Skip to main content

2024 Release Notes

Release 173 (February 2024)


Reduced User Clicks to Waive Violations

The improved workflow for waivers reduces the number of user clicks or steps required to waive a violation. Using the Add Waiver/Request Waiver button on the Violations page accessible from the Dashboard and Reports, users can add or request a waiver, while staying in context of the violation and avoid multiple clicks.

CycloneDX REST API for v1.5

The response for CycloneDX REST API has been updated to include the field occurrences for each individual component. The SBOM generated by the REST API (per CycloneDX schema specification 1.5) will indicate under the occurrences field, whether a component is installed on multiple locations.

Track Resolved Issues

Click here to see the resolved issues in this release.

Release 172 (February 2024)


Emergency Bug Fix Release

This release fixes an issue with version 170 and 171 that could cause out-of-memory errors on high volume installations.

Users running versions 170 and 171 should upgrade to this version immediately.

Release Summary

This release contains fix for versions 170 and 171, in addition to all new features, improvements, and notable bug fixes of version 171.

Release 171 (January 2024)


This version may cause out-of-memory errors on high volume installations. We do not recommend upgrading to this version, unless absolutely necessary.

A fix for this issue will be available soon.

New Features

Sonatype Lifecycle Launches IER to include AI/ML components

Integrated Enterprise Reporting (IER) serves as one-stop access to understand the open-source components consumption patterns, including AI/ML components. It summarizes how Lifecycle impacts the security profile of the development pipelines within your organization. Click on Data Insights in the left navigation bar of Lifecycle to view:

Sonatype Repository Firewall Performance Metrics

Users can now review the performance metrics of Sonatype Repository Firewall using the Firewall REST API. A GET request returns a JSON response containing and exact no. of:

  1. Safe versions of components selected automatically

  2. Components auto-released

  3. Namespace attacks blocked

  4. Supply chain attacks blocked

  5. Components waived

  6. Components quarantined


Customize Policies at the Repository Level

This release offers the capability to set a different policy for the individual repositories under the Repository Managers option. By navigating to the Repository Managers from the left navigation bar, users can select a repository from the drop down list, to configure the corresponding policy.

Scan SBOMs without pURL

SBOMs that do not have the package-URL(pURL) field specified, or could have incomplete or malformed identifiers can now be scanned using the Third-Party Scan REST API . The REST API can now identify the components using the cpe and swid tags, when no pURL is specified or is unidentifiable.

Searching on Orgs using Advanced Search

The search results retrieved by Advanced Search now include all child organizations in the hierarchy, when searching for organizations by organization name.

Container Scan of SELinux Enabled Images

By setting the new environment variable, NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED to true, Sonatype Container Scanning can now be used to scan Security-Enhanced Linux (SELinux) images.

Project Dependency Detection for Maven

Sonatype IQ CLI scanner can now be limited to scan the only the project dependencies section of Maven pom files, by setting the new parameter excludeMavenDependencyManagement to true.

Notable Bug Fixes

Licenses not Identified in CycloneDX SBOM

This release fixes an issue that prevented identification of licenses if they were specified in the expression field of the CycloneDX SBOM.

Track Resolved Issues

Click here to see the resolved issues in this release.