
Notable Integrations Changes

This page summarizes the major changes in Sonatype integrations. It is not an exhaustive list of every change across all integrations; detailed change logs are available on each integration's main help page.

May 2025

See below to learn more about exciting changes to our integrations in May 2025.

Sonatype CLI Available as Homebrew, Debian, and RPM Packages

The Sonatype CLI is now available as a Homebrew package for macOS users and as Debian and RPM packages for Linux users. These distribution methods streamline installation, so you can quickly set up the Sonatype CLI and use it in your development workflows. See the Sonatype CLI with Bundled JDK help documentation.

Improved Pipeline Status Visibility for Azure DevOps Plugin

Azure DevOps users now have visibility into the status and details of long-running pipelines. Previously, you had to wait for a pipeline to complete before viewing the results of a policy evaluation. Now, the Sonatype-contributed tabs display content as soon as the evaluation step finishes, even if the overall pipeline is still running. This allows you to quickly identify progress, issues, or failures without waiting for the pipeline to finish.

See the Sonatype for Azure DevOps help documentation.

Enhanced Azure DevOps Widget Capabilities

Azure DevOps users now have greater flexibility in analyzing and reporting on policy violations within their pipelines. You can specify dashboard widgets by Application ID or Evaluation Index Number to create separate summary widgets for each evaluation, providing detailed insights per application.

Additionally, a single dashboard trend widget can aggregate the total number of policy violations from multiple evaluations, providing a holistic view of your security posture.

These enhancements provide a more comprehensive and tailored view of your Sonatype Lifecycle policy evaluation results directly within your Azure DevOps dashboards.

See the Sonatype for Azure DevOps help documentation.

Improved Exclusion Patterns in Jenkins Scans

The Sonatype Platform Plugin for Jenkins now correctly applies exclusion patterns, so files and directories you exclude are no longer scanned unintentionally. When you configure a pipeline scan whose iqScanPatterns include an exclusion rule (e.g., !**/malformed_package_json/package.json), the matching files and directories are skipped as expected. The change also avoids scanning the same targets more than once, which shortens evaluation time.

See the Sonatype Platform Plugin for Jenkins help documentation.

Enhanced Visibility for Multiple Policy Evaluations in Jenkins

The Sonatype Platform Plugin for Jenkins now provides improved visibility for jobs that invoke multiple policy evaluations. The main job page now shows multiple summary fragments for all policy evaluations conducted within that run, giving you a more complete and immediate overview of your scan results without needing to navigate to individual run details.

See the Sonatype Platform Plugin for Jenkins help documentation.
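The following declarative Jenkinsfile is an added example, not code from this page or from Sonatype, showing both of the Jenkins changes above: a scan configured with iqScanPatterns that mixes include patterns with a `!` exclusion rule, and a single job that invokes nexusPolicyEvaluation twice so the main job page shows a summary fragment for each evaluation. The application IDs (`frontend-app`, `backend-app`), the stage name, and the build commands are assumptions for illustration; the step name and the iqScanPatterns / scanPattern parameter shape are those of the Sonatype Platform Plugin for Jenkins.

```groovy
// Added example (not the plugin's own documentation). Assumes the Sonatype
// Platform Plugin for Jenkins is installed and an IQ Server is configured
// in Jenkins global settings. Application IDs and stage are illustrative.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Constructed build steps; replace with your real build.
                sh 'npm ci --prefix frontend'
                sh 'mvn -f backend/pom.xml -q package'
            }
        }

        stage('Evaluate frontend') {
            steps {
                nexusPolicyEvaluation(
                    iqApplication: 'frontend-app',   // assumed application ID
                    iqStage: 'build',
                    iqScanPatterns: [
                        // Include patterns: manifests and lock files only.
                        [scanPattern: 'frontend/**/package.json'],
                        [scanPattern: 'frontend/**/package-lock.json'],
                        // Exclusion rules (leading '!'): skip a known-bad test
                        // fixture and anything under node_modules. With the
                        // May 2025 fix these are honoured instead of scanned.
                        [scanPattern: '!**/malformed_package_json/package.json'],
                        [scanPattern: '!**/node_modules/**']
                    ]
                )
            }
        }

        stage('Evaluate backend') {
            steps {
                // Second evaluation in the same run. The job page now shows a
                // summary fragment for this evaluation alongside the first one.
                nexusPolicyEvaluation(
                    iqApplication: 'backend-app',    // assumed application ID
                    iqStage: 'build',
                    iqScanPatterns: [
                        [scanPattern: 'backend/target/*.jar'],
                        // Exclude test-scoped artifacts from the policy scan.
                        [scanPattern: '!backend/target/*-tests.jar']
                    ]
                )
            }
        }
    }
}
```

A practical check after upgrading: run the job once and confirm in the evaluation report that no component originates from the excluded paths; if a fixture such as the malformed package.json still appears, the exclusion pattern is not matching the path the plugin actually walked, and the pattern (not the plugin) needs adjusting.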

April 2025

See below to learn more about exciting changes to our integrations in April 2025.

All CI Integrations Use reachability Instead of callflow for Parameters

To make terminology clear and consistent across our CI integrations, we've renamed the parameters that referred to callflow so that they use the term reachability. The original callflow parameters still work in this release, but they are deprecated and will be removed in a future version. Update your CI configurations to the reachability parameters now so that the removal does not break your pipelines.

Jenkins Plugin: Improved Reachability Configuration

The Jenkins plugin now offers a simplified configuration experience for reachability analysis. The change applies only to the Java call flow configuration; configurations for other languages are unaffected, and the underlying reachability analysis for Java behaves as before. See the Reachability Analysis documentation for full configuration details.

Bamboo Plugin: Support for Multi-Step Evaluation and Auto-Waivers

The Bamboo plugin now supports multi-step evaluation, which lets you use automated waivers with Sonatype IQ Server version 191 or later. This streamlines evaluation for complex builds with multiple steps and reduces manual intervention for security and license violations that qualify for an auto-waiver.

Azure DevOps Plugin: Download and Run User-Specified Versions of IQ CLI

The Azure DevOps plugin now offers greater flexibility in IQ CLI usage with the introduction of the SonatypeEvaluate task. This new task allows you to specify and download a particular version of the IQ CLI to use during your build process, mirroring the functionality available in our GitHub Actions integration.

VS Code Plugin: Support for Yarn v4-Based Projects

The Sonatype VS Code plugin is now compatible with projects that use Yarn v4. The plugin detects the Yarn version in your VS Code workspace and uses the appropriate command (yarn info or yarn why) to generate the dependency tree accurately. Developers working with the latest Yarn version can therefore use the plugin's dependency analysis features within VS Code without extra setup.

Updated Apt and Yum Public Keys

Sonatype has updated the public keys for our Apt and Yum repositories. The previous keys have expired; to continue downloading Debian or RPM packages from Sonatype, you must update the keys in your infrastructure. As with any signing key rotation, verify the fingerprint of the new key against the value Sonatype publishes before importing it into your package manager's trusted keyring.

The new public keys are available at the following locations:

Update these keys at your earliest convenience to maintain uninterrupted access to Sonatype packages.

March 2025

See below to learn more about exciting changes to our integrations in March 2025.

Enhanced Prioritization with Integration-Specific Filters

When you open the Priorities view from one of our supported integrations, the results are now automatically filtered to show the violating components that directly affect your build. You immediately see the components causing build failures or warnings, without sifting through unrelated data. For example, if you open the Priorities view from Jenkins, the filter highlights the components that caused your Jenkins build to fail. This focused view helps you address critical vulnerabilities promptly and reduces the time spent manually adjusting filters.

February 2025

See below to learn more about exciting changes to our integrations in February 2025.

Branch Name Collection (Bamboo, Jenkins, Maven, GitLab, GitHub, Azure DevOps)

Released February 5, 2025

Sonatype's CI/CD integrations, including Bamboo, Jenkins, Maven, GitLab, GitHub, and Azure DevOps, can now retrieve the Git branch name and send it along with scan data. This gives security and policy evaluations better context and makes branch-specific insights available in reports. By associating each scan with its branch, developers can track and address issues more effectively. For more details, see the Sonatype CI and CLI Integrations documentation.

January 2025

See below to learn more about changes to our integrations in January 2025.

Sonatype IQ CLI is now a Standalone Solution (IQ CLI)

Released January 9, 2025

We're excited to announce that the IQ CLI is now a standalone solution. The standalone IQ CLI (IQ CLI 2.0) includes all the functionality you're used to but now follows its own independent versioning and release cadence, allowing faster development, more frequent releases, and better integration with your existing workflows.

Note that the IQ CLI is therefore a separate download and is no longer included in the bundled IQ download. See the Download and Compatibility page to download the CLI.

Dependency Tree Visualization for Cargo (IQ CLI)

Released January 9, 2025

With IQ CLI 2.0, the dependency tree visualization now allows you to explore the full dependency tree of your Cargo projects, including direct and transitive dependencies sorted by threat level. This provides a comprehensive view of your project's dependencies and potential vulnerabilities, facilitating better risk assessment and management.

Note that for the dependency tree visualization to work for Cargo, both the Cargo.lock and Cargo.toml files must be present in the same directory. For more details, see the dependency tree help documentation.