
2024 Release Notes

Release 175 (April 2024)

New Features

Audit Log REST API

The new Audit Log REST API can be used to retrieve audit logs from Sonatype IQ Server for specific time periods. The GET request allows users to specify the start and end dates for the events that will be included in the response.

Improvements

Support for Java 17

Sonatype IQ Server/Lifecycle and CLI now have the capability to run in the Java Runtime Environment version 17.

For information on the JRE versions supported for plugins, please refer to Compatibility with Integrations.

Repository Results View REST API

The Repository Results View REST API can now be used to view information on components in all repositories at the container level. It also provides the capability to filter the search results based on the values specified for repositoryId and repositoryManagerId in the API call.

Configuration REST API

The new property apiAccessAllowList enables users to control and manage access to all Sonatype Lifecycle REST APIs. By specifying the usernames in the input JSON for Configuration REST API, access to the REST APIs will be limited to only those users.

Per Repository Policy Configuration

The Repository Manager now offers the capability to configure Sonatype Repository Firewall for hosted repositories, including namespace confusion protection. Users can easily enable or disable namespace confusion protection for each hosted repository using the toggle.

Notable Bug Fixes

Scanning Docker images

This release fixes an issue with Sonatype IQ CLI that caused the scanning of Docker images to fail for Docker versions 25 and above.

Release 174 (March 2024)

Improvements

Per Repository Policy Management

The Repository Manager now offers the capability to access proxy repositories, in addition to hosted repositories. Users can configure, manage role based access, check namespace confusion protection and manage policies for individual repositories.

Policy Violation Fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. To keep the security posture strong and current, components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks arising from our internal policy violations:

Fix for CVE-2024-1142

CVE-2024-1142 Path Traversal Vulnerability, Sonatype Discovered January 15, 2024, Medium risk, Severity 5.4

Resolution: Upgrade to IQ Server version 171 or later

Release 173 (February 2024)

Improvements

Reduced User Clicks to Waive Violations

The improved workflow for waivers reduces the number of user clicks or steps required to waive a violation. Using the Add Waiver/Request Waiver button on the Violations page, accessible from the Dashboard and Reports, users can add or request a waiver while staying in the context of the violation, avoiding multiple clicks.

CycloneDX REST API for v1.5

The response of the CycloneDX REST API has been updated to include the occurrences field for each individual component. The SBOM generated by the REST API (per CycloneDX schema specification 1.5) indicates under the occurrences field whether a component is installed in multiple locations.

Release 172 (February 2024)

Note

Emergency Bug Fix Release

This release fixes an issue with versions 170 and 171 that could cause out-of-memory errors on high-volume installations.

Users running versions 170 and 171 should upgrade to this version immediately.

Release Summary

This release contains the fix for versions 170 and 171, in addition to all new features, improvements, and notable bug fixes of version 171.

Release 171 (January 2024)

Warning

This version may cause out-of-memory errors on high-volume installations. We do not recommend upgrading to this version unless absolutely necessary.

A fix for this issue will be available soon.

New Features

Sonatype Lifecycle Launches IER to include AI/ML components

Integrated Enterprise Reporting (IER) serves as one-stop access to understand the open-source components consumption patterns, including AI/ML components. It summarizes how Lifecycle impacts the security profile of the development pipelines within your organization. Click on Data Insights in the left navigation bar of Lifecycle to view:

The Rolling Recap feature was made possible because of your feedback in the Ideas Portal.

Sonatype Repository Firewall Performance Metrics

The new dashboard offers insights into the effectiveness of Sonatype Repository Firewall in protecting the users' repositories. The key metrics displayed on the dashboard include:

  1. Safe versions of components selected automatically

  2. Components auto-released

  3. Namespace attacks blocked

  4. Supply chain attacks blocked

  5. Components waived

  6. Components quarantined

Users can also retrieve these performance metrics using the new Firewall REST API. A GET request returns a JSON response containing exact counts for the metrics in the list above.

This feature was made possible because of your feedback in the Ideas Portal.

Improvements

Customize Policies at the Repository Level

This release offers the capability to set a different policy for individual repositories under the Repository Managers option. By navigating to Repository Managers from the left navigation bar, users can select a repository from the drop-down list to configure the corresponding policy.

This feature was made possible because of your feedback in the Ideas Portal.

Scan SBOMs without pURL

SBOMs that do not have the Package URL (pURL) field specified, or that have incomplete or malformed identifiers, can now be scanned using the Third-Party Scan REST API. The REST API can now identify components using the cpe and swid tags when no pURL is specified or the pURL is unidentifiable.

Searching on Orgs using Advanced Search

The search results retrieved by Advanced Search now include all child organizations in the hierarchy, when searching for organizations by organization name.

Container Scan of SELinux Enabled Images

By setting the new environment variable, NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED to true, Sonatype Container Scanning can now be used to scan Security-Enhanced Linux (SELinux) images.

Project Dependency Detection for Maven

The Sonatype IQ CLI scanner can now be limited to scanning only the project dependencies section of Maven pom files by setting the new parameter excludeMavenDependencyManagement to true.

Notable Bug Fixes

Licenses not Identified in CycloneDX SBOM

This release fixes an issue that prevented identification of licenses if they were specified in the expression field of the CycloneDX SBOM.
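Three items in these notes concern the shape of a CycloneDX 1.5 SBOM: the occurrences field under a component's evidence (Release 173), identifying a component by cpe or swid when the purl is missing or malformed (Release 171), and licenses expressed as an SPDX expression rather than a license id (the Release 171 bug fix). The following script is an added example, not Sonatype code, that reads a constructed SBOM and surfaces all three. The purl-then-cpe-then-swid fallback order and the "must start with pkg:" purl check are this example's own assumptions; the page does not describe how IQ Server resolves identity internally.

```python
"""Inspect a CycloneDX 1.5 JSON SBOM for component identity (purl, with cpe/swid
as fallbacks), evidence.occurrences, and licenses given as an SPDX expression."""
import json

# Constructed sample SBOM (not produced by Sonatype); minimal CycloneDX 1.5 shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {   # well-formed purl, one license id, installed in two locations
            "type": "library", "name": "example-lib", "version": "1.2.3",
            "purl": "pkg:maven/org.example/example-lib@1.2.3",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "evidence": {"occurrences": [
                {"location": "app/lib/example-lib-1.2.3.jar"},
                {"location": "app/WEB-INF/lib/example-lib-1.2.3.jar"},
            ]},
        },
        {   # no purl at all; identifiable by cpe; license is an SPDX expression
            "type": "library", "name": "legacy-tool", "version": "0.9",
            "cpe": "cpe:2.3:a:example:legacy-tool:0.9:*:*:*:*:*:*:*",
            "licenses": [{"expression": "MIT OR GPL-2.0-only"}],
            "evidence": {"occurrences": [{"location": "opt/legacy/legacy-tool.jar"}]},
        },
        {   # neither purl nor cpe; identifiable by swid tag
            "type": "application", "name": "vendor-agent", "version": "2.0",
            "swid": {"tagId": "example.com-vendor-agent-2.0",
                     "name": "vendor-agent", "version": "2.0"},
        },
        {   # malformed purl and no other identifier: cannot be identified
            "type": "library", "name": "unknown-blob", "version": "1.0",
            "purl": "not a purl",
        },
    ],
})


def component_identity(component):
    """Return (scheme, identifier) using purl, then cpe, then swid (assumed order);
    None when nothing usable is present. A purl is only accepted when it carries
    the 'pkg:' prefix the purl specification requires."""
    purl = component.get("purl")
    if isinstance(purl, str) and purl.startswith("pkg:"):
        return ("purl", purl)
    cpe = component.get("cpe")
    if isinstance(cpe, str) and cpe.startswith("cpe:"):
        return ("cpe", cpe)
    swid = component.get("swid")
    if isinstance(swid, dict) and swid.get("tagId"):
        return ("swid", swid["tagId"])
    return None


def component_licenses(component):
    """Collect licenses from both shapes CycloneDX allows in the licenses array:
    {'license': {'id' | 'name': ...}} and {'expression': '<SPDX expression>'}."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "")
    return [f for f in found if f]


def summarize_sbom(sbom_json):
    """Parse the SBOM text and return one summary dict per component."""
    bom = json.loads(sbom_json)
    summary = []
    for comp in bom.get("components", []):
        occurrences = comp.get("evidence", {}).get("occurrences", [])
        summary.append({
            "name": comp.get("name"),
            "identity": component_identity(comp),
            "locations": [o.get("location") for o in occurrences],
            "multiple_locations": len(occurrences) > 1,
            "licenses": component_licenses(comp),
        })
    return summary


if __name__ == "__main__":
    for row in summarize_sbom(SAMPLE_SBOM):
        print(row)
```

Running the script on an SBOM exported from the CycloneDX REST API shows at a glance which components lack any usable identifier (and so cannot be matched to vulnerability data), which are installed in more than one location, and which carry license expressions that a consumer reading only license.id would silently drop.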