2021 Release Notes


Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

IQ Release 131 (December 2021)

Fixed issue with archived repos

An issue with the SCM onboarding feature has been fixed, where the onboarding process could not load all unarchived repositories if there was a large number of archived repositories in a Git organization.

Dependency Tree REST API

Application dependency tree data for Java & NPM components is now available using the Report REST APIs.

IQ Release 130 (December 2021)

Update logback Library Version in IQ

Nexus IQ Server does not use log4j; it uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability existing in "logback", we're taking precautionary measures by updating the logback library version used in Nexus IQ products.

Cran and Cargo Matching Improvements

Cran and Cargo data have been improved for both Lifecycle and Firewall.

Conda Matching Improvements

Conda data has been improved for both Lifecycle and Firewall. Adopt the updated command and file for better results; refer to Conda Application Analysis for more information.

Application PDF Report Enhancements

The Application PDF Report now lists the Effective, Declared, and Observed licenses separately in the Licenses table and indicates if an Effective license is Overridden.

IQ Release 129 (December 2021)

Component Remediation Performance Improvements

Added some performance improvements affecting component remediation (both UI and API).

Fixed Issue with Component Details Page Legal Tab not loading

Fixed an issue that could cause the legal tab on the component details page to not load for some components.

IQ Release 128 (November 2021)

New Component Details Page

This new Component Details Page is a fully redesigned experience within a singularly dedicated page. This new page provides an improved layout, new comparison functionality to better identify ideal component versions, an increased focus on waiver statuses, and dedicated Security and Legal tabs.

Fixed Issue with Advanced Legal Pack Attribution Report Generation

Fixed an issue that caused attribution report generation to fail when a report contained an InnerSource or proprietary component.

IQ Release 127 (November 2021)

Reset Source Control Configuration

Users can now reset an organization or application source control configuration.

Component Information Panel's License Tab Links to Advanced Legal Pack

The license tab in the Component Information Panel (CIP) now contains a link from that tab to the component's legal obligation details page in the Advanced Legal Pack. This is useful for legal reviewers who are attempting to remediate legal policy violations from a Firewall report, an IDE integration, or a policy evaluation.

Advanced Legal Pack Customized Attribution Reports

The Advanced Legal Pack (ALP) now allows users to customize their attribution reports. Initial options allow users to add custom headers, footers, titles, and various appendixes. The ability to include standard license text as an appendix can reduce report sizes by as much as 80% and the ability to include generic legal text allows users to include legacy third-party notices or legacy attribution reports with the newer ALP attribution reports.

IQ Release 126 (October 2021)


There is an issue with some IDEs not being able to load data from IQ 126. Customers should upgrade to IQ 127 if experiencing this issue.

Source Control Evaluation REST API

The Manifest Evaluation REST API was deprecated in favor of the new Source Control Evaluation REST API, which is 100% backward compatible.

SSH Support for IQ for SCM Operations

SSH is now supported as a transport protocol for Git operations in IQ for SCM.

IQ Release 125 (October 2021)


There is an issue with the 'Orgs and Policies' view in IQ 125 which can cause errors to appear in the web UI when viewing organizations. Customers should upgrade to IQ 126 if experiencing this issue.

Improved Policy Evaluation Performance

A potential regression in policy evaluation performance introduced in Release 104 has been mitigated. This reduces the chance of lock timeout exceptions especially when using the default embedded H2 database.

New Source Control Configurations

Two new options were added to the Source Control Configuration to allow users to enable or disable pull request commenting and IQ-initiated source control evaluations.

Pull Request Commenting Improvements

The policy evaluation selection for Pull Request Commenting has been optimized.

Conan Matching Improvements

Conan data and matching have been improved for both Lifecycle and Firewall.

Dependency Information Improvements for NPM

NPM Dependency Information detection has been improved to display more accurate results.

Source Control Repository Information Visibility

The repository configured under source control has been made more visible in the Organizations and Applications view.

Source Control Onboarding Performance Improvements

The Easy SCM Onboarding for Bitbucket Server has received some performance improvements.

Support for Pull Request Status and Target Branch Protection in Azure DevOps

The policy result for a scan is now available in the Azure DevOps pull request screen. This enables target branch protection for Azure DevOps.

Support for Evaluating Java 17 Applications and Components

The application and component evaluation have been updated to support Java 17 bytecode.

IQ Release 124 (September 2021)

Fixed Source Control REST API

Fixed an issue with the Source Control REST API whereby some fields in the response JSON had been renamed. The previous names have been restored.

