
2023 Release Notes

Note

Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

Release 170 (December 2023)

Warning

This version may cause out-of-memory errors on high-volume installations. We do not recommend upgrading to this version unless absolutely necessary.

A fix for this issue will be available soon.

Note

This release includes several database changes to complete our transition to using the term Legacy Violations. Users may experience longer upgrade times (around an hour).

Improvements

Scan Skopeo Generated Docker Images

Users can now scan Docker images saved as tar files that were converted from OCI (Open Container Initiative) images using Skopeo.

Support for CycloneDX 1.5

Sonatype Lifecycle can now analyze and generate SBOMs in the most advanced CycloneDX 1.5 format. We have improved the Third-Party Scan REST API, CycloneDX Application Analysis, and CycloneDX REST API to support CycloneDX schema version 1.5.

New Query Parameters Added

Users can utilize the new optional query parameters openTimeAfter and openTimeBefore for the Policy Violation REST API to filter the violations returned by a date range. This reduces the risk of out-of-memory errors or slow response times for Lifecycle instances with multiple years of policy violation data.
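The practical use of openTimeAfter and openTimeBefore is to page through a multi-year violation history in bounded date windows instead of one unbounded request. The following added example (not Sonatype's code) builds those windowed requests. It assumes the endpoint path /api/v2/policyViolations, the p (policy id) parameter, an ISO 8601 timestamp format for the two parameters, and a response body keyed by applicationViolations; the injected opener and the sample response are constructed so the script runs offline.

```python
import json
import io
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def date_windows(start, end, days=30):
    """Split [start, end) into consecutive windows of at most `days` days.

    Bounding each request by a window keeps the server-side result set small,
    which is the point of the openTimeAfter/openTimeBefore parameters.
    """
    windows = []
    cur = start
    while cur < end:
        nxt = min(cur + timedelta(days=days), end)
        windows.append((cur, nxt))
        cur = nxt
    return windows


def iso_utc(dt):
    # Assumption: the API accepts ISO 8601 UTC timestamps for the time filters.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def violations_url(base_url, policy_id, after, before):
    """Build one windowed Policy Violation REST API request URL.

    Endpoint path and the `p` parameter name are assumptions, not from the page.
    """
    query = urllib.parse.urlencode({
        "p": policy_id,
        "openTimeAfter": iso_utc(after),
        "openTimeBefore": iso_utc(before),
    })
    return f"{base_url.rstrip('/')}/api/v2/policyViolations?{query}"


def fetch_violations_windowed(base_url, policy_id, start, end, auth_header,
                              days=30, opener=urllib.request.urlopen):
    """Collect violations across [start, end) using one request per window."""
    collected = []
    for after, before in date_windows(start, end, days):
        req = urllib.request.Request(
            violations_url(base_url, policy_id, after, before),
            headers={"Authorization": auth_header, "Accept": "application/json"},
        )
        with opener(req) as resp:
            body = json.load(resp)
        # Assumption: the response lists violations under "applicationViolations".
        collected.extend(body.get("applicationViolations", []))
    return collected


def fake_opener(req):
    """Constructed stand-in for urlopen so the example runs offline.

    Returns one violation per request, echoing the window it was asked for.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
    payload = {"applicationViolations": [
        {"policyId": params["p"][0], "openTime": params["openTimeAfter"][0]}
    ]}
    return io.BytesIO(json.dumps(payload).encode())


def demo():
    start = datetime(2023, 1, 1, tzinfo=timezone.utc)
    end = datetime(2023, 3, 1, tzinfo=timezone.utc)
    return fetch_violations_windowed(
        "https://iq.example.invalid",  # placeholder base URL
        "policy-placeholder-id",       # placeholder policy id
        start, end, "Basic placeholder", days=30, opener=fake_opener,
    )


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Replace fake_opener with the default urllib.request.urlopen and supply the real base URL, policy id and credentials to run it against an instance; keep the window size small enough that the largest window's result set fits comfortably in memory on both ends.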

Active Waivers Indicator

The Application Composition Report has a new Active Waivers indicator. It is displayed for components with waived policy violations that are hidden in the aggregated view of the report. It also shows the total number of violations that were being actively waived at the time of the scan.

Repository Results Aggregated by Component

The Aggregate by component toggle on the Repository Results page can be switched off to view all violations, instead of the default view (toggle on) showing violations aggregated by components.

Fine Tuned Advanced Search

Advanced Search now supports searching for components or vulnerabilities by organization. Users can include the organizationName or organizationId in their search query to fine tune the search within specific organizations.

Notable Bug Fixes

Error Loading Reports

This release fixes an issue when loading Lifecycle Reports of large sizes.

Fix for poetry.lock Scans

This release handles the null pointer exception that was thrown when attempting to scan a poetry.lock file containing packages with no further dependencies.

Fix for Empty Scan Reports

This release fixes an error that occurred when scanning SBOMs using the Third-Party Scan REST API if the length of the id field of a vulnerability object exceeded 20 characters. The error caused empty scan reports to be generated.

Startup Times for IQ HA Pods

This release contains a fix for an issue with IQ High Availability (HA) pods holding terabytes of data that prolonged startup times.

Track Resolved Issues

Click here to see the resolved issues in this release.

Release 169 (November 2023)

Note

This release fixes a critical issue that affected the command line scanning of SBOMs and containers on installations of release 168 running on the embedded H2 database. Earlier versions (prior to 168) or those running on PostgreSQL (external database) are not affected.

Users facing issues with release 168 installations running on the H2 database should upgrade immediately.

This release includes several database changes to complete our transition to using the term Legacy Violations. Users may experience longer upgrade times (around an hour).

Improvements

Sonatype Lifecycle Application Limit Removed

Lifecycle users can now onboard an unlimited number of applications to Sonatype Lifecycle (previously limited to 5000) to maximize the benefits and improve the security profile of their expanding supply chains. The application limit is removed automatically at the restart that follows an upgrade. To avoid the downtime of a restart after the upgrade, users also have the option of reinstalling their existing license to remove the application count limit instead of upgrading.

RPM Data Cleanup

In investigating the root cause of unusual policy results for RPM components, we found that some RPM data was accidentally released for general availability. With data quality as our top priority, we have retracted this data from our catalog. As a result, some users might see changes in the policy results. We apologize for the inconvenience.

Method Added to Firewall REST API

Using the new POST method, users can now add a repository manager using the Firewall REST API.

Announcing Successor API

The Manifest Evaluation REST API (deprecation announced in release 126) has reached the end of its sunsetting window and can no longer be used. We recommend using the successor API, the Source Control Evaluation REST API, to perform application policy evaluations in a source control branch.

Notable Bug Fixes

Third-Party Scans Failing on IQ Server running on H2 database

This release fixes a critical issue that caused CLI scanning to fail when scanning third-party SBOMs and containers in release 168 running on the embedded H2 database.

Track Resolved Issues

See the resolved issues in this release.

Release 168 (October 2023)

New Features

Sonatype Repository Firewall Guided Setup for JFrog Artifactory

The Repository Firewall Guided Setup simplifies onboarding JFrog Artifactory® repositories to enable users to get started with Firewall in a few easy steps. The automated process guides first-time users to maximize supply chain protection by providing configuration recommendations for Firewall based on the host (users') environment.

Improvements

Continuing Updates for Legacy Violations

As part of our inclusive language initiatives, we have begun renaming the feature previously known as Policy Violation Grandfathering to Managing Legacy Violations starting with release 167. There is no change in functionality of this existing feature (previously known as Policy Violation Grandfathering). In this release, we have updated Report REST APIs, Third-Party Scan REST API, Sonatype CLI, Nexus IQ for GitLab, and policy violation email alerts.

The response fields grandfatheredPolicyViolationCount and grandfathered for Report REST APIs have been deprecated. We recommend using the new response fields legacyViolationCount and legacyViolation.

The response field grandfatheredPolicyViolations for Third-Party Scan REST API has been deprecated. We recommend using the new response field legacyViolations.

The grandfatheredPolicyViolationCount field in the evaluation results of Sonatype CLI and Sonatype for GitLab CI has been deprecated. We recommend using the new response field legacyViolationCount.

Methods Added to Firewall REST API

We have added methods to the Firewall REST API. Users can retrieve repository configurations using the new GET operations, and update the repository configurations using the new POST operation. These operations can be used in system-to-system integration to customize the security governance processes.

Optimized Disk Space Storage

As a result of the new optimized storage technique for resources shared across reports, Lifecycle legacy reports will now use less storage space. Lifecycle installations with a high volume of reports (over a million) will see a marked decrease (tens of GBs) in space utilization.

UX Enhancements for GitHub and GitLab SCM Integrations

Inline comments in GitHub and GitLab will now include code suggestions for security issues and links to Vulnerability Reports in Lifecycle for easier navigation.

Firewall extends PCCS to the Python ecosystem

The Policy Compliant Component Selection in Sonatype Repository Firewall with Nexus Repository Manager has been enhanced to cover Python components. The minimum requirements for this feature are Sonatype IQ Server version 167 and Nexus Repository version 3.61.

Notable Bug Fixes

User Access to Data Retention Settings

This release fixes an issue with setting up Data Retention for organizations that caused an insufficient permissions error for users who were allowed to do so.

Fix for SAML IDP configurations

Fixed an error that occurred with long group names in SAML configurations when upgrading to other versions of Sonatype IQ Server.

Resolved Repository Names Issue with Bitbucket

SCM configuration will no longer perform a case-sensitive comparison of repository names in Bitbucket, which previously caused it to fail. Repository names are now compared case-insensitively.

Track Resolved Issues

Click here to see the resolved issues in this release.

Release 167 (September 2023)

New Features

Sonatype Repository Firewall offers Guided Setup

The Repository Firewall Guided Setup simplifies onboarding Nexus Repository Manager repositories to enable users to get started with Firewall in a few easy steps. The automated process guides first-time users to maximize the supply chain protection offered by Firewall by providing configuration recommendations.

Improvements

Embracing Inclusion with Legacy Violations

As part of our inclusive language initiatives stemming from our core values of embracing inclusion, we are renaming the feature previously known as Policy Violation Grandfathering to Legacy Violations. Starting with this release, Sonatype Lifecycle will use the term Legacy Violations for policy violations that can be deferred during onboarding and prioritized to be remediated later.

There is no change in the functionality of this existing feature (previously known as Policy Violation Grandfathering).

Known Issues

Temporary Distribution Issue with the Plugin

Sonatype is actively working to resolve a distribution issue for the nexus-jenkins-plugin. This is a temporary distribution issue and could affect automatic upgrades of the plugin. It does not affect the existing installations or functionalities of the plugin.

The latest version of the nexus-jenkins-plugin will be available from Download and Compatibility.

Release 166 (August 2023)

New Features

Analyze SBOMs in SPDX format

Sonatype IQ Server extends its mission to promote open standards for communicating SBOM information by introducing SPDX Application Analysis, compliant with the SPDX® 2.3 standard. Users can also upload SPDX SBOMs (in XML or JSON file formats) directly, using the Third-Party Scan REST API, for scanning and analysis.

Improvements

Horizontal Scaling for IQ Server High Availability Deployments

Starting with this release, IQ Server HA deployments can be configured to auto-scale to match workload demands. This capability uses the native Kubernetes HorizontalPodAutoscaler feature, which deploys more pods in response to increased load and scales back to the configured minimum (2 pods) when the workload decreases. Auto-scaling is disabled by default.

Users can configure the thresholds for scaling up in the IQ Server helm chart, based on CPU or memory utilization for the workload.

Exclude devDependencies in poetry.lock for Python analysis

To align with the format changes of poetry.lock file from version 1.5.1 onwards, we have improved the Python Application Analysis with this release. IQ Server will now automatically exclude devDependencies for poetry versions 1.5.1 and higher, provided that pyproject.toml exists and is discoverable.

Lifecycle Dashboard Pagination

The UX enhancements to paginate all tabs of the Lifecycle Dashboard are complete with this release. Users can easily navigate across multiple pages to browse all policy violations, components, applications, and waivers that are relevant to the applied filter.

This improvement removes the previous limit of viewing only 100 rows of data on the dashboard.

Error Messages for Remediated Vulnerabilities

We have revised the error message that appeared when a previously reported policy violation no longer exists (because the vulnerability was remediated). The revised error message indicates the updated vulnerability status and prompts the user to run a new scan to detect the latest violations.

Notable Bug Fixes

Fix for SCM Bulk Import

This release fixes an issue with SCM bulk imports that caused IQ Server to stall at certain instances while performing multiple imports.

Client-side Timeouts Due to Slow Response Times

Improved performance of Sonatype IQ Server for better response times, compared to version 165.

Inconsistency in Waiver Visibility

Fixed discrepancies in waiver visibility across the policy violations table, the waivers for violation table, and the scanned report pages.

Fix for Clair and Conda Application Analysis

Fixed an issue with the application scan report while scanning clair-scanner-output.json with other metadata type files (conda.txt).

Error in Integrating IQ Server with Firewall for Artifactory

Fixed an HTTP 401 error that occurred during the integration of IQ Server with Firewall for Artifactory.

Fix for Policy Violation REST API

Fixed an issue with Policy Violation REST API that did not show displayName for Component-Unknown violations in the API response.

Track Resolved Issues

See the resolved issues in this release.

Release 165 (July 2023)

Warning

Sonatype has become aware of a critical issue with Nexus Repository versions 3.57.0 and 3.58.0 impacting deployments using OrientDB and IQ Server (Repository Firewall). The known issue may allow the unintentional download of quarantined components.

If you are on OrientDB and using IQ Server (Repository Firewall), upgrade to Sonatype Nexus Repository versions 3.57.1 or 3.58.1 instead.

New Features

Generate SBOMs in SPDX format

IQ Server extends its mission to promote open standards for communicating SBOM information by generating SBOMs compliant with the SPDX® 2.3 standard. The SPDX REST API generates SBOMs in both XML and JSON output for all supported component formats. Users can also generate the SBOM (in JSON format) from the Software Bill of Materials (SBOM) Quick Start.

ALP Expanded Observed License Detection Coverage

Using Advanced Legal Pack (ALP), users can now detect observed licenses for open-source components for all supported ecosystems (Maven, npm, NuGet, PyPI, RubyGems, RPM, and Composer). New installations of Sonatype IQ Server (version 165 and up) will support the detection of observed licenses, by default. This capability can be enabled on existing installations that upgrade to release 165 or later, by using the alpObservedLicenseDetectionEnabled property of the Configuration REST API.

Improvements

Waiver Requests Webhook

This improvement reduces the manual effort of copying and sharing the curl command (containing the specific violation details to be waived) with a designated approver. Users can now configure a webhook for the Waiver Request event. Once configured, clicking the Submit button on the Working with Waivers page triggers the webhook and automates the waiver request.

Lifecycle Dashboard Pagination

This release starts our UX enhancements to paginate all tabs of the Lifecycle Dashboard. The violations tab view will now be paginated and display more rows with fewer clicks to browse results.

Firewall Quarantine Message

A new property quarantinedItemCustomMessage added to the Configuration REST API enables users from the App Sec teams to set meaningful remediation messages or directives for the developers when a component is quarantined by the Repository Firewall. When set, the custom quarantine message will be visible to the developers at the command line, when requesting components.

Note

This feature requires Nexus Repository 3.58.1 or above.

Easy Search and Discovery of Repositories

The Repository Manager interface now shows repositories logically grouped under the Repository Manager to which they belong. Two new filters, for repository name and component format, allow targeted searches to locate the required repository. The interface includes an additional field, enablement, to indicate the Firewall protection features that are enabled for every repository.

Customizable Names for Repository Manager

A Repository Manager can be renamed from its pre-assigned UUID to an identifiable, user-friendly name that is visible throughout the Lifecycle and Firewall instances.

Notable Bug Fixes

Error Messages in Export Logs

Error messages generated in export logs during database migrations have been modified to indicate the exact root cause for better resolution of the export errors.

Release 164 (June 2023)

Improvements

Improved support zips for Better Troubleshooting

The support zips now include the customer-side configuration for reverse proxy authentication, a crucial parameter in troubleshooting unexpected behavior like broken links, caching, and general issues like performance, scalability, and availability of IQ Server.

Notable Bug Fixes

Misconfiguration of Waived Components Upgrade Feature

This release fixes an IQ Server upgrade issue with release 163 that caused the Waived Component Upgrades Configuration to be disabled, even if it was enabled previously.

Release 163 (June 2023)

Improvements

Improved Identification of Conan Dependencies

Analysis of the conaninfo.txt file no longer shows duplicate dependencies that were referenced in both the “requires” and “full_requires” sections. Dependencies under the “full_requires” section take precedence over those under the “requires” section, and the latter are excluded to avoid duplication.

Eliminated Duplicates in SBOM

Scanning binaries that contain components with the same coordinates, but different hashes could lead to duplicates in the SBOM. The SBOM generation for all supported ecosystems has been improved to avoid such duplicates that result in invalid SBOM files.

Extended the Inclusion of Wildcard Characters in IQ for SCM

This improvement ensures that Sonatype (Nexus) IQ for SCM is compatible with all wildcard characters used in markdown across supported developer platforms. This fixes the issue of malformed pull request (PR) layouts on encountering wildcard characters.

Notable Bug Fixes

SCM Database Errors

This release resolves a duplicate primary key error condition that occurred in the Sonatype IQ Server database due to incompatibility in handling case sensitivity across platforms, specifically GitHub.

Gateway timeouts for ALP Attribution Reports

This release includes major performance enhancements to Advanced Legal Pack (ALP) Attribution Reports to avoid gateway timeouts when retrieving data for reports containing a large number of components.

Fixed pathnames in IQ Webhook payload

This release fixes a payload issue with the IQ Webhook for Application Evaluation that is triggered at the Violation Alerts event.

Fix for CycloneDX REST API

The response of the CycloneDX REST API now includes a predefined parent component name as a placeholder in the metadata section if the application evaluation report does not contain any project data.

Release 162 (June 2023)

New Features

Waived Components Upgrade

This release offers users the ability to configure Lifecycle to monitor for waived components from the System Preferences menu. The Upgrade Available indicator on the Waivers dashboard will indicate when a safe-to-use version of the component is being recommended by the Sonatype Research Team.

Users can remediate the violation by upgrading to the recommended component version and removing the waiver.

Configure Waived Component Upgrade Feature using REST API

A new property waivedComponentUpgradeMonitoringEnabled provides the added flexibility of configuring your Sonatype Lifecycle instance for Waived component upgrades by using the Configuration REST API.

Improvements

Support for Evaluating Java 19 and Java 20 Applications and Components

The application and component evaluation have been updated to support Java 19 and Java 20 bytecode.

Reports REST API Supports New Query Parameters for Retrieving Scan Report History

The Report REST APIs now support two new query parameters, stage and limit. Users can retrieve scan reports for a specific stage and limit the number of reports returned by specifying how many of the most recent reports they want.

UI Improvements for Navigating N-Level Hierarchy

This release contains UI improvements related to window sizing and resolution for Navigating N-Level Hierarchy and linked dependent applications.

Default Branch Monitoring Cycle

We have improved the execution cycle of Continuous Risk Profile to prevent unnecessary exits on encountering errors.

Compatibility with Chrome Updates

Compatibility with the latest Google Chrome versions is now up-to-date.

Notable Bug Fixes

Truncation of Support Log Files

This release fixes an issue in the support zips generated by customers, that caused truncation of a few log files.

Filter Behavior on the ALP application page

The filter on the Advanced Legal Pack (ALP) application page now resets contextually, when navigating to a new application.

Submit button on the Source Control Monitoring page

The button text on the old “Submit” button on the Source Control Monitoring (SCM) configuration page now reflects the exact action, “Create” or “Update” to match creating a new SCM configuration or modifying an existing SCM configuration.

LDAP username authentication

The authentication exception related to an LDAP naming error, which caused session timeouts for IQ Server in multi-realm authentication environments, has been fixed.

Scanning Unknown Components using the Maven plugin

This release fixes the incorrect identification of unknown dependencies, which were previously identified as coming from a package manifest.

Error due to Non-English Characters

The internal server error that occurred when downloading an application report containing non-English characters has been resolved.

Fix for Incorrect License Violations

This release fixes an issue with the parsing of npm components that caused the application composition report to show incorrect license violations.

Release 161 (May 2023)

New Features

Introducing Sonatype Lifecycle and Sonatype Repository Firewall

We are updating our product names and logos for a refreshed look. This release unveils brand-new logos for our new product names, Sonatype Lifecycle (previously Nexus Lifecycle) and Sonatype Repository Firewall (previously Nexus Firewall).

Customizable Security Vulnerability Attributes

This release offers the flexibility to customize Sonatype Vulnerability Data. Security experts can use the customize feature to edit the CWE-ID, CVSS vector string, severity, and remediation instructions for any vulnerability, to augment their company security regulations. The customized vulnerability data can be used to build constraints for Lifecycle policies and help with prioritizing the remediations.

Vulnerability Custom Attributes REST API

The Vulnerability Custom Attributes REST API extends the ability to customize the vulnerability data, beyond the UI. The custom vulnerability data can be used to build policy constraints in Sonatype Lifecycle.

Move Organizations

This feature allows users to move organizations within the hierarchy, including their dependent organizations and applications, to a new branch in the hierarchy. Using this feature, users can also transform an existing single-level organization hierarchy into an N-level hierarchy without having to recreate the entire organization structure in Lifecycle.

Improvements

Vulnerability Details REST API Enhancement

The Vulnerability Details REST API includes an additional response field, customData to retrieve vulnerability attributes that are user-customized.

PUT method in Organizations REST API

The new PUT method in Organizations REST API can be used to change the parent organizations and transform to an N-level hierarchy, identical to the Move Organizations feature.

Automatic Commit Feedback for SCM

The Source Control Configuration section now allows SCM users to turn the Automated Commit Feedback feature off. The feature was previously always enabled; users can now disable it when importing a large number of applications to avoid hitting SCM rate limits.

Quarantined Component Report in Firewall

Users can configure the expiration time of Quarantined Component View in Firewall using the time out property in Configuration REST API. Setting the expiration time limit to longer durations (12 hours by default) will allow more time for users to process requests like releasing components from quarantine, which are based on the information in this report.

Hosted Repositories

Users will now be able to view all hosted repositories that provide the namespaces for Namespace Confusion Protection.

Prevent unintended build failures in IQ CLI

Users can now set the --ignore-scanning-errors switch in the IQ Command Line Interface (CLI). This prevents the CLI from failing the build when it encounters invalid files in the target codebase.

Notable Bug Fixes

Fix for SCM URLs

This release fixes an issue with SCM URLs that occurred during importing applications.

Fix for Forwarded HTTP headers

This release resolves errors occurring with forwarded HTTP headers when used for reverse proxy.

Fix for Repository Policies

This release resolves the error that occurred with viewing policies at the Repositories level.

Release 160 (April 2023)

Improvements

Search for Quarantined Components in Firewall

Users can search for a specific component quarantined by Firewall, by entering the component name in the new filter in the components column. This will help locate the component quickly, without having to look for it in the paginated lists that could run across multiple pages.

Settings for Sonatype IQ Server Base URL

Admins can now see a warning message on the Lifecycle homepage when the base URL for IQ Server is not set in the configuration settings. Configuring the base URL for IQ Server is now easier and more accessible via the System Preferences menu in the UI.

Performance of SCM System Scans

We have improved the scanning performance of applications in the Source Control Monitoring (SCM) systems by first checking if Pull Request Commenting has been disabled for a specific Source Control Configuration.

This allows the Lifecycle scan calls to return early, without consuming system resources.

Graceful Shutdown of Nodes

This release improves the node shutdown process of IQ Server in the cluster environment and prevents IQ Server outages.

Notable Bug Fixes

Fix for Promote SCAN REST API

This release fixes an issue with the scan reports generated after using Promote Scan REST API. Container scan reports now reflect the scan results.

User Group Searches for LDAP and SAML

The "Associate Group" search option will now be displayed if group search is disabled for LDAP even if SAML is enabled.

Database Migration Issues

This release fixes errors that occurred during migration from the H2 database to the external PostgreSQL database for certain installations.

Release 159 (April 2023)

New Features

Waived Component Upgrades

This release offers users the ability to configure Lifecycle to monitor for waived components.

Note: This feature has undergone major improvements in release 162. We recommend upgrading to release 162.

Sonatype IQ Server HA General Availability

Sonatype IQ Server High Availability Installation previously launched with release 155 for limited access, is now available to all customers.

Improvements

Searching for Orgs and Applications in N-level Hierarchy

Users can navigate to a specific organization or application by entering its name in the search filter located in the tree view of the N-level hierarchy. This allows navigating with fewer clicks.

Tooltips for Orgs and Applications

Tooltips will now appear in the filter search results, on hovering over the titles of organizations and applications in the navigation sidebar. Data such as the name of the parent organization, the number of sub-organizations linked to the parent, and the total number of applications contained in the selected organization will be readily visible in these tooltips.

Flexibility to Control Namespace Confusion Protection

Users can disable namespaces for the namespace confusion protection feature to unblock components of specific hosted public repositories if this protection is causing unnecessary blockers in the development cycles.

Improved UI to show Quarantined Components

We have improved the Quarantined Component View to clearly indicate policy violations due to quarantined components and other allowed versions of the quarantined component.

Improved UI for SCM Integrations

Threat levels of fixed policy violations are now included in the pull request comments.

GitLab Token Validation

This release improves the validation process of GitLab access tokens while setting up SCM integrations.

User Ownership for CLI scans

The generated scan_results.json file during a container scan is now owned by the user, instead of the root user.

Updated UI for Vulnerability Lookup

We have updated the title Vulnerability Search in the left navigation bar to Vulnerability Lookup.

Release 158 (March 2023)

Improvements

Override Policy Notifications

Users will now be able to override policy notifications for inherited policies. Using this option, it is possible to change the pre-configured policy notification settings for the desired DevSecOps pipeline stage. This improvement also offers the flexibility of changing the recipient type and recipient emails, if applicable, from what was set at the parent level.

Extended Support for SAML Users and Groups

We have extended support for SAML users and groups so that they are discoverable via searches in the UI. SAML users and groups are now accessible from the UI to set up access control, assign as application contacts, and receive role notifications.

Note that SAML users and their associated groups must log in to this or later releases at least once before they will be discoverable.

Clone Repositories using SSH Protocol

This release allows using the SSH protocol for Automatic Source Control Monitoring (SCM) configuration when cloning a repository. The repository clone URL is now successfully derived and displayed on the SCM UI. This is currently supported for the cloud version of SCMs only.

Support Long Passwords for Jira Integrations

We have updated our backend to accommodate the increased length of Atlassian API tokens. This will resolve the error related to passwords exceeding 255 characters when setting up Jira configurations.

Notable Bug Fixes

IQ CLI Exceptions for Empty NuGet Manifests

The IQ Command Line Interface (CLI) scan continues graceful execution with warnings, instead of exceptions, on encountering empty NuGet manifests.

Firewall Exception for Unknown Quarantined Components

This release handles the null pointer exception that was thrown when attempting to load unknown components that are quarantined.

Default Branch Monitoring

This release fixes issues with default branch monitoring that affected release 156. Default branch monitoring is now fully functional.

Release 157 (March 2023)

This release did not meet the critical product acceptance criteria and will not be made available.

Release 156 (February 2023)

New Features

Launching N-Level Organization Hierarchy

IQ Server now supports a multi-level hierarchical model for organizations and policies. Users will now have the flexibility to set up organizations at different levels (n levels) of hierarchy, to mimic their company's organizational structure and business units. We have introduced a new left navigation bar that lets users manage the Orgs and Policies configured at different levels of the hierarchy.

Users can utilize the n-level org model to create context-sensitive policies and remediation steps that apply locally to their domain.

Improvements

Namespace Confusion Protection Status for Repositories

Users can now view the proprietary namespaces from hosted repositories for which namespace confusion protection is enabled. This gives better visibility into scenarios where the download of an OSS component is blocked by a policy violation related to dependency confusion.

Improved Sorting for Repositories

This release includes secondary sorting of results displayed on the Repositories and Repositories Results page.

Clean up of Older Scan Files

We have modified the behavior of the purgeScanFiles property of the Configuration REST API. Setting purgeScanFiles to null now also cleans up previously retained older scan files, in addition to pausing the retention of new scan files.

Policy Violation Fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. The components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks arising from our internal policy violations:

Fix for SONATYPE-2023-0962

SONATYPE-2023-0962, Sonatype Discovered February 15, 2023, High Risk, Severity 7.5

Resolution: Upgraded to a non-vulnerable version of the component core-js-pure : 3.28.0

Notable Bug Fixes

Abnormal Disk Usage and Wait Times

This release fixes an issue with application evaluations that take longer than a few minutes to complete. We have optimized memory and performance parameters for IQ Server to support long-running evaluations.

Release 155 (February 2023)

Note

This release fixes issues in the previous release 154.

Users facing issues with release 154 installations, should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 155 and skipping release 154.

Emergency Bug Fix Release

Release Summary

This release includes all features, improvements, and notable bug fixes of release 154.

Release 154 (February 2023)

New Features

Launching Sonatype Lifecycle High Availability

Starting with this release, users can configure IQ Server High Availability Installation. Currently offered on AWS and on-premises, the HA installations will enable recovery from failures or disruptions with near-zero downtime.

Improvements

Sorting results in Repository Results View

Users can now run a multi-column sort in the Repository Results View to retrieve the most relevant repository details.

SBOM with Richer Metadata

The SBOM generated by the CycloneDX REST API now includes the vendor name (Sonatype), the software name (Sonatype IQ Server), and the IQ Server version. This additional tool metadata improves the quality of SBOMs generated with this REST API.

Improved Persistence for Filters

Filter values are now persisted and reset consistently as users navigate to and from the Reports view page.

Improved Release Integrity for Maven

We have added malicious component protection for Java (Maven). All Next-Gen Firewall users might experience blocking of the latest versions of Maven artifacts. These components remain blocked until Next-Gen Firewall determines they are safe for your development pipelines.

Notable Bug Fixes

Test Configuration for SCM

This release fixes an issue related to the “Test Configuration” button being disabled while setting up an SCM configuration.

Advanced Search Results

The grouping of results obtained on running the Advanced Search REST API is now consistent, regardless of the value specified for pageSize in the search query.

Overriding Component License in Firewall Repository

This release fixes an HTTP 400 response while overriding a component license.

Release 153 (January 2023)

Improvements

npm Application Analysis includes development Dependencies and optional Dependencies

This release offers users better control over running an npm Application Analysis. Using a POST or DELETE request, users can enable or disable scanning of development dependencies and optional dependencies in the manifest and lock files of JavaScript packages.

Performance Improvements to the Sonatype Firewall

Users with large repositories of OSS components will experience a marked improvement in the loading times of the Repository Results.

Refined Search Relevance for Sonatype Firewall Repository Results Page

The Repository Results search by component functionality is now more responsive and will enable users to search by specifying multiple component coordinates.

Upgraded UI Elements

This release marks our shift to the React framework. In addition to performance benefits, the new UI offers a general overhaul and simplicity of use, while maintaining the familiar user experience.

Notable Bug Fixes

GitLab URLs for SCM Onboarding

This release fixes an issue associated with the context path while importing GitLab applications. Users can now import GitLab applications into Sonatype Lifecycle by specifying the complete context path in the GitLab URL of their applications.

Release 152 (January 2023)

New Features

New experimental REST API to add custom security vulnerability groups

Users can use the Vulnerability Group REST API to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid in risk management and remediation. This should be used in those few edge cases where policy should directly be tied to a class or group of vulnerabilities.

Refer to Understanding the Parts of a Policy for information.

New Experimental Call Flow Analysis

Sonatype IQ CLI now includes experimental flags that will enable call flow analysis on application scans. Once the scan completes, the CLI will automatically apply a "Security-Reachable" label on any component that has a vulnerability with reachable code. Users are free to create a policy around this label to aid in prioritization and remediation.

Improvements

Updated Firewall Repository Results and Repository Component Details Page

The Repository Results and the Repository Component Details Page have been re-designed and updated. The view delivers meaningful insights into violation counts, component identification, and quarantined components with improved filtering, pagination, and UI.

Support to build more granular security Policies using Security Research Type

This release offers an option to set policy conditions to check whether a component has undergone Fast Track or Deep Dive research.

More on Understanding the Parts of a Policy.

Verify the authenticity of the Sonatype IQ Docker image with Docker Content Trust

Docker image consumers can now use the trusted, signed Sonatype IQ Docker image, which is available to inspect on Docker Hub.
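Enabling Docker Content Trust (`DOCKER_CONTENT_TRUST=1`) makes `docker pull` refuse unsigned tags, but on first contact it trusts whatever root key the notary server presents. The following is an added example written for this page, not Sonatype's or Docker's code: it reads the JSON that `docker trust inspect <repository>` prints, checks that the tag you intend to run carries a signature and that the repository's root key matches a key ID you pinned out of band, and then builds a digest-pinned reference for `docker pull`. The repository name, key IDs and digests are constructed placeholders, and the JSON layout is my reading of the `docker trust inspect` output format, stated here as an assumption.

```python
"""Check Docker Content Trust metadata against a pinned root key before pulling.

Added example, not Sonatype's code. Assumes the JSON layout emitted by
`docker trust inspect <repo>` (Name, SignedTags, Signers, AdministrativeKeys).
All names, key IDs and digests below are constructed placeholders.
"""
import json
import subprocess
from typing import Optional, Set

# Constructed sample shaped like `docker trust inspect` output (assumed format).
SAMPLE_TRUST_JSON = json.dumps([
    {
        "Name": "example/iq-server",
        "SignedTags": [
            {"SignedTag": "1.170.0", "Digest": "a" * 64, "Signers": ["Repo Admin"]},
            {"SignedTag": "1.169.0", "Digest": "b" * 64, "Signers": ["Repo Admin"]},
        ],
        "Signers": [{"Name": "Repo Admin", "Keys": [{"ID": "c" * 64}]}],
        "AdministrativeKeys": [
            {"Name": "Root", "Keys": [{"ID": "d" * 64}]},
            {"Name": "Repository", "Keys": [{"ID": "e" * 64}]},
        ],
    }
])

# Root key ID recorded when trust in the repository was first established
# (placeholder value); compare against it on every subsequent pull.
PINNED_ROOT_KEY_ID = "d" * 64


def root_key_ids(trust_entry: dict) -> Set[str]:
    """Collect the root key IDs advertised for one repository entry."""
    return {
        key["ID"]
        for adm in trust_entry.get("AdministrativeKeys", [])
        if adm.get("Name") == "Root"
        for key in adm.get("Keys", [])
    }


def signed_digest(trust_json: str, repo: str, tag: str,
                  pinned_root_key: str) -> Optional[str]:
    """Return the signed sha256 digest for repo:tag, or None if it must not be pulled.

    None is returned when the repository is absent, the root key does not match
    the pinned one (key rotation or a spoofed trust server), or the tag is
    unsigned, so the caller fails closed.
    """
    for entry in json.loads(trust_json):
        if entry.get("Name") != repo:
            continue
        if pinned_root_key not in root_key_ids(entry):
            return None
        for signed in entry.get("SignedTags", []):
            if (signed.get("SignedTag") == tag
                    and signed.get("Signers")
                    and signed.get("Digest")):
                return signed["Digest"]
    return None


def pull_reference(repo: str, digest: str) -> str:
    """Digest-pinned reference: the tag can move, the digest cannot."""
    return f"{repo}@sha256:{digest}"


def live_trust_json(repo: str) -> str:
    """Fetch real trust metadata; requires the docker CLI and network access."""
    proc = subprocess.run(["docker", "trust", "inspect", repo],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    repo, tag = "example/iq-server", "1.170.0"
    digest = signed_digest(SAMPLE_TRUST_JSON, repo, tag, PINNED_ROOT_KEY_ID)
    if digest is None:
        raise SystemExit(f"refusing to pull {repo}:{tag}: trust check failed")
    print("docker pull", pull_reference(repo, digest))
```

Against live data, replace `SAMPLE_TRUST_JSON` with `live_trust_json(repo)`; the pinned root key ID is what turns the first-use trust of plain `DOCKER_CONTENT_TRUST=1` into an explicit check, and pulling by digest ensures the image that was verified is the one that runs.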

Repository Waivers View on Dashboard

The Waivers View on the Dashboard includes Repository waivers.

Performance enhancements to Repositories Results View

The Repository Results view now has better support for pagination and filtering. These changes should improve the performance of this page for large repositories.

Waive all versions of a component with root organization scope

A waiver applied to one version of a component can now be applied to all future versions of that component for the 'Root Organization' scope.

Environment variables for Sonatype Container Scanning are optional

Setting environment variables for Sonatype Container Scanning with Sonatype Lifecycle is now optional.

New configuration setting for deletion of Scan Files

Users can choose to retain or delete older scan files using the property purgeScanFiles for Configuration REST API.

Older scan files that are retained can be promoted to other stages using Promote Scan REST API.

New configuration setting for Automatic Quarantine Release scheduling

Users can choose how often Automatic Quarantine Release is scheduled to run using the quarantine release property for Configuration REST API. By default, it is set to run on an hourly basis.

New labels to highlight specific vulnerabilities in Violations Details

Sonatype Vulnerability Data contains two new labels: Deep Dive (the vulnerability data includes Sonatype-researched details and recommendations) and Advanced Vulnerability Detection (the vulnerability was detected in an embedded dependency).