Skip to main content

2024 Release Notes

Release 185 (December 2024)

New Features

New and Improved Success Metrics Dashboard Under Data Insights

We're excited to introduce an enhanced Success Metrics dashboard under the Data Insights section in the Lifecycle user interface. This dashboard is built to provide a more dynamic and comprehensive view of your organization's security management over time with key information such as the following:

  • Violation Activity - Track violation trends with comprehensive metrics, including totals, averages, and mean time to resolution (MTTR).

  • Application Security - Monitor application onboarding progress, scan coverage, and waiver usage.

  • Component Health - Assess component risk with insights into mitigation scores and quarantine trends.

  • Organizational Performance - Analyze success metrics across your entire organization, from the root level down to specific applications, with role-based access controls for data privacy.

This interactive dashboard allows you to filter data by week, policy type (security, license, quality, and others), and drill down into specific time frames for detailed analysis. Visualize trends over the last 12 months and gain a deeper understanding of your security posture.

Make SSO the Default Login Option

Lifecycle now allows you to streamline user authentication by setting SSO login as the default. This enhancement simplifies the login process by automatically redirecting users to your SSO provider upon accessing Lifecycle. This provides a smoother and more efficient user experience, especially for organizations that rely heavily on SSO for centralized access management. First available in preview in release 171, this feature is now generally available as of release 185.

See the SAML integration help documentation and Configuration REST API documentation for more information on configuring SSO to be your default login option.

This feature was made possible through your feedback in the Sonatype Ideas Portal.

Coordinates Policy Condition Supports Cargo, Cocoapods, Composer, Conan, and Hugging Face Formats

Lifecycle’s Coordinates policy condition now supports Cargo, Cocoapods, Composer, Conan, and Hugging Face (hf-model) package formats alongside the previously supported Maven, npm, and PyPI formats. You can now create policies that specifically target components from these ecosystems without resorting to more complex workarounds like using labels.

Import Binary Files through the SBOM Manager User Interface

You can now easily import binary files directly through the SBOM Manager user interface, expanding your ability to analyze and understand your software components. This streamlined import process allows you to quickly generate SBOMs for your binaries, identify similar components, and gain deeper insights into your software supply chain.

For details, see the SBOM Manager help documentation.

Generate PDF of Bill of Materials Report from SBOM Manager

SBOM Manager now allows you to export a Bill of Materials report as a PDF document, providing a convenient and shareable format for your SBOM data. This new export option includes policy violation and vulnerability details, and is accessible directly from the Bill of Materials view. See the Bill of Materials View help documentation for full details.

Improvements

New Filtering Options in Security Risk Analysis Dashboard

The Security Risk Analysis Dashboard now allows users to filter by organization and application category, allowing for greater flexibility and precision when identifying and managing security vulnerabilities across your software development lifecycle.

Lifecycle Dashboard Performance Improvements

This release improves the Lifecycle dashboard’s performance by reducing database round trips. This results in faster dashboard loading times and reduced memory consumption.

Improved Transfer List Performance

This release improves transfer list performance throughout the application, resulting in faster and more responsive filtering when working with long lists of items. You'll notice this improvement in areas such as the license selection and the application filters.

Removed Old Framework for Data Insights

As detailed in our Sunsetting documentation, we have officially sunsetted our legacy experimental Data Insights framework. If you are on an IQ version earlier than release 171 and navigate to the old Data Insights section in Lifecycle, you will now see an alert informing you that the feature is no longer supported.

To take advantage of our most advanced data capabilities, upgrade to version 171 or higher and check out our growing list of enhanced Insights. See the Data Insights help documentation for details.

Embedded JDKs in IQ Server Docker Images

This release includes optimized IQ Server Docker images that leverage jreleaser assemblies with embedded JDKs. This eliminates unnecessary packages and dependencies, reducing image size and improving both efficiency and security while also aligning the Docker images with the latest advancements in our standalone bundles. Additionally, the updated images now support both linux/amd64 and linux/arm64 architectures, broadening platform compatibility.

Sonatype Container Security Enhancement - OS-Focused Container Scans

Sonatype Container Security now offers the option to focus container scans exclusively on OS-related components and their associated vulnerabilities, excluding other component types like Java (jar) files. You can enable this feature by setting the new environmental variable NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS to true. This enhancement provides greater flexibility and control over scan results, allowing users to concentrate specifically on OS-level security concerns.

