2022 Release Notes

Note

Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

IQ Release 151 (December 2022)

Improvements

Data Architecture Improvements

This release improves the existing data architecture for IQ Server and HDS. The changes in data organization prevent database locking issues caused by concurrent transactions on shared resources.

Bug fixes

Advanced Legal Pack REST API error

This release resolves the internal server error that occurred when a long report template name (more than 250 characters) was used for attribution reports in a GET request to the License Legal REST API.

SBOM generation exception

This release fixes the null pointer exception that was thrown when attempting to generate an SBOM from an evaluation report that contained no components.

IQ Release 150 (November 2022)

New features

Sonatype Lifecycle now offers Experimental Data Insights

Use Experimental Data Insights to view open-source governance behavior for your organization. Click Data Insights in the left navigation bar to get started. Analyses from Data Insights uncover open-source component usage patterns across your organization.

Data Insights currently offers:

  • Migration Scorecard is a visual representation of component upgrade decisions made by your Java development teams.

  • Stack Divergence is an industry-wide comparative analysis of the popularity of components in your technology stack.

  • Nudges and Anomalies are key indicators of your platform usage. These indicators reveal patterns and trends used in the remediation processes across your organization.

Improvements

Updates to Sonatype Container Scanning with Sonatype CLI

Scanning local images no longer requires any environment variables. To scan remote images, the user now has to provide only these two variables:

  1. NEXUS_CONTAINER_IMAGE_REGISTRY_USER

  2. NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD

Bug fixes

Fix to successfully scan files with Byte Order Mark (BOM)

Sonatype IQ Server can now successfully scan files that begin with a Unicode byte order mark (BOM, U+FEFF).

Minor UI fixes

This release covers minor UI fixes like typos and the usage of tooltips to display long component names that appeared truncated otherwise.

Policy violation fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. To keep a strong and current security posture, the components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks flagged by our internal policy violations:

Fix for CVE-2022-41946

CVE-2022-41946: public on November 23, 2022; medium risk, severity 6.3

Resolution: Upgraded to non-vulnerable component version org.postgresql:postgresql 42.5.1

Fix for SONATYPE-2022-4344

SONATYPE-2022-4344: discovered by Sonatype on November 22, 2022; medium risk, severity 4.7

Resolution: Upgraded to the non-vulnerable component version autolinker 3.16.1 and introduced validations in the code base to verify that inputs passed to the component come from a trusted source.

IQ Release 149 (November 2022)

New features

Enabled Scanning of pom.xml in META-INF directory

Release 142 changed manifest scans to ignore pom.xml files located inside a META-INF directory, because in most cases (specifically for uber/shaded archives) such a pom.xml does not represent the manifest of the application being scanned. This release adds a configurable option to re-enable scanning of those pom.xml files for the rare scan targets where they do contain the relevant manifest.

Improvements

Performance Tuning for Attribution Reports

The Advanced Legal Pack (ALP) uses complex automated processes to generate attribution reports. Retrieving data for multiple applications containing hundreds of components can cause long query times. We have optimized our queries and API calls, resulting in improved query statistics for attribution reports.

Sonatype Lifecycle Dashboard Improvements

With this release we continue our improvements to the performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.

Bug fixes

Fix for Expiration Date on Waivers Dashboard

Selecting x days for the Expiration Date filter on the Lifecycle Waivers Dashboard showed already expired waivers in addition to the waivers meeting the filter criteria (expiring within x days). This release fixes the expiration date filter to show only waivers that expire within the next x days.

Fix for Forced Idle Timeouts

In IQ Server release 132 and later, the idle timeout was enforced only by the native implementation, while users were still able to keep navigating the UI. With this fix, IQ Server forces the user to log out after 30 minutes of inactivity.

Fix for User Emails Tooltip

The tooltip that displays the email address of users (from LDAP) on the New Role page under Add a Role had stopped appearing in IQ Server release 143 and later. This has now been fixed.

Policy violation fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. To keep a strong and current security posture, the components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks flagged by our internal policy violations:

Fix for CVE-2022-1415

CVE-2022-1415 (drools): public on October 27, 2022; medium risk, severity 6.8

Resolution: Updated drools to 7.73.0.Final

IQ Release 148 (October 2022)

Emergency Bug Fix Release

This release fixes major bugs in the previous release 147.

Users facing issues with release 147 installations should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading directly to release 148 and skipping release 147.

Bugs fixed in this release include:

  1. Waiver migrator fails when upgrading to version 147 if "expired" waivers are found.

  2. Clicking on the Export Waivers Data button causes an internal server error.

This release includes memory usage optimization to improve the performance of the Lifecycle Dashboard and its related export feature.

IQ Release 147 (October 2022)

Release 147 contains issues. Upgrading to this version is not recommended. Upgrade to a later release.

Waivers View on Dashboard

This release offers an addition to the Lifecycle Dashboard, the Waivers View. Policy waivers will now be readily available for review on the dashboard. Users can access waivers specific to their needs by creating customized filters for the dashboard. The drill-down capability on each waiver in this list offers a more granular view of the waiver. The Export Waivers Data button generates a .csv file populated with all the waiver data that is retrieved based on the dashboard filter settings.

Policy Waiver REST API enhancement

The Policy Waiver REST API can now retrieve details on a single waiver by passing the policyWaiverID in the GET method.

Notable fix for SAML authentication

This release fixes an issue with SAML authentication that prevented IQ Server from correctly identifying group names containing commas.

CycloneDX REST API improvement

We have refactored the CycloneDX REST API to include the dependency graph in the generated SBOM, per the CycloneDX specification. This is supported for CycloneDX schema versions 1.2 and higher.

IQ Release 146 (October 2022)

Maintenance Release

This release offers minor bug fixes and general UI improvements.

Some of these include:

  1. Validations for empty (zero-length) strings in text fields

  2. Addition of tooltips

  3. Explanatory error messages for user inputs like invalid dates

  4. Resolution of 404 error for the Data Insights feature

  5. Intuitive label names

Experimental feature flags deprecated in config.yml: the experimentalFeatures setting in config.yml is no longer referenced. If a config.yml carried over from an older IQ Server version still contains this setting, delete it.

We strongly recommend using the Configuration REST API to update configuration settings for IQ Server 142 and above, instead of editing config.yml.

IQ Release 145 (October 2022)

Performance improvements in Advanced Legal Pack Attribution Reports

Attribution reports from the Advanced Legal Pack (ALP) provide comprehensive access to more than 90% of OSS obligations. We have streamlined our data retrieval processes to generate these complex and data-intensive reports, faster. This will reduce the possibility of session time-outs that could occur while generating attribution reports for multiple and large applications.

Notable bug fix in recent releases

Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from Release 142 and above are now ignored during a manifest scan.

IQ Release 144 (September 2022)

View all affected version ranges of an implicated component

The Vulnerability Details page contains a section that lists all affected version ranges of the implicated component. This will help users recognize different versions of an implicated component, which could also have security vulnerabilities.

Improvements to the Sonatype Platform Plugin for Jenkins for auto-creating new applications

To evaluate a new application that has not been onboarded to IQ Server, using the Sonatype Platform Plugin for Jenkins, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

Targeting peak performance for policy evaluations

As a result of our code optimization efforts, this release offers significantly faster policy evaluations. We have eliminated performance bottlenecks that occurred in scenarios with hundreds of concurrent users and complex policy evaluations.

IQ Release 143 (September 2022)

Search for vulnerabilities by any known ID

Users can look up vulnerability details by entering any known vulnerability ID on the vulnerability lookup page or through the Vulnerability Details REST API. The vulnerability ID can be a Sonatype ID (assigned by Sonatype researchers) or a CVE ID (a CVE may also carry a Sonatype ID if it was discovered first by Sonatype researchers).

Affected version ranges of an implicated component now returned in the Vulnerability Details API

To help users avoid choosing different versions of an implicated component, which could also have security vulnerabilities, we now report all affected version ranges of the implicated component. The affected version range can be retrieved using the Vulnerability Details REST API by passing the component identifier as a query parameter.

Fine-tuned risk management with additional policy constraint CWE ID

Users can now create security policies to evaluate components against the reported CWE IDs. Selecting Security Vulnerability CWE from the dropdown in the conditions section of the policy page now allows defining policy constraint conditions based on the CWE ID.

Advanced Legal Pack Supports Composer

The upgraded Advanced Legal Pack now provides copyrights, notices, and license text data for the Composer ecosystem.

CycloneDX REST API Improvements

We have enhanced the response for CycloneDX REST API to include vulnerability details for components in the generated SBOM. This will help get a better understanding of the level of security risk associated with the components and implement remediation.

Policy Evaluation Summary Improvements

We have enhanced the Jenkins, Azure DevOps, Bamboo, and Maven plugins to show the total number of evaluated components in the policy evaluation summary. This addition makes possible misconfigurations (for example, a scan that picked up far fewer components than expected) easier to spot.

Improved support for evaluating Java 18 applications and components

Support for evaluating Java 18 applications and components (first introduced in release 136) has been improved.

Improvements to Sonatype CLI for auto-creating new applications

To evaluate a new application that has not been onboarded to IQ Server, using Sonatype CLI, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

Extended scope of evaluations

The Evaluate a binary action in the Lifecycle UI has been renamed Evaluate a file. Using this menu option, users can now also perform manifest scans to analyze source control repositories or software bills of materials (SBOMs) earlier in the development lifecycle, before the applications are built.

Policy Waiver REST API Improvements

Users can apply policy waivers to specific repositories using the new owner types repository and repository_container in the POST request of Policy Waiver REST API.

Fix for application scan reports

This release fixes the reported issue (in release 142 only) of blank pages appearing in the web browser, instead of application scan reports. A new scan of the application is recommended for generating the scan report, after installing this release.

Configurable session timeouts

Users can now configure the session timeout for IQ Server using the property sessionTimeout through the Configuration REST API.

IQ Release 142 (July 2022)

Configurable content security policy directive

The frame-ancestors directive of the Content Security Policy (CSP) can be configured using the Configuration REST API. This lets users control which domains are allowed to frame IQ Server pages and so prevents clickjacking. Using the property frameAncestorsAllowlist, users specify the list of allowed domain URLs as JSON.

More properties added to IQ server configuration REST API

Additional IQ Server properties are now exposed through the Configuration REST API. They are configured using the same endpoint, /api/v2/config, with the GET, PUT, and DELETE HTTP methods to read, set, and delete properties respectively. This replaces editing config.yml as in older versions.

Properties added in this release:

  1. eventBus.maxThreadPoolSize

  2. csrfProtection

  3. policyMonitoringHour

  4. userAgentSuffix

  5. webhookSecretPassphrase

  6. maxAdvancedSearchClauseCount

  7. advancedSearchCSVExportDelimiter
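The following is an added example, not Sonatype's code, showing how the Configuration REST API described above could be driven for the two security-relevant properties from these releases: the frameAncestorsAllowlist CSP directive and sessionTimeout. Assumed rather than stated on this page: that PUT /api/v2/config takes a JSON object mapping property names to values, that GET /api/v2/config?property=<name> answers with {"<name>": <value>}, that the UI's Content-Security-Policy header carries the frame-ancestors directive, and that sessionTimeout is expressed in minutes. The host, credentials and allowlist entries are placeholders. The HTTP layer is injectable, so the example runs offline against the included fake and against a real server with UrllibTransport.

```python
"""Configure IQ Server's frame-ancestors allowlist and session timeout via
/api/v2/config, validating the allowlist first and reading back the header
the server advertises afterwards. Added example, not Sonatype code; API
shape, header form and sessionTimeout unit are assumptions (see lead-in)."""
import base64
import json
from urllib import request
from urllib.parse import urlsplit

CONFIG = "/api/v2/config"


def origin_problem(entry):
    """Return why `entry` is not acceptable as a frame-ancestors source, or None.
    Only plain https origins pass: no http, wildcards, paths, queries or
    fragments, so the allowlist cannot quietly become 'anyone may frame IQ'."""
    u = urlsplit(entry)
    if u.scheme != "https":
        return "scheme must be https"
    if not u.netloc or "*" in u.netloc:
        return "host missing or wildcarded"
    if u.path not in ("", "/") or u.query or u.fragment:
        return "must be an origin, not a URL with a path"
    return None


def validate_frame_ancestors(entries):
    clean = []
    for e in entries:
        problem = origin_problem(e)
        if problem:
            raise ValueError(f"{e!r}: {problem}")
        clean.append(f"https://{urlsplit(e).netloc}")
    return clean


def frame_ancestors_directive(allowlist):
    """Header value assumed for this allowlist: the server itself plus the list."""
    return "frame-ancestors " + " ".join(["'self'", *allowlist])


def frame_ancestors_from_headers(headers):
    """Sources listed in the frame-ancestors directive of a CSP header, or None."""
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0] == "frame-ancestors":
            return parts[1:]
    return None


class UrllibTransport:
    """Real HTTP: transport(method, path, body) -> (status, headers, json or None)."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def __call__(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(self.base_url + path, data=data, method=method, headers=self.headers)
        with request.urlopen(req) as resp:
            raw = resp.read()
            is_json = "json" in resp.headers.get("Content-Type", "")
            return resp.status, dict(resp.headers), json.loads(raw) if raw and is_json else None


class FakeTransport:
    """Offline stand-in implementing the assumed API semantics (used by the test)."""

    def __init__(self):
        self.config = {}

    def __call__(self, method, path, body=None):
        route, _, query = path.partition("?")
        prop = query.partition("=")[2]
        csp = {"Content-Security-Policy":
               frame_ancestors_directive(self.config.get("frameAncestorsAllowlist", []))}
        if route == "/":                      # a UI page carrying the live CSP header
            return 200, csp, None
        if route != CONFIG:
            return 404, csp, None
        if method == "PUT":
            self.config.update(body)
            return 204, csp, None
        if method == "DELETE":
            self.config.pop(prop, None)
            return 204, csp, None
        return 200, csp, {prop: self.config.get(prop)}


def get_config(transport, name):
    return transport("GET", f"{CONFIG}?property={name}")[2][name]


def harden(transport, allowlist, session_timeout=30):
    """Validate, apply, then read back both the property and the live header, so a
    typo in the allowlist or a silently ignored PUT is caught here, not later."""
    clean = validate_frame_ancestors(allowlist)
    status, _, _ = transport("PUT", CONFIG, {"frameAncestorsAllowlist": clean,
                                             "sessionTimeout": session_timeout})
    if status not in (200, 204):
        raise RuntimeError(f"PUT {CONFIG} returned {status}")
    if get_config(transport, "frameAncestorsAllowlist") != clean:
        raise RuntimeError("allowlist did not persist")
    return frame_ancestors_from_headers(transport("GET", "/")[1])


if __name__ == "__main__":
    # Real server: harden(UrllibTransport("https://iq.example.com", "admin", "<password>"), [...])
    print(harden(FakeTransport(), ["https://ci.example.com/", "https://jira.example.com:8443"]))
```

The read-back step is the part worth keeping in any automation: a PUT that returns 204 proves only that the request was accepted, while the directive observed on a UI response proves the clickjacking protection is actually in effect.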

Redesigned Components View for Dashboard

We have redesigned the component view in Dashboard, for an enhanced UI:

  1. The total risk score for the component is now displayed right under the component name at the top.

  2. A back button has been added to replace the breadcrumb in older versions.

  3. Each application is now represented by a card with an accordion, that can be toggled to reveal all the policy violations.

  4. A cleaner interface to display Unknown component names.

Permission to access the Firewall Dashboard

Users can access the Firewall Dashboard for Repositories if they are granted View IQ Elements and Edit IQ Elements permissions.

Permissions at the global level to access the dashboard are no longer required.

Fixed a bug where a manifest scan would include pom.xml files inside META-INF

This release fixes a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory are now ignored.

IQ Release 141 (June 2022)

Quarantined Component View

This release fixes a critical issue related to the Compare button in the Quarantined Component view in Firewall.

IQ Release 140 (June 2022)

Export search results from the Advanced Search page

The Export Results button on the Advanced Search page provides the flexibility of exporting the results into a .csv file, in addition to the existing Advanced Search REST API.

REST API for configuring Source Control

The source control configuration that was controlled through config.yml in older versions must now be configured using Source Control Configuration REST API.

Policy Configuration - Policy Actions Override Feature

The Policy Overrides feature will allow the policy actions for inherited policies to be overridden. This feature will provide more control in managing the policies and is currently available only for policies configured and inherited for Lifecycle.

Waive all versions of a component enhancement

The <component name> (all versions) option in the components section of the Add, View, and Remove Waiver page allows the creation of a waiver that will be applied to all versions of a component. NOTE: Unknown components will need to be claimed first.

Input parameter to Policy Waivers REST API

The JSON payload for the Policy Waiver REST API now supports matcherStrategy, which specifies the scope of components the waiver applies to: the exact component, all versions of the component, or all components at the specified hierarchy level.
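As an added example (not Sonatype's code), the block below implements the waiver scoping semantics this page describes in one place: the three matcherStrategy scopes from this release, the repository and repository_container owner types added to the POST request in release 143, a lookup of the waivers that apply to a given violation, and the "expiring within x days" filter whose release 149 fix excludes waivers that have already expired. The strategy names EXACT, ALL_VERSIONS and ALL_COMPONENTS, the field names and the sample waivers are this example's own constructions, not the identifiers or payload of the REST API.

```python
"""Local model of policy waiver matching and expiry filtering. Added example,
not Sonatype code; strategy names, field names and sample data are
constructed for illustration and are not the REST API's identifiers."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Component:
    format: str     # e.g. "maven", "npm"
    name: str       # coordinates without the version, e.g. "org.example:lib-a"
    version: str


@dataclass(frozen=True)
class Waiver:
    waiver_id: str
    owner_type: str   # application | organization | root_organization | repository | repository_container
    owner_id: str
    policy_id: str
    strategy: str     # EXACT | ALL_VERSIONS | ALL_COMPONENTS (constructed names)
    component: Optional[Component]   # None only for ALL_COMPONENTS
    expires: Optional[datetime]      # None = never expires


def component_matches(waiver, component):
    """Apply the waiver's matcherStrategy to one component."""
    if waiver.strategy == "ALL_COMPONENTS":
        return True
    if waiver.component is None:
        return False
    same_artifact = (waiver.component.format, waiver.component.name) == (component.format, component.name)
    if waiver.strategy == "ALL_VERSIONS":
        return same_artifact
    if waiver.strategy == "EXACT":
        return same_artifact and waiver.component.version == component.version
    raise ValueError(f"unknown matcherStrategy {waiver.strategy!r}")


def is_active(waiver, now):
    return waiver.expires is None or waiver.expires > now


def applicable_waivers(waivers, policy_id, component, owner_chain, now):
    """owner_chain lists (owner_type, owner_id) pairs from the evaluated target
    up to the root. A waiver applies only if it sits on that chain, targets the
    violated policy, has not expired and matches the component."""
    chain = set(owner_chain)
    return [w for w in waivers
            if (w.owner_type, w.owner_id) in chain
            and w.policy_id == policy_id
            and is_active(w, now)
            and component_matches(w, component)]


def expiring_within(waivers, days, now):
    """Waivers that are active now and expire within `days` days. Already
    expired waivers are outside the window; non-expiring waivers never appear."""
    cutoff = now + timedelta(days=days)
    return [w for w in waivers if w.expires is not None and now < w.expires <= cutoff]


def waiver_ids(waivers):
    return [w.waiver_id for w in waivers]


# Constructed sample data.
NOW = datetime(2022, 12, 1, 12, 0, tzinfo=timezone.utc)
LIB_A_120 = Component("maven", "org.example:lib-a", "1.2.0")
LIB_A_130 = Component("maven", "org.example:lib-a", "1.3.0")
APP_CHAIN = [("application", "app-1"), ("organization", "org-1"), ("root_organization", "root")]
REPO_CHAIN = [("repository", "maven-central-proxy"), ("repository_container", "repositories")]
WAIVERS = [
    Waiver("w1", "application", "app-1", "sec-critical", "EXACT", LIB_A_120, NOW + timedelta(days=3)),
    Waiver("w2", "organization", "org-1", "sec-critical", "ALL_VERSIONS", LIB_A_120, None),
    Waiver("w3", "application", "app-1", "sec-critical", "EXACT", LIB_A_120, NOW - timedelta(days=1)),  # expired
    Waiver("w4", "repository", "maven-central-proxy", "sec-critical", "ALL_COMPONENTS", None,
           NOW + timedelta(days=20)),
]

if __name__ == "__main__":
    print("apply to lib-a 1.2.0 in app-1:", waiver_ids(applicable_waivers(WAIVERS, "sec-critical", LIB_A_120, APP_CHAIN, NOW)))
    print("expiring within 7 days:", waiver_ids(expiring_within(WAIVERS, 7, NOW)))
```

Two details carry the security weight: the expired waiver w3 is never applied even though its coordinates match exactly, and the repository-scoped w4 applies only when the evaluated target's owner chain is a repository, so a blanket Firewall waiver cannot leak into application evaluations.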

Reference Policy Set v7

As part of this release, the Reference Policy Set v7 now includes a release-integrity policy. For Repository Firewall license installations, the release-integrity policy will not be created automatically.

IQ Release 139 (June 2022)

REST API for configuring JIRA

The JIRA configuration must now be changed using JIRA Configuration REST API, instead of making changes in config.yml as in older versions.

Custom expiration dates for Policy Waivers

This feature adds the flexibility of configuring custom expiration dates for policy waivers from the Add Waivers page. This could previously be done only by using the Policy Waivers API.

IQ Release 138 (May 2022)

REST API for configuring Reverse Proxy Authentication

The Reverse Proxy Authentication Configuration must now be changed using Reverse Proxy Authentication Configuration REST API, instead of making changes in config.yml as in older versions.

REST API for Base URL Configuration

The base URL configuration must now be changed using Configuration REST API, instead of making changes in config.yml as in older versions.

NOTE: Configuration of the base URL is required, before configuring email/JIRA notifications and SCM integrations, for events like policy violations.

Fixed a bug where invalid SBOMs could be generated

This release fixed a bug where invalid SBOMs could be generated.

Additionally, from this release, if an SBOM is scanned and it is found to be invalid, then it will be rejected.

IQ Release 137 (May 2022)

Reports List Redesign

To enhance user experience and make the IQ Server report list page easier to navigate and use, we made the following design improvements:

  1. Search as you type – IQ Server now progressively filters search results as you type the name of an application or organization in the search box.

  2. Show Contact Link – The Show Contact link that appears under the application name in the Application column now displays contact information for relevant applications only.

Fixed a Bug Relating to Searching for LDAP Static Group Members

This release fixes a bug that originated in Release 135. Searches for LDAP static group members now work as expected and return appropriate member information for policy email notifications.

Advanced Legal Pack: Sonatype Special License Filter for Attribution Reports

To allow further report customization, the Advanced Legal Pack now includes a filter for Sonatype Special Licenses in the attribution report template. Users can now enable this feature to filter out Sonatype Special Licenses (e.g., Generic-Copyleft-Clause, Generic-Liberal-Clause, See-License-Clause, Identity-Clause, etc.) from their attribution reports.

IQ Release 136 (April 2022)

Policy Configuration

A policy condition type for component formats was added.

Support for Evaluating Java 18 Applications and Components

The application and component evaluation have been updated to support Java 18 bytecode.

Firewall: Quarantined Component View

A view for remediation advice on quarantined components is available in Firewall. By default, the view is accessible anonymously, using the tokenized link. A unique link is generated for every component quarantine encountered and expires after a certain time. The view contains information on component coordinates, policy violations, recommendations, and other versions that can be used instead.

This feature allows any user with access to the tokenized link to view component vulnerability details. If your IQ Server is publicly accessible to users outside your organization, it is strongly recommended you disable anonymous access to this view using the configuration. Consult with your legal and security teams to determine if you should disable this feature for your organization. If you are using the Repository Firewall for the Nexus Repository, this feature requires the Nexus Repository 3.38.1 release.

Firewall: Improvements to Quarantined Component Release Workflow

We made the following improvements to the release workflow for quarantined components:

  1. Components that no longer have any policy violations set to block (policy action is set to fail on proxy) can be released from quarantine at once by clicking the 'Re-evaluate' button on the repository results view. Also, as policy violations are waived, once no blocking policy violations remain, components are released without the need to click on 'Release Quarantine'.

  2. The 'Match State' policy condition type can be enabled for automatic release from quarantine.

Advanced Legal Pack Multi-Application Attribution Report

The Advanced Legal Pack REST API now supports creating an attribution report for multiple applications with a single call. Users of the UI can now use the legal dashboard filters to generate an attribution report for multiple applications.

Advanced Legal Pack Now Automatically Supports Original Source Code Disclosures

The Advanced Legal Pack now automates weak copyleft original source code disclosure obligations for all supported ecosystems. This data will automatically be included in any attribution reports that are generated.

Improvements to Applications REST API

The Application REST API has been updated so that when querying the endpoint of the application, an optional query parameter can be added to include the details of applied application categories.

Atlassian Crowd Integration

Atlassian Crowd server provides single sign-on and identity management. The IQ Server integration with Atlassian Crowd is configured through the UI or the REST API. Once enabled, you can use your Atlassian Crowd credentials to log in through the UI or to make REST calls.

SAML User Tokens

SAML users may now create User Tokens through the UI.

Option to search for all components, including those with no security vulnerabilities

We have upgraded the Advanced Search feature for component-based searches. The interactive interface gives users the option to choose whether they want to view:

  1. All components that match the search criteria or

  2. Only components that match the search criteria and have security vulnerabilities

IQ Release 135 (March 2022)

InnerSource Repository Configuration

Organizations and Applications under the Orgs and Policies view in IQ now support configuring InnerSource repositories which enables the Version Explorer for InnerSource components in the component details page.

Refer to the InnerSource Repository Configuration documentation for more details on configuring InnerSource repository connections.

IQ Release 134 (March 2022)

Support for CycloneDX 1.4

The Third-Party Analysis REST API, CycloneDX Application Analysis, and CycloneDX REST API have been extended to support the CycloneDX schema version 1.4 for XML and JSON formats. In addition to that, the View SBOM option has been updated to produce CycloneDX schema version 1.4 XML.

Advanced Legal Pack Component Dashboard

The Advanced Legal Pack now has a Component Dashboard that provides users with an easy means to view, or search, all components scanned by IQ Server.

Advanced Legal Pack Integration with the Component Details Page

Users that have the Advanced Legal Pack can now navigate from the legal tab in the Component Details Page to a component's extended legal details via the 'Review Obligations' button. This makes it much easier to conduct a legal review of a component from a policy report.

Improvements to Policy-Compliant Component Selection

We've made a number of improvements to the policy-compliant component selection released first in the Nexus Repository 3.35.0 release. The improvements listed require Nexus Repository 3.38.1 and IQ Release 134 as the minimum recommended versions to use this feature.

  1. Performance improvements

  2. New components scanned for resolving version ranges to policy-compliant versions but not downloaded will no longer be visible in the Firewall repository results view

Fixed a Bug That Prevented Users From Being Able to Select a License in the Component Details Page

A bug introduced in release 133 prevented users from selecting a license on the Component Details Page. This has been fixed.

Application Analysis Report & SAML configuration form

Updated the look and feel to be consistent with our design guidelines.

IQ Release 133 (March 2022)

Composer Matching Improvements

Composer data has been improved for both Lifecycle and Firewall.

SCM Onboarding

As of this release, dots are no longer omitted from the application names when importing applications into IQ using easy SCM onboarding. Prior to this release, the dots were removed from the resulting application name.

Dependency Information for CycloneDX SBOM scans

CycloneDX SBOM file scans with dependency-graph data now display dependency information (Direct and Transitive) for the BOM components.
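The direct/transitive classification above, the invalid-SBOM rejection from release 138 and the dependency graph added to the CycloneDX REST API output in release 147 all rest on the `dependencies` section of a CycloneDX document, and the release 150 BOM fix applies to how such a file is read. The block below is an added example, not Sonatype's code or its actual scanner: it parses a constructed CycloneDX 1.4 JSON SBOM (written with a UTF-8 byte order mark), rejects the document if its graph points at a bom-ref that does not exist, and classifies each component by a breadth-first walk from the application's bom-ref. The sample components, the ghost reference and the `unreferenced` label for components the graph never reaches are this example's own constructions.

```python
"""Classify CycloneDX SBOM components as direct or transitive from the
`dependencies` graph, rejecting dangling bom-refs and tolerating a UTF-8 BOM.
Added example, not Sonatype code; sample SBOM is constructed."""
import json
from collections import deque

SUPPORTED_SPEC_VERSIONS = {"1.2", "1.3", "1.4"}   # dependency graph exists from 1.2 on

LIB_A = "pkg:maven/org.example/lib-a@1.2.0"
LIB_B = "pkg:maven/org.example/lib-b@2.0.1"
LIB_C = "pkg:maven/org.example/lib-c@0.9.0"


def _lib(ref, name, version):
    return {"type": "library", "bom-ref": ref, "name": name, "version": version, "purl": ref}


# Constructed sample: demo-app depends on lib-a and lib-b; lib-a pulls in lib-c.
SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "demo-app",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [_lib(LIB_A, "lib-a", "1.2.0"), _lib(LIB_B, "lib-b", "2.0.1"),
                   _lib(LIB_C, "lib-c", "0.9.0")],
    "dependencies": [
        {"ref": "demo-app", "dependsOn": [LIB_A, LIB_B]},
        {"ref": LIB_A, "dependsOn": [LIB_C]},
        {"ref": LIB_B, "dependsOn": []},
        {"ref": LIB_C, "dependsOn": []},
    ],
}


def encode_with_bom(doc):
    """Serialise as UTF-8 with a leading byte order mark (U+FEFF)."""
    return ("\ufeff" + json.dumps(doc)).encode("utf-8")


SAMPLE_SBOM = encode_with_bom(SAMPLE)
# Same document, but lib-b claims a dependency whose bom-ref exists nowhere in it.
BROKEN_SBOM = encode_with_bom({**SAMPLE, "dependencies": SAMPLE["dependencies"]
                               + [{"ref": LIB_B, "dependsOn": ["pkg:maven/org.example/ghost@0.1.0"]}]})


def load_sbom(data):
    """Parse the JSON; utf-8-sig strips a BOM that json.loads would otherwise reject."""
    sbom = json.loads(data.decode("utf-8-sig"))
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if sbom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError(f"unsupported specVersion {sbom.get('specVersion')!r}")
    return sbom


def known_refs(sbom):
    refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    return refs | ({root} if root else set())


def graph_errors(sbom):
    """Every dangling reference in the dependency graph; an empty list means valid."""
    refs, errors = known_refs(sbom), []
    for entry in sbom.get("dependencies", []):
        if entry.get("ref") not in refs:
            errors.append(f"dependency entry for unknown ref {entry.get('ref')!r}")
        for target in entry.get("dependsOn", []):
            if target not in refs:
                errors.append(f"{entry.get('ref')!r} depends on unknown ref {target!r}")
    return errors


def is_valid(data):
    return not graph_errors(load_sbom(data))


def classify(sbom):
    """Breadth-first walk from the application's bom-ref: depth 1 is direct,
    deeper is transitive, unreachable is unreferenced. A component reachable
    both directly and transitively counts as direct (shortest path wins)."""
    errors = graph_errors(sbom)
    if errors:
        raise ValueError("invalid SBOM: " + "; ".join(errors))
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:          # also terminates on cyclic graphs
                depth[child] = depth[node] + 1
                queue.append(child)
    result = {}
    for ref in known_refs(sbom) - {root}:
        d = depth.get(ref)
        result[ref] = "unreferenced" if d is None else "direct" if d == 1 else "transitive"
    return result


if __name__ == "__main__":
    for ref, kind in sorted(classify(load_sbom(SAMPLE_SBOM)).items()):
        print(f"{kind:12} {ref}")
    print("broken SBOM valid?", is_valid(BROKEN_SBOM))
```

Rejecting a dangling ref before classifying is the right order: a graph that names components absent from the document cannot be trusted to say which of the listed components are direct, and a consumer that silently skipped the bad edge would report a transitive dependency as unreferenced.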

IQ Release 132 (January 2022)

Dependency Tree Page

The Dependency Tree Page shows a tree structure of all the dependencies identified in an application analysis report. This feature is only available for the npm and Maven ecosystems; its full documentation can be found in the Dependency Tree documentation.

The Component Details Page is updated with a component-specific Dependency Tree in the Overview Tab.

Addition of 'Created By' Field for waivers

The addition of ‘Created By’ for Waivers will display and store the information of the individual who created the waiver. This information will also be visible when viewing existing waivers.

Bug Fix for False Positives in Image Scans

False positives that could occur on rare occasions when scanning exported Docker image tar files have been fixed.