
Nexus Repository 3.38.0 - 3.38.1 Release Notes

Highlights in This Release

Expanded Log4j Visualizer (3.38.1)

Release 3.38.1 fixes a bug that prevented the Log4j Visualizer from rendering. You can now take full advantage of our newly expanded Log4j Visualizer, which includes a new chart.

Common Vulnerabilities and Exposures (CVE) Fix (3.38.0)

This release includes a fix for an HTML injection vulnerability. See the CVE-2021-43961 advisory for full details. If you are using an earlier version, you should upgrade to this release immediately.

Common Vulnerabilities and Exposures (CVE) Fix (3.38.0)

This release includes a fix for a server-side request forgery. See the CVE-2022-27907 advisory for more information.

System Status Check for NuGet Versions (3.38.0) PRO

We added a system status check that indicates if there are any NuGet version 2 repositories present on a Nexus Repository instance.

3.38.1 Release March 29, 2022

Improvements to Policy-Compliant Component Selection for npm PRO

In Nexus Repository 3.35.0, we released policy-compliant component selection for npm for those integrating Nexus Firewall with Nexus Repository. Since then, we have made big implementation changes. These changes improve performance. They also mean that components that are only scanned to resolve a version range to policy-compliant versions, and are not downloaded, will no longer be visible in the Firewall repository results view.

Nexus Repository 3.38.1 is now the minimum recommended version for using this feature; IQ release 134 is the minimum required IQ version.

Upgraded PostgreSQL Driver PRO

In this release, we upgraded the PostgreSQL driver from version 42.2.25 to version 42.3.3.

Expanded Log4j Visualizer

In 3.38.1, we fixed a bug that prevented the Log4j Visualizer from rendering in 3.38.0. This release also includes the expansion we had tried to include in 3.38.0.

In release 3.37.2, and in response to a critical vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"), we introduced the Log4j Visualizer for all Nexus Repository Pro and OSS customers. Our hope was, and continues to be, to provide administrators with insight into their log4j consumption so that they can determine where vulnerable components are still entering their organization.

In this release, we added a Log4j Consumption chart to help you see if your organization's vulnerable log4j component consumption is trending in the right direction.

The new chart displays alongside the existing tables and uses your request logs to show two trend lines: log4j component downloads of versions impacted by CVE-2021-44228 and log4j component downloads of versions not impacted by this CVE.

For more information, see our Log4J Visualizer capability documentation.

This is a temporary feature currently limited to only identifying components impacted by CVE-2021-44228, and we may modify or remove it completely in future releases. Note that enabling the capability may impact Nexus Repository performance. Also note that the Log4j Visualizer only captures information about the log4j-core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.

The Log4j Visualizer does not work in High-Availability Clustering (HA-C) environments.

3.38.0 Release March 2, 2022

System Status Check for NuGet Versions PRO

In order to help administrators identify which NuGet repositories are using the version 2 versus version 3 protocol, we have added a system status check that indicates if there are any NuGet version 2 repositories present on a Nexus Repository instance. While Nexus Repository still supports the version 2 protocol and repositories using version 2 will still show as having a healthy status, we recommend migrating these repositories to version 3.

Note on Replication PRO

We are redesigning replication in 2022 to remove Replicator and make it easier to set up and deploy. Once we release the new implementation, we will no longer support the current replication method.

Log4j Visualizer

As previously announced, this release was supposed to include an expansion to our Log4j Visualizer. However, a known issue is preventing the Log4j Visualizer from rendering in our 3.38.0 release.

We will release a fix with version 3.38.1, which is coming soon. Full details about the expanded Log4j Visualizer will be available with the upcoming 3.38.1 release.

Added GET Method to Repository Management API

To help you easily discover basic information about a given repository by name without declaring a format, we added a new GET method to the Repository Management API.

GET /v1/repositories/{repositoryName}

Calling this method provides high-level details for a repository with the given name.

Expanded Assets API

You can now use the Assets API to see who uploaded a certain component or image via the API. We have added uploader, uploaderIp, and fileSize fields to the Assets API responses. One popular use case for these fields is to help administrators identify who has uploaded components that are vulnerable to the recent log4j vulnerability so that they can contact them to remediate the issue.
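
The use case above, as an added example (not Sonatype's code): it groups log4j-core jars impacted by CVE-2021-44228 by the uploader and uploaderIp fields of an Assets API response page. The sample page is constructed, the items/path response shape and the Maven path layout are assumptions about the response, and the impacted version range is an assumption to confirm against the advisory.

```python
import json
import re
from collections import defaultdict

# Constructed sample of one Assets API response page; every value is made up.
SAMPLE_PAGE = json.loads("""
{"items": [
  {"path": "org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
   "repository": "maven-hosted", "uploader": "build-svc", "uploaderIp": "10.0.4.17", "fileSize": 1745700},
  {"path": "org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom",
   "repository": "maven-hosted", "uploader": "build-svc", "uploaderIp": "10.0.4.17", "fileSize": 23510},
  {"path": "/org/apache/logging/log4j/log4j-core/2.12.2/log4j-core-2.12.2.jar",
   "repository": "maven-hosted", "uploader": "jdoe", "uploaderIp": "10.0.9.3", "fileSize": 1690000},
  {"path": "org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar",
   "repository": "maven-hosted", "uploader": "jdoe", "uploaderIp": "10.0.9.3", "fileSize": 1790000},
  {"path": "org/apache/logging/log4j/log4j-core/2.8.2/log4j-core-2.8.2.jar",
   "repository": "maven-hosted", "uploader": null, "uploaderIp": null, "fileSize": 1400000}
], "continuationToken": null}
""")

# Main jar only: the file name must repeat the version directory (skips .pom, -sources.jar).
JAR_PATH = re.compile(r"^/?org/apache/logging/log4j/log4j-core/([^/]+)/log4j-core-\1\.jar$")
# Assumption: CVE-2021-44228 is treated as affecting log4j-core below 2.15.0, except
# these patched backport releases. Confirm the range against the advisory you rely on.
FIRST_FIXED = (2, 15, 0)
PATCHED_BACKPORTS = {(2, 3, 1), (2, 3, 2), (2, 12, 2), (2, 12, 3), (2, 12, 4)}

def parse_version(text):
    """Numeric part as a 3-tuple; qualifiers (-beta9) are dropped, so early 2.0 betas over-report."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_impacted(version_text):
    v = parse_version(version_text)
    return v < FIRST_FIXED and v not in PATCHED_BACKPORTS

def impacted_uploads(page):
    """Map (uploader, uploaderIp) -> sorted list of impacted log4j-core jar paths."""
    found = defaultdict(list)
    for item in page.get("items", []):
        m = JAR_PATH.match(item.get("path", ""))
        if m and is_impacted(m.group(1)):
            who = (item.get("uploader") or "unknown", item.get("uploaderIp") or "unknown")
            found[who].append(item["path"])
    return {who: sorted(paths) for who, paths in found.items()}

if __name__ == "__main__":
    for (user, ip), paths in impacted_uploads(SAMPLE_PAGE).items():
        print(f"{user} ({ip}):", *paths, sep="\n  ")
```

Assets with no recorded uploader are grouped under "unknown" rather than dropped, so they still reach the remediation list.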

Asset Name Matcher Criteria Available for Yum Cleanup Policies

When creating cleanup policies for Yum format, you can now use the Asset Name Matcher criteria. This allows you to remove components that have at least one asset name matching a regular expression pattern. For more information, see our Cleanup Policies documentation.

Apple M1 Chip Support

We have added support for building Nexus Repository on machines using an Apple M1 chip.

Bug Fixes

Description

Bug Fixes

Running the Repair - Reconcile component database from blob store task on H2 or PostgreSQL databases no longer generates duplicate blobs.

NEXUS-20683

Fixed an issue in the Search API that was preventing users from viewing returned artifacts despite having appropriate permissions.

NEXUS-24787

An anonymous Docker pull by an anonymous user configured to use the Docker bearer token realm will no longer break future anonymous Docker logins.

NEXUS-26406

Cleanup preview now contains a proper message alerting users that the list is a sample.

NEXUS-27035

Fixed an issue that was preventing some users from deleting untouched routing rule matchers.

NEXUS-28166

Yum metadata refreshes as expected after assets are changed/moved.

NEXUS-28446

A Maven proxy repository will now appropriately return a 404 error rather when manually blocked for content not yet cached.

NEXUS-28889

Fixed an issue that was preventing some Debian packages from uploading.

NEXUS-29151

The IQ Policy Violations column now correctly displays violations for the given proxy repository for users with appropriate permissions.

NEXUS-29227

Added documentation about extra configuration options for PostgreSQL to help users avoid encountering warnings related to their maxLifetime settings.

NEXUS-29408

The following API is no longer missing for H2/PostgreSQL users: service/rest/v1/repositories/npm/group.

NEXUS-29417

Fixed an issue that was causing an exception when migrating from OrientDB to an external database when an asset record has no name.

NEXUS-29465

You should now be able to retrieve Go components/modules via go-group as expected.

NEXUS-30043

Resolved an issue that was causing errors with Yum hosted metadata cleanup when there were at least two hosted repositories.

NEXUS-30366

Routing rules should now take effect as expected for Docker repositories when running Nexus Repository with an external database.

NEXUS-30443

This release includes a fix for an HTML injection vulnerability. See the CVE-2021-43961 advisory for full details.

NEXUS-30534

Resolved an issue that was causing Docker repositories backed by S3 blob stores to generate an exception when pulling a Docker image with the same checksum as an existing image in that repository.

NEXUS-30694

Sorting Maven components by version now returns results in alpha-numeric order as expected.

NEXUS-30807

Nexus Repository should create user-token records for users as expected when using a PostgreSQL database.

NEXUS-31030

Fixed an error that was occurring when users edited existing blob stores with whitespaces in the name.

NEXUS-31057

PyPI simple index is now a proper HTML5 document and is PEP503-compliant and ready for pip version 22.2 and newer.

NEXUS-31233

Adjusted the read-only view on the IQ Server, SAML, and Anonymous Settings pages.

NEXUS-31630

This release includes a fix for a server-side request forgery. See the CVE-2022-27907 advisory for more information.