Sonatype Developer Enhancements

  • New Reachability Analysis Version for Java - This release updates Reachability Analysis to address an issue that prevented it from running against compressed artifacts. This ensures accurate and comprehensive analysis of your applications, including those packaged with compression formats.

  • Golden PR is Default for Maven when Auto PR is Enabled - Sonatype Developer now enables Golden Pull Requests for Maven projects by default when Auto PRs are enabled. Developers will receive recommendations to upgrade to the Golden Version of a component, streamlining upgrades and ensuring compatibility. This enhancement helps improve developer productivity by suggesting non-breaking upgrades that resolve issues for both the component and its dependencies. See the Golden Version and PR documentation for details on this feature.

  • Fail/Warn Filtering in Developer Priorities (UI and API) - This release introduces a new "fail/warn" filter for Developer Priorities in both the UI and API, allowing you to focus on the most critical components. This filter refines your results to show only components with "fail" or "warn" violations, streamlining your workflow and prioritizing your attention.

    Currently, this filter is enabled by default to ensure you're immediately seeing the most urgent issues. Note that this can currently result in confusing messaging in the UI that will state "all clear no violations" when there still may be violations being filtered out due to their not having fail or warn notification/action. We will revise this wording in a future release to be more clear and conditionally change if filtering is enabled or disabled.

    While the UI toggle to easily enable/disable this feature is coming soon, you can still control the filter programmatically. To disable it, simply set the optionalActionFilter parameter to false in your API calls.

SBOM Manager Enhancements

  • Improved Messaging to Support User Awareness of Imported SBOM Interpretation - SBOM Manager now provides clearer feedback when uploading invalid SBOM files. If an uploaded file fails validation but can still be processed as a binary, SBOM Manager provides a more informative message indicating the issue. This helps avoid confusion and ensures you have the necessary information to correct any syntax errors.

  • Updates to CycloneDX Property Names - This release updates property names in CycloneDX exports to align with Sonatype taxonomy standards and ensure consistency across both Lifecycle and SBOM Manager exports. These changes maintain backward compatibility, allowing seamless import and export functionality with both the old and new property names. See our help documentation for an updated list of Sonatype properties in SBOMs.

  • Standardize CycloneDX File Names - Lifecycle and SBOM Manager can now both ingest CycloneDX SBOMs with the standardized .cdx.xml and cdx.json file extensions. Additionally, exported SBOMs from SBOM Manager now also use the standardized .cdx.xml file extension. This change ensures consistency with industry best practices while maintaining support for existing *-bom.xml|json formats.

  • Improved Accuracy for Similar Matched Components - SBOM Manager now offers enhanced accuracy and consistency when managing CycloneDX SBOMs that contain components with similar matches. Similar matched components imported through a CycloneDX SBOM now retain their original designation and associated metadata, ensuring a consistent and reliable view of your component information throughout the SBOM lifecycle. This improvement strengthens your software supply chain security by providing a more accurate representation of your software's composition.

Firewall Enhancements

Updates to Firewall Dashboard - We've enhanced the Firewall dashboard with improved filtering capabilities, allowing you to refine your view of quarantined components by repository and date. You may also notice updated labels and terminology to clarify the status of quarantined components.

Sunsetting Announcements

Refer to Sunsetting Announcements Details.

Sunsetting a-name: Effective September, 2025 a-name identification process will no longer be supported.

Minimum Version Requirement for PostgreSQL: Sonatype IQ Server for older versions of PostgreSQL will be phased out. Effective from December 2024, PostgreSQL version 14.x will be the minimum version supported.

Sunsetting LORT: Effective October 2024, we are sunsetting the License Obligation Review Tool (LORT)

Sunsetting Legacy Evaluation Report

Sunsetting Shaded Vulnerability Detection Dashboard effective December 17, 2024

Release 184 (November 2024)

New Features

New AI Model Dashboard

Our new AI Model dashboard helps you understand which Hugging Face models are present in your applications and track usage trends across your organization. With this knowledge, you can make informed decisions to mitigate risks and optimize your AI strategy.

