Skip to main content

2018 Release Notes


Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

Release 56 (December 2018)

Audit Logging for Security Management, Organization Management, Application Management, Reporting and Server Configuration

Audit logging functionality has been extended to include

  • LDAP integration.

  • Managing role membership.

  • Managing organizations.

  • Managing applications and automatic applications.

  • Configuring the system notice.

  • Installing or uninstalling a product license manually or automatically.

  • Starting and stopping the server.

  • Managing webhooks.

  • Accessing the application composition report.

Automatic Application Creation Minimum Role

Automatic application creation now requires the user to have the Evaluate Applications permission, which requires a minimum role of Application Evaluator, for the designated parent organization.

Python Coordinate-Based Matching

Scanner functionality has been extended to include Python coordinate detection via the requirements.txt file.

Release 55 (November 2018)

Audit Logging forPolicy Management, Security Management, and Nexus Firewall Events

Audit logging functionality has been extended to include

  • Managing application categories.

  • Managing component labels.

  • Managing license threat groups.

  • Managing policies.

  • Managing repositories and component quarantine.

  • Managing users.

  • Managing custom roles.

Policy Violation Waivers

The user interface for adding waivers was improved to make it easier to understand what exactly is waived and the scope of the waiver (application, parent organization, or root organization).

Nexus IQ for Jenkins now expands environment variables for manual application IDs

Nexus IQ for Jenkins 3.3.20181102-112614.a65c3f1 now supports the expansion of environment variables for manually-entered application IDs.

Success Metrics bug fix

Fixed a bug that caused a failure to load Success Metrics Reports on some data sets.

Release 54 (November 2018)

Audit Logging for Policy Management Events

Audit logging functionality has been extended to include

  • Updating proprietary component configuration.

  • Updating continuous monitoring.

  • Creating or deleting waivers.

Policy Violation Waivers

When applying for policy violation waivers, inform users when an older report needs upgrading before applying for waivers.

Important Fix

Release 53 introduced a bug that prevents the processing of HTTP requests that use GZIP compression. Among others, this hinders the Eclipse plugin from performing similar matching. The new release resolves that issue.

Release 53 (October 2018)

Audit Logging for Policy Evaluation and Component Data Events

Audit logging functionality has been extended to include

  • Application evaluation-related events. These events will be logged when application evaluation is triggered via various paths including through IQ Server's UI, integrations, REST APIs, continuous monitoring, and policy re-evaluations.

  • Claiming and revoking claimed components.

  • Changing the status of security issues.

  • Editing license information associated with a component.

  • Assigning and removing component labels.

  • Configuring, applying, and revoking policy violation grandfathering.

Policy Violation Waivers

Waivers have been updated to support waiving a specific violation. This aligns policy waivers with the updated Policy Violation Comparison Behavior.

Release 52 (October 2018)

Audit Logging for Authentication Events

A new auditing feature has been introduced. For this release, auditing is limited to authentication-related events. We will extend the auditing functionality incrementally in future releases. Out of the box, each audited event will be written to a dedicated audit log file as a JSON object allowing for easy line-by-line parsing for inspection, analysis, and extraction of desired data. Audit logging can be customized in your IQ Server configuration.

Automatic License Installation

A new configuration option has been added that, given a path to a license file, will automatically install that license on an unlicensed IQ Server.

Success Metrics Data REST API

The data that Success Metrics charts are based on is now also accessible via an API.

Release 51 (September 2018)

Promote Scan REST API

The Promote Scan REST API allows an existing scan data file to be promoted to a different stage. This means that it will be evaluated at the current point in time at the specified stage. This evaluation will use the most recent security and license data as well as your current policies against the snapshot of the application that the scan data file represents.

Time-based Filtering for Violations

The Dashboard now provides an Age Filter for time-based filtering of violations. The default window is 30 days with additional options of 24 hours, 7 days, 90 days, 12 months, and 'all time'.

Security Fix for Lifecycle XC CLI

Updated a vulnerable dependency of Nexus IQ CLI to fix a zip extraction vulnerability that was exposed when running in its XC (Expanded Coverage) mode.

Policy Violation Grandfathering on Demand

Policy Violation Grandfathering now supports manual grandfathering of existing policy violations at the application level. Subsequent evaluations will treat these policy violations as grandfathered.

Release 50 (August 2018)

To support the new Policy Violation Grandfathering feature in this release, the Maven, Jenkins, and Bamboo plugins have been updated. The new plugins in this release are not compatible with older IQ Servers and will stop with a message indicating the incompatibility. Previous plugins will function with this IQ Server release, but they won't have the full features from Grandfathering.

Happy 50th release!

In celebration of our 50th release, we've changed the versioning scheme of IQ Server. For this release, and all future releases, we're dropping the "1." prefix to indicate the continuous stream of features the IQ Server team delivers, and also highlight the feature increments throughout releases.

Improved JavaScript Reporting

We have streamlined the display of JavaScript results by significantly reducing the noise. Individual JavaScript files identified as belonging to the same component are aggregated and presented as a single line item. This improves the readability and comprehensibility of JavaScript results while retaining all of the discovered vulnerabilities and occurrences.

