Skip to main content

2019 Release Notes


Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

Release 81 (December 2019)

Extended Organization REST API

The organization REST API now supports retrieving information for a single organization by its identifier or name.

Extended Component Label REST API

The component label REST API can now manage component labels for an entire organization.

clm-maven-plugin 2.15.0-01 Requires Java 8

Starting with version 2.15.0-01, the clm-maven-plugin requires Java 8.

License Data and Coordinates Support for Third Party Scanning

The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the following features.

  • Identify component license data.

  • Support coordinate-based matching (in addition to Package URL).

Release 80 (December 2019)

Updated Main Header Design

Visual refresh of IQ Server main header.

Fix for HTTPS/SNI Issue in IQ 79

This release fixes a regression that prevented IQ Server 79 from starting if configured with an HTTPS connector that employed a server certificate making use of SNI.

Release 79 (November 2019)


We are investigating an issue with IQ Server 79 failing to start when configured with a direct (config.yml) HTTPS connector.

Customers using this specific scenario should avoid upgrading to release 79 and instead upgrade to release 80 or newer.

Component Waiver REST API

Added policy waiver scope to the Component Waivers REST API.

Nexus IQ for SCM Configuration UI

The Nexus IQ for SCM Configuration UI allows for configuration of the integration between Nexus IQ Server and an external Source Control Management provider.

Automated Pull Requests

Automated Pull Requests allow for the automatic creation of pull requests for policy violations on components that have an available version that remediates those violations.

Release 78 (November 2019)

Components In Quarantine REST API

Components in Quarantine REST API allows you to list repository components that are quarantined.

Release Component from Quarantine REST API

Release Component from Quarantine REST API allows you to release a quarantined repository component by waiving the policy violations causing the component to be quarantined.

Vulnerabilities Support for CycloneDX Application Analysis

CycloneDX Application Analysis is now extended to support submitting component vulnerabilities.

Release 77 (November 2019)

Clair Scan Evaluation

IQ Server integration with Clair provides you the ability to identify and apply IQ policies against Clair scanner results.

CycloneDX Application Analysis

IQ Server can now be used to evaluate policies against a software component list supplied in CycloneDX SBOM (software bill-of-material) format. This can be used in the following ways.

  • Third-Party Scan API allows you to evaluate a CycloneDX SBOM via REST interface.

  • CycloneDX Application Analysis allows you to evaluate a CycloneDX SBOM via Nexus IQ CLI / IQ Server UI.

Release 76 (October 2019)

Component Waiver REST API

Component Waivers REST API allows you to retrieve components with waivers for applications and repositories.


All repository reports must be re-evaluated in order to include the most accurate policy waiver information used by the new API.

User Tokens REST API

User Tokens REST API allows IQ users to create and delete user tokens. It also allows IQ Server administrators to purge obsolete tokens.

General improvements and bug fixes:

  • Fix bug with Firewall Audit and Quarantine where IQ Server database errors were more likely to occur on under-resourced hosts.

  • IQ Server UI links to Firewall results from the Repository settings page in the Organizations and Applications configuration.

Release 75 (October 2019)

Anonymous Vulnerability Lookup

You can now look up a vulnerability without logging in.

Vulnerability Details REST API

Vulnerability Details REST API allows you to retrieve vulnerability details in the form of JSON.

Release 74 (September 2019)

Single Sign-On via SAML

IQ Server can now be configured to enable single sign-on via SAML during login, which can be done by a system administrator via the UI or via the SAML REST API.

Support for Evaluating Java 13 Applications and Components

The application and component evaluation have been updated to support Java 13 bytecode.

Release 73 (September 2019)


Shortly after the wide release, a rare issue was found that can prevent the successful upgrade of IQ Server.

To help avoid upgrade failures and forced rollback procedures, this release is not a recommended install. Use release 72 or release 74 and newer instead.

Fix for Remote Code Execution Vulnerability

All previous releases of IQ Server suffer from a security vulnerability that allows authenticated users with the Edit System Configuration and Users permission to execute arbitrary code. We advise you to update your IQ Server at the earliest opportunity to this new release which contains the required fix. Details have been published on October 17: CVE-2019-16530 .

