Notable Integrations Changes

To enhance clarity and consistency across our CI integrations, we've renamed parameters related to callflow to use the term reachability. While the original callflow parameters remain available in this release, they are now deprecated and will be removed in a future version. We encourage you to begin using the new reachability parameters in your CI configurations. This change streamlines terminology and prepares for future enhancements in how Sonatype products interact with your continuous integration pipelines.

The Jenkins plugin now offers a simplified configuration experience for reachability analysis. This improvement applies specifically to Java call flow analysis, ensuring that other language configurations remain unaffected and the core reachability analysis for Java remains consistent. See the Reachability Analysis documentation for full configuration details.

The Bamboo plugin now includes support for multi-step evaluation, enabling you to take advantage of automated waivers in Sonatype IQ Server version 191+. This enhancement streamlines the evaluation process for complex builds with multiple steps. This feature simplifies policy management and reduces manual intervention for qualifying security and license violations.

The Azure DevOps plugin now offers greater flexibility in IQ CLI usage with the introduction of the SonatypeEvaluate task. This new task allows you to specify and download a particular version of the IQ CLI to use during your build process, mirroring the functionality available in our GitHub Actions integration.

The Sonatype VS Code plugin now includes compatibility for projects using Yarn v4. The plugin now detechts the Yarn version in your VS Code workspace and dynamically uses the appropriate Yarn command (yarn info or yarn why) to accurately generate the dependency tree. This enhancement ensures that developers working with the latest Yarn version can seamlessly leverage the plugin's dependency analysis features within their VS Code environment.

Sonatype has updated the public keys for our Apt and Yum repositories. The previous keys are expired; to continue downloading Debian or RPM packages from Sonatype, you must update the keys in your infrastructure.

The new public keys are available at the following locations:

Please ensure these keys are updated at your earliest convenience to maintain uninterrupted access to Sonatype packages.

When navigating to the Priorities view from one of our supported integrations, the results are now automatically filtered to display violating components that directly impact your build. This means you'll immediately see components causing build failures or warnings, eliminating the need to sift through irrelevant data. For example, if you access the Priorities view through Jenkins, the filter will highlight components that caused your Jenkins build to fail. This focused view ensures that you address critical vulnerabilities promptly, streamline your vulnerability management process, and reduce the time spent manually adjusting filters.

Released January 9, 2025

We're excited to announce that the IQ CLI is now a standalone solution. The standalone IQ CLI (i.e., IQ CLI 2.0) includes all the functionality you're used to but will now follow its own independent versioning and release cadence. This change allows for faster development, more frequent releases, and better integration with your existing workflows.

Note that this change means that the IQ CLI is now a separate download and is not included in the bundled IQ download. See the Download and Compatibility page to download the CLI.

Released January 9, 2025

With IQ CLI 2.0, the dependency tree visualization now allows you to explore the full dependency tree of your Cargo projects, including direct and transitive dependencies sorted by threat level. This provides a comprehensive view of your project's dependencies and potential vulnerabilities, facilitating better risk assessment and management.

Note that for the dependency tree visualization to work for Cargo, both your Cargo.lock and Cargo.toml files must exist in the same location. For more details, see the dependency tree help documentation.