IQ Release 123 (September 2021)

Fixed Issue with NPM Scans

Fixed an issue with some NPM scans that were causing IQ Server 122 evaluations to fail when reading dependency information.


There is an issue with the Source Control REST API in IQ 123; customers should upgrade to IQ 124 if using this API.

IQ Release 122 (September 2021)

Dependency Information for NPM

NPM project scans with manifests allow the displaying of dependency information for NPM components (Direct and Transitive).

Refer to npm Application Analysis and Application Composition Report for more information.

InnerSource Insight for NPM

InnerSource dependency analysis allows a user to visualize NPM InnerSource components and their transitive dependencies in a report with links to any associated applications.

Refer to InnerSource Insight for more information.

InnerSource Insight UI Improvements

Reports containing InnerSource Insight components will have more and better information about their transitive dependencies and relationships.

Refer to InnerSource Insight and the Component Information Panel for more information.

InnerSource Insight Transitive Violations Group Waiver

IQ Server now has the ability to group waive InnerSource transitive policy violations.

InnerSource Insight Report Filter

IQ report filters now allow filtering by a component's InnerSource status.

Azure DevOps Support in Source Control Features

Support for Azure DevOps in Automated Pull Requests, Pull Request Commenting, and Automated Commit Feedback.


  • Some NPM scans might fail due to an issue discovered in IQ 122; customers should upgrade to IQ 124 if NPM scans are being used.

  • There is an issue with the Source Control REST API in IQ 122; customers should upgrade to IQ 124 if using this API.

IQ Release 121 (July 2021)

General Fixes and Improvements

In this version, we have addressed a few bugs in IQ and made some performance improvements.

IQ Release 120 (July 2021)

Continuous Risk Profile

Continuous Risk Profile keeps default branch policy evaluations up to date with fresh source control policy evaluations regularly (configurable). In addition, IQ server will keep feature branch policy evaluations updated with new source control policy evaluations as new commits are made to those feature branches (assuming a pull request exists for that feature branch).

IQ for SCM supports Gradle property files

IQ for SCM makes use of '' files in providing SCM feedback.

IQ Release 119 (June 2021)

SBOM Improvements and Bug Fixes

CycloneDX SBOM scans using the Third-Party Scan REST API and CLI have been improved to display better results in the report and some bugs have been fixed as well.

IQ Release 118 (June 2021)

Swift Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from the dependency file of a Swift Application Analysis.

Important update for CocoaPods users

Starting June 30, Nexus Lifecycle and Nexus Firewall users may experience a change in CocoaPods results due to some major improvements to our identity and security data services.

IQ Release 117 (June 2021)

Fixed Regression with Component Search REST API

Fixed an issue where using the Component Search REST API could render application reports inaccessible without setting the experimental feature flag componentSearchApiWithInnerSource to false. It is now safe to remove this flag or to set it to true.

Support for CycloneDX 1.3

The Third-Party Scan REST API, CycloneDX Application Analysis, and View SBOM option have been extended to support the schema version CycloneDX 1.3 for XML format.

IQ Release 116 (June 2021)


Customers should avoid using the Component Search REST API without the following setting in their IQ Server configuration Config YAML file as otherwise it can render application reports inaccessible.

  componentSearchApiWithInnerSource: false

Fix for automated PRs

Fixes a regression for automatic pull requests when using Linux or Mac and the native git support.

Dependency Data in REST APIs

Dependency data for Java components is now available using the Report REST APIs and Component Search REST API.

IQ Release 115 (May 2021)


The Options dropdown in the evaluation report allows you to view the component bill of materials of the report in CycloneDX REST API.

Improvements to Python Application Analysis

IQ Server (through CLI) now supports evaluating policies against Python components defined in poetry.lock files.

Multiple SCM Support

IQ Server now allows the configuration of multiple source code management systems.

IQ Release 114 (May 2021)

Support for CycloneDX 1.2

The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the schema version CycloneDX 1.2 for XML format.

The Advanced Legal Pack Is Now Available for Purchase

This add-on to Nexus Lifecycle will help you automatically comply with the components’ terms of use.

Next-gen Firewall is Now Available for Purchase

This new product from Sonatype helps you stop known risks, novel malware, and 0-day attacks from being downloaded into your repositories.

IQ Release 113 (April 2021)

Fix for Advanced Legal Pack Attribution Reports That Contain InnerSource Components

Fixed a critical error that prevented attribution report generation for applications that contained an InnerSource component.