Release 72 (September 2019)

Removed Support for Anonymous Access

The support for anonymous access used by very old IQ clients and plugins was removed from the IQ Server. This doesn't affect you unless you are still using very old IQ clients or plugins. If present, the optional anonymousClientAccessAllowed setting should be removed from the config yml file used to configure the IQ Server.

Request Waiver Workflow

The policy violation ID has been added to the REST API to facilitate Requesting a Waiver

Source Control Onboarding

During policy evaluation, the commit hash and repository URL are automatically deduced allowing our scanners (CLI, Jenkins, GitLab, etc) to pick up which commit and repository they are evaluating against. This will allow Nexus IQ for Git to push policy evaluation report summaries to Git commits and pull requests with minimal configuration.

Release 71 (August 2019)

Request Waiver Workflow

You can now Request a Waiver when your workflow for waivers is handled outside of the IQ Server.

Policy Evaluation Summary in GitLab

Policy evaluation report summaries and a link to the report can now be viewed on GitLab commits and pull requests.

Release 70 (August 2019)

REST APIs to Manage Users and Roles

Several additions to the public REST API of IQ Server were made to help automate the management of users and their roles:

  • User REST API

  • Role REST API

  • Role Membership REST API

New CycloneDX REST API

We support the generation of SBOM using industry-standard CycloneDX specifications. The new CycloneDX REST API returns an SBOM containing coordinates and licenses for components in a scan report.

Release 69 (July 2019)

Package URL (purl-spec) Support in Policy Configuration

You can now use package URLs when configuring constraints in policy management.

Mitigate IQ Server Client Timeouts

IQ Server clients now poll for application evaluation results rather than waiting on the socket. Clients affected by this change are CLI, Jenkins, Bamboo, and Maven plugins.


IQ Server needs to be upgraded first in order for new clients to work properly.

Docker Image User Permissions Migration


The sonatype/nexus-iq-server docker image for IQ version 69 changed the base image from CentOS to RedHat UBI (Universal Base Image). As a result, the UID of the Nexus user has changed from uid=999 to uid=998, which will impact access to persistent data.

Release 68 (July 2019)

Fix for Caching of UI Resources Between IQ versions

Recent versions of IQ have had a bug where user interface resources could be cached within the browser across IQ version upgrades. This could cause a mismatch between the IQ frontend and backend code, or even a mismatch between different parts of the frontend code. This would result in UI breakages, such as an oversized IQ logo rendering the page unusable in Release 67. IQ 68 differs from IQ 67 only in that it fixes this issue.

Release 67 (July 2019)

Policy Evaluation Summary in GitHub

Policy evaluation report summaries and a link to the report can now be viewed on GitHub commits and pull requests.

Package URL (purl-spec) Support in Public APIs

The following APIs are extended to support package URLs in requests and responses:

  • Component Search REST APIs

  • Component Evaluation REST APIs

  • Component Details REST APIs

  • Component Remediation REST APIs

  • Violation REST APIs

  • Report-related REST APIs

Vulnerability List in the Application Composition Report

The Application Composition report now includes the option to easily see a list of the vulnerabilities that triggered policy violations associated with a given application.

Dropped Support for IE9 and IE10

As of Release 67 IQ no longer provides support for Internet Explorer 9 & 10.

Release 66 (June 2019)

Command to Reset the Admin Account Password and Roles

A new command was added to reestablish the default admin account in a shutdown IQ Server including its default password and roles.

Package URL (purl-spec) Support in Public APIs

We are rolling out package URL-based component information access as an alternative to the coordinate-based component information retrieval in REST APIs. The following API is extended to support package URLs.

  • Component versions REST API

Optional 'Description' Field for Webhook Configurations

The webhook description is displayed in the UI where webhooks can be selected such as the webhook list or the policy editor.

Component Remediation Information added to the Component Information Panel

Component Remediation Suggestions have been added to the Component Information Panel. For components that have policy violations, it will show the next available version that does not violate any policies for the given application, if such a version exists. This will be shown in the Application Composition Report and the IDE plugins.

Release 65 (May 2019)

Policy-centric Application Composition Report

The policy-centric Application Composition Report is no longer in preview mode and has now replaced the previous version of the report. The previous version is still accessible through the link provided in the new UI.

Application Composition Report API - Policy Violations

A new endpoint was added in order to provide policy violation data for a given report. See "Policy Violations by Report REST API (v2)" in Report-related REST APIs.

