2022 Release Notes
Note: Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.
IQ Release 151 (December 2022)
This release offers improvements to the existing data architecture for IQ Server and HDS. The changes in data organization will prevent database locking issues due to concurrent transactions on shared resources.
This release resolves the internal server error that occurred when long report template names (more than 250 characters) were used for attribution reports via the GET method of the License Legal REST API.
This release handles the null pointer exception that was thrown when attempting to generate an SBOM from an evaluation report that showed no components.
IQ Release 150 (November 2022)
Use Experimental Data Insights to view open-source governance behavior for your organization. Click on Data Insights in the left navigation bar to get started. Analyses from Data Insights uncover open-source component usage patterns across your organization.
Data Insights currently offers:
Migration Scorecard is a visual representation of component upgrade decisions made by your Java development teams.
Stack Divergence is an industry-wide comparative analysis of the popularity of components in your technology stack.
Nudges and Anomalies are key indicators of your platform usage. These indicators reveal patterns and trends used in the remediation processes across your organization.
Scanning local images does not require environment variables. To scan remote images, the user now has to provide only these two variables:
NEXUS_CONTAINER_IMAGE_REGISTRY_USER
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
Sonatype IQ Server can now successfully scan files containing the Unicode byte order mark (BOM) character.
This release covers minor UI fixes, such as typos and the use of tooltips to display long component names that otherwise appeared truncated.
To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. To keep our security posture current, the components used by our development teams are continually scanned and compared against our proprietary vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks flagged as violations of our internal policies:
CVE-2022-41946: public on November 23, 2022; medium risk; severity 6.3
Resolution: Upgraded to the non-vulnerable component version org.postgresql:postgresql 42.5.1
SONATYPE-2022-4344: discovered by Sonatype on November 22, 2022; medium risk; severity 4.7
Resolution: Upgraded to the non-vulnerable component version autolinker 3.16.1 and added validations in the code base to verify that inputs to the component come from a trusted source.
IQ Release 149 (November 2022)
A modification in release 142 made manifest scans ignore pom.xml files located inside a META-INF directory, because in most cases (specifically for uber/shaded archives) such a pom.xml does not represent the manifest file of the target application. This release adds a configurable option to enable scanning of those pom.xml files for the rare scan targets that do contain manifest files there.
The Advanced Legal Pack (ALP) uses complex automated processes to generate attribution reports. Retrieving data for multiple applications containing hundreds of components can cause long query times. We have optimized our queries and API calls, resulting in improved query statistics for attribution reports.
With this release we continue our improvements to the performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.
Selecting x days for the Expiration Date filter on the Lifecycle Waivers Dashboard showed expired waivers in addition to the waivers meeting the filter criteria (i.e. expiring within x days). This release fixes the expiration date filter so that it shows only waivers expiring within x days.
In IQ Server release 132 and higher, idle timeouts affected only the native implementation, and users were still able to navigate the UI. With this fix, IQ Server forces the user to log out after 30 minutes of inactivity.
A tooltip that displays the email address of users (from LDAP) on the New Role page, under Add a Role, had stopped appearing in IQ Server release 143 and later. This has now been fixed.
To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. To keep our security posture current, the components used by our development teams are continually scanned and compared against our proprietary vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks flagged as violations of our internal policies:
CVE-2022-1415 (drools): public on October 27, 2022; medium risk; severity 6.8
Resolution: Updated drools to 7.73.0.Final
IQ Release 148 (October 2022)
This release fixes major bugs in the previous release 147.
Users facing issues with release 147 installations should upgrade to this version immediately. Users planning an upgrade should upgrade to release 148 and skip release 147.
Bugs fixed in this release include:
Waiver migrator fails when upgrading to version 147 if "expired" waivers are found.
Clicking on the Export Waivers Data button causes an internal server error.
This release includes memory usage optimization to improve the performance of the Lifecycle Dashboard and its related export feature.
IQ Release 147 (October 2022)
Release 147 contains issues. Upgrading to this version is not recommended. Upgrade to a later release.
This release offers an addition to the Lifecycle Dashboard, the Waivers View. Policy waivers will now be readily available for review on the dashboard. Users can access waivers specific to their needs by creating customized filters for the dashboard. The drill-down capability on each waiver in this list offers a more granular view of the waiver. The Export Waivers Data button generates a .csv file populated with all the waiver data that is retrieved based on the dashboard filter settings.
The Policy Waiver REST API can now retrieve details on a single waiver by passing the policyWaiverID in the GET method.
This release fixes an issue with SAML authentication that prevented IQ Server from correctly identifying group names containing commas.
We have refactored the CycloneDX REST API to include the dependency graph in the SBOM, per the CycloneDX specification. This is supported for CycloneDX versions 1.2 and higher.
IQ Release 146 (October 2022)
This release offers minor bug fixes and general UI improvements.
Some of these include:
Validations for empty (zero-length) strings in text fields
Addition of tooltips
Explanatory error messages for user inputs like invalid dates
Resolution of 404 error for the Data Insights feature
Intuitive label names
Experimental feature flags deprecated in config.yml: the experimentalFeatures setting in config.yml is no longer referenced. Installations carried over from older versions of IQ Server will have to delete this setting from config.yml.
We strongly recommend using the Configuration REST API, instead of config.yml, to update the configuration settings for IQ Server 142 and above.
IQ Release 145 (October 2022)
Attribution reports from the Advanced Legal Pack (ALP) provide comprehensive access to more than 90% of OSS obligations. We have streamlined our data retrieval processes to generate these complex and data-intensive reports faster. This reduces the possibility of session time-outs that could occur while generating attribution reports for multiple and large applications.
Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from Release 142 and above are now ignored during a manifest scan.
IQ Release 144 (September 2022)
The Vulnerability Details page contains a section that lists all affected version ranges of the implicated component. This will help users recognize different versions of an implicated component, which could also have security vulnerabilities.
To evaluate a new application that has not been onboarded to IQ Server, using the Sonatype Platform Plugin for Jenkins, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.
As a result of our code optimization efforts, this release offers significantly faster policy evaluations. We have eliminated performance bottlenecks that occurred in scenarios with hundreds of concurrent users and complex policy evaluations.
IQ Release 143 (September 2022)
Users can look up vulnerability details by entering any known vulnerability ID on the vulnerability lookup page or through the Vulnerability Details REST API. The vulnerability ID can be a Sonatype ID (assigned by Sonatype researchers) or just the CVE ID (which may also have a Sonatype ID if it was discovered first by Sonatype researchers).
To help users avoid choosing different versions of an implicated component, which could also have security vulnerabilities, we now report all affected version ranges of the implicated component. The affected version range can be retrieved using the Vulnerability Details REST API by passing the component identifier as a query parameter.
Users can now create security policies to evaluate components against the reported CWE IDs. Selecting Security Vulnerability CWE from the dropdown in the conditions section of the policy page now allows defining policy constraint conditions based on the CWE ID.
The upgraded Advanced Legal Pack now provides copyrights, notices, and license text data for the Composer ecosystem.
We have enhanced the response for CycloneDX REST API to include vulnerability details for components in the generated SBOM. This will help get a better understanding of the level of security risk associated with the components and implement remediation.
We have enhanced the Jenkins, Azure DevOps, Bamboo, and Maven plugins to show the total number of evaluated components in the policy evaluation summary. This addition makes eventual misconfigurations easier to spot.
Support for evaluating Java 18 applications and components (first introduced in release 136) has been improved.
To evaluate a new application that has not been onboarded to IQ Server, using Sonatype CLI, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.
The Evaluate a binary action in the Lifecycle UI has been renamed Evaluate a file. Using this menu option, users can now also perform manifest scans to analyze source control repositories or software bills of materials (SBOMs) earlier in the development lifecycle, before the applications are built.
Users can apply policy waivers to specific repositories using the new owner types repository and repository_container in the POST request of Policy Waiver REST API.
This release fixes the reported issue (in release 142 only) of blank pages appearing in the web browser, instead of application scan reports. A new scan of the application is recommended for generating the scan report, after installing this release.
Users can now configure the session timeout times for IQ Server using the property sessionTimeout through Configuration REST API.
IQ Release 142 (July 2022)
The frame-ancestors directive of the Content Security Policy (CSP) can be configured using the Configuration REST API. This allows users to control which domains may frame IQ Server pages and so prevents clickjacking. Using the property frameAncestorsAllowlist, users specify the list of allowed domain URLs as JSON.
Additional IQ Server properties are now exposed through the Configuration REST API. They are configured through the same endpoint, /api/v2/config, using the GET, PUT, and DELETE HTTP methods to read, set, and delete properties respectively. This replaces editing config.yml as in older versions.
Properties added in this release:
eventBus.maxThreadPoolSize
csrfProtection
policyMonitoringHour
userAgentSuffix
webhookSecretPassphrase
maxAdvancedSearchClauseCount
advancedSearchCSVExportDelimiter
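As an added illustration of what the frameAncestorsAllowlist property controls (example code written for these notes, not part of the release notes and not IQ Server's own code): the script below builds a frame-ancestors directive from an allowlist of the kind a PUT to /api/v2/config would carry, then evaluates candidate framing origins the way a CSP-aware browser does, so you can see which pages would still be able to embed IQ Server. The JSON payload shape, the inclusion of 'self' in the rendered directive, and all origins are assumptions or constructed values; how IQ Server actually renders the header is not documented here.

```python
"""Added example, not Sonatype's code: what a frame-ancestors allowlist
permits. The JSON payload shape and the inclusion of 'self' are assumptions;
the origins are constructed for the example."""
import json
from urllib.parse import urlsplit

# Constructed allowlist in the shape assumed for PUT /api/v2/config.
CONFIG_PAYLOAD = json.dumps({
    "frameAncestorsAllowlist": [
        "https://portal.example.com",
        "https://*.intranet.example.net",
    ]
})

# Origin IQ Server itself is served from (constructed).
SELF_ORIGIN = "https://iq.example.com:8070"


def build_frame_ancestors(allowlist):
    """Render a CSP frame-ancestors directive from the allowlist.
    An empty allowlist yields 'none', which forbids all framing; otherwise
    'self' is assumed so IQ Server pages can still frame each other."""
    if not allowlist:
        return "frame-ancestors 'none'"
    return "frame-ancestors 'self' " + " ".join(allowlist)


def directive_from_payload(payload_json):
    """Parse the (assumed) Configuration REST API payload into a directive."""
    return build_frame_ancestors(json.loads(payload_json)["frameAncestorsAllowlist"])


def _default_port(scheme):
    return {"http": 80, "https": 443}.get(scheme)


def _host_matches(pattern_host, origin_host):
    # CSP host-source: "*.example.net" matches subdomains only, never the bare domain.
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".intranet.example.net"
        return origin_host.endswith(suffix) and origin_host != suffix[1:]
    return pattern_host == origin_host


def framing_allowed(directive, self_origin, framing_origin):
    """True if a page at framing_origin may embed IQ Server (self_origin)
    under the directive: scheme, host and port must all match one source."""
    sources = directive.split()[1:]
    if sources == ["'none'"]:
        return False
    origin = urlsplit(framing_origin)
    origin_port = origin.port or _default_port(origin.scheme)
    for source in sources:
        if source == "'self'":
            if framing_origin.rstrip("/") == self_origin.rstrip("/"):
                return True
            continue
        pattern = urlsplit(source)
        if pattern.scheme and pattern.scheme != origin.scheme:
            continue
        if not _host_matches(pattern.hostname or "", origin.hostname or ""):
            continue
        pattern_port = pattern.port or _default_port(pattern.scheme or origin.scheme)
        if pattern_port == origin_port:
            return True
    return False


if __name__ == "__main__":
    directive = directive_from_payload(CONFIG_PAYLOAD)
    print(directive)
    for candidate in ("https://portal.example.com", "https://wiki.intranet.example.net",
                      "https://intranet.example.net", "http://portal.example.com",
                      "https://evil.example.org"):
        print(f"{candidate:40} -> {framing_allowed(directive, SELF_ORIGIN, candidate)}")
```

Two points the walk-through makes visible: a wildcard entry such as https://*.intranet.example.net covers subdomains but not the bare domain, and an entry with an explicit https scheme does not admit the http version of the same host, so a list copied from a browser address bar should be checked for the exact scheme and port the framing portal uses.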
We have redesigned the component view in Dashboard, for an enhanced UI:
The total risk score for the component is now displayed right under the component name at the top.
A back button has been added to replace the breadcrumb in older versions.
Each application is now represented by a card with an accordion that can be toggled to reveal all the policy violations.
A cleaner interface to display Unknown component names.
Users can access the Firewall Dashboard for Repositories if they are granted View IQ Elements and Edit IQ Elements permissions.
Permissions at the global level to access the dashboard are no longer required.
This release fixes a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory are now ignored.
IQ Release 141 (June 2022)
This release fixes a critical issue related to the Compare button in the Quarantined Component view in Firewall.
IQ Release 140 (June 2022)
The Export Results button on the Advanced Search page provides the flexibility of exporting the results into a .csv file, in addition to the existing Advanced Search REST API.
The source control configuration that was controlled through config.yml in older versions must now be configured using the Source Control Configuration REST API.
The Policy Overrides feature will allow the policy actions for inherited policies to be overridden. This feature will provide more control in managing the policies and is currently available only for policies configured and inherited for Lifecycle.
The <component name> (all versions) option in the components section of the Add, View, and Remove Waiver page allows the creation of a waiver that will be applied to all versions of a component. NOTE: Unknown components will need to be claimed first.
The JSON payload for Policy Waiver REST API now supports matcherStrategy. It will now be possible to specify the range for components i.e., exact component, all versions of the component, or all components at the specified hierarchy to which the waiver will apply.
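To make the three waiver scopes concrete, here is an added example (written for these notes, not Sonatype's code) that applies a waiver to a small set of constructed policy violations under each matcherStrategy and counts what remains, including the case where the waiver's custom expiration date has passed. The strategy names EXACT_COMPONENT, ALL_VERSIONS and ALL_COMPONENTS are assumed to mirror the three scopes described above; the Policy Waiver REST API documentation is authoritative for the values your IQ Server version accepts. The components, policy IDs and dates are all constructed.

```python
"""Added example, not Sonatype's code: which violations a policy waiver
suppresses under each matcherStrategy. The strategy names are assumed to
mirror the three scopes the release note describes. All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Component:
    fmt: str          # e.g. "maven"
    group: str        # "" for formats without a group
    name: str
    version: str


@dataclass(frozen=True)
class Waiver:
    policy_id: str
    matcher_strategy: str            # EXACT_COMPONENT | ALL_VERSIONS | ALL_COMPONENTS
    component: Optional[Component]   # ignored for ALL_COMPONENTS
    expires: Optional[date] = None   # None = never expires


@dataclass(frozen=True)
class Violation:
    policy_id: str
    component: Component


def waiver_applies(waiver, violation, today):
    """Does this waiver silence this violation on the given day?"""
    if waiver.expires is not None and today > waiver.expires:
        return False                     # expired waivers never apply
    if waiver.policy_id != violation.policy_id:
        return False                     # a waiver is always bound to one policy
    if waiver.matcher_strategy == "ALL_COMPONENTS":
        return True                      # every component at this hierarchy level
    c, w = violation.component, waiver.component
    if w is None:
        return False
    same_component = (c.fmt, c.group, c.name) == (w.fmt, w.group, w.name)
    if waiver.matcher_strategy == "ALL_VERSIONS":
        return same_component            # the "<component name> (all versions)" option
    if waiver.matcher_strategy == "EXACT_COMPONENT":
        return same_component and c.version == w.version
    raise ValueError(f"unknown matcherStrategy {waiver.matcher_strategy!r}")


def unwaived(violations, waivers, today):
    """Violations that remain after applying every active waiver."""
    return [v for v in violations
            if not any(waiver_applies(w, v, today) for w in waivers)]


# Constructed sample data: three components, two policies, four violations.
LIB_1 = Component("maven", "org.example", "lib", "1.0")
LIB_2 = Component("maven", "org.example", "lib", "2.0")
OTHER = Component("maven", "org.other", "tool", "0.1")
VIOLATIONS = [Violation("P1", LIB_1), Violation("P1", LIB_2),
              Violation("P1", OTHER), Violation("P2", OTHER)]


def remaining_count(strategy, today_iso="2022-06-01"):
    """Sample violations that survive one waiver on policy P1 for LIB_1 with
    the given strategy; the waiver carries a custom expiry of 2022-12-31."""
    waiver = Waiver("P1", strategy, LIB_1, expires=date(2022, 12, 31))
    return len(unwaived(VIOLATIONS, [waiver], date.fromisoformat(today_iso)))


if __name__ == "__main__":
    for strategy in ("EXACT_COMPONENT", "ALL_VERSIONS", "ALL_COMPONENTS"):
        print(f"{strategy:16} leaves {remaining_count(strategy)} of {len(VIOLATIONS)} violations")
    print("after expiry:", remaining_count("ALL_COMPONENTS", "2023-01-01"))
```

The count drops from three to two to one as the scope widens, which is the review question a broad waiver should prompt: an ALL_COMPONENTS waiver on a policy hides every current and future violation of that policy at that level of the hierarchy, so the Waivers View and an expiration date are the controls that keep it visible and temporary.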
As part of this release, the Reference Policy Set v7 now includes a release-integrity policy. For Repository Firewall license installations, the release-integrity policy will not be created automatically.
IQ Release 139 (June 2022)
The JIRA configuration must now be changed using the JIRA Configuration REST API, instead of making changes in config.yml as in older versions.
This feature adds the flexibility of configuring custom expiration dates for policy waivers from the Add Waivers page. This could previously be done only by using the Policy Waivers API.
IQ Release 138 (May 2022)
The Reverse Proxy Authentication Configuration must now be changed using the Reverse Proxy Authentication Configuration REST API, instead of making changes in config.yml as in older versions.
The base URL configuration must now be changed using the Configuration REST API, instead of making changes in config.yml as in older versions.
NOTE: Configuration of the base URL is required, before configuring email/JIRA notifications and SCM integrations, for events like policy violations.
This release fixed a bug where invalid SBOMs could be generated.
Additionally, from this release, if an SBOM is scanned and it is found to be invalid, then it will be rejected.
IQ Release 137 (May 2022)
To enhance user experience and make the IQ Server report list page easier to navigate and use, we made the following design improvements:
Search as you type – IQ Server now progressively filters search results as you type the name of an application or organization in the search box.
Show Contact Link – The Show Contact link that appears under the application name in the Application column now displays contact information for relevant applications only.
This release fixes a bug that originated in Release 135. Searches for LDAP static group members now work as expected and return appropriate member information for policy email notifications.
To allow further report customization, the Advanced Legal Pack now includes a filter for Sonatype Special Licenses in the attribution report template. Users can now enable this feature to filter out Sonatype Special Licenses (e.g., Generic-Copyleft-Clause, Generic-Liberal-Clause, See-License-Clause, Identity-Clause, etc.) from their attribution reports.
IQ Release 136 (April 2022)
A policy condition type for component formats was added.
The application and component evaluation have been updated to support Java 18 bytecode.
A view for remediation advice on quarantined components is available in Firewall. By default, the view is accessible anonymously, using the tokenized link. A unique link is generated for every component quarantine encountered and expires after a certain time. The view contains information on component coordinates, policy violations, recommendations, and other versions that can be used instead.
This feature allows any user with access to the tokenized link to view component vulnerability details. If your IQ Server is publicly accessible to users outside your organization, it is strongly recommended you disable anonymous access to this view using the configuration. Consult with your legal and security teams to determine if you should disable this feature for your organization. If you are using the Repository Firewall for the Nexus Repository, this feature requires the Nexus Repository 3.38.1 release.
We made the following improvements to the release workflow for quarantined components:
Components that no longer have any policy violations set to block (policy action set to fail on proxy) can be released from quarantine at once by clicking the 'Re-evaluate' button in the repository results view. Also, as policy violations are waived, components are released once no blocking policy violations remain, without the need to click 'Release Quarantine'.
The 'Match State' policy condition type can be enabled for automatic release from quarantine.
The Advanced Legal Pack REST API now supports creating an attribution report for multiple applications with a single call. Users of the UI can now use the legal dashboard filters to generate an attribution report for multiple applications.
The Advanced Legal Pack now automates weak copyleft original source code disclosure obligations for all supported ecosystems. This data will automatically be included in any attribution reports that are generated.
The Application REST API has been updated so that when querying the endpoint of the application, an optional query parameter can be added to include the details of applied application categories.
Atlassian Crowd server provides single sign-on and identity management. Atlassian Crowd is configured in IQ through the UI or the REST API. Once enabled, you can use your Atlassian Crowd credentials to log in through the UI or to make REST calls.
SAML users may now create User Tokens through the UI.
We have upgraded the Advanced Search feature for component-based searches. The interactive interface gives users the option to choose whether they want to view:
All components that match the search criteria or
Only components that match the search criteria and have security vulnerabilities
IQ Release 135 (March 2022)
Organizations and applications under the Orgs and Policies view in IQ now support configuring InnerSource repositories, which enables the Version Explorer for InnerSource components on the Component Details page.
Refer to the InnerSource Repository Configuration documentation for more details on configuring InnerSource repository connections.
IQ Release 134 (March 2022)
The Third-Party Analysis REST API, CycloneDX Application Analysis, and CycloneDX REST API have been extended to support CycloneDX schema version 1.4 in XML and JSON formats. In addition, the View SBOM option has been updated to produce CycloneDX schema version 1.4 XML.
The Advanced Legal Pack now has a Component Dashboard that provides users with an easy means to view, or search, all components scanned by IQ Server.
Users that have the Advanced Legal Pack can now navigate from the legal tab in the Component Details Page to a component's extended legal details via the 'Review Obligations' button. This makes it much easier to conduct a legal review of a component from a policy report.
We've made a number of improvements to the policy-compliant component selection released first in the Nexus Repository 3.35.0 release. The improvements listed require Nexus Repository 3.38.1 and IQ Release 134 as the minimum recommended versions to use this feature.
Performance improvements
New components scanned for resolving version ranges to policy-compliant versions but not downloaded will no longer be visible in the Firewall repository results view
Fixed a bug, introduced in release 133, that prevented users from selecting a license on the Component Details Page.
Updated the look and feel to be consistent with our design guidelines.
IQ Release 133 (March 2022)
Composer data has been improved for both Lifecycle and Firewall.
As of this release, dots are no longer omitted from the application names when importing applications into IQ using easy SCM onboarding. Prior to this release, the dots were removed from the resulting application name.
CycloneDX SBOM file scans with dependency-graph data now display dependency information (direct and transitive) for BOM components.
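The direct/transitive distinction above, the dependency graph that release 147 adds to the CycloneDX REST API output, and release 138's rejection of invalid SBOMs all rest on the same structure: the CycloneDX dependencies array, in which each entry names a bom-ref and the bom-refs it dependsOn. The following added example (written for these notes; not Sonatype's or the CycloneDX project's code) walks that graph in a constructed CycloneDX 1.4 JSON BOM to separate direct from transitive components, and rejects a BOM whose graph points at a bom-ref that is not declared. The package names, versions and the application name are constructed; the JSON layout follows the CycloneDX 1.4 JSON schema.

```python
"""Added example, not Sonatype's or CycloneDX's code: reading the dependency
graph of a CycloneDX 1.4 JSON SBOM to separate direct from transitive
components, and rejecting a BOM whose graph references bom-refs that do not
exist. Both BOMs below are constructed for the example."""
import json
from collections import deque

_BASE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "webapp",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.0",
         "purl": "pkg:npm/example-http@1.2.0", "bom-ref": "pkg:npm/example-http@1.2.0"},
        {"type": "library", "name": "example-parser", "version": "0.9.1",
         "purl": "pkg:npm/example-parser@0.9.1", "bom-ref": "pkg:npm/example-parser@0.9.1"},
        {"type": "library", "name": "example-utils", "version": "3.0.0",
         "purl": "pkg:npm/example-utils@3.0.0", "bom-ref": "pkg:npm/example-utils@3.0.0"},
    ],
    # The graph: the application depends directly on http and utils; http pulls in parser.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/example-http@1.2.0", "pkg:npm/example-utils@3.0.0"]},
        {"ref": "pkg:npm/example-http@1.2.0", "dependsOn": ["pkg:npm/example-parser@0.9.1"]},
        {"ref": "pkg:npm/example-parser@0.9.1", "dependsOn": []},
        {"ref": "pkg:npm/example-utils@3.0.0", "dependsOn": []},
    ],
}
SAMPLE_SBOM = json.dumps(_BASE_BOM)

# The same BOM with a dangling reference in its graph: the kind of
# inconsistency that makes an SBOM invalid and should get it rejected.
_broken = json.loads(SAMPLE_SBOM)
_broken["dependencies"][1]["dependsOn"].append("pkg:npm/example-missing@0.0.1")
BROKEN_SBOM = json.dumps(_broken)


class InvalidSbom(ValueError):
    """Raised for a BOM that should be rejected rather than scanned."""


def _validate(bom):
    """Check format, a supported schema version, and that every ref in the
    dependency graph is declared; return the root component's bom-ref."""
    if bom.get("bomFormat") != "CycloneDX":
        raise InvalidSbom("bomFormat is not CycloneDX")
    if bom.get("specVersion") not in ("1.2", "1.3", "1.4"):
        raise InvalidSbom(f"unsupported specVersion {bom.get('specVersion')!r}")
    root = bom["metadata"]["component"]["bom-ref"]
    known = {c["bom-ref"] for c in bom.get("components", [])} | {root}
    for entry in bom.get("dependencies", []):
        for ref in [entry["ref"], *entry.get("dependsOn", [])]:
            if ref not in known:
                raise InvalidSbom(f"dependency graph references unknown bom-ref {ref!r}")
    return root


def classify_dependencies(bom_json):
    """Return {'direct', 'transitive', 'unreachable'} sets of bom-refs.
    A component reachable both directly and through another dependency
    counts as direct, which is how a dependency tree reports it."""
    bom = json.loads(bom_json)
    root = _validate(bom)
    edges = {e["ref"]: list(e.get("dependsOn", [])) for e in bom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:                       # breadth-first walk from the direct dependencies
        for child in edges.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    return {"direct": direct, "transitive": seen - direct, "unreachable": declared - seen}


def is_valid_sbom(bom_json):
    """False for any BOM that classify_dependencies would reject."""
    try:
        classify_dependencies(bom_json)
        return True
    except (InvalidSbom, KeyError, ValueError):
        return False


if __name__ == "__main__":
    print(json.dumps({k: sorted(v) for k, v in classify_dependencies(SAMPLE_SBOM).items()}, indent=2))
    print("broken BOM accepted:", is_valid_sbom(BROKEN_SBOM))
```

The "unreachable" set is worth keeping in a real check: components declared in the BOM but not connected to the root through the graph are either a generator bug or a hand-edited SBOM, and either way the dependency information shown for them cannot be trusted.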
IQ Release 132 (January 2022)
The Dependency Tree page shows a tree-like structure of all the dependencies identified in an application analysis report. This feature is only available for the NPM and Maven ecosystems; see the Dependency Tree documentation for full details.
The Component Details Page is updated with a component-specific Dependency Tree in the Overview Tab.
The addition of ‘Created By’ for waivers displays and stores the identity of the individual who created the waiver. This information is also visible when viewing existing waivers.
False positives that could occur on rare occasions in scans of exported Docker image tar files have been fixed.