This dashboard provides detailed information on the Hugging Face models detected in your applications over the last 90 days. You can filter this data by organization, application, application category, and stage for targeted analysis. Visualizations include a breakdown of detected models, identical model identification across repositories, and a view of model usage in different applications.

To access the dashboard, ensure you are running IQ Server version 184 or higher, have scanned at least one application containing Hugging Face models, and have opted in to share telemetry data with Sonatype.

See the AI Model dashboard help documentation for full details.

AI/ML Governance with Sonatype Lifecycle

The AI/ML model scanning capability with Sonatype IQ CLI and all supported plugins, introduces open-source AI/ML model observability in DevSecOps pipelines. Users can scan AI/ML models downloaded from the Hugging Face (HF) platform to retrieve and maintain the identity of the AI/ML model, in the form of evaluation reports in Lifecycle.

Learn more about the new format/ecosystem and component identifiers for the analysis of AI/ML models.

Security Risk Analysis Dashboard

The Security Risk Analysis Dashboard under Data Insights in Sonatype Lifecycle provides visibility into the daily open violation counts and the time it takes to remediate them. The threat levels of the policy violations in conjunction with the number of violations gives a comprehensive insight into the overall security risk in applications.

Component EOL Policy Constraint in Sonatype Lifecycle

The new policy constraint Component End-of-Life (EOL) allows users to create policies for evaluating applications containing EOL components. The policy actions and remediation for component EOL violations will prevent EOL components from jeopardizing the security of your applications and enable initiatives for a Tech Refresh by encouraging use of newer open-source components.

This feature was based on a user contribution in the Ideas Portal.

Golden Versions in IDE Plugins and Auto PRs

Golden Versions can elevate developer productivity by recommending a version of the component that has non-breaking changes, including its dependencies.

The Golden Versions are now available in the Sonatype IQ Server plugin for IntelliJ IDEA (4.13.0), Sonatype IQ Server plugin for Eclipse (3.3.0) and Sonatype IQ Server IDE plugin for VS Code (1.2.0) to enable the developers apply violation fixes within the context of the development environment.

This feature was based on a user contribution in the Ideas Portal.

Improvements

Easy Copy Package URLs

The Component Coordinates panel accessible from the View Coordinates button on the Component Details page offers the convenience of copying long and complicated package URLs to the clipboard, for use at other places.

Golden Versions Auto-enabled

It is no longer required to enable the Golden Version feature using the Feature Configuration REST API. The feature is enabled by default for all users of Sonatype Lifecycle and Developer.

Important Upgrade Impact

If you enabled the Golden Versions feature in release 183 and then upgraded IQ server to 184, you will need to disable and re-enable the feature post-upgrade in order to access it. This is a one-time requirement and will not be required after your next upgrade.

Reachability Analysis Performance Enhancements

This release offers major performance enhancements to Reachability Analysis for faster response times.

Policy Constraints Now Include npm coordinates

Policy constraints can include a condition to match (or do not match) npm coordinates when creating a policy in Sonatype Lifecycle.

Retrieve Paginated List of Priorities for a Scan/Evaluation

Users can now use a new /v2/developer/priorities API endpoint to retrieve a paginated list of priorities for a given scan/evaluation. You can also export them to CSV format through a new /v2/developer/priorities/export endpoint.

SBOM Manager Enhancements

  • Software Bill of Materials that failed validation have a warning message indicating the failure

  • An optional argument is added to the SBOM Import API to set the version ID on the upload of SBOMs

  • SBOM Manager Search includes links to the specific version and vulnerability

Sunsetting Announcements

Refer to Sunsetting Announcements Details.

Minimum Version Requirement for PostgreSQL: Sonatype IQ Server for older versions of PostgreSQL will be phased out. Effective from December 2024, PostgreSQL version 14.x will be the minimum version supported.

Sunsetting LORT: Effective October 2024, we are sunsetting the License Obligation Review Tool (LORT)

Sunsetting Legacy Evaluation Report

Sunsetting Shaded Vulnerability Detection Dashboard

Release 183 (October 2024)

Announcements

Java Versions Support

Starting from release 179 onwards, support for running Sonatype IQ Server and Sonatype IQ CLI on Java 8 and 11 has been phased out. We strongly recommend running Sonatype IQ Server and IQ CLI on Java 17 or higher. Users may need to reconfigure the signature algorithm on their identity provider platform as SHA-1 is no longer supported.

