2024 Release Notes

The Component Coordinates panel accessible from the View Coordinates button on the Component Details page offers the convenience of copying long and complicated package URLs to the clipboard, for use at other places.

It is no longer required to enable the Golden Version feature using the Feature Configuration REST API. The feature is enabled by default for all users of Sonatype Lifecycle and Developer.

This release offers major performance enhancements to Reachability Analysis for faster response times.

Policy constraints can include a condition to match (or do not match) npm coordinates when creating a policy in Sonatype Lifecycle.

The Policy Waiver REST API has been updated to include the new parameter waiverReasonId. Using the POST method, users can assign a waiver reason ID while creating a policy waiver.

The Component Details Page in Sonatype Lifecycle, will now show Golden Versions of a component, if available. Users can replace the violating component to this recommended-non-breaking-with dependencies version that is recommended by the version scoring system to remediate policy violations.

We have improved the stability and performance of the IQ Server databases (PostgreSQL) by reducing the database size on disk to a considerable extent. To experience the performance improvement, we recommend running a vacuum command on PostgreSQL instances running the IQ Server. Refer to Release specific upgrade instructions.

The improved Reachability Analysis now labels policy violations in the Application Report as Reachable, if a vulnerable component is found in the execution path.

Sonatype SBOM Manager offers the capability to copy VEX annotations from an application's previous SBOM to the SBOM for current version. The Copy Annotation option in the Disclosed Vulnerabilities section allows users to copy previous annotation for a vulnerability and avoid rework.

The updated Component End-of-Life (EOL) dashboard under Data Insights in Sonatype Lifecycle displays components of npm, NuGet and PyPI format/ecosystems.

We have tweaked permissions for dashboards under Data Insights in Lifecycle, that will now allow users to view data only for applications to which they have access. Dashboards reflecting this change are Component End-of-Life, Machine Learning AI, Dependency Scorecard, and Shaded Vulnerability Detection.

The minimum IQ Server versions required to view these dashboards is listed below:

This release contains a fix for IQ Server version 179 and 180, in addition to all new features, improvements, and notable bug fixes of version 180.

The capability to display a custom quarantine message due to a Sonatype Repository Firewall policy failure has been extended to the Firewall for Artifactory (FWFA) plugin. Users can provide a custom quarantine message using the quartantineItemCustomMessage property for Configuration REST API to set up more meaningful messages for failed component requests.

The Re-evaluate button on the Application Composition Report is disabled for all reports that are not the latest policy evaluations. This prevents users from encountering page load failures. An on-screen alert message will now inform the users and provide a link to navigate to the latest policy evaluation report.

Sonatype Lifecycle users can seamlessly navigate to Sonatype Developer for a standalone Developer experience, using the solution switcher in the top navigation menu. This offers users a focused and streamlined experience of using the functionalities of Sonatype Developer outside the context of Lifecycle. The context-sensitive switching also allows users to navigate to the Lifecycle user interface when necessary, for e.g. when using Advanced Search or Reports view in Sonatype Developer.

The Feature Configuration REST API now allows skipping schema validations for CycloneDX SBOMs. By enabling the feature skipSbomImportValidation users can also ingest a CycloneDX SBOM that does not comply with the schema specifications and successfully generate an evaluation report.

This release offers major performance enhancements to the Legal Obligations page in the Advanced Legal Pack (ALP). It improves the response times for instances that have a large volume of applications (>10,000).

The new field detectionType obtained in the response of the GET method of Vulnerability Details REST API will indicate the type of vulnerability detection that was used to detect the vulnerable component. The type of vulnerability detection (primary, secondary, AST, unshader) can help plan remediation efforts.

This feature was based on a user contribution in the Ideas Portal.

This release resolves the out of memory error that occurred when calling the Success Metrics REST API.

Sonatype Platform Plugin for Jenkins now offers the ability to enable Reachability Analysis (previously known as Call Flow Analysis.) The availability of this feature is currently limited.

The new query param includeParentRemediation for Component Remediation REST API, when set to true, will return a POST response containing component details for remediating the implicated direct as well as transitive dependencies. The suggested remediation for transitive dependencies is based on the nearest parent dependency.

The Source Control REST API can be used to automatically assign the developer role on a specified application, to all contributors associated with a SCM repository. Using the POST method and providing the applicationId, all contributors associated with an SCM repository will be assigned the developer role for that application in IQ Server/Lifecycle.

Docker images containing absolute paths (when created with tools like buildpacks.io) can now be successfully scanned with Sonatype IQ CLI.

This release fixes an issue with Sonatype IQ CLI that caused the scanning of docker images on the Windows OS to fail.

The new Similar Waivers feature offers the convenience of looking up Similar Waivers for a specific policy violation. The waiver details displayed in the Similar Waivers pane can be useful in determining if the selected policy violation can be waived for similar reasons.

The Similar Waiver REST API retrieves all waivers that are Similar and can potentially be applied to a given policy violation. By providing the policyViolationId in the GET method, the response returns a list of all similar waivers, with details on each waiver.

The Solution Switcher simplifies navigating to different products offered by the Sonatype Platform. Using the Solution Switcher, users can easily transition to using other Sonatype products that are licensed to their organization.

