Sonatype IQ Server 188 Release Notes
Released March 2025
The IQ 188 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Changes Impacting Multiple Solutions
These changes impact multiple IQ-powered solutions.
API Documentation Available in the User Interface for All IQ-Powered Solutions
API documentation, powered by Swagger, is now accessible directly within the user interface for all IQ-powered solutions, including Lifecycle, Developer, SBOM Manager, Firewall, and Advanced Legal Pack.
A new API tab in the left-hand navigation for each IQ-powered solution provides easy access to the Swagger documentation. Within the Swagger documentation, you can find detailed information about each API endpoint, including request and response formats, required parameters, authentication requirements, and example responses. You can even try out API calls directly from the user interface provided that you have the necessary permissions for that API.
Regardless of the solution you are currently viewing, the API documentation remains consistent, displaying all available IQ APIs for your license type. This unified approach simplifies API exploration and usage, providing a centralized resource for developers.
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
Update Existing Waivers with the Policy Waivers REST API
In this release, we've expanded the Policy Waivers REST API capabilities, enabling users to update existing waivers through the API. This enhancement provides greater flexibility and efficiency in managing policy exceptions. Specifically, you can now modify attributes such as the waiver's expiration date, comments, and waiver reason ID, streamlining your workflow and ensuring precise control over policy enforcement. See the Policy Waiver REST API help documentation for details.
Policy Violations REST API Now Returns Waived, Legacy, and Auto-Waived Violations
We’ve enhanced the Policy Violation REST API to provide a more comprehensive view of your policy landscape. Previously, this API only returned active policy violations. Now, you can retrieve waived, auto-waived, and legacy violations as well. This enhancement eliminates the need to consult multiple APIs, providing a consolidated view similar to the violations dashboard in the user interface.
For full details on how to use the Policy Violation REST API to retrieve various violation types, see the Policy Violation REST API documentation.
Report REST API Policy Violations Now Returns Open Time
The Report REST API now includes the openTime field when returning policy violation data, providing users with the timestamp of when a violation was first detected. This enhancement allows for more detailed analysis of violation age and improved tracking of remediation efforts directly within the report data. See the Report REST API help documentation for full details.
Success Metrics Enterprise Dashboard Displays Remediation Status Charts
We've enhanced the Success Metrics Enterprise Dashboard with two new donut charts, providing a clearer view of remediation status.
The Remediation Status: Critical Violations chart shows a breakdown of critical violations remediated through various methods, including upgrades, downgrades, component removal, vulnerability fixes, and waivers.
The Remediation Status: All Other Violations chart presents a breakdown of remediation actions for all non-critical violations. This chart specifically highlights remediations achieved through component version changes and waivers, offering insight into the strategies used to manage lower-severity violations.
These visual enhancements provide a more comprehensive and actionable overview of your organization's remediation efforts. See the Success Metrics Enterprise Dashboard help documentation for full details.
Enhanced Security Risk Analysis Dashboard
We've enhanced the Security Risk Analysis dashboard to provide more granular insights into your application security posture.
The dashboard now includes new Mean Time To Remediate (MTTR) and Fix Rate charts to provide a clear visualization of your team's remediation efficiency. The Fix Rate chart displays the percentage of violations resolved over time, including resolutions achieved through component version changes and vulnerability fixes.
Additionally, the dashboard now includes new remediation reason charts, offering a detailed breakdown of critical and non-critical violation remediation methods. These enhancements provide a more comprehensive and actionable view of your application security risks and remediation progress.
For full details, see the Security Risk Analysis Dashboard help documentation.
Sonatype Developer
This release does not include any additional changes for Sonatype Developer.
Sonatype SBOM Manager
This release does not include any additional changes for Sonatype SBOM Manager.
Sonatype Repository Firewall
This release does not include any additional changes for Sonatype Repository Firewall.
Notable Integrations Changes
We also wish to call out the following significant integrations changes:
Enhanced Console Output with Lifecycle and Developer Links (IQ CLI)
Released February 15, 2025
Sonatype CLI now provides direct links to both the detailed Sonatype Lifecycle report and the Developer priority page in the console output. This enhancement makes it easier to access critical vulnerability and policy violation details, streamlining remediation efforts for developers and security teams.
Bug Fixes
Issue ID | Description |
---|---|
CLM-34067 | Policy violations without migrated |
CLM-33993 | Improved SCM integration error handling to prevent connection attempts and null pointer exceptions when configuration is invalid. |
CLM-33991 | Deleting a user via REST API with no active IQ browser session now succeeds as expected. |
CLM-31655 | Azure DevOps plugin log no longer shows unexpected invalid cookie header information. |
CLM-31489 | Skip validation for SPDX scans now works as expected. |
CLM-31394 | When the violations dashboard is disabled, users now see a descriptive alert in the user interface. |
CLM-29686 | Added explanatory tooltips and re-designed the Daily Automated Pull Request activity table. See the Automated Pull Request help documentation for details. |