Although Java 17 is required to run IQ Server and IQ CLI, there is no change in the supported versions of Java for application scanning and analysis.

Installation with Bundled JDK

This release is also available in installation packages that include application binaries bundled with JDK.

The bundled JDK option is available here: Download and Compatibility

Minimum Version Requirement for PostgreSQL

Sonatype IQ Server for older versions of PostgreSQL will be phased out. Effective from December 2024, PostgreSQL version 14.x will be the minimum version supported.

New Features

Waiver Reasons

Sonatype Lifecycle users can now add appropriate reasons when creating a waiver for a policy violation. This will enhance the ability to categorize waivers under same waiver reasons and improve visibility into the decision-making process for remediation.

The new Waiver Reasons REST API allows users to view all the predefined waiver reasons that can be applied to a waiver.

This feature was based on a user contribution in the Ideas Portal.

Golden Versions in Sonatype Developer

Golden Versions and Golden PR Comments can elevate developer productivity by recommending a version of the component that has non-breaking changes, including its dependencies.

The Golden Pull Requests (PR) comments, which are generated in the Source Control Management systems supported by the Sonatype IQ Server SCM plugins (GitHub, GitLab, Bitbucket, and Azure DevOps) will contain recommendation to the change to the Golden Version of the component.

This feature was based on a user contribution in the Ideas Portal.

Improvements

Policy Waiver REST API

The Policy Waiver REST API has been updated to include the new parameter waiverReasonId. Using the POST method, users can assign a waiver reason ID while creating a policy waiver.

Component Golden Versions in Lifecycle

The Component Details Page in Sonatype Lifecycle, will now show Golden Versions of a component, if available. Users can replace the violating component to this recommended-non-breaking-with dependencies version that is recommended by the version scoring system to remediate policy violations.

Enhanced Database Stability and Performance

We have improved the stability and performance of the IQ Server databases (PostgreSQL) by reducing the database size on disk to a considerable extent. To experience the performance improvement, we recommend running a vacuum command on PostgreSQL instances running the IQ Server. Refer to Release specific upgrade instructions.

View Reachability in Application Reports

The improved Reachability Analysis now labels policy violations in the Application Report as Reachable, if a vulnerable component is found in the execution path.

SBOM Manager Enhancements

  • Binary archives may be analyzed using SBOM Manager to generate a Bill of Materials; this is currently only supported via API but will be available via UI in a future release

  • Exporting PDF reports has been added to the SBOM Bill of Materials

  • Bill of Material reports now support importing and displaying unknown components from binary archives

Release 182 (September 2024)

Announcements

Shaded Vulnerability Detection Starting Soon

Shaded Vulnerability Data covering all Critical shaded vulnerabilities will be rolled out to Sonatype customers starting 09/09/2024 (Drip 1.) This might lead to a jump in new policy violations. Refer to Shaded Vulnerability Detection for more information.Shaded Vulnerability Detection

Java Versions Support

Starting from release 179 onwards, support for running Sonatype IQ Server and Sonatype IQ CLI on Java 8 and 11 has been phased out. We strongly recommend running Sonatype IQ Server and IQ CLI on Java 17 or higher. Users may need to reconfigure the signature algorithm on their identity provider platform as SHA-1 is no longer supported.

Although Java 17 is required to run IQ Server and IQ CLI, there is no change in the supported versions of Java for application scanning and analysis.

Minimum Version Requirement for PostgreSQL

Sonatype IQ Server support for older versions of PostgreSQL is being phased out. Effective from October 2024, PostgreSQL version 14.x will be the minimum version supported.

Firewall Guided Setup Temporarily Disabled

The Guided Setup for Sonatype Repository Firewall has been disabled in this release.

New Features

Stage Selection for Success Metrics in Lifecycle

Sonatype Lifecycle users can now limit the generation of Success Metrics to a specific stage (source, build, stage-release, release and operate.)

The new property successMetricsStageID added to the Configuration REST API, enables users to set a specific licensed stage to generate Success Metrics, instead of generating this data for all stages, by default.

This feature was based on a user contribution in the Ideas Portal.