Users can review and evaluate the quality of upgrade decisions taken, using the new Dependency Scorecard. This new dashboard under Data Insights reveals the App Score (calculated per Sonatype's Supply Chain Monitoring guidelines), the age of the components in applications or libraries, and the best version of the component. Based on the placement of an application in the scorecard quadrants, and the key factors determining the App Score, users can determine the next steps to improve their upgrade decisions for the most optimal threat protection.

This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.

The Supply Chain Monitoring dashboard offers insights into the effectiveness of a Sonatype Lifecycle instance in protecting the organization's open-source supply chain. Users can review the health of the open source component supply chain periodically, and take corrective actions like improving the management of critical vulnerabilities and increasing the extent of the protection provided by Sonatype Lifecycle by adding more applications to the instance.

This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.

IQ Server Version Requirements for Data Insights

We have implemented cookie-less embedding of all dashboards using Looker™, under Data Insights. This will ensure the normal functioning of all embedded dashboards in Chrome browsers after third-party cookies have been deprecated by Google Chrome.

This release fixes an issue that did not provide an option to set non-proxy hosts while using Sonatype IQ CLI. Users can now configure no-proxy lists while using Sonatype IQ CLI in environments such as Azure DevOps.

The new experimental Call Flow Analysis REST API can be used to set up the configuration for Call Flow Analysis for an application or organization in Sonatype Lifecycle. With this REST API, users can view, add, or delete a Call Flow Analysis configuration for an application or organization. Sonatype IQ CLI, when performing application scans with Call Flow Analysis, will pick up these configuration settings.

Users can set the policy constraint Identification Source to a new constraint condition, Sonatype-Container when creating policies. This will provide visibility into the policy violations that are specifically detected when scanning Sonatype Containers.

For improved security, Sonatype IQ Server base Docker image no longer supports SHA-1 signed SSL certificates. (This may impact outgoing SSL connections that still use SHA-1 certificates.)

This release fixes an issue that caused errors while scanning CycloneDX SBOMs that were generated from Sonatype IQ Server/Lifecycle.

This release fixes an issue with the component evaluation in Sonatype IQ Server version 173, that blocked the download of quarantined PyPI components even after they were waived.

Sonatype IQ Server/Lifecycle and CLI now have the capability to run in the Java Runtime Environment version 17.

For information on the JRE versions supported for plugins, please refer to Compatibility with Integrations.

The Repository Results View REST API can now be used to view information on components in all repositories at the container level. It also provides the capability to filter the search results based on the values specified for repositoryId and repository managerId in the API call.

The new property apiAccessAllowList enables users to control and manage access to all Sonatype Lifecycle REST APIs. By specifying the usernames in the input JSON for Configuration REST API, access to the REST APIs will be limited to only those users.

The Repository Manager now offers the capability to configure Sonatype Repository Firewall for hosted repositories, including namespace confusion protection. Users can easily enable or disable namespace confusion protection for each hosted repository using the toggle.

The Repository Manager now offers the capability to access proxy repositories, in addition to hosted repositories. Users can configure, and manage role-based access, check namespace confusion protection, and manage policies for individual repositories.

CVE-2024-1142 Path Traversal Vulnerability, Sonatype Discovered January 15, 2024, Medium risk, Severity 5.4

Resolution: Upgrade to IQ Server version 171 or later

The improved workflow for waivers reduces the number of user clicks or steps required to waive a violation. Using the Add Waiver/Request Waiver button on the Violations page accessible from the Dashboard and Reports, users can add or request a waiver, while staying in the context of the violation and avoid multiple clicks.

The response for CycloneDX REST API has been updated to include the field occurrences for each individual component. The SBOM generated by the REST API (per CycloneDX schema specification 1.5) will indicate under the occurrences field, whether a component is installed on multiple locations.

This release contains fixes for versions 170 and 171, in addition to all new features, improvements, and notable bug fixes for version 171.

Integrated Enterprise Reporting (IER) serves as one-stop access to understand the open-source components consumption patterns, including AI/ML components. It summarizes how Lifecycle impacts the security profile of the development pipelines within your organization. Click on Data Insights in the left navigation bar of Lifecycle to view:

The Rolling Recap feature was made possible because of your feedback in the Ideas Portal.

The new dashboard offers insights into the effectiveness of Sonatype Repository Firewall in protecting the users' repositories. The key metrics displayed on the dashboard include:

Users can also retrieve these performance metrics using the new Firewall REST API. A GET request returns a JSON response containing exact counts for the metrics in the list above.

This feature was made possible because of your feedback in the Ideas Portal.

This release offers the capability to set a different policy for the individual repositories under the Repository Managers option. By navigating to the Repository Managers from the left navigation bar, users can select a repository from the drop-down list, to configure the corresponding policy.

This feature was made possible because of your feedback in the Ideas Portal.

SBOMs that do not have the package-URL(pURL) field specified, or could have incomplete or malformed identifiers can now be scanned using the Third-Party Scan REST API . The REST API can now identify the components using the cpe and swid tags when no pURL is specified or is unidentifiable.

The search results retrieved by Advanced Search now include all child organizations in the hierarchy when searching for organizations by organization name.

By setting the new environment variable, NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED to true, Sonatype Container Scanning can now be used to scan Security-Enhanced Linux (SELinux) images.

Sonatype IQ CLI scanner can now be limited to scan only the project dependencies section of Maven pom files, by setting the new parameter excludeMavenDependencyManagement to true.

This release fixes an issue that prevented the identification of licenses if they were specified in the expression field of the CycloneDX SBOM.