2022 Release Notes

This release offers improvements to the existing data architecture for IQ Server and HDS. The changes in data organization will prevent database locking issues due to concurrent transactions on shared resources.

This release resolves the internal server error that occurred when using long report template names (>250 chars.) for attribution reports while using the GET method for License Legal REST API.

This release handles the null pointer exception that was thrown when attempting to generate an SBOM from an evaluation report that did not show any components.

Use Experimental Data Insights to view open-source governance behavior for your organization. Click on Data Insights in the left navigation bar, to get started. Analyses from Data Insights uncover open-source component usage patterns across your organization.

Data Insights currently offers:

Scanning local images does not require providing environmental variables. To scan remote images, the user will now have to provide only these variables:

Sonatype IQ Server can now successfully scan files containing the special Unicode character, BYTE ORDER MARK.

This release covers minor UI fixes like typos and the usage of tooltips to display long component names that appeared truncated otherwise.

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

CVE-2022-41946 Public on November 23, 2022, Medium risk, Severity 6.3

Resolution: Upgraded to non-vulnerable component version org.postgresql:postgresql 42.5.1

SONATYPE-2022-4344, Sonatype Discovered November 22, 2022, Medium risk, Severity 4.7

Resolution: Upgraded to a non-vulnerable version of the component autolinker :3.16.1 and introduced validations in the code base to verify the trusted source of inputs to the component.

A modification in release 142 for manifest scans, ignored pom.xml located inside a META-INF directory. In most cases (specifically for uber/shaded archives), pom.xml does not represent the manifest file for the target application to be scanned. This release offers a configurable option to enable scanning of pom.xml files, for scan targets that could contain manifest files, in rare situations.

The Advanced Legal Pack (ALP) uses complex automated processes to generate attribution reports. Retrieving data for multiple applications containing hundreds of components can cause high query times. We have optimized our queries and API calls resulting in improved query statistics for attribution reports.

With this release we continue our improvements to the performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.

Selecting x days for the Expiration Date filter on the Lifecycle Waivers Dashboard, showed expired waivers, in addition to the waivers meeting the filter criteria i.e. expiring in x days. This release includes a fix for the expiration date filter to show waivers for x days only.

For IQ Server release 132 and higher, idle timeouts affected only native implementation, while users were still able to navigate the UI. With this fix, IQ Server will now force the user to log out after 30 minutes of inactivity.

A tooltip to display the email address of users (from LDAP) on the New Role page under Add a Role, had stopped appearing in IQ Server release 143 and later. This has now been fixed.

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

CVE-2022-1415 drools: Public on October 27, 2022, Medium risk, Severity 6.8

Resolution: Updated drools to 7.73.0.Final

This release fixes major bugs in the previous release 147.

Users facing issues with release 147 installations, should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 148 and skipping release 147.

Bugs fixed in this release include:

This release includes memory usage optimization to improve the performance of the Lifecycle Dashboard and its related export feature.

Release 147 contains issues. Upgrading to this version is not recommended. Upgrade to a later release.

This release offers an addition to the Lifecycle Dashboard, the Waivers View. Policy waivers will now be readily available for review on the dashboard. Users can access waivers specific to their needs by creating customized filters for the dashboard. The drill-down capability on each waiver in this list offers a more granular view of the waiver. The Export Waivers Data button generates a .csv file populated with all the waiver data that is retrieved based on the dashboard filter settings.

The Policy Waiver REST API can now retrieve details on a single waiver by passing the policyWaiverID in the GET method.

This release fixes an issue with SAML authentication, that prevented IQ Server from correctly identifying group names containing commas.

We have refactored CycloneDX REST API to include the dependency graph in SBOM, per CycloneDX specification. This is supported for CycloneDX versions 1.2 and higher.

This release offers minor bug fixes and general UI improvements.

Some of these include:

Experimental feature flags deprecated in config.yml: experimentalFeatures setting in config.yml is no longer referenced. For older versions of IQ server, this configuration setting will have to be deleted from config.yml.

We strongly recommend using Configuration REST API to update the configuration settings for IQ Server 142 and above, instead of config.yml.

Attribution reports from the Advanced Legal Pack (ALP) provide comprehensive access to more than 90% of OSS obligations. We have streamlined our data retrieval processes to generate these complex and data-intensive reports, faster. This will reduce the possibility of session time-outs that could occur while generating attribution reports for multiple and large applications.

Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from Release 142 and above are now ignored during a manifest scan.

The Vulnerability Details page contains a section that lists all affected version ranges of the implicated component. This will help users recognize different versions of an implicated component, which could also have security vulnerabilities.