Improvements

Copy VEX Annotations in SBOM Manager

Sonatype SBOM Manager offers the capability to copy VEX annotations from an application's previous SBOM to the SBOM for current version. The Copy Annotation option in the Disclosed Vulnerabilities section allows users to copy previous annotation for a vulnerability and avoid rework.

Component EOL Dashboard Updates in Lifecycle

The updated Component End-of-Life (EOL) dashboard under Data Insights in Sonatype Lifecycle displays components of npm, NuGet and PyPI format/ecosystems.

Notable Bug Fixes

Access to Application Data in Data Insights for Lifecycle

We have tweaked permissions for dashboards under Data Insights in Lifecycle, that will now allow users to view data only for applications to which they have access. Dashboards reflecting this change are Component End-of-Life, Machine Learning AI, Dependency Scorecard, and Shaded Vulnerability Detection.

The minimum IQ Server versions required to view these dashboards is listed below:

Data Insights/Dashboards

Minimum IQ Server Version

Component End-of-Life

Release 177

Machine Learning AI

Release 177

Rolling Recap Dashboard

Release 171

Supply Chain Monitoring

Release 171

Dependency Scorecard

Release 177

Shaded Vulnerability DetectionShaded Vulnerability Detection

Release 177

Stack Divergence

Release 171

Upgrade Posture

Release 171

Release 181 (August 2024)

Note

Emergency Bug Fix Release

This release fixes an issue with versions 179 and 180 that could cause IQ Server instances to shut down when using Source Control Management (SCM) features like Automated Pull Requests and Pull Request Commenting.

Users running versions 179 or 180 should upgrade to this version immediately.

New Features

No new features are being added to this Release. This is a Bug-Fix release.

Release Summary

This release contains a fix for IQ Server version 179 and 180, in addition to all new features, improvements, and notable bug fixes of version 180.

Release 180 (August 2024)

Sonatype Developer Now Available to all Lifecycle Users

Sonatype Developer (previously released as Preview Only) brings a developer-centric experience to manage the quality of open-source components for all Lifecycle users. Using the solution switcher, Lifecycle users can easily access Sonatype Developer.

Learn more about Sonatype Developer.

New Features

Support for Fingerprinting Java 21 and 22

IQ Server and the IQ CLI Scanner now support Java 21 and 22 bytecode fingerprinting.

Added support for CycloneDX 1.6

The IQ Server is updated to support the CycloneDX Core Java library for the 1.6 version of the CycloneDX specification for export and application analysis. The validation library now supports specification 1.6 to ingest SBOM in XML and JSON formats through the SBOM Manager UI.

Custom Quarantine Messages for FWFA

The capability to display a custom quarantine message due to a Sonatype Repository Firewall policy failure has been extended to the Firewall for Artifactory (FWFA) plugin. Users can provide a custom quarantine message using the quartantineItemCustomMessage property for Configuration REST API to set up more meaningful messages for failed component requests.

Improvements

Re-evaluation of Stale Policy Evaluation Reports

The Re-evaluate button on the Application Composition Report is disabled for all reports that are not the latest policy evaluations. This prevents users from encountering page load failures. An on-screen alert message will now inform the users and provide a link to navigate to the latest policy evaluation report.

Sonatype Developer Navigation Enhancements

Sonatype Lifecycle users can seamlessly navigate to Sonatype Developer for a standalone Developer experience, using the solution switcher in the top navigation menu. This offers users a focused and streamlined experience of using the functionalities of Sonatype Developer outside the context of Lifecycle. The context-sensitive switching also allows users to navigate to the Lifecycle user interface when necessary, for e.g. when using Advanced Search or Reports view in Sonatype Developer.

Flexibility in Scanning CycloneDX SBOMs

The Feature Configuration REST API now allows skipping schema validations for CycloneDX SBOMs. By enabling the feature skipSbomImportValidation users can also ingest a CycloneDX SBOM that does not comply with the schema specifications and successfully generate an evaluation report.

ALP Legal Obligations Page Performance Improvements

This release offers major performance enhancements to the Legal Obligations page in the Advanced Legal Pack (ALP). It improves the response times for instances that have a large volume of applications (>10,000).

Detect the Type of Vulnerability Detection System

The new field detectionType obtained in the response of the GET method of Vulnerability Details REST API will indicate the type of vulnerability detection that was used to detect the vulnerable component. The type of vulnerability detection (primary, secondary, AST, unshader) can help plan remediation efforts.

