Sonatype IQ Server 187 Release Notes
Released February 4, 2025
The IQ 187 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
Hugging Face Declared and Observed License Detection
As of January 28, 2025, all Lifecycle customers running IQ Server version 184 or higher will see declared licenses for Hugging Face models in their application reports. This is the same license that is visible on the readme.md in the metadata section for the model hosted on the Hugging Face platform.
Additionally, Advanced Legal Pack customers with extended observed license detection enabled will also receive observed license and other advanced legal information for these models. Advanced Legal Pack supports extracting copyright statements, notice files, license files, and original source code links from the Hugging Face repository that publishes the AI model. Users can leverage the legal pack's legal compliance workflow to ensure compliance with AI and open source licenses.
This enhancement ensures visibility into license compliance and helps mitigate potential risks associated with using Hugging Face models in your applications. See our Hugging Face help documentation for full details.
View Latest Evaluations
This release introduces a new View Latest Evaluations page in Sonatype Lifecycle, providing a comprehensive overview of your system's security posture. The page, which you can access from the Options drop-down menu, displays evaluation dates, trigger information, report links, and key metrics like component and violation counts. This provides developers with quick access to historical evaluation reports, allowing them to track changes across different stages and assess the overall health of their systems. For full details, see the options help documentation.
Improvements to Security Risk Analysis Dashboard
This release includes a number of improvements to the Security Risk Analysis dashboard to provide a more streamlined and informative experience:
We've simplified the Mean Time to Remediate (MTTR) chart to provide a clearer view of overall remediation performance.
A new Remediation Status filter provides deeper insights into the reasons behind vulnerability fixes.
See the Security Risk Analysis Dashboard help documentation for details.
Sonatype Developer
This release does not include any enhancements for Sonatype Developer.
Sonatype SBOM Manager
This release includes the following changes for Sonatype SBOM Manager:
Specify SBOM Application Version During Import
You can now specify the application version during the import process, giving you more control over how your SBOM data is organized and tracked. If no version is specified, SBOM Manager will continue to use the existing logic, either extracting the version from the SBOM itself or generating one based on the date and time. This enhancement provides a more streamlined and user-friendly experience, allowing for better management of SBOMs associated with specific application versions.
For full details, see the SBOM Applications help documentation.
Easily View SBOM Release Status
This release introduces a new Release Status feature to provide a clearer picture of your SBOMs' security posture. The BOM page now displays the overall release status of an SBOM version, replacing the previous annotation percentage. This status is calculated based on annotations for critical and high vulnerabilities, providing a more focused view of your risk. Additionally, the Release Status column in the Components table offers a granular view of individual component statuses, empowering you to prioritize remediation efforts.
These enhancements improve SBOM analysis and risk assessment by highlighting the most critical vulnerabilities impacting your software. See the BOM page documentation for full details.
Sonatype Repository Firewall
IQ release 187 does not include any enhancements to Sonatype Repository Firewall.
Notable Integrations Changes
We also wish to call out the following significant integrations changes:
Support for Python pipfile.lock (IQ CLI)
IQ CLI 2.0 now supports Python pipfile.lock files. This allows it to accurately and efficiently identify dependencies directly from Pipenv projects. This eliminates the need for manual workarounds or CI configurations when analyzing Python projects with Pipenv.
Note that users leveraging the Jenkins plugin will need to upgrade their Jenkins plugin to take advantage of this functionality as the changes were made within the scanner.
Bug Fixes
| Issue ID | Description |
|---|---|
| CLM-34075 | Waivers created for a specific security vulnerability and matcher strategy are no longer incorrectly marked as "unapplied waivers" on unrelated violation. |
| CLM-33553 | Backslashes in package names no longer cause an |
| CLM-33047 | Policy violation constraint facts now load properly so that requesting success metrics for certain applications no longer results in a 500 error. |
| CLM-32350 | The Success Metrics report header now correctly reflects the configured |
| CLM-29183 | The IQ CLI now correctly processes |
| CLM-29148 | You can now configure the maximum number of PostgreSQL connections for on-premises Nexus IQ Server installations using the |
| NEXUS-45401 | Resolved an issue that was causing some features of Firewall to not be available when also using SBOM Manager for some license types. |