Policy Violation Grandfathering

The Policy Violation Grandfathering feature allows policy violations to be "grandfathered" to streamline the process of onboarding new applications with existing policy violations. Migration of large datasets could take longer to migrate, in our testing it was less than 10 minutes on fast disks.

Policy Violation Comparison Behavior

We have changed the policy violation comparison (diffing) feature to make it more accurately highlight risk.

1.49 (July 2018)

Security Fixes for HTTP Connector (Jetty)

Updated Jetty to fix several vulnerabilities related to HTTP request parsing.

1.48 (June 2018)

Policy-centric Component Information Panel

The Component Information Panel has been updated to display policy violations instead of security vulnerabilities and license issues.

Fixes for Recording Component Occurrences

In some cases, the IQ CLI and our CI plugins for Bamboo and Jenkins recorded incomplete pathnames for the components in applications, causing misleading information in the Occurrences tab and issues in detecting proprietary components. We have fixed this in the new versions of those tools but there's a catch: If you previously configured regular expressions for proprietary components that only match exact pathnames, i.e. do not start with .* or similar wildcards, those regular expressions might need updating to account for the fixed pathnames.

Security Fix for JavaMail

Updated JavaMail to fix leaking host and username in message headers (SONATYPE-2017-0492).

Security Fix for Lifecycle XC CLI

Updated a vulnerable dependency of Nexus IQ CLI to fix a Zip Slip vulnerability that was exposed when running in its XC (Expanded Coverage) mode.

Component Labels REST API

Nexus IQ Server now has a Component Labels REST API for adding and removing component labels for an application.

1.47 (April 2018)

Component Versions REST API

Nexus IQ Server now has a Component Versions REST API for returning a list of versions for a component.

Improvements to the Getting Started Page

The "Getting Started" page now indicates if there are any connectivity issues with Sonatype Data Services.

Persistent Warning to Change Default Password

A persistent warning is displayed if the default password for the built-in 'admin' account is not changed.

Automatic Application Creation for Nexus IQ for Jenkins

Nexus IQ for Jenkins 3.0.20180425-130011.728733c now supports automatic application creation.

1.46 (April 2018)

Automatic Application Creation for Sonatype CLM for Maven

Sonatype CLM for Maven 2.8.1-01 now supports automatic application creation. As part of these changes, anonymous access is no longer supported and credentials must be provided in order to communicate with Nexus IQ Server.

Automatic Application Creation for Nexus IQ for Bamboo

Nexus IQ for Bamboo 1.8.0 now supports automatic application creation.

RubyGems Data Available in Nexus Firewall

RubyGems packages are now supported in Nexus Firewall. Available data includes identification, licenses, and security vulnerabilities.

Getting Started Page

Nexus IQ Server has added a "Getting Started" page to facilitate onboarding administrative users. For non-administrative users, a list of helpful "Learning Topics" are provided.

Performance Fix

A performance issue was found in 1.45 with certain access patterns to violation data. This has been fixed in 1.46. All users of 1.45 are advised to upgrade.

1.45 (March 2018)

Improved Database Format for Reduced Disk Space Consumption

This version of Nexus IQ Server uses a revised format to store the policy violation data to reduce its disk space consumption. Installations that have applications with a long history of policy evaluations or with a high frequency of policy evaluations will benefit from this upgrade.


Depending on the size of your existing installation and the hardware running your IQ Server, upgrading to this new version can take notable time. Be sure to read the instructions for Upgrading the IQ Server to Version 1.45 to prepare yourself appropriately.

Automatic Application Creation

Nexus IQ Server now allows the automatic creation of applications. Users with permission to manage automatic application creation can enable this feature and specify the parent organization for any automatically created applications. When enabled, if a policy evaluation is performed for an application ID that does not exist, a new application with that ID will be created automatically instead of failing. Only the Nexus IQ CLI has been updated to take advantage of this new feature as of this release.

Anonymous Access Removed in Nexus IQ CLI

Nexus IQ CLI no longer supports anonymous access. With this change, we begin the process of phasing out support for anonymous access from Nexus IQ clients.

1.44 (February 2018)

Login Modal Styling Improvements

The Nexus IQ Server login window has been updated with styling that matches the other forms within the application.

Automatic Import of Reference Policies

Upon first start, the Nexus IQ Server will now automatically download and import the current Reference Policy Set. This removes the need for an administrator to manually find, download, and import policies when getting started with IQ for the first time. The manual import capability is still provided.

1.43 (January 2018)

Configuration Changes Due to Upgraded Server Infrastructure

The Nexus IQ Server infrastructure has been upgraded, bringing with it many benefits including a more powerful configuration format for its networking and logging.

If you wish to use a configuration file from a prior version, then you must update it.

Product License Page Improvements

The Product License page has been enhanced to display additional important information including company name, primary contact name and e-mail address, license type(s), licensed users, expiration date, and days remaining. Additionally, we have provided more guidance for license installations.

Sandbox Organization and Application for Fresh Installs

Fresh installations starting with this version will, by default, create a "Sandbox Organization" with a child "Sandbox Application". This is to help facilitate the training of new users by providing a premade and safe sandbox for them to learn within. Please refer to the sample data configuration for more information.