This feature was based on a user contribution in the Ideas Portal.

Java 8 and 11 in Extended Maintenance

IQ and IQ CLI release 179 was the last to support Java 8 and 11, both of which are now in Extended Maintenance as defined in our Sunsetting documentation. If you are unable to upgrade to Java 17, you will need to remain on release 179 until you can do so. Release 179 is available in the Download Archives

Notable Bug Fix

Out of Memory error for Success Metrics API

This release resolves the out of memory error that occurred when calling the Success Metrics REST API.

Release 179 (July 2024)

Announcing our Latest Product Offering: Sonatype Developer (Preview only)

Sonatype Developer brings a developer-centric experience to manage the quality of open-source components.  Developers can easily access prioritized and actionable suggestions to improve the quality and security posture of their applications and eliminate rework.

Sonatype Developer brings the component intelligence and policy enforcement of the IQ Server within the context of CI/CD pipelines, SCM tools, issue tracking systems, and IDEs for easy access, to help plan and prioritize remediation tasks.

Learn more about Sonatype Developer.

Sonatype Developer is available in this release for preview only.Contact your customer success representative to find out how Sonatype Developer may fit your needs.

New Features

Preview - Reachability Analysis

Sonatype Platform Plugin for Jenkins now offers the ability to enable Reachability Analysis (previously known as Call Flow Analysis.) The availability of this feature is currently limited.

Improvements

Remediation Details for Parent Dependencies

The new query param includeParentRemediation for Component Remediation REST API, when set to true, will return a POST response containing component details for remediating the implicated direct as well as transitive dependencies. The suggested remediation for transitive dependencies is based on the nearest parent dependency.

Automatic Role Assignment for SCM Users

The Source Control REST API can be used to automatically assign the developer role on a specified application, to all contributors associated with a SCM repository. Using the POST method and providing the applicationId, all contributors associated with an SCM repository will be assigned the developer role for that application in IQ Server/Lifecycle.

Note

Support for Java 8 and 11 is being phased out for Sonatype IQ Server and Sonatype IQ CLI from this release onwards. Java 17 is recommended for this release.

Java 17 will be required from the next release onwards.

Notable Bug Fixes

Scanning Docker Images Having Absolute Paths

Docker images containing absolute paths (when created with tools like buildpacks.io) can now be successfully scanned with Sonatype IQ CLI.

Scanning Docker Images on Windows OS

This release fixes an issue with Sonatype IQ CLI that caused the scanning of docker images on the Windows OS to fail.

Release 178 (June 2024)

Note

This release fixes an upgrade issue with Sonatype IQ Server versions 169 and above, which rendered the upgraded instance in a non-functioning state when the upgrade process was interrupted.

New Features

Streamlined Workflow for Waivers

The new Similar Waivers feature offers the convenience of looking up Similar Waivers for a specific policy violation. The waiver details displayed in the Similar Waivers pane can be useful in determining if the selected policy violation can be waived for similar reasons.

The Similar Waiver REST API retrieves all waivers that are Similar and can potentially be applied to a given policy violation. By providing the policyViolationId in the GET method, the response returns a list of all similar waivers, with details on each waiver.

Solution Switcher for Sonatype Platform

The Solution Switcher simplifies navigating to different products offered by the Sonatype Platform. Using the Solution Switcher, users can easily transition to using other Sonatype products that are licensed to their organization.

Release 177 (June 2024)

Announcing our Latest Product Offering: SBOM Manager

We are proud to announce SBOM Manager, with dual deployment options, SaaS and self-hosted (on-premise) for customers looking to streamline SBOM Management.

With SBOM Manager users can catalog third-party SBOMs, associated with applications or libraries, in a configurable organizational structure that mimics their company's organizational structure or business units.

Powered by the Sonatype Component Intelligence spanning over 14 ecosystems, the SBOM Manager analyzes each component in the ingested SBOM and provides a detailed vulnerability profile, including transitive dependencies. This information can be used to audit third-party applications and libraries to ensure compliance with organizational or Federal policies.

The VEX workflow allows users to communicate the exploitability status or provide clarity on vulnerabilities that may or may not pose a risk. SBOM Manager can embed user annotations in CycloneDX format for downstream consumption, to facilitate decision-making for rapid roll-outs by eliminating blockers.

