Skip to main content

Nexus Repository 3.38.0 - 3.38.1 Release Notes

Highlights in This Release

Expanded Log4j Visualizer (3.38.1)

Release 3.38.1 fixes a bug that prevented the Log4j Visualizer from rendering. You can now take full advantage of our newly expanded Log4j Visualizer, which includes a new chart.

Common Vulnerabilities and Exposures (CVE) Fix (3.38.0)

This release includes a fix for an HTML injection vulnerability. See the CVE-2021-43961 advisory for full details. If you are using an earlier version, you should upgrade to this release immediately.

Common Vulnerabilities and Exposures (CVE) Fix (3.38.0)

This release includes a fix for a server-side request forgery. See the CVE-2022-27907 advisory for more information.

System Status Check for NuGet Versions (3.38.0) PRO

We added a system status check that indicates if there are any NuGet version 2 repositories present on a Nexus Repository instance.

What's New and Noteworthy in Nexus Repository 3.38.1?

Released March 29, 2022

New in Nexus Repository Pro

Note

Only available in Sonatype Nexus Repository Pro. Interested in a free trial? Start here.

Improvements to Policy-Compliant Component Selection for npm PRO

In Nexus Repository 3.35.0, we released policy-compliant component selection for npm for those integrating Nexus Firewall with Nexus Repository. Since then, we have made big implementation changes. These changes improve performance and also mean that components that are not downloaded but are only scanned for resolving version range to policy-compliant versions will no longer be visible in the Firewall repository results view.

Nexus Repository 3.38.1 is now the minimum recommended version for using this feature; IQ release 134 is the minimum required IQ version.

Upgraded PostgreSQL Driver PRO

In this release, we upgraded the PostgreSQL driver from version 42.2.25 to version 42.3.3.

New for Everyone

Expanded Log4j Visualizer

In 3.38.1, we fixed a bug that prevented the Log4j Visualizer from rendering in 3.38.0. This release also includes the expansion we had tried to include in 3.38.0.

In release 3.37.2and in response to a critical vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"), we introduced the Log4J Visualizer for all Nexus Repository Pro and OSS customers. Our hope was and continues to be to provide administrators with insight into their log4j consumption so that they could determine where vulnerable components were still entering their organization.

In this release, we added a Log4j Consumption chart to help you see if your organization's vulnerable log4j component consumption is trending in the right direction.

103909529.png

The new chart displays alongside the existing tables and uses your request logs to show two trend lines: log4j component downloads of versions impacted by CVE-2021-44228 and log4j component downloads of versions not impacted by this CVE.

For more information, see our Log4J Visualizer capability documentation.

Note

This is a temporary feature currently limited to only identifying components impacted by CVE-2021-44228, and we may modify or remove it completely in future releases. Note that enabling the capability may impact Nexus Repository performance. Also note that the Log4j Visualizer only captures information about the log4j-core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.

Note

The Log4j Visualizer does not work in High-Availability Clustering (HA-C) environments.

What's New and Noteworthy in Nexus Repository 3.38.0?

Released March 2, 2022

New in Nexus Repository Pro

Note

Only available in Sonatype Nexus Repository Pro. Interested in a free trial? Start here.

System Status Check for NuGet Versions PRO

In order to help administrators identify which NuGet repositories are using the version 2 versus version 3 protocol, we have added a system status check that indicates if there are any NuGet version 2 repositories present on a Nexus Repository instance. While Nexus Repository still supports the version 2 protocol and repositories using version 2 will still show as having a healthy status, we recommend migrating these repositories to version 3.

Note on Replication PRO

We are redesigning replication in 2022 to remove Replicator and make it easier to set up and deploy. Once we release the new implementation, we will no longer support the current replication method.

New for Everyone

Log4j Visualizer

Warning

As previously announced, this release was supposed to include an expansion to our Log4j Visualizer. However, a known issue is preventing the Log4j Visualizer from rendering in our 3.38.0 release.

