Notable Integrations Changes
This page summarizes the major changes in Sonatype integrations. Note that this is not an exhaustive list of all changes across all integrations; detailed change logs are available within each individual integration's main help page. This page highlights only the major changes.
April 2025
See below to learn more about exciting changes to our integrations in April 2025.
All CI Integrations Use reachability Instead of callflow for Parameters
To enhance clarity and consistency across our CI integrations, we've renamed parameters related to callflow to use the term reachability. While the original callflow parameters remain available in this release, they are now deprecated and will be removed in a future version. We encourage you to begin using the new reachability parameters in your CI configurations. This change streamlines terminology and prepares for future enhancements in how Sonatype products interact with your continuous integration pipelines.
Jenkins Plugin: Improved Reachability Configuration
The Jenkins plugin now offers a simplified configuration experience for reachability analysis. This improvement applies specifically to Java call flow analysis, ensuring that other language configurations remain unaffected and the core reachability analysis for Java remains consistent. See the Reachability Analysis documentation for full configuration details.
Bamboo Plugin: Support for Multi-Step Evaluation and Auto-Waivers
The Bamboo plugin now includes support for multi-step evaluation, enabling you to take advantage of automated waivers in Sonatype IQ Server version 191+. This enhancement streamlines the evaluation process for complex builds with multiple steps. This feature simplifies policy management and reduces manual intervention for qualifying security and license violations.
Azure DevOps Plugin: Download and Run User-Specified Versions of IQ CLI
The Azure DevOps plugin now offers greater flexibility in IQ CLI usage with the introduction of the SonatypeEvaluate task. This new task allows you to specify and download a particular version of the IQ CLI to use during your build process, mirroring the functionality available in our GitHub Actions integration.
VS Code Plugin: Support for Yarn v4-Based Projects
The Sonatype VS Code plugin now includes compatibility for projects using Yarn v4. The plugin now detects the Yarn version in your VS Code workspace and dynamically uses the appropriate Yarn command (yarn info or yarn why) to accurately generate the dependency tree. This enhancement ensures that developers working with the latest Yarn version can seamlessly leverage the plugin's dependency analysis features within their VS Code environment.
Updated Apt and Yum Public Keys
Sonatype has updated the public keys for our Apt and Yum repositories. The previous keys are expired; to continue downloading Debian or RPM packages from Sonatype, you must update the keys in your infrastructure.
The new public keys are available at the following locations:
Please ensure these keys are updated at your earliest convenience to maintain uninterrupted access to Sonatype packages.
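Because the previous Apt and Yum keys are expired, it is worth auditing every repository key installed on your hosts, not only the Sonatype one. The following is an added example, not code from Sonatype's documentation: it parses the machine-readable output of `gpg --show-keys --with-colons` and reports keys that GnuPG flags as expired or whose expiry timestamp has passed. The sample output and key IDs are constructed placeholders.

```python
import subprocess
import time

# Constructed sample of `gpg --show-keys --with-colons` output. The key IDs,
# fingerprint hashes and user IDs are placeholders, not Sonatype's real keys.
SAMPLE_COLON_OUTPUT = """\
pub:e:4096:1:0123456789ABCDEF:1500000000:1700000000::-:::scESC::::::23::0:
uid:e::::1500000000::0000000000000000000000000000000000000000::Old Repo Signing Key (constructed) <repo@example.invalid>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1740000000:1900000000::-:::scESC::::::23::0:
uid:-::::1740000000::1111111111111111111111111111111111111111::New Repo Signing Key (constructed) <repo@example.invalid>::::::::::0:
"""


def parse_keys(colon_output):
    """Return one dict per 'pub' record: keyid, validity, expires, uid.

    In a 'pub' record, field 2 is the validity flag ('e' = expired), field 5 the
    key ID and field 7 the expiry as seconds since the epoch (empty if the key
    never expires). The following 'uid' record carries the user ID in field 10.
    """
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"keyid": fields[4], "validity": fields[1],
                         "expires": int(fields[6]) if fields[6] else None,
                         "uid": ""})
        elif fields[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = fields[9]  # first user ID after the pub record
    return keys


def expired_keys(colon_output, now=None):
    """Keys gpg marks expired, or whose expiry timestamp is earlier than `now`."""
    now = int(time.time()) if now is None else now
    return [k for k in parse_keys(colon_output)
            if k["validity"] == "e"
            or (k["expires"] is not None and k["expires"] < now)]


def audit_key_file(path):
    """Run gpg on a keyring or armored key file (e.g. under /etc/apt/keyrings
    or /etc/pki/rpm-gpg) and return the expired keys it contains."""
    out = subprocess.run(["gpg", "--show-keys", "--with-colons", path],
                         capture_output=True, text=True, check=True).stdout
    return expired_keys(out)


if __name__ == "__main__":
    for k in expired_keys(SAMPLE_COLON_OUTPUT, now=1750000000):
        print(f"EXPIRED {k['keyid']} ({k['uid']}) expired at {k['expires']}")
```

Run `audit_key_file` over each key file on a host to find repository keys that need replacing.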
March 2025
See below to learn more about exciting changes to our integrations in March 2025.
Enhanced Prioritization with Integration-Specific Filters
When navigating to the Priorities view from one of our supported integrations, the results are now automatically filtered to display violating components that directly impact your build. This means you'll immediately see components causing build failures or warnings, eliminating the need to sift through irrelevant data. For example, if you access the Priorities view through Jenkins, the filter will highlight components that caused your Jenkins build to fail. This focused view ensures that you address critical vulnerabilities promptly, streamline your vulnerability management process, and reduce the time spent manually adjusting filters.
February 2025
See below to learn more about exciting changes to our integrations in February 2025.
Enhanced Console Output with Lifecycle and Developer Links (IQ CLI)
Released February 15, 2025
Sonatype CLI now provides direct links to both the detailed Sonatype Lifecycle report and the Developer priority page in the console output. This enhancement makes it easier to access critical vulnerability and policy violation details, streamlining remediation efforts for developers and security teams.
Branch Name Collection (Bamboo, Jenkins, Maven, GitLab, GitHub, Azure DevOps)
Released February 5, 2025
Sonatype's CI/CD integrations—including Bamboo, Jenkins, Maven, GitLab, GitHub, and Azure DevOps—can now retrieve and send Git branch names along with scan data. This enhancement provides better context for security and policy evaluations, ensuring that branch-specific insights are available within reports. By associating scans with their respective branches, developers can more effectively track and address issues. For more details, see the Sonatype CI and CLI Integrations documentation.
January 2025
See below to learn more about changes to our integrations in January 2025.
Sonatype IQ CLI is now a Standalone Solution (IQ CLI)
Released January 9, 2025
We're excited to announce that the IQ CLI is now a standalone solution. The standalone IQ CLI (i.e., IQ CLI 2.0) includes all the functionality you're used to but will now follow its own independent versioning and release cadence. This change allows for faster development, more frequent releases, and better integration with your existing workflows.
Note that this change means that the IQ CLI is now a separate download and is not included in the bundled IQ download. See the Download and Compatibility page to download the CLI.
Dependency Tree Visualization for Cargo (IQ CLI)
Released January 9, 2025
With IQ CLI 2.0, the dependency tree visualization now allows you to explore the full dependency tree of your Cargo projects, including direct and transitive dependencies sorted by threat level. This provides a comprehensive view of your project's dependencies and potential vulnerabilities, facilitating better risk assessment and management.
Note that for the dependency tree visualization to work for Cargo, both your Cargo.lock and Cargo.toml files must exist in the same location. For more details, see the dependency tree help documentation.