To evaluate a new application that has not been onboarded to IQ Server, using the Sonatype Platform Plugin for Jenkins, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

As a result of our code optimization efforts, this release offers significantly faster policy evaluations. We have eliminated performance bottlenecks that occurred in scenarios with hundreds of concurrent users and complex policy evaluations.

Users can look up vulnerability details by entering any known vulnerability ID from the vulnerability lookup page or Vulnerability Details REST API. The vulnerability ID could be a Sonatype ID (assigned by Sonatype researchers) or just the CVE ID (may also have a Sonatype ID, if discovered first by Sonatype researchers.)

To help users avoid choosing different versions of an implicated component, which could also have security vulnerabilities, we now report all affected version ranges of the implicated component. The affected version range can be retrieved using the Vulnerability Details REST API by passing the component identifier as a query parameter.

Users can now create security policies to evaluate components against the reported CWE IDs. Selecting Security Vulnerability CWE from the dropdown in the conditions section of the policy page now allows defining policy constraint conditions based on the CWE ID.

The upgraded Advanced Legal Pack now provides copyrights, notices, and license text data for the Composer ecosystem.

We have enhanced the response for CycloneDX REST API to include vulnerability details for components in the generated SBOM. This will help get a better understanding of the level of security risk associated with the components and implement remediation.

We have enhanced the Jenkins, Azure DevOps, Bamboo, and Maven plugins to show the total number of evaluated components in the policy evaluation summary. This addition makes eventual misconfigurations easier to spot.

Support for evaluating Java 18 applications and components (first introduced in release 136) has been improved.

To evaluate a new application that has not been onboarded to IQ Server, using Sonatype CLI, users can now provide an additional parameter organization-id for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.

Evaluate a binary action in Lifecycle UI has been modified to Evaluate a file. Using this menu option, users can now also perform manifest scans to analyze source control repositories or software bill of materials (SBOMs) earlier in the development lifecycle, before the applications are built.

Users can apply policy waivers to specific repositories using the new owner types repository and repository_container in the POST request of Policy Waiver REST API.

This release fixes the reported issue (in release 142 only) of blank pages appearing in the web browser, instead of application scan reports. A new scan of the application is recommended for generating the scan report, after installing this release.

Users can now configure the session timeout times for IQ Server using the property sessionTimeout through Configuration REST API.

The frame-ancestors directive for content security policy (CSP) can be configured using Configuration REST API. This will allow users to control the domains that can frame the current resource and prevent clickjacking. Using the property frameAncestorsAllowlist, users can specify a list of allowed domain URLs as JSON.

Additional IQ Server properties are now exposed through Configuration REST API. These can be configured using the same endpoint /api/v2/config and GET, PUT, and DELETE HTTP methods to read, set, and delete the properties respectively. This process can now be used instead of making changes to the config.yml as in older versions.

Properties added in this release:

We have redesigned the component view in Dashboard, for an enhanced UI:

Users can access the Firewall Dashboard for Repositories if they are granted View IQ Elements and Edit IQ Elements permissions.

Permissions at the global level to access the dashboard are no longer required.

This release fixes a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory are now ignored.

This release fixes a critical issue related to the Compare button in the Quarantined Component view in Firewall.

The Export Results button on the Advanced Search page provides the flexibility of exporting the results into a .csv file, in addition to the existing Advanced Search REST API.

The source control configuration that was controlled through config.yml in older versions must now be configured using Source Control Configuration REST API.

The Policy Overrides feature will allow the policy actions for inherited policies to be overridden. This feature will provide more control in managing the policies and is currently available only for policies configured and inherited for Lifecycle.

The <component name> (all versions) option in the components section of the Add, View, and Remove Waiver page allows the creation of a waiver that will be applied to all versions of a component. NOTE: Unknown components will need to be claimed first.

The JSON payload for Policy Waiver REST API now supports matcherStrategy. It will now be possible to specify the range for components i.e., exact component, all versions of the component, or all components at the specified hierarchy to which the waiver will apply.

As part of this release, the Reference Policy Set v7 now includes a release-integrity policy. For Repository Firewall license installations, the release-integrity policy will not be created automatically.

The JIRA configuration must now be changed using JIRA Configuration REST API, instead of making changes in config.yml as in older versions.

This feature adds the flexibility of configuring custom expiration dates for policy waivers from the Add Waivers page. This could previously be done only by using the Policy Waivers API.

The Reverse Proxy Authentication Configuration must now be changed using Reverse Proxy Authentication Configuration REST API, instead of making changes in config.yml as in older versions.