Contact your Customer Success representative to find out how SBOM Manager may fit your compliance needs. 

Learn more about SBOM Manager.

New Features

Dependency Scorecard

Users can review and evaluate the quality of upgrade decisions taken, using the new Dependency Scorecard. This new dashboard under Data Insights reveals the App Score (calculated per Sonatype's Supply Chain Monitoring guidelines), the age of the components in applications or libraries, and the best version of the component. Based on the placement of an application in the scorecard quadrants, and the key factors determining the App Score, users can determine the next steps to improve their upgrade decisions for the most optimal threat protection.

This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.

Supply Chain Monitoring

The Supply Chain Monitoring dashboard offers insights into the effectiveness of a Sonatype Lifecycle instance in protecting the organization's open-source supply chain. Users can review the health of the open source component supply chain periodically, and take corrective actions like improving the management of critical vulnerabilities and increasing the extent of the protection provided by Sonatype Lifecycle by adding more applications to the instance.

This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.

IQ Server Version Requirements for Data Insights

Data Insights/Dashboards

Minimum IQ Server Version

Component End-of-Life

Release 177

Machine Learning AI

Release 177

Rolling Recap Dashboard

Release 171

Supply Chain Monitoring

Release 171

Dependency Scorecard

Release 177

Shaded Vulnerability DetectionShaded Vulnerability Detection

Release 177

Stack Divergence

Release 171

Upgrade Posture

Release 171

Improvements

Compatibility with Chrome Cookie Deprecation

We have implemented cookie-less embedding of all dashboards using Looker™, under Data Insights. This will ensure the normal functioning of all embedded dashboards in Chrome browsers after third-party cookies have been deprecated by Google Chrome.

Notable Bug Fixes

Fix for Sonatype IQ CLI

This release fixes an issue that did not provide an option to set non-proxy hosts while using Sonatype IQ CLI. Users can now configure no-proxy lists while using Sonatype IQ CLI in environments such as Azure DevOps.

Release 176 (May 2024)

New Features

Experimental REST API for Call Flow Analysis

The new experimental Call Flow Analysis REST API can be used to set up the configuration for Call Flow Analysis for an application or organization in Sonatype Lifecycle. With this REST API, users can view, add, or delete a Call Flow Analysis configuration for an application or organization. Sonatype IQ CLI, when performing application scans with Call Flow Analysis, will pick up these configuration settings.

Improvements

Identify Policy Violations Detected During Container Scan

Users can set the policy constraint Identification Source to a new constraint condition, Sonatype-Container when creating policies. This will provide visibility into the policy violations that are specifically detected when scanning Sonatype Containers.

Deprecated support for SHA-1

For improved security, Sonatype IQ Server base Docker image no longer supports SHA-1 signed SSL certificates. (This may impact outgoing SSL connections that still use SHA-1 certificates.)

Notable Bug Fixes

Errors Analyzing CycloneDX SBOM

This release fixes an issue that caused errors while scanning CycloneDX SBOMs that were generated from Sonatype IQ Server/Lifecycle.

Download of Waived Quarantined Components

This release fixes an issue with the component evaluation in Sonatype IQ Server version 173, that blocked the download of quarantined PyPI components even after they were waived.

Release 175 (April 2024)

New Features

Audit Log REST API

The new Audit Log REST API can be used to retrieve audit logs from Sonatype IQ Server for specific time periods. The GET request allows users to specify the start and end dates for the events that will be included in the response.

Improvements

Support for Java 17

Sonatype IQ Server/Lifecycle and CLI now have the capability to run in the Java Runtime Environment version 17.

For information on the JRE versions supported for plugins, please refer to Compatibility with Integrations.

Repository Results View REST API

The Repository Results View REST API can now be used to view information on components in all repositories at the container level. It also provides the capability to filter the search results based on the values specified for repositoryId and repository managerId in the API call.

Configuration REST API

The new property apiAccessAllowList enables users to control and manage access to all Sonatype Lifecycle REST APIs. By specifying the usernames in the input JSON for Configuration REST API, access to the REST APIs will be limited to only those users.