Availability of Nexus IQ CLI as Debian/Ubuntu and Homebrew package

The Nexus IQ CLI binaries are now available to be installed as a deb package on Debian/Ubuntu-based Linux systems and as a Homebrew package on Mac OSX.

IQ Release 112 (April 2021)

Enhanced Navigation Experience

As of this release, the navigation has been moved to the left side of the screen and the Dashboard Filter is now accessible via the "Filter" button on the upper right side of the Lifecycle Dashboard pages.

Support for Evaluating Java 16 Applications and Components

The application and component evaluation have been updated to support Java 16 bytecode.

IQ Release 111 (April 2021)

Fix for HTTPS/SSL Evaluations with Large Files

Fixed an error where evaluating a large file could cause an exception if IQ Server is configured to use HTTPS/SSL.

Advanced Remediation Strategies in IQ for SCM

Advanced Remediation Strategies are available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

IQ Release 110 (April 2021)

Fix Evaluation for Java 14 and Higher Binaries from UI

Fixed an error occurring when evaluating a binary file from UI compiled with Java 14 or higher.

IQ Release 109 (April 2021)

Easy SCM Onboarding

Allows users to quickly create IQ applications for the repositories IQ Server detects in their configured source control management (SCM) system.

Instant Risk Profile

Performs an initial IQ Server scan of the contents of source control repositories for new IQ applications created by SCM Easy Onboarding.

Continuous Risk Assessment

As new pull requests are detected for IQ applications, IQ Server may perform a one-time source control scan of the feature branch associated with the pull request and comment on the pull request if new vulnerabilities are discovered or if existing ones have been remediated. This source control scan will only be performed if the customer's CI system is not otherwise initiating scans and policy evaluations for the given application.

IQ Release 108 (March 2021)

Breaking Changes Information in IQ for SCM

Breaking changes information is available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

Application Reports

Added "Triggered by" information to application reports.

Advanced Legal Pack Initial Release, Now Available for Purchase

Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:

  • Automation of attribution reports that comply with 90+% of OSS obligations.

  • Enhanced legal data pertinent to obligations (e.g. all copyright statements, all notice statements, and all license texts found in a component).

  • Legal workflow to resolve license obligations (per component, per license).

  • Ability to save attribution and obligation resolutions on a per component, per license basis at the organization or application level.

  • Ability to customize and edit attribution reporting as needed.

IQ Release 107 (March 2021)

Java Manifest Application Analysis

IQ Server (through CLI) now supports evaluating policies against Java components in pom.xml and build.gradle files.

Performance Improvements
  • Various bug fixes and performance enhancements.

IQ Release 106 (February 2021)

Namespace Confusion Protection

Nexus users can now automate protection against dependency/namespace conflict at scale by connecting Nexus IQ Server's policy management and component intelligence data with proxy repositories in Nexus Repository Manager.

For more details, check out our demo video to see how Nexus users can start protecting against dependency/namespace confusion attacks at scale.

Improvements to Manifest Analysis
  • Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.

  • Updated CLI scanner to parse package-lock.json files stored inside an archive.

  • Fixed parsing errors when scanning yarn.lock and csproj files.

IQ Release 105 (February 2021)

Performance Improvements
  • Various bug fixes and performance enhancements.

  • Fixed an edge case while using the external database where the application would run into a deadlock and cause the database pool to be exhausted.

Fixed NuGet Manifest Scanning Issue

Fixed Initialization error in NuGet manifest scanning with CLI.

IQ Release 104 (January 2021)

Fix for GZip Expansion Vulnerability

Releases 86 to 103 (inclusive) of IQ Server are affected by CVE-2020-27218, a security vulnerability that allows an attacker to inject data into the body of the request. We advise you to update your IQ Server to this new release, which contains the required fix.

Update to Third-Party Scan REST API

Third-Party Scan REST API responses now contain additional report URLs to aid navigation.

IQ for SCM supports Go Projects

Automated pull request feedback is now available for Go projects in all supported Source Control Management platforms.

InnerSource Insight Improvements

InnerSource Insight was improved and now supports:

  • Policy Condition Dependency Type now has the ability to tune policy using the InnerSource dependency type.

  • Improved detection of proprietary modules that are not demarcated as InnerSource (instead of marking them as “unknown”).

  • Better detection of Direct Dependencies when they are associated with both an InnerSource component and the parent application.

NPM and NuGet Manifest Application Analysis

IQ Server (through CLI) now supports evaluating policies against:

  • NPM components defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.

  • NuGet components defined in *.csproj and packages.config files.