
2022 Release Notes

Note

Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

Release 151 (December 2022)

Improvements

Data Architecture Improvements

This release offers improvements to the existing data architecture for IQ Server and HDS. The changes in data organization will prevent database locking issues due to concurrent transactions on shared resources.

Bug fixes

SBOM generation exception

This release handles the null pointer exception that was thrown when attempting to generate an SBOM from an evaluation report that did not show any components.

Release 150 (November 2022)

New features

Sonatype Lifecycle now offers Experimental Data Insights

Use Experimental Data Insights to view open-source governance behavior across your organization. To get started, click Data Insights in the left navigation bar. Data Insights analyses uncover open-source component usage patterns across your organization.

Data Insights currently offers:

  • Migration Scorecard is a visual representation of component upgrade decisions made by your Java development teams.

  • Stack Divergence is an industry-wide comparative analysis of the popularity of components in your technology stack.

  • Nudges and Anomalies are key indicators of your platform usage. These indicators reveal patterns and trends used in the remediation processes across your organization.

Improvements

Updates to Sonatype Container Scanning with Sonatype CLI

Scanning local images does not require any environment variables.

To scan remote images, the user now has to provide only these two variables:

  1. NEXUS_CONTAINER_IMAGE_REGISTRY_USER

  2. NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD

Bug fixes

Fix to successfully scan files with Byte Order Mark (BOM)

Sonatype IQ Server can now successfully scan files containing the Unicode byte order mark (BOM, U+FEFF).
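The failure mode behind this fix is easy to reproduce: a file decoded as plain UTF-8 keeps the BOM as a leading U+FEFF character, which strict parsers reject. The following added example (not IQ Server code; the sample manifest is constructed) shows the naive decode failing and a BOM-tolerant decode succeeding.

```python
import json

BOM = "\ufeff"  # U+FEFF, the Unicode byte order mark


def decode_scan_input(data: bytes) -> str:
    """Decode file bytes as UTF-8, dropping a leading BOM if one is present.

    'utf-8-sig' consumes the BOM; plain 'utf-8' keeps it as a U+FEFF
    character at the start of the text, which breaks parsers that expect
    the first character to be, for example, '{' or '<'.
    """
    return data.decode("utf-8-sig")


def parse_json_manifest(data: bytes) -> dict:
    """Parse a JSON manifest regardless of whether it carries a BOM."""
    return json.loads(decode_scan_input(data))


def naive_parse_fails(data: bytes) -> bool:
    """Demonstrate the pre-fix behaviour: decode with plain UTF-8, leaving the
    BOM in place, and let json.loads refuse the text. Returns True when the
    parse raises."""
    try:
        json.loads(data.decode("utf-8"))
        return False
    except json.JSONDecodeError:
        return True


# Constructed sample: a package.json-style manifest as saved by an editor that
# prepends the UTF-8 BOM bytes EF BB BF.
SAMPLE_WITH_BOM = b"\xef\xbb\xbf" + (
    b'{"name": "demo-app", "dependencies": {"example-lib": "1.3.0"}}'
)

if __name__ == "__main__":
    print("naive parse fails:", naive_parse_fails(SAMPLE_WITH_BOM))
    print("tolerant parse name:", parse_json_manifest(SAMPLE_WITH_BOM)["name"])
```

The same distinction applies to XML manifests and to any scanner that feeds file contents to a format-specific parser: decode once, BOM-aware, before handing the text on.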

Minor UI fixes

This release covers minor UI fixes like typos and the usage of tooltips to display long component names that appeared truncated otherwise.

Policy violation fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

Fix for CVE-2022-41946

CVE-2022-41946 Public on November 23, 2022, Medium risk, Severity 6.3

Resolution: Upgraded to non-vulnerable component version org.postgresql:postgresql 42.5.1

Fix for SONATYPE-2022-4344

SONATYPE-2022-4344, Sonatype Discovered November 22, 2022, Medium risk, Severity 4.7

Resolution: Upgraded to a non-vulnerable version of the component autolinker (3.16.1) and introduced validations in the code base to verify the trusted source of inputs to the component.

Release 149 (November 2022)

New features

Enabled Scanning of pom.xml META-INF directory

A modification to manifest scans in release 142 ignored pom.xml files located inside a META-INF directory. In most cases (specifically for uber/shaded archives), such a pom.xml does not represent the manifest file of the target application being scanned. For the rare scan targets where these files are the relevant manifests, this release offers a configurable option to enable scanning of pom.xml files inside META-INF.

Improvements

Performance Tuning for Attribution Reports

The Advanced Legal Pack (ALP) uses complex automated processes to generate attribution reports. Retrieving data for multiple applications containing hundreds of components can cause high query times. We have optimized our queries and API calls resulting in improved query statistics for attribution reports.

Sonatype Lifecycle Dashboard Improvements

With this release we continue our improvements to the performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.

Bug fixes

Fix for Expiration Date on Waivers Dashboard

Selecting x days for the Expiration Date filter on the Lifecycle Waivers Dashboard showed already-expired waivers in addition to the waivers that met the filter criteria, i.e. those expiring within x days. This release fixes the expiration date filter to show only waivers expiring within x days.
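To make the corrected filter semantics concrete, here is an added example (not IQ Server code; the waiver records are constructed) of an "expiring within x days" filter that excludes waivers whose expiry is already in the past, alongside a separate filter for the expired ones so the two sets stay distinct.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Waiver:
    waiver_id: str
    policy_name: str
    expiry: Optional[date]  # None means the waiver never expires


def expiring_within(waivers: List[Waiver], days: int, today: date) -> List[Waiver]:
    """Waivers that expire between today and today + days (inclusive).

    Already-expired waivers are excluded: a waiver whose expiry is before
    today is not "expiring in x days", it has expired. Permanent waivers
    (expiry None) are excluded too, since they never expire.
    """
    if days < 0:
        raise ValueError("days must be non-negative")
    cutoff = today + timedelta(days=days)
    return [
        w for w in waivers
        if w.expiry is not None and today <= w.expiry <= cutoff
    ]


def already_expired(waivers: List[Waiver], today: date) -> List[Waiver]:
    """Waivers whose expiry date has passed; the set the buggy filter leaked."""
    return [w for w in waivers if w.expiry is not None and w.expiry < today]


# Constructed sample data around a fixed "today" so the result is reproducible.
TODAY = date(2022, 11, 15)
SAMPLE_WAIVERS = [
    Waiver("w-1", "Security-Critical", date(2022, 11, 1)),   # expired two weeks ago
    Waiver("w-2", "Security-High", date(2022, 11, 20)),      # expires in 5 days
    Waiver("w-3", "License-Copyleft", date(2022, 12, 15)),   # expires in 30 days
    Waiver("w-4", "Security-Medium", None),                  # never expires
    Waiver("w-5", "Architecture-Quality", date(2023, 3, 1)), # well outside the window
]

if __name__ == "__main__":
    for w in expiring_within(SAMPLE_WAIVERS, 30, TODAY):
        print("expiring soon:", w.waiver_id, w.expiry)
    for w in already_expired(SAMPLE_WAIVERS, TODAY):
        print("expired:", w.waiver_id, w.expiry)
```

The boundary choice (inclusive of both today and the cutoff day) is an assumption for this example; what matters for the bug described above is that expired waivers never satisfy the "expiring within" predicate.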

Fix for Forced Idle Timeouts

In IQ Server release 132 and higher, idle timeouts were enforced only in the native implementation, so users could still navigate the UI after the timeout had elapsed. With this fix, IQ Server forces the user to log out after 30 minutes of inactivity.

Fix for User Emails Tooltip

A tooltip to display the email address of users (from LDAP) on the New Role page under Add a Role, had stopped appearing in IQ Server release 143 and later. This has now been fixed.

Policy violation fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

Fix for CVE-2022-1415

CVE-2022-1415 drools: Public on October 27, 2022, Medium risk, Severity 6.8

Resolution: Updated drools to 7.73.0.Final

Release 148 (October 2022)

Emergency Bug Fix Release

Note

This release fixes major bugs in the previous release 147.

Users facing issues with release 147 installations should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 148 and skipping release 147.

Bugs fixed in this release include:

  1. Waiver migrator fails when upgrading to version 147 if "expired" waivers are found.

  2. Clicking on the Export Waivers Data button causes an internal server error.

This release includes memory usage optimization to improve the performance of the Lifecycle Dashboard and its related export feature.

Release 147 (October 2022)

Warning

Release 147 contains some issues. Upgrading to this version is not recommended. Upgrade to a later release.

Waivers View on Dashboard

This release offers an addition to the Lifecycle Dashboard, the Waivers View. Policy waivers will now be readily available for review on the dashboard. Users can access waivers specific to their needs by creating customized filters for the dashboard. The drill-down capability on each waiver in this list offers a more granular view of the waiver. The Export Waivers Data button generates a .csv file populated with all the waiver data that is retrieved based on the dashboard filter settings.

Policy Waiver REST API enhancement

The Policy Waiver REST API can now retrieve details on a single waiver by passing the policyWaiverID in the GET method.

Notable fix for SAML authentication

This release fixes an issue with SAML authentication that prevented IQ Server from correctly identifying group names containing commas.

CycloneDX REST API improvement

We have refactored CycloneDX REST API to include the dependency graph in SBOM, per CycloneDX specification. This is supported for CycloneDX versions 1.2 and higher.

Release 146 (October 2022)

Maintenance Release

This release offers minor bug fixes and general UI improvements.

Some of these include:

  1. Validations for empty (zero-length) strings in text fields

  2. Addition of tooltips

  3. Explanatory error messages for user inputs like invalid dates

  4. Resolution of 404 error for the Data Insights feature

  5. Intuitive label names

Experimental feature flags deprecated in config.yml: the experimentalFeatures setting in config.yml is no longer referenced. For older versions of IQ Server, this configuration setting will have to be deleted from config.yml.

We strongly recommend using Configuration REST API to update the configuration settings for IQ Server 142 and above, instead of config.yml.

Release 145 (October 2022)

Notable bug fix in recent releases

Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from Release 142 and above are now ignored during a manifest scan.

Release 144 (September 2022)

View all affected version ranges of an implicated component

The Vulnerability Details page contains a section that lists all affected version ranges of the implicated component. This will help users recognize different versions of an implicated component, which could also have security vulnerabilities.

Improvements to the Sonatype Platform Plugin for Jenkins for auto-creating new applications

To evaluate a new application that has not been onboarded to IQ Server, using the Sonatype Platform Plugin for Jenkins, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

Targeting peak performance for policy evaluations

As a result of our code optimization efforts, this release offers significantly faster policy evaluations. We have eliminated performance bottlenecks that occurred in scenarios with hundreds of concurrent users and complex policy evaluations.

Release 143 (September 2022)

Search for vulnerabilities by any known ID

Users can look up vulnerability details by entering any known vulnerability ID on the vulnerability lookup page or via the Vulnerability Details REST API. The vulnerability ID can be a Sonatype ID (assigned by Sonatype researchers) or just the CVE ID (a CVE may also have a Sonatype ID if it was discovered first by Sonatype researchers).

Affected version ranges of an implicated component now returned in the Vulnerability Details API

To help users avoid choosing different versions of an implicated component, which could also have security vulnerabilities, we now report all affected version ranges of the implicated component. The affected version range can be retrieved using the Vulnerability Details REST API by passing the component identifier as a query parameter.

Fine-tuned risk management with additional policy constraint CWE ID

Users can now create security policies to evaluate components against the reported CWE IDs. Selecting Security Vulnerability CWE from the dropdown in the conditions section of the policy page now allows defining policy constraint conditions based on the CWE ID.

CycloneDX REST API Improvements

We have enhanced the response for CycloneDX REST API to include vulnerability details for components in the generated SBOM. This will help get a better understanding of the level of security risk associated with the components and implement remediation.

Policy Evaluation Summary Improvements

We have enhanced the Jenkins, Azure DevOps, Bamboo, and Maven plugins to show the total number of evaluated components in the policy evaluation summary. This addition makes eventual misconfigurations easier to spot.

Improved support for evaluating Java 18 applications and components

Support for evaluating Java 18 applications and components (first introduced in release 136) has been improved.

Improvements to Sonatype CLI for auto-creating new applications

To evaluate a new application that has not been onboarded to IQ Server, using Sonatype CLI, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

Extended scope of evaluations

The "Evaluate a binary" action in the Lifecycle UI has been renamed "Evaluate a file". Using this menu option, users can now also perform manifest scans to analyze source control repositories or software bills of materials (SBOMs) earlier in the development lifecycle, before the applications are built.

Policy Waiver REST API Improvements

Users can apply policy waivers to specific repositories using the new owner types repository and repository_container in the POST request of Policy Waiver REST API.

Fix for application scan reports

This release fixes the reported issue (in release 142 only) of blank pages appearing in the web browser, instead of application scan reports. A new scan of the application is recommended for generating the scan report, after installing this release.

Configurable session timeouts

Users can now configure the session timeout times for IQ Server using the property sessionTimeout through Configuration REST API.

Release 142 (July 2022)

Configurable content security policy directive

The frame-ancestors directive for content security policy (CSP) can be configured using Configuration REST API. This will allow users to control the domains that can frame the current resource and prevent clickjacking. Using the property frameAncestorsAllowlist, users can specify a list of allowed domain URLs as JSON.
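The clickjacking protection here comes from the browser enforcing the frame-ancestors directive. The following added example (not IQ Server code; how IQ itself composes the header is not described on this page and is assumed) builds the directive from an allowlist of origins, rejects entries that are not bare origins, and shows the browser-side decision for a few embedding attempts, including the "no allowlist" case where only 'none' is emitted.

```python
from typing import List
from urllib.parse import urlsplit


def build_frame_ancestors(allowlist: List[str], include_self: bool = True) -> str:
    """Compose a frame-ancestors directive from an allowlist of origins.

    Each entry must be an absolute origin (scheme://host[:port]) with no path,
    query or fragment, so that a typo cannot widen the policy. An empty
    allowlist with include_self=False yields 'none': nothing may frame the page.
    Assumption for this example: the allowlist is added to 'self', mirroring the
    common practice of letting a product frame its own pages.
    """
    sources = ["'self'"] if include_self else []
    for entry in allowlist:
        parts = urlsplit(entry)
        if parts.scheme not in ("https", "http") or not parts.netloc:
            raise ValueError(f"not an absolute origin: {entry!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"origin must not carry a path or query: {entry!r}")
        sources.append(f"{parts.scheme}://{parts.netloc}".lower())
    if not sources:
        sources = ["'none'"]
    return "frame-ancestors " + " ".join(sources)


def csp_header(allowlist: List[str], include_self: bool = True) -> str:
    """The full response header a server would emit for this directive."""
    return "Content-Security-Policy: " + build_frame_ancestors(allowlist, include_self)


def is_framing_allowed(directive: str, page_origin: str, embedder_origin: str) -> bool:
    """Browser-side check: may a document at embedder_origin frame the page?

    Covers the source forms the builder above can emit ('none', 'self' and
    absolute origins); the full CSP source-matching grammar is wider than this.
    """
    name, _, rest = directive.partition(" ")
    if name != "frame-ancestors":
        raise ValueError("not a frame-ancestors directive")
    sources = rest.split()
    if sources == ["'none'"]:
        return False
    embedder = embedder_origin.lower()
    for src in sources:
        if src == "'self'":
            if embedder == page_origin.lower():
                return True
        elif src.lower() == embedder:
            return True
    return False


# Constructed sample configuration and origins.
IQ_ORIGIN = "https://iq.example.internal"
ALLOWLIST = ["https://portal.example.internal", "https://ci.example.internal:8443"]

if __name__ == "__main__":
    directive = build_frame_ancestors(ALLOWLIST)
    print(csp_header(ALLOWLIST))
    for embedder in ("https://portal.example.internal", "https://attacker.example.net", IQ_ORIGIN):
        print(embedder, "->", is_framing_allowed(directive, IQ_ORIGIN, embedder))
```

Keeping the allowlist to bare origins is the practitioner's check worth carrying over to the real configuration: a directive is only as tight as its loosest entry, and an entry that is not a recognisable origin should be rejected rather than silently ignored.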

More properties added to IQ server configuration REST API

Additional IQ Server properties are now exposed through Configuration REST API. These can be configured using the same endpoint /api/v2/config and GET, PUT, and DELETE HTTP methods to read, set, and delete the properties respectively. This process can now be used instead of making changes to the config.yml as in older versions.

Properties added in this release:

  1. eventBus.maxThreadPoolSize

  2. csrfProtection

  3. policyMonitoringHour

  4. userAgentSuffix

  5. webhookSecretPassphrase

  6. maxAdvancedSearchClauseCount

  7. advancedSearchCSVExportDelimiter

Redesigned Components View for Dashboard

We have redesigned the component view in Dashboard, for an enhanced UI:

  1. The total risk score for the component is now displayed right under the component name at the top.

  2. A back button has been added to replace the breadcrumb in older versions.

  3. Each application is now represented by a card with an accordion that can be toggled to reveal all the policy violations.

  4. A cleaner interface to display Unknown component names.

Permission to access the Firewall Dashboard

Users can access the Firewall Dashboard for Repositories if they are granted View IQ Elements and Edit IQ Elements permissions.

Permissions at the global level to access the dashboard are no longer required.

Fixed a bug where a manifest scan would include pom.xml files inside META-INF

This release fixes a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory are now ignored.

Release 141 (June 2022)

Quarantined Component View

This release fixes a critical issue related to the Compare button in the Quarantined Component view in Firewall.

Release 140 (June 2022)

Export search results from the Advanced Search page

The Export Results button on the Advanced Search page provides the flexibility of exporting the results into a .csv file, in addition to the existing Advanced Search REST API.

REST API for configuring Source Control

The source control configuration that was controlled through config.yml in older versions must now be configured using Source Control Configuration REST API.

Policy Configuration - Policy Actions Override Feature

The Policy Overrides feature will allow the policy actions for inherited policies to be overridden. This feature will provide more control in managing the policies and is currently available only for policies configured and inherited for Lifecycle.

Waive all versions of a component enhancement

The <component name> (all versions) option in the components section of the Add, View, and Remove Waiver page allows the creation of a waiver that will be applied to all versions of a component.

NOTE: Unknown components will need to be claimed first.

Input parameter to Policy Waivers REST API

The JSON payload for Policy Waiver REST API now supports matcherStrategy. It will now be possible to specify the range for components i.e., exact component, all versions of the component, or all components at the specified hierarchy to which the waiver will apply.
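As an added illustration of the three scopes described above (not IQ Server code), the following matcher decides whether a waiver applies to a given policy violation. The strategy names EXACT_COMPONENT, ALL_VERSIONS and ALL_COMPONENTS and the component fields are assumptions for this example; the page itself only describes the three scopes in words.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    format: str   # e.g. "maven", "npm"
    name: str     # group:artifact for maven, package name for npm
    version: str


@dataclass(frozen=True)
class Waiver:
    policy_id: str
    matcher_strategy: str           # assumed names: EXACT_COMPONENT | ALL_VERSIONS | ALL_COMPONENTS
    component: Optional[Component]  # None only makes sense for ALL_COMPONENTS


def waiver_applies(waiver: Waiver, violation_policy_id: str, component: Component) -> bool:
    """Does this waiver cover a violation of violation_policy_id on component?

    A waiver is always bound to one policy; the matcher strategy then widens
    or narrows which components it covers. Unknown strategies are rejected
    rather than treated as a match, so a malformed waiver cannot silently
    suppress violations.
    """
    if waiver.policy_id != violation_policy_id:
        return False
    strategy = waiver.matcher_strategy
    if strategy == "ALL_COMPONENTS":
        return True
    if waiver.component is None:
        raise ValueError(f"{strategy} requires a component")
    same_component = (waiver.component.format, waiver.component.name) == (component.format, component.name)
    if strategy == "ALL_VERSIONS":
        return same_component
    if strategy == "EXACT_COMPONENT":
        return same_component and waiver.component.version == component.version
    raise ValueError(f"unknown matcherStrategy {strategy!r}")


# Constructed sample components and waivers.
LIB_OLD = Component("maven", "org.example:example-lib", "1.0.0")
LIB_NEW = Component("maven", "org.example:example-lib", "2.1.0")
OTHER = Component("maven", "org.example:other-lib", "3.0.0")

EXACT = Waiver("security-critical", "EXACT_COMPONENT", LIB_OLD)
ALL_VERSIONS = Waiver("security-critical", "ALL_VERSIONS", LIB_OLD)
EVERYTHING = Waiver("license-copyleft", "ALL_COMPONENTS", None)

if __name__ == "__main__":
    for label, waiver in (("exact", EXACT), ("all versions", ALL_VERSIONS), ("all components", EVERYTHING)):
        print(label, [waiver_applies(waiver, "security-critical", c) for c in (LIB_OLD, LIB_NEW, OTHER)])
```

The widest scope is the one to review most carefully: an ALL_COMPONENTS waiver suppresses every violation of that policy at the hierarchy level where it is defined, which is exactly why the dashboard's Waivers View and the Created By field elsewhere in these notes are worth having.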

Reference Policy Set v7

As part of this release, the Reference Policy Set v7 now includes a release-integrity policy.

For Repository Firewall license installations, the release-integrity policy will not be created automatically.

Release 139 (June 2022)

REST API for configuring JIRA

The JIRA configuration must now be changed using JIRA Configuration REST API, instead of making changes in config.yml as in older versions.

Custom expiration dates for Policy Waivers

This feature adds the flexibility of configuring custom expiration dates for policy waivers from the Add Waivers page. This could previously be done only by using the Policy Waivers API.

Release 138 (May 2022)

REST API for configuring Reverse Proxy Authentication

The Reverse Proxy Authentication Configuration must now be changed using Reverse Proxy Authentication Configuration REST API, instead of making changes in config.yml as in older versions.

REST API for Base URL Configuration

The base URL configuration must now be changed using Configuration REST API, instead of making changes in config.yml as in older versions.

NOTE: Configuration of the base URL is required, before configuring email/JIRA notifications and SCM integrations, for events like policy violations.

Fixed a bug where invalid SBOMs could be generated

This release fixed a bug where invalid SBOMs could be generated.

Additionally, from this release, if an SBOM is scanned and it is found to be invalid, then it will be rejected.

Release 137 (May 2022)

Reports List Redesign

To enhance user experience and make the IQ Server report list page easier to navigate and use, we made the following design improvements:

  1. Search as you type – IQ Server now progressively filters search results as you type the name of an application or organization in the search box.

  2. Show Contact Link – The Show Contact link that appears under the application name in the Application column now displays contact information for relevant applications only.

Fixed a Bug Relating to Searching for LDAP Static Group Members

This release fixes a bug that originated in Release 135. Searches for LDAP static group members now work as expected and return appropriate member information for policy email notifications.

Release 136 (April 2022)

Policy Configuration

A policy condition type for component formats was added.

Support for Evaluating Java 18 Applications and Components

The application and component evaluation have been updated to support Java 18 bytecode.

Firewall: Quarantined Component View (Anonymous Developer View)

A view for remediation advice on quarantined components is available in Firewall. By default, the view is accessible anonymously, using the tokenized link. A unique link is generated for every component quarantine encountered and expires after a certain time. The view contains information on component coordinates, policy violations, recommendations, and other versions that can be used instead.

This feature allows any user with access to the tokenized link to view component vulnerability details. If your IQ Server is publicly accessible to users outside your organization, it is strongly recommended you disable anonymous access to this view using the configuration. Consult with your legal and security teams to determine if you should disable this feature for your organization. If you are using the Repository Firewall for the Nexus Repository, this feature requires the Nexus Repository 3.38.1 release.

Firewall: Improvements to Quarantined Component Release Workflow

We made the following improvements to the release workflow for quarantined components:

  1. Components that no longer have any policy violations set to block (policy action is set to fail on proxy) can be released from quarantine at once by clicking the 'Re-evaluate' button on the repository results view. Also, as policy violations are waived, once no blocking policy violations remain, components are released without the need to click on 'Release Quarantine'.

  2. The 'Match State' policy condition type can be enabled for automatic release from quarantine.

Improvements to Applications REST API

The Application REST API has been updated so that when querying the endpoint of the application, an optional query parameter can be added to include the details of applied application categories.

Atlassian Crowd Integration

Atlassian Crowd server provides single sign-on and identity management. Configuration of IQ Atlassian Crowd is through the UI or the REST API. Once enabled, you can use your Atlassian Crowd credentials to log in through the UI or make REST calls.

SAML User Tokens

SAML users may now create User Tokens through the UI.

Option to search for all components, including those with no security vulnerabilities

We have upgraded the Advanced Search feature for component-based searches. The interactive interface gives users the option to choose whether they want to view:

  1. All components that match the search criteria or

  2. Only components that match the search criteria and have security vulnerabilities

Release 135 (March 2022)

InnerSource Repository Configuration

Organizations and Applications under the Orgs and Policies view in IQ now support configuring InnerSource repositories which enables the Version Explorer for InnerSource components in the component details page.

Refer to the InnerSource Repository Configuration documentation for more details on how to configure InnerSource repository connections.

Release 134 (March 2022)

Support for CycloneDX 1.4

The Third-Party Scan REST API, CycloneDX Application Analysis, and CycloneDX REST API have been extended to support CycloneDX schema version 1.4 in XML and JSON formats. In addition, the View SBOM option has been updated to produce CycloneDX schema version 1.4 XML.

Improvements to Policy-Compliant Component Selection

We've made a number of improvements to the policy-compliant component selection released first in the Nexus Repository 3.35.0 release. The improvements listed require Nexus Repository 3.38.1 and IQ Release 134 as the minimum recommended versions to use this feature.

  1. Performance improvements

  2. New components scanned for resolving version ranges to policy-compliant versions but not downloaded will no longer be visible in the Firewall repository results view

Fixed a Bug That Prevented Users From Being Able to Select a License in the Component Details Page

A bug introduced in Release 133 prevented users from selecting a license on the Component Details Page. This has now been fixed.

Application Analysis Report & SAML configuration form

Updated the look and feel to be consistent with our design guidelines.

Release 133 (March 2022)

Composer Matching Improvements

Composer data has been improved for both Lifecycle and Firewall.

Refer to this community post for more information.

SCM Onboarding

As of this release, when importing applications into IQ using easy SCM onboarding, dots are no longer omitted from the application names. Prior to this release, the dots were removed from the resulting application name.

Dependency Information for CycloneDX SBOM scans

CycloneDX SBOM file scans with dependency-graph data now display dependency information (Direct and Transitive) for BOM components.

Refer to CycloneDX Application Analysis and InnerSource Insight for more information.

Release 132 (January 2022)

Dependency Tree Page

The Dependency Tree Page shows a tree-like structure of all the dependencies identified in an application analysis report. This feature is only available for the npm and Maven ecosystems; its full documentation can be found in our Dependency Tree documentation.

The Component Details Page has also been updated with a component-specific Dependency Tree in the Overview tab. More information about this feature can be found on the Overview page as well.

Addition of 'Created By' Field for waivers

The addition of ‘Created By’ for Waivers will display and store the information of the individual who created the waiver. This information will also be visible when viewing existing waivers.

Bug Fix for False Positives in Image Scans

False positives that could exist on rare occasions in exported Docker image tar scans are fixed.