
Sonatype IQ Server 186 Release Notes

Released January 8, 2025

The Sonatype IQ Server 186 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.

Sonatype Lifecycle

Here's what's new for Sonatype Lifecycle in IQ Server release 186:

New AI Model Dashboard

Our new AI Model dashboard helps you understand which Hugging Face models are present in your applications and track usage trends across your organization. With this knowledge, you can make informed decisions to mitigate risks and optimize your AI strategy.

[Screenshot: AI Model Usage dashboard]

This dashboard provides detailed information on the Hugging Face models detected in your applications over the last 90 days. You can filter this data by organization, application, application category, and stage for targeted analysis. Visualizations include a breakdown of detected models, identical model identification across repositories, and a view of model usage in different applications.

To access the dashboard, ensure you are running IQ Server version 184 or higher, have scanned at least one application containing Hugging Face models, and have opted in to share telemetry data with Sonatype.

See the AI Model dashboard help documentation for full details.

Dashboard Performance Improvements

This release includes significant performance enhancements to the Lifecycle dashboard for customers using a PostgreSQL database. We've refactored the various tabs within the dashboard to optimize data retrieval, resulting in a faster and more responsive experience. Additionally, we've improved the Applications filter by limiting the initial display to 500 applications and providing clear guidance on how to refine your search for larger datasets. These changes ensure smoother navigation and improved usability.

Easier Onboarding with Automatic Role Assignment

You can now configure mappings between GitHub user attributes (like email, username, or full name) and your Identity Provider (IdP) values. This allows IQ Server to automatically match SCM users to existing IdP users during onboarding and grant them appropriate access to Lifecycle evaluations based on their contributions. This automation simplifies permission management, accelerates onboarding, and provides flexibility for organizations with diverse IdP configurations.

See the Source Control REST API documentation for full details on prerequisites and configuration.

Waiver Reasons in API Responses and User Interface

You now have immediate access to waiver reasons directly within API responses and across key areas of the user interface. This eliminates the need for extra API calls or navigating to detailed waiver views, saving you time and effort when integrating with other systems, generating reports, or simply understanding the rationale behind a waiver.

With waiver reasons readily available in API responses for active, expired, and similar waivers, as well as within the Waivers dashboard, violation details views, and exported CSV files, you gain a more streamlined and comprehensive understanding of your waiver decisions. This increased visibility promotes better collaboration, informed decision-making, and improved auditability within your software development lifecycle.

For details on waiver reasons, see the Waivers help documentation.

Sonatype Developer

Here's what's new for Sonatype Developer in IQ Server release 186:

Enhanced Vulnerability Remediation with Auto-Waivers for "No Path Forward" Issues

Sonatype Developer can now intelligently identify and automatically waive vulnerabilities in open-source components where no updated version is available to address the issue. Auto-waivers can help you focus on critical issues, streamline your policy violation management process, and minimize distractions for developers, ultimately improving software supply chain security and developer productivity.

Administrators can configure auto-waivers to honor a maximum tolerated threat level at the organization or application level. This ensures control over risk tolerance and alignment with organizational security posture. Auto-waivers are visible on the Waivers dashboard, in violation details, and on the license compliance application report. Users can also manually remove auto-waivers for specific violations when necessary, and auto-waivers can be managed programmatically through the API.

See the auto-waiver help documentation and auto-waiver API documentation for full details on configuring this powerful new feature.

Easy Access to Integrations

All available integrations are now presented on the homepage tabs for improved visibility and access.

Sonatype SBOM Manager

Here's what's new for Sonatype SBOM Manager in IQ Server release 186:

SBOM Manager Container Scans

Leveraging Sonatype Container Security, SBOM Manager now provides detailed SBOMs for OS-level components within your container images. This enhanced visibility empowers you to better understand and manage your software supply chain risks, leading to more informed decisions and improved security posture.

See the Importing SBOMs help documentation for more details on support for container analysis.

See Policy Violation Data in User Interface

You can now view policy violation data directly within SBOM Manager. This includes a summary of violations in the BOM header, a dedicated violations column for components, and detailed violation information (e.g., severity levels, threat, policy, constraint, and condition information) in the component details page.

[Screenshot: example SBOM with the new Policy Violation Summary and Violations column]

Skip Validation Support for CDX and SPDX

You can bypass strict validation checks when importing CDX and SPDX files, providing more flexibility when working with potentially invalid SBOMs. During import, SBOM Manager extracts critical information (e.g., package names and versions) from invalid CDX and SPDX files. In addition to capturing essential data, the system preserves the original, unvalidated SBOM for future reference, so users still have access to the complete SBOM if needed.
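The import behaviour described above, as an added example that is not Sonatype's code: a small strict check over a constructed CycloneDX (CDX) JSON document, a lenient pass that pulls out package names and versions from whatever components are usable, and a result that keeps the original bytes untouched. The strict checks are a hand-picked subset of the CycloneDX schema chosen for illustration; the sample SBOM, the `skip_validation` flag and the function names are assumptions, not SBOM Manager's API.

```python
"""Best-effort extraction from a CycloneDX JSON document that fails strict
validation, while preserving the original bytes alongside the extracted data.
Added example, not Sonatype code; the strict checks are a small subset of the
CycloneDX schema chosen for illustration."""
import json

# Constructed sample: "specVersion" is missing and one component lacks the
# required "type" field, so a strict validator would reject the whole file.
INVALID_CDX = b'''{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "left-pad", "version": "1.3.0"},
    {"type": "library", "name": "nameless-version"}
  ]
}'''

REQUIRED_TOP = ("bomFormat", "specVersion")        # illustrative subset
REQUIRED_COMPONENT = ("type", "name")              # illustrative subset


def strict_errors(doc):
    """Return a list of validation errors; an empty list means the doc passes."""
    errors = [f"missing top-level field {f!r}" for f in REQUIRED_TOP if f not in doc]
    for i, comp in enumerate(doc.get("components", [])):
        for f in REQUIRED_COMPONENT:
            if f not in comp:
                errors.append(f"components[{i}] missing {f!r}")
    return errors


def lenient_components(doc):
    """Pull out name, version and PURL for every component that at least has a
    name; components with no name are skipped rather than failing the import."""
    out = []
    for comp in doc.get("components", []):
        if not isinstance(comp, dict) or "name" not in comp:
            continue
        out.append({"name": comp["name"],
                    "version": comp.get("version"),   # None when absent
                    "purl": comp.get("purl")})
    return out


def import_sbom(raw, skip_validation=False):
    """Import raw SBOM bytes. With skip_validation=False any error rejects the
    file; with skip_validation=True the errors are reported, usable components
    are extracted, and the original bytes are kept verbatim for later reference."""
    doc = json.loads(raw)
    errors = strict_errors(doc)
    if errors and not skip_validation:
        raise ValueError("SBOM failed validation: " + "; ".join(errors))
    return {"components": lenient_components(doc),
            "validation_errors": errors,
            "original": raw}   # the unvalidated input, not a re-serialized copy


if __name__ == "__main__":
    result = import_sbom(INVALID_CDX, skip_validation=True)
    for err in result["validation_errors"]:
        print("warning:", err)
    for c in result["components"]:
        print(c["name"], c["version"], c["purl"])
```

Keeping the raw bytes rather than the parsed-and-re-serialized document is the part that matters for later review: any field the lenient pass ignored is still recoverable from the stored original.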

See SBOM Import for more details.

Search by License

You can now easily search for components by license, gaining immediate visibility into potential concerns across your projects. This new search functionality complements the existing component name search, providing a more comprehensive view of your SBOMs and empowering you to make informed decisions regarding license compliance and risk mitigation.

Improved Matching Process for SBOM Scans (Impacts Lifecycle and SBOM Manager)

The SBOM matching process now prioritizes hashes over coordinates (PURLs) to improve accuracy and reliability, particularly for ecosystems like PECOFF where coordinates may be inconsistent. This change ensures more precise component identification and enhances the overall quality of SBOM data.
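The hash-first matching order described above, as an added example that is not Sonatype's matcher: SBOM entries are looked up in a constructed catalogue by SHA-1 digest first and by PURL only when no digest is known, and a coordinate-first variant is kept alongside to show how inconsistent coordinates lead it astray. The catalogue, digests (placeholder hex strings) and function names are all constructed for this example.

```python
"""Match SBOM components to a known-component catalogue, hash first and
coordinates (PURL) second. Added example, not Sonatype code; the catalogue,
SBOM entries and digests are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Known:
    component_id: str
    purl: str
    sha1: str   # lowercase hex digest


# Constructed catalogue: two builds of the same DLL and one npm package.
CATALOGUE = [
    Known("C-1", "pkg:generic/mylib.dll@2.0.0", "a" * 40),
    Known("C-2", "pkg:generic/mylib.dll@2.1.0", "b" * 40),
    Known("C-3", "pkg:npm/lodash@4.17.21", "c" * 40),
]
BY_HASH = {k.sha1: k for k in CATALOGUE}
BY_PURL = {k.purl: k for k in CATALOGUE}


def _sha1_of(component):
    """First SHA-1 digest carried by a CycloneDX-style component, lowercased."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-1" and h.get("content"):
            return h["content"].lower()
    return None


def match_hash_first(component):
    """Return (component_id, method). A hash match is authoritative; the PURL
    is consulted only when the entry carries no digest known to the catalogue."""
    digest = _sha1_of(component)
    if digest in BY_HASH:
        return BY_HASH[digest].component_id, "hash"
    purl = component.get("purl")
    if purl in BY_PURL:
        return BY_PURL[purl].component_id, "purl"
    return None, "unmatched"


def match_purl_first(component):
    """The older order, kept only for comparison: coordinates win when present."""
    purl = component.get("purl")
    if purl in BY_PURL:
        return BY_PURL[purl].component_id, "purl"
    digest = _sha1_of(component)
    if digest in BY_HASH:
        return BY_HASH[digest].component_id, "hash"
    return None, "unmatched"


# Constructed SBOM entries. The first is a PECOFF binary whose coordinates
# claim 2.1.0 while its digest is the 2.0.0 build; the second has no digest.
SBOM_COMPONENTS = [
    {"name": "mylib.dll", "purl": "pkg:generic/mylib.dll@2.1.0",
     "hashes": [{"alg": "SHA-1", "content": "A" * 40}]},
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "unknown", "purl": "pkg:npm/unknown@0.0.1",
     "hashes": [{"alg": "SHA-1", "content": "f" * 40}]},
]


def match_all(components, matcher=match_hash_first):
    return [matcher(c) for c in components]


if __name__ == "__main__":
    for c, new, old in zip(SBOM_COMPONENTS,
                           match_all(SBOM_COMPONENTS),
                           match_all(SBOM_COMPONENTS, match_purl_first)):
        print(f"{c['name']:<10} hash-first={new}  purl-first={old}")
```

For the first entry the two orders disagree: the digest identifies the 2.0.0 build (`C-1`) while the coordinates point at 2.1.0 (`C-2`), and it is the digest that describes the bytes actually shipped. The fallback still lets entries without a digest match by PURL.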

Improved Component Sorting

Users can now sort components by name on the Bill of Materials (BOM) page for easier navigation and organization.

Original Binary Filename Visible in Bill of Materials Page

The Show metadata option within the Bill of Materials page now displays the original filename of the scanned binary, providing clearer traceability and association between your SBOM data and the corresponding source file.

Sonatype Repository Firewall

Here's what's new for Sonatype Repository Firewall in IQ Server release 186:

Quickly Access Firewall via Solution Switcher

We've enhanced navigation by adding Repository Firewall to the solution switcher, making it readily accessible alongside other Sonatype solutions like SBOM Manager and Sonatype Developer. This improvement streamlines your workflow and provides a more unified experience across the Sonatype platform.

[Screenshot: solution switcher with Repository Firewall highlighted]

For details about how to use the solution switcher, see the solution switcher help documentation.

Notable Changes to Integrations

We also wish to call out the following significant changes to our integrations:

Please note that the IQ Server CLI for version 186 will be available for download shortly after the core IQ Server release in accordance with our staggered release schedule for Integrations.

IQ CLI is now a Standalone Solution

We're excited to announce that the IQ CLI is now a standalone solution. The standalone IQ CLI (i.e., IQ CLI 2.0) includes all the functionality you're used to but will now follow its own independent versioning and release cadence. This change allows for faster development, more frequent releases, and better integration with your existing workflows.

Note that this change means that the IQ CLI is now a separate download and is not included in the bundled IQ download. See the Download and Compatibility page to download the CLI.

Dependency Tree Visualization for Cargo (IQ CLI)

With IQ CLI 2.0, the dependency tree visualization now allows you to explore the full dependency tree of your Cargo projects, including direct and transitive dependencies sorted by threat level. This provides a comprehensive view of your project's dependencies and potential vulnerabilities, facilitating better risk assessment and management.

Note that for the dependency tree visualization to work for Cargo, both your Cargo.lock and Cargo.toml files must exist in the same location. For more details, see the dependency tree help documentation.

Bug Fixes

This release includes the following notable bug fixes:

Issue ID     Description
CLM-32560    The insight_brain_ods.lock table no longer contains excess records after we optimized the cluster lock mechanism with PostgreSQL Advisory Locks.
CLM-32392    Improved the performance and reliability of IQ HA support zip generation by optimizing the handling of large file systems.

You can also check out the Track Resolved Issues page for a running list of notable bug fixes in this and past releases.

Sunsetting Announcements

Refer to Sunsetting Announcements Details.

A-Name Identification has been officially sunset.

Sonatype Auditor has officially entered extended maintenance. Full details are available in Sonatype Auditor Sunsetting.