We will release a fix with version 3.38.1, which is coming soon. Full details about the expanded Log4j Visualizer will be available with the upcoming 3.38.1 release.

Added GET Method to Repository Management API

To help you easily discover basic information about a given repository by name without declaring a format, we added a new GET method to the Repository Management API.

GET /v1/repositories/{repositoryName}

Calling this method provides high-level details for a repository with the given name.

Expanded Assets API

You can now use the Assets API to see who uploaded a certain component or image via the API. We have added uploader, uploaderIp, and fileSize fields to the Assets API responses. One popular use case for these fields is to help administrators identify who has uploaded components that are vulnerable to the recent log4j vulnerability so that they can contact them to remediate the issue.

Asset Name Matcher Criteria Available for Yum Cleanup Policies

When creating cleanup policies for Yum format, you can now use the Asset Name Matcher criteria. This allows you to remove components that have at least one asset name matching a regular expression pattern. For more information, see our Cleanup Policies documentation.

Apple M1 Chip Support

We have added support for building Nexus Repository on machines using an Apple M1 chip.

Bug Fixes

3.38.1 Bug Fixes

Ticket Number

Description

NEXUS-31201

Running the Repair - Reconcile component database from blob store task on H2 or PostgreSQL databases no longer generates duplicate blobs.

3.38.0 Bug Fixes

Ticket Number

Description

NEXUS-20683

Fixed an issue in the Search API that was preventing users from viewing returned artifacts despite having appropriate permissions.

NEXUS-24787

An anonymous Docker pull by an anonymous user configured to use the Docker bearer token realm will no longer break future anonymous Docker logins.

NEXUS-26406

Cleanup preview now contains a proper message alerting users that the list is a sample.

NEXUS-27035

Fixed an issue that was preventing some users from deleting untouched routing rule matchers.

NEXUS-28166

Yum metadata refreshes as expected after assets are changed/moved.

NEXUS-28446

A Maven proxy repository will now appropriately return a 404 error rather when manually blocked for content not yet cached.

NEXUS-28889

Fixed an issue that was preventing some Debian packages from uploading.

NEXUS-29151

The IQ Policy Violations column now correctly displays violations for the given proxy repository for users with appropriate permissions.

NEXUS-29227

Added documentation about extra configuration options for PostgreSQL to help users avoid encountering warnings related to their maxLifetime settings.

NEXUS-29408

The following API is no longer missing for H2/PostgreSQL users: service/rest/v1/repositories/npm/group.

NEXUS-29417

Fixed an issue that was causing an exception when migrating from OrientDB to an external database when an asset record has no name.

NEXUS-29465

You should now be able to retrieve Go components/modules via go-group as expected.

NEXUS-30043

Resolved an issue that was causing errors with Yum hosted metadata cleanup when there were at least two hosted repositories.

NEXUS-30366

Routing rules should now take effect as expected for Docker repositories when running Nexus Reopository with an external database.

NEXUS-30443

This release includes a fix for an HTML injection vulnerability. See the CVE-2021-43961 advisory for full details.

NEXUS-30534

Resolved an issue that was causing Docker repositories backed by S3 blob stores to generate an exception when pulling a Docker image with the same checksum as an existing image in that repository.

NEXUS-30694

Sorting Maven components by version now returns results in alpha-numeric order as expected.

NEXUS-30807

Nexus Repository should create user-token records for users as expected when using a PostgreSQL database.

NEXUS-31030

Fixed an error that was ocurring when users edited existing blob stores with whitespaces in the name.

NEXUS-31057

PyPI simple index is now a proper HTML5 document and is PEP503-compliant and ready for pip version 22.2 and newer.

NEXUS-31233

Adjusted the read-only view on the IQ Server, SAML, and Anonymous Settings pages.

NEXUS-31630

This release includes a fix for a server-side request forgery. See the CVE-2022-27907 advisory for more information.