The base URL configuration must now be changed using Configuration REST API, instead of making changes in config.yml as in older versions.

NOTE: Configuration of the base URL is required, before configuring email/JIRA notifications and SCM integrations, for events like policy violations.

This release fixed a bug where invalid SBOMs could be generated.

Additionally, from this release, if an SBOM is scanned and it is found to be invalid, then it will be rejected.

To enhance user experience and make the IQ Server report list page easier to navigate and use, we made the following design improvements:

This release fixes a bug that originated in Release 135. Searches for LDAP static group members now work as expected and return appropriate member information for policy email notifications.

To allow further report customization, the Advanced Legal Pack now includes a filter for Sonatype Special Licenses in the attribution report template. Users can now enable this feature to filter out Sonatype Special Licenses (e.g., Generic-Copyleft-Clause, Generic-Liberal-Clause, See-License-Clause, Identity-Clause, etc.) from their attribution reports.

A policy condition type for component formats was added.

The application and component evaluation have been updated to support Java 18 bytecode.

A view for remediation advice on quarantined components is available in Firewall. By default, the view is accessible anonymously, using the tokenized link. A unique link is generated for every component quarantine encountered and expires after a certain time. The view contains information on component coordinates, policy violations, recommendations, and other versions that can be used instead.

This feature allows any user with access to the tokenized link to view component vulnerability details. If your IQ Server is publicly accessible to users outside your organization, it is strongly recommended you disable anonymous access to this view using the configuration. Consult with your legal and security teams to determine if you should disable this feature for your organization. If you are using the Repository Firewall for the Nexus Repository, this feature requires the Nexus Repository 3.38.1 release.

We made the following improvements to the release workflow for quarantined components:

The Advanced Legal Pack REST API now supports creating an attribution report for multiple applications with a single call. Users of the UI can now use the legal dashboard filters to generate an attribution report for multiple applications.

The Advanced Legal Pack now automates weak copyleft original source code disclosure obligations for all supported ecosystems. This data will automatically be included in any attribution reports that are generated.

The Application REST API has been updated so that when querying the endpoint of the application, an optional query parameter can be added to include the details of applied application categories.

Atlassian Crowd server provides single sign-on and identity management. Configuration of IQ Atlassian Crowd is through the UI or the REST API. Once enabled, you can use your Atlassian Crowd credentials to log in through the UI or make REST calls.

SAML users may now create User Tokens through the UI.

We have upgraded the Advanced Search feature for component-based searches. The interactive interface gives users the option to choose whether they want to view:

Organizations and Applications under the Orgs and Policies view in IQ now support configuring InnerSource repositories which enables the Version Explorer for InnerSource components in the component details page.

Refer to the InnerSource Repository Configuration documentation for more details on configuring InnerSource repository connections.

The Third-Party Scan REST API, CycloneDX Application Analysis, and CycloneDx REST API have been extended to support the CycloneDX schema version 1.4 for XML and JSON formats. In addition to that, the View SBOM option has been updated to produce CycloneDX schema version 1.4 XML.

The Advanced Legal Pack now has a Component Dashboard that provides users with an easy means to view, or search, all components scanned by IQ Server.

Users that have the Advanced Legal Pack can now navigate from the legal tab in the Component Details Page to a component's extended legal details via the 'Review Obligations' button. This makes it much easier to conduct a legal review of a component from a policy report.

We've made a number of improvements to the policy-compliant component selection released first in the Nexus Repository 3.35.0 release. The improvements listed require Nexus Repository 3.38.1 and IQ Release 134 as the minimum recommended versions to use this feature.

A bug was introduced in 133 that prevented users from being able to select a license on the Component Details Page.

Updated the look and feel to be consistent with our design guidelines.

Composer data has been improved for both Lifecycle and Firewall.

As of this release, dots are no longer omitted from the application names when importing applications into IQ using easy SCM onboarding. Prior to this release, the dots were removed from the resulting application name.

CycloneDX sbom file scans with dependency-graph data now display dependency information for BOM components (Direct and Transitive).

This Dependency Tree Page shows a tree-like structure of all the dependencies identified in an application analysis report. This feature is only available for NPM and Maven ecosystems and its full documentation can be found at our Dependency Tree.

The Component Details Page is updated with a component-specific Dependency Tree in the Overview Tab.

The addition of ‘Created By’ for Waivers will display and store the information of the individual who created the waiver. This information will also be visible when viewing existing waivers.

False positives that could exist on rare occasions in exported Docker image tar scans are fixed.