2024 Release Notes
Release 179 (July 2024)
Announcing our Latest Product Offering: Sonatype Developer
Sonatype Developer brings a developer-centric experience to managing the quality of open source components. Developers can easily access prioritized and actionable suggestions to improve the quality and security posture of their applications and eliminate rework. Sonatype Developer brings the component intelligence and policy enforcement of the IQ Server into the context of CI/CD pipelines, SCM tools, issue tracking systems, and IDEs, where it is easy to access and helps plan and prioritize remediation tasks. Learn more about Sonatype Developer. Contact your customer success representative to find out how Sonatype Developer may fit your needs.
New Features
Preview - Reachability Analysis
Sonatype Platform Plugin for Jenkins now offers the ability to enable Reachability Analysis (previously known as Call Flow Analysis.) The availability of this feature is currently limited.
Improvements
Remediation Details for Parent Dependencies
The new query parameter includeParentRemediation for the Component Remediation REST API, when set to true, returns a POST response containing component details for remediating the implicated direct as well as transitive dependencies. The suggested remediation for a transitive dependency is based on its nearest parent dependency.
Automatic Role Assignment for SCM Users
The Source Control REST API can be used to automatically assign the developer role on a specified application to all contributors associated with an SCM repository. Using the POST method and providing the applicationId, all contributors associated with the SCM repository are assigned the developer role for that application in IQ Server/Lifecycle.
Note
Support for Java 8 and 11 is being phased out for Sonatype IQ Server and Sonatype IQ CLI from this release onwards. Java 17 is recommended for this release.
Java 17 will be required from next release onwards.
Notable Bug Fixes
Scanning Docker Images Having Absolute Paths
Docker images containing absolute paths (when created with tools like buildpacks.io) can now be successfully scanned with Sonatype IQ CLI.
Scanning Docker Images on Windows OS
This release fixes an issue with Sonatype IQ CLI that caused scanning of docker images on the Windows OS to fail.
Release 178 (June 2024)
Note
This release fixes an upgrade issue with Sonatype IQ Server versions 169 and above, that rendered the upgraded instance in a non-functioning state, if the upgrade process was interrupted.
New Features
Streamlined Workflow for Waivers
The new Similar Waivers feature offers the convenience of looking up Similar Waivers for a specific policy violation. The waiver details displayed in the Similar Waivers pane can be useful in determining if the selected policy violation can be waived for similar reasons.
The Similar Waiver REST API retrieves all waivers that are Similar and can potentially be applied to a given policy violation. By providing the policyViolationId in the GET method, the response returns a list of all similar waivers, with details on each waiver.
Solution Switcher for Sonatype Platform
The Solution Switcher simplifies navigating to different products offered by the Sonatype Platform. Using the Solution Switcher, users can easily transition to use other Sonatype products that are licensed to their organization.
Release 177 (June 2024)
Announcing our Latest Product Offering: SBOM Manager
We are proud to announce SBOM Manager, with dual deployment options, SaaS and self-hosted (on-premise), for customers looking to streamline SBOM management. With SBOM Manager, users can catalog third-party SBOMs associated with applications or libraries in a configurable organizational structure that mirrors their company's organizational structure or business units. Powered by Sonatype Component Intelligence spanning over 14 ecosystems, SBOM Manager analyzes each component in the ingested SBOM and provides a detailed vulnerability profile, including transitive dependencies. This information can be used to audit third-party applications and libraries to ensure compliance with organizational or Federal policies. The VEX workflow allows users to communicate the exploitability status of vulnerabilities, or to provide clarity on vulnerabilities that may or may not pose a risk. SBOM Manager can embed user annotations in CycloneDX format for downstream consumption, to facilitate decision making for rapid roll-outs by eliminating blockers. Contact your Customer Success representative to find out how SBOM Manager may fit your compliance needs.
New Features
Dependency Scorecard
Users can review and evaluate the quality of the upgrade decisions they have taken using the new Dependency Scorecard. This new dashboard under Data Insights reveals the App Score (calculated per Sonatype's Supply Chain Monitoring guidelines), the age of the components in applications or libraries, and the best version of each component. Based on the placement of an application in the scorecard quadrants, and on the key factors determining the App Score, users can determine the next steps to improve their upgrade decisions for optimal threat protection.
This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.
Supply Chain Monitoring
The Supply Chain Monitoring dashboard offers insights into the effectiveness of a Sonatype Lifecycle instance in protecting the organization's open source supply chain. Users can periodically review the health of the open source component supply chain and take corrective actions, such as improving the management of critical vulnerabilities or extending the protection provided by Sonatype Lifecycle by adding more applications to the instance.
This feature is available under Data Insights for Sonatype IQ Server versions 171 and higher.
Improvements
Compatibility with Chrome Cookie Deprecation
We have implemented cookie-less embedding of all dashboards using Looker™, under Data Insights. This will ensure normal functioning of all embedded dashboards in Chrome browsers, after third-party cookies have been deprecated by Google Chrome.
Notable Bug Fixes
Fix for Sonatype IQ CLI
This release fixes an issue that did not provide an option to set non-proxy hosts while using Sonatype IQ CLI. Users can now configure no-proxy lists while using Sonatype IQ CLI in environments such as Azure DevOps.
Release 176 (May 2024)
New Features
Experimental REST API for Call Flow Analysis
The new experimental Call Flow Analysis REST API can be used to set up the Call Flow Analysis configuration for an application or organization in Sonatype Lifecycle. With this REST API, users can view, add, or delete a Call Flow Analysis configuration for an application or organization. Sonatype IQ CLI, when performing application scans with Call Flow Analysis, will pick up these configuration settings.
Improvements
Identify Policy Violations Detected During Container Scan
Users can set the policy constraint Identification Source to a new constraint condition, Sonatype-Container, when creating policies. This will provide visibility into the policy violations that are specifically detected when scanning Sonatype Containers.
Deprecated Support for SHA-1
For improved security, the Sonatype IQ Server base Docker image no longer supports SHA-1 signed SSL certificates. (This may impact outgoing SSL connections to servers that still present SHA-1 signed certificates.)
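An added example (not Sonatype's code) for finding the outgoing connections this change will break: it inspects the text that `openssl x509 -noout -text` prints for a server's certificate and flags SHA-1 signature algorithms. The two sample excerpts are constructed, and the `fetch_chain_text` helper assumes an `openssl` binary is on the PATH.

```python
"""
Added example (not Sonatype code): detect SHA-1 signed certificates that the
IQ Server base image will no longer accept for outgoing SSL connections.

Feed it the text output of, for each host IQ Server connects to:

    openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
        | openssl x509 -noout -text

Only the 'Signature Algorithm' lines are inspected; the samples below are
constructed excerpts, not real certificates.
"""
import re
import subprocess

# Signature algorithm names OpenSSL prints for SHA-1 based signatures
SHA1_ALGORITHMS = {
    "sha1WithRSAEncryption",
    "sha1WithRSA",
    "ecdsa-with-SHA1",
    "dsaWithSHA1",
}

_SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)


def signature_algorithms(x509_text: str) -> list[str]:
    """Return every 'Signature Algorithm' value in openssl x509 -text output,
    in order of appearance. OpenSSL prints it twice per certificate: once in
    the to-be-signed block and once just before the signature bytes."""
    return _SIG_RE.findall(x509_text)


def uses_sha1(x509_text: str) -> bool:
    """True if any signature algorithm in the text is SHA-1 based."""
    return any(alg in SHA1_ALGORITHMS for alg in signature_algorithms(x509_text))


def fetch_chain_text(host: str, port: int = 443) -> str:
    """Dump the leaf certificate presented by host:port via the openssl CLI.
    Requires the openssl binary; not used by the offline samples below."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return x509.stdout.decode()


# Constructed sample excerpts of `openssl x509 -noout -text` output
SAMPLE_SHA1 = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Internal CA
    Signature Algorithm: sha1WithRSAEncryption
         1a:2b:3c
"""

SAMPLE_SHA256 = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4661 (0x1235)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Internal CA
    Signature Algorithm: sha256WithRSAEncryption
         4d:5e:6f
"""

if __name__ == "__main__":
    for name, text in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        verdict = "SHA-1 signed, will be rejected" if uses_sha1(text) else "ok"
        print(f"{name}: {verdict}")
```

`openssl x509` only reads the first certificate that `s_client` prints, which is the leaf; intermediates in the chain must be checked the same way (use `-showcerts` and split the PEM blocks), since a SHA-1 signed intermediate fails validation just as a SHA-1 signed leaf does.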
Notable Bug Fixes
Errors Analyzing CycloneDX SBOM
This release fixes an issue that caused errors while scanning CycloneDX SBOMs that were generated from Sonatype IQ Server/Lifecycle.
Download of Waived Quarantined Components
This release fixes an issue with the component evaluation in Sonatype IQ Server version 173, that blocked the download of quarantined PyPI components even after they were waived.
Release 175 (April 2024)
New Features
Audit Log REST API
The new Audit Log REST API can be used to retrieve audit logs from Sonatype IQ Server for specific time periods. The GET request allows users to specify the start and end dates for the events that will be included in the response.
Improvements
Support for Java 17
Sonatype IQ Server/Lifecycle and CLI now have the capability to run in the Java Runtime Environment version 17.
For information on the JRE versions supported for plugins, please refer to Compatibility with Integrations.
Repository Results View REST API
The Repository Results View REST API can now be used to view information on components in all repositories at the container level. It also provides the capability to filter the search results based on the values specified for repositoryId and repository managerId in the API call.
Configuration REST API
The new property apiAccessAllowList enables users to control and manage access to all Sonatype Lifecycle REST APIs. By specifying usernames in the input JSON for the Configuration REST API, access to the REST APIs is limited to only those users.
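An added example (not Sonatype's code) of preparing and pushing an apiAccessAllowList. It assumes the property is set like other Configuration REST API properties, with a PUT to `/api/v2/config` carrying a JSON body keyed by property name, and that the caller holds a System Administrator user/token pair; the server URL, usernames and credentials are placeholders. The normalisation step refuses a list that omits the acting administrator, because once the list is applied, unlisted accounts can no longer call the API that would undo it.

```python
"""
Added example (not Sonatype code): restrict REST API access to named users
with the apiAccessAllowList property described in the release notes.

Assumptions (not confirmed by the release notes): the property is written
with PUT /api/v2/config and a JSON body keyed by property name, and the
request is authenticated with HTTP Basic credentials of an administrator.
"""
import base64
import json
import urllib.request

IQ_URL = "http://iq-server.example.com:8070"   # placeholder server URL
ADMIN_USER = "admin"                            # placeholder acting admin


def build_allow_list(requested: list[str], acting_user: str) -> list[str]:
    """Strip and de-duplicate usernames (keeping order) and refuse a list
    that would lock the acting administrator out of the REST API."""
    seen, cleaned = set(), []
    for name in requested:
        name = name.strip()
        if not name or name in seen:
            continue
        seen.add(name)
        cleaned.append(name)
    if not cleaned:
        raise ValueError("allow list must not be empty")
    if acting_user not in cleaned:
        raise ValueError(f"allow list would lock out {acting_user!r}; add them first")
    return cleaned


def allow_list_payload(users: list[str]) -> bytes:
    """JSON body for the Configuration REST API."""
    return json.dumps({"apiAccessAllowList": users}).encode()


def is_api_allowed(username: str, allow_list: list[str]) -> bool:
    """Mirror of the decision the notes describe: only listed users may
    call the REST APIs once the property is set."""
    return username in allow_list


def push_allow_list(users: list[str], user: str, password: str) -> int:
    """PUT the property to IQ Server (assumed endpoint /api/v2/config)
    and return the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{IQ_URL}/api/v2/config",
        data=allow_list_payload(users),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed input: whitespace and a duplicate are cleaned up
    users = build_allow_list(["admin", " ci-bot ", "ci-bot", "alice"], ADMIN_USER)
    print(allow_list_payload(users).decode())
    # push_allow_list(users, ADMIN_USER, "<password placeholder>")
```

Keep the list short and service-oriented: the CI service account that runs scans and the administrators who manage IQ Server, rather than every interactive user, so that a leaked user token cannot be used to pull reports or alter policies through the API.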
Per Repository Policy Configuration
The Repository Manager now offers the capability to configure Sonatype Repository Firewall for hosted repositories, including namespace confusion protection. Users can easily enable or disable namespace confusion protection for each hosted repository using the toggle.
Notable Bug Fixes
Scanning Docker images
This release fixes an issue with Sonatype IQ CLI that caused the scanning of Docker images to fail for Docker versions 25 and above.
Release 174 (March 2024)
Improvements
Per Repository Policy Management
The Repository Manager now offers the capability to access proxy repositories, in addition to hosted repositories. Users can configure, manage role based access, check namespace confusion protection and manage policies for individual repositories.
Policy Violation Fixes
To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:
Fix for CVE-2024-1142
CVE-2024-1142 Path Traversal Vulnerability, Sonatype Discovered January 15, 2024, Medium risk, Severity 5.4
Resolution: Upgrade to IQ Server version 171 or later
Release 173 (February 2024)
Improvements
Reduced User Clicks to Waive Violations
The improved workflow for waivers reduces the number of user clicks or steps required to waive a violation. Using the Add Waiver/Request Waiver button on the Violations page accessible from the Dashboard and Reports, users can add or request a waiver, while staying in context of the violation and avoid multiple clicks.
CycloneDX REST API for v1.5
The response for CycloneDX REST API has been updated to include the field occurrences for each individual component. The SBOM generated by the REST API (per CycloneDX schema specification 1.5) will indicate under the occurrences field, whether a component is installed on multiple locations.
Release 172 (February 2024)
Note
Emergency Bug Fix Release
This release fixes an issue with version 170 and 171 that could cause out-of-memory errors on high volume installations.
Users running versions 170 and 171 should upgrade to this version immediately.
Release Summary
This release contains the fix for versions 170 and 171, in addition to all new features, improvements, and notable bug fixes of version 171.
Release 171 (January 2024)
Warning
This version may cause out-of-memory errors on high volume installations. We do not recommend upgrading to this version, unless absolutely necessary.
A fix for this issue will be available soon.
New Features
Sonatype Lifecycle Launches IER to include AI/ML components
Integrated Enterprise Reporting (IER) serves as one-stop access to understand the open-source components consumption patterns, including AI/ML components. It summarizes how Lifecycle impacts the security profile of the development pipelines within your organization. Click on Data Insights in the left navigation bar of Lifecycle to view:
The Rolling Recap feature was made possible because of your feedback in the Ideas Portal.
Sonatype Repository Firewall Performance Metrics
The new dashboard offers insights into the effectiveness of Sonatype Repository Firewall in protecting the users' repositories. The key metrics displayed on the dashboard include:
Safe versions of components selected automatically
Components auto-released
Namespace attacks blocked
Supply chain attacks blocked
Components waived
Components quarantined
Users can also retrieve these performance metrics using the new Firewall REST API. A GET request returns a JSON response containing exact counts for the metrics in the list above.
This feature was made possible because of your feedback in the Ideas Portal.
Improvements
Customize Policies at the Repository Level
This release offers the capability to set a different policy for the individual repositories under the Repository Managers option. By navigating to the Repository Managers from the left navigation bar, users can select a repository from the drop down list, to configure the corresponding policy.
This feature was made possible because of your feedback in the Ideas Portal.
Scan SBOMs without pURL
SBOMs that do not have the package URL (pURL) field specified, or that have incomplete or malformed identifiers, can now be scanned using the Third-Party Scan REST API. The REST API can now identify components using the cpe and swid tags when no pURL is specified or the pURL is unidentifiable.
Searching on Orgs using Advanced Search
The search results retrieved by Advanced Search now include all child organizations in the hierarchy, when searching for organizations by organization name.
Container Scan of SELinux Enabled Images
By setting the new environment variable, NEXUS_CONTAINER_SCANNING_BIND_MOUNT_SHARED to true, Sonatype Container Scanning can now be used to scan Security-Enhanced Linux (SELinux) images.
Project Dependency Detection for Maven
The Sonatype IQ CLI scanner can now be limited to scanning only the project dependencies section of Maven pom files by setting the new parameter excludeMavenDependencyManagement to true.
Notable Bug Fixes
Licenses not Identified in CycloneDX SBOM
This release fixes an issue that prevented identification of licenses if they were specified in the expression field of the CycloneDX SBOM.