Applications

Users can now configure Success Metrics reports for a specified scope made up of a selection of organizations and applications. The user may either specify exactly what they want or select an option to include all applications. Each user can now have multiple Success Metrics reports, whereas previously only a report for the entire Root Organization was available.

1.36 (September)

The IQ Server 1.36 release contains the following updates:

Security Vulnerability Presence Policy Condition Replaced with Security Vulnerability Severity Policy Condition

In an effort to reduce redundant policy conditions, the Security Vulnerability present policy condition has been replaced by the Security Vulnerability Severity greater than or equal to 0 policy condition. Additionally, the Security Vulnerability absent policy condition has been removed. If any of your policies use the Security Vulnerability absent policy condition, contact our customer support team or your customer success representative for assistance in changing them before upgrading to ensure a successful migration.

Success Metrics

Success Metrics has been updated to calculate aggregations daily for new installations where historical data is limited.

1.35 (August)

The IQ Server 1.35 release contains the following updates:

Lifecycle XC

Lifecycle XC (Expanded Coverage) is a new capability of Nexus Lifecycle that utilizes OWASP dependency-check to provide basic coverage for additional languages. Specifically, Nexus IQ CLI features a new option to run in normal (Lifecycle) or XC mode. When XC mode is enabled Nexus IQ CLI will be configured to scan and analyze a different set of ecosystems and formats including Ruby, Swift, CocoaPods, and PHP. For more information, please see the Lifecycle XC topic.

Success Metrics Components tile

Success Metrics has been updated with a new Components tile that breaks down which components are used across most applications and which components have the most policy violations.

1.34 (July)

The IQ Server 1.34 release features support for Docker image evaluations natively using Nexus IQ tooling. Updates to the latest version of tools are required for Docker image evaluations. This includes:

Nexus IQ Tool

Minimum Required Version

Nexus IQ CLI


Nexus IQ for Bamboo


Nexus IQ for Jenkins 2


Nexus IQ for Hudson/Jenkins 1


An update to the Nexus IQ Server is not required. More information on performing Docker image evaluations is available in the Evaluating an Application section of the Nexus IQ CLI topic and the Docker Images section of Nexus Platform Plugin for Jenkins.

1.33 (July)

The IQ Server 1.33 release contains the following updates:

Support to Upgrade from Nexus Repository Manager 2 to 3 When Using Nexus Firewall

Nexus Repository Manager 3.5.0 enables you to upgrade from Nexus Repository Manager 2.14.5 and retain the state of any proxy repositories that use the audit or quarantine functionality of Nexus Firewall. This version of IQ Server is required to assist the upgrade process for those repositories using Nexus Firewall.

Success Metrics

In the toolbar, you can now find a link to Success Metrics, which summarizes important IQ Server activity over the last 12 months. The data is gathered for all organizations and applications you have access to. Please note that you need at least one month of historical evaluation data to generate Success Metrics. They can be disabled by the System Administrator via the System Preferences menu.

1.32 (July)

The IQ Server 1.32 release contains the following updates:

Nexus IQ CLI Supports Parameters from Files

Support for the Nexus IQ CLI to load parameters from files has been added. For more information, please see "Loading Parameters from a File" in the Nexus IQ CLI topic.

Nexus IQ CLI Requires Java 7

Starting with this version, Nexus IQ CLI requires Java 7 (previously Java 6).

Policy Coordinate Condition Update with Support for Extension and Classifier

The policy coordinate condition has been updated to allow the extension and classifier coordinates to be specified when creating a Maven coordinate condition for a policy constraint. Inputting coordinates has also been changed such that required coordinates must have a value specified, whereas optional coordinates can be left empty. For Maven, only the classifier coordinate is optional, and for A-Name only the qualifier coordinate is optional. A coordinate with an empty value will only match a component that does not have that coordinate. A coordinate with a wildcard value will match a component with any value for that coordinate, as well as a component that does not have that coordinate.
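
The matching rules above, written out as a small matcher to show how an empty classifier and a wildcard classifier differ in what a policy constraint catches. This is an added illustration, not Sonatype's code; the "*" wildcard spelling, the function names and the sample components are assumptions made for the example.

```python
from typing import Mapping, Optional

WILDCARD = "*"  # assumption: the release note only says "a wildcard value"
MAVEN_COORDINATES = ("groupId", "artifactId", "version", "extension", "classifier")
OPTIONAL = {"classifier"}  # per the note, the only optional Maven coordinate


def validate_condition(condition: Mapping[str, str]) -> None:
    """Required coordinates must carry a value; optional ones may be empty."""
    for name in MAVEN_COORDINATES:
        if name not in OPTIONAL and not condition.get(name, ""):
            raise ValueError(f"required coordinate {name!r} has no value")


def coordinate_matches(wanted: str, actual: Optional[str]) -> bool:
    if wanted == WILDCARD:
        return True          # any value, or no such coordinate at all
    if wanted == "":
        return not actual    # only components that lack the coordinate
    return wanted == actual  # literal value must be equal


def condition_matches(condition: Mapping[str, str],
                      component: Mapping[str, str]) -> bool:
    validate_condition(condition)
    return all(
        coordinate_matches(condition.get(name, ""), component.get(name))
        for name in MAVEN_COORDINATES
    )


# Constructed sample data (hypothetical coordinates).
PLAIN_JAR = {"groupId": "org.example", "artifactId": "widget",
             "version": "1.0", "extension": "jar"}
SOURCES_JAR = dict(PLAIN_JAR, classifier="sources")

BASE = {"groupId": "org.example", "artifactId": "widget",
        "version": WILDCARD, "extension": "jar"}
EMPTY_CLASSIFIER = dict(BASE, classifier="")       # unclassified artifacts only
WILD_CLASSIFIER = dict(BASE, classifier=WILDCARD)  # classified or not

if __name__ == "__main__":
    for label, cond in (("empty", EMPTY_CLASSIFIER), ("wildcard", WILD_CLASSIFIER)):
        for name, comp in (("plain", PLAIN_JAR), ("sources", SOURCES_JAR)):
            print(f"{label:8} vs {name:7} -> {condition_matches(cond, comp)}")
```

A constraint meant to cover every artifact of a component needs the wildcard classifier; with the classifier left empty, the classified variant falls outside the condition.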

Uncategorized Applications Filter on Dashboard

The Application Categories Filter on the Dashboard now has a new option: "No Category". This option allows the user to explicitly control whether they want applications that are not a member of any category to appear in the Dashboard results. Previously, uncategorized applications would never be included when any specific category filters were selected.

Security Fix for CI Plugins

Both Nexus IQ for Bamboo and Nexus IQ for Hudson/Jenkins 1.x suffered from a vulnerability related to the deserialization of XML files that could crash the JVM. This release provides updated versions of those two plugins to resolve the issue.

Updated Minimum Requirements for CI Plugins

To facilitate the aforementioned security fix, version 1.4.0 of Nexus IQ for Bamboo now requires at least Bamboo 5.10 as host runtime. This also implies a requirement on Java 8 as needed to run Bamboo.

Likewise, version 2.18.0 of Nexus IQ for Hudson/Jenkins 1.x requires Java 8 as runtime, and versions of Hudson before 3.2.0 are no longer supported.

Please note that in the next few months, we plan to adopt Java 8 as the minimum runtime requirement for all other client integrations and IQ Server itself.

1.31 (June)

The IQ Server 1.31 release contains the following update:

IQ for Visual Studio

Support for the Nexus IQ Extension for Microsoft Visual Studio has been added to the IQ Server. The extension can be installed from within Microsoft Visual Studio using the Extensions Manager or from the Visual Studio Marketplace.

1.30 (May)

The IQ Server 1.30 release contains the following updates:

Customizable System Notice

In the system preferences, system administrators can now configure a system notice. When enabled, the system notice will be displayed in the login dialog as well as on top of every page of the web UI.

Dashboard UI Improvements

The Violations tab on the Dashboard has been enhanced for easier readability. Results are now shown in a single row, and the Latest Report link has its own column for simple access.

1.29 (May)

The IQ Server 1.29 release contains the following update:

Optional changes to dashboard filter defaults

This release includes an option to change the behavior of the initial dashboard state to alleviate performance concerns. Contact the product team if you’re interested in trying this feature and providing feedback.

1.28 (May)

The IQ Server 1.28 release contains the following update:

PyPI data available in Nexus Firewall

PyPI packages are now supported in Nexus Firewall. Available data includes identification, licenses, and security vulnerabilities.

1.27 (April)

The IQ Server 1.27 release contains the following updates:

Dashboard Filtering by Violation State

The Dashboard now allows you to filter its views by the state of a policy violation. That is, you can also include waived violations in your reviews of application health. Likewise, you can exclude all open violations and focus on the effects from policy waivers.

CSRF Protection for REST API when using Reverse Proxy Authentication

This release extends protection against cross-site request forgery (CSRF) to cover the case where the public REST API of IQ Server is exposed via reverse proxy authentication. As a consequence, clients accessing the REST API in combination with reverse proxy authentication need to be updated to include additional HTTP headers in their requests to IQ Server when these requests can alter data.

Reduction of Ongoing Disk Space Growth

To reduce the storage requirements, especially during long-term use, this version of IQ Server no longer archives the binary fingerprints (sonatype-work/clm-server/scan) for all application evaluations. Going forward, only the binary fingerprints for the most recent evaluation of a given application and stage are kept on disk. The fingerprints used for a previous application evaluation at the same stage are automatically deleted.

Session Timeout Reset

To address security requirements, the IQ Server user interface now resets to the login state upon session expiration. This results in a loss of in-progress changes when your session times out. The session expires after thirty minutes of inactivity. To avoid loss of changes, complete all tasks prior to the timeout.

1.26 (March)

The IQ Server 1.26 release contains the following updates:

PKI Authentication for Integrations

Tools and plugins can be configured to use PKI authentication, which delegates authentication to the Java Virtual Machine (JVM). A reverse proxy server is required when using PKI authentication.

Nexus IQ for Jenkins 2.x

A new Nexus IQ for Jenkins 2.x plugin is now available. For Pipeline projects, Nexus IQ for Jenkins 2.x allows for more advanced customization and automation for evaluating a Jenkins Workspace. Nexus IQ for Jenkins 2.x is best suited for new users running Jenkins 2.x.

Security Advisory

In this release, protection was added to reverse proxy authentication to address Cross-Site Request Forgery (CSRF) attacks at integration API endpoints. CSRF protection is now enabled specifically for requests authenticated via reverse proxy authentication, including SSO and PKI authentication.

All integrations in the 1.26 release support CSRF protection. Older integrations are not compatible and should be upgraded. If not upgraded, you may need to disable CSRF protection.

The public API is subject to CSRF attacks when made available through reverse proxy authentication. In typical use, the public API is for system-to-system integrations, and in those scenarios reverse proxy authentication is not expected between the two systems. CSRF protection will be added to public APIs exposed via reverse proxy authentication in a future release.

1.25 (January)

The IQ Server 1.25 release contains the following updates:

Support for Multiple LDAP Servers

IQ Server now supports authenticating against multiple LDAP servers, each with its own unique configuration. These updates allow you to add, remove, and reorder multiple LDAP servers. Once arranged, authentication searches the ordered list for a positive match on credentials.

Support for Webhooks

Webhooks allow you to integrate IQ Server into your process. For example, you can set up webhooks to fire when application evaluations are complete, letting you automate processes that tie into the IQ Server.

Updates to Saved Filters

The name of a saved filter is now added to the file name when exporting data.

When you open a saved filter, the filter name now appears at the top of the Manage Filters menu.

Custom JIRA Fields

JIRA Notifications can now be configured to supply a predefined value to any field via the Custom Fields section. This allows the configuration of JIRA issue types that have required fields that are not configurable through the IQ Server UI.