Per Repository Policy Configuration

The Repository Manager now offers the capability to configure Sonatype Repository Firewall for hosted repositories, including namespace confusion protection. Users can easily enable or disable namespace confusion protection for each hosted repository using the toggle.Repository Manager View

Notable Bug Fixes

Scanning Docker images

This release fixes an issue with Sonatype IQ CLI that caused the scanning of Docker images to fail for Docker versions 25 and above.

Release 174 (March 2024)

Improvements

Per Repository Policy Management

The Repository Manager now offers the capability to access proxy repositories, in addition to hosted repositories. Users can configure, and manage role-based access, check namespace confusion protection, and manage policies for individual repositories.Repository Management

Policy Violation Fixes

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

Fix for CVE-2024-1142

CVE-2024-1142 Path Traversal Vulnerability, Sonatype Discovered January 15, 2024, Medium risk, Severity 5.4

Resolution: Upgrade to IQ Server version 171 or later

Release 173 (February 2024)

Improvements

Reduced User Clicks to Waive Violations

The improved workflow for waivers reduces the number of user clicks or steps required to waive a violation. Using the Add Waiver/Request Waiver button on the Violations page accessible from the Dashboard and Reports, users can add or request a waiver, while staying in the context of the violation and avoid multiple clicks.

CycloneDX REST API for v1.5

The response for CycloneDX REST API has been updated to include the field occurrences for each individual component. The SBOM generated by the REST API (per CycloneDX schema specification 1.5) will indicate under the occurrences field, whether a component is installed on multiple locations.

Release 172 (February 2024)

Note

Emergency Bug Fix Release

This release fixes an issue with versions 170 and 171 that could cause out-of-memory errors on high-volume installations.

Users running versions 170 and 171 should upgrade to this version immediately.

Release Summary

This release contains fixes for versions 170 and 171, in addition to all new features, improvements, and notable bug fixes for version 171.

Release 171 (January 2024)

Warning

This version may cause out-of-memory errors on high-volume installations. We do not recommend upgrading to this version, unless absolutely necessary.

A fix for this issue will be available soon.

New Features

Sonatype Lifecycle Launches IER to include AI/ML components

Integrated Enterprise Reporting (IER) serves as one-stop access to understand the open-source components consumption patterns, including AI/ML components. It summarizes how Lifecycle impacts the security profile of the development pipelines within your organization. Click on Data Insights in the left navigation bar of Lifecycle to view:

The Rolling Recap feature was made possible because of your feedback in the Ideas Portal.

Sonatype Repository Firewall Performance Metrics

The new dashboard offers insights into the effectiveness of Sonatype Repository Firewall in protecting the users' repositories. The key metrics displayed on the dashboard include:

  1. Safe versions of components selected automatically

  2. Components auto-released

  3. Namespace attacks blocked

  4. Supply chain attacks blocked

  5. Components waived

  6. Components quarantined

Users can also retrieve these performance metrics using the new Firewall REST API. A GET request returns a JSON response containing exact counts for the metrics in the list above.

This feature was made possible because of your feedback in the Ideas Portal.

Improvements

Customize Policies at the Repository Level

This release offers the capability to set a different policy for the individual repositories under the Repository Managers option. By navigating to the Repository Managers from the left navigation bar, users can select a repository from the drop-down list, to configure the corresponding policy.

This feature was made possible because of your feedback in the Ideas Portal.

Scan SBOMs without pURL

SBOMs that do not have the package-URL(pURL) field specified, or could have incomplete or malformed identifiers can now be scanned using the Third-Party Scan REST API . The REST API can now identify the components using the cpe and swid tags when no pURL is specified or is unidentifiable.

Searching on Orgs using Advanced Search

The search results retrieved by Advanced Search now include all child organizations in the hierarchy when searching for organizations by organization name.

Container Scan of SELinux Enabled Images

By setting the new environment variable, NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED to true, Sonatype Container Scanning can now be used to scan Security-Enhanced Linux (SELinux) images.

Project Dependency Detection for Maven

Sonatype IQ CLI scanner can now be limited to scan only the project dependencies section of Maven pom files, by setting the new parameter excludeMavenDependencyManagement to true.

Notable Bug Fixes

Licenses not Identified in CycloneDX SBOM

This release fixes an issue that prevented the identification of licenses if they were specified in the expression field of the CycloneDX SBOM.