Component Remediation API - Next Non-failing Remediation Type

Added a new remediation type for the next closest component version which does not fail any policy violations.

Release 64 (April 2019)

Application Reports as Point-in-Time Data

Existing Application Composition Reports are not updated anymore when changes are made in the Component Information Panel. These changes become visible only when the application is re-analyzed (via the re-evaluation button or a new evaluation being triggered from CI, CLI, policy monitoring, etc). This ensures that the reports reflect the state of the application and policy evaluation results at the time the application was analyzed.

Web UI to Configure Data Retention Policy for Success Metrics

This release completes the data retention and purging feature introduced in release 63 by extending the IQ Server UI with the elements needed to inspect and edit the data retention for Success Metrics.

Component Remediation API

In order to facilitate automation and customization of component remediation, IQ Server now supports a Component Remediation API. The first release of the API provides similar data from the component intelligence panel version graph in a machine-readable format. The result of the request provides component remediation suggestions for policy violations on a per-component basis.

Release 63 (March 2019)

Data Retention Policies for Automatic Purging of Obsolete Application Reports and Success Metrics

To reduce the disk space consumption of the IQ Server, you can now specify data retention policies for application reports and Success Metrics. Reports, that according to these retention policies are deemed obsolete, are automatically purged from sonatype-work/clm-server/report. Likewise, policy violation history that is no longer relevant for Success Metrics is purged from sonatype-work/clm-server/data. But note that automatic purging needs to be manually enabled after IQ Server is upgraded to the new version.

Release 62 (March 2019)

Support for Specifying Python Coordinates in Policy Constraints

Users can now specify Python (PyPI) component coordinates when configuring constraints in policy management.

Support for Evaluating Java 12 Applications and Components

The application and component evaluation have been updated to support Java 12 bytecode.

Release 61 (February 2019)

Sonatype’s Nexus Firewall Now Protects JFrog Artifactory

Firewall now supports Artifactory repositories.

Cleanup of Obsolete Scan Files

To reclaim disk space, this release includes a background task that deletes obsolete files from the sonatype-work/clm-server/scan directory. This task is only run once and scheduled automatically for 11 pm local time after the IQ Server is upgraded. Depending on the number of obsolete scan files in your installation, you might see elevated IO activity during that time when the files are removed.

Nexus Firewall Bug Fix

Fixed a bug that resulted in Component IQ not being displayed in Nexus Repository Manager.

Release 60 (February 2019)

Note: Build 1 of this IQ Server release (denoted by 1.60.0-01 in its filename) had a flaw that prevented its startup without a license. If you were quick enough to download this version, please re-download the latest build (1.60.0-02).

Policy Violation Logging

A new policy violation logging feature, which must be explicitly enabled, is now available. It logs its data to a dedicated log file in JSON format. This allows for easy line-by-line parsing for inspection, analysis, and extraction of desired data. It can be enabled/customized in your IQ Server configuration.

Support for Scanning Python Wheel Packages

Python wheel packages are now recognized by the Sonatype IQ Server, CLI, Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner .

Release 59 (January 2019)

Release 58 (January 2019)

Support for Evaluating Java 10/11 Applications and Components

The application and component evaluation have been updated to support Java 10/11 bytecode.

Audit Logging for Policy Violation Notifications and Webhooks

Audit loggingfunctionality has been extended to include

  • Sending notifications for policy violations.

  • Invoking a webhook.

Python Coordinate-Based Matching for More Clients

Python coordinate detection via the requirements.txt file has been extended from just theSonatype IQ Server and CLI to also include the Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner.

Release 57 (January 2019)

Audit Logging for Reporting

Audit logging functionality has been extended to include

  • Viewing repository results.

  • Viewing component information panel data.

  • Accessing and managing success metrics.

  • Accessing dashboard table data.

  • Exporting policy violations.

  • Searching components.

  • Evaluating IDE projects.

  • Evaluating individual components via the REST API.

Component Category in CIP

The Component Information Panel has been updated to display the component category identified by Sonatype.

Policy Centric App Report Preview

A new look of the Application Report is being added to IQ which will allow the user to interpret the report in a more policy-centric manner. We call this the Policy Centric App Report and a preview of this new look is now available alongside the existing reports.