Sonatype IQ Server 189 Release Notes

All IQ-powered solutions—Sonatype Lifecycle, Sonatype Repository Firewall, Sonatype SBOM Manager, and Sonatype Developer—now display product-specific favicons and browser tab titles. Previously, all products used the same Sonatype Suite favicon and a generic title. This update provides clearer visual cues, helping users quickly identify and switch between products when working across multiple tabs.

Lifecycle scans can now identify AI/ML models that are derivatives of other models, providing crucial insights into model lineage.

This new feature allows you to establish policies that distinguish between foundational models and their retrained or derived counterparts. By flagging models derived from others, you can ensure that your organization uses AI models with intentionality, promoting adherence to security and compliance standards.

When a Derivative AI Model policy is in place and a scan detects a derived model, the policy violation details will display the parent model, giving you the context needed to make informed decisions. This feature enables you to maintain better control over your AI/ML model supply chain and manage the inherent risks associated with using derived models.

For full details, see the Policy Constraints and AI/ML Derivative Model Detection help documentation.

This release includes improved flexibility for scanning AI/ML model files hosted on the Hugging Face platform, addressing the challenges posed by Git Large File Storage (LFS). Previously, scans required the complete model file to be present on disk, leading to failures when encountering LFS pointers. With this enhancement, IQ Server can now effectively process these pointers, enabling successful scans even when model files are cloned without downloading their full content. This advancement streamlines the scanning workflow, eliminating the need for manual file retrieval and reducing the potential for scan interruptions.

For full details, see the Hugging Face Model Analysis topic.

Lifecycle’sCoordinates policy condition now supports all IQ-supported formats. This release specifically adds support for Conda, Cran, Gem, Golang, NuGet, Pub, RPM, SWID, and Swift formats. This policy condition already supported Maven, npm, PyPI, Cargo, Cocoapods, Composer, Conan, and Hugging Face package formats.

You can now create policies that specifically target components from all of these ecosystems without resorting to more complex workarounds like using labels.

We’ve enhanced Lifecycle’s policy re-evaluation functionality (available in the Application Composition Report) to always use the latest Hosted Data Services (HDS) data. This means that re-evaluation now includes up-to-date changes to HDS data, including vulnerabilities, license information, and more. This change ensures that policy evaluations are based on the most accurate and comprehensive information available, leading to more reliable security and compliance assessments.

To improve traceability and meet customer feedback, the Latest Evaluations page in Sonatype Lifecycle now includes the CLI or plugin version used to generate each scan. This addition helps teams better understand the context of evaluation results and simplifies troubleshooting.

When merging multiple SBOMs, SBOM Manager now merges associated licenses and vulnerabilities for duplicate components. This enhancement ensures that all relevant security and licensing information is preserved during the merging operation, providing a more accurate and complete representation of your software bill of materials.

Sonatype's new Malware Defense Evaluation API enables on-demand malware checks for software artifacts, providing rapid and automated threat detection across development pipelines. This API leverages Sonatype's comprehensive threat intelligence to accurately pinpoint malicious components, including those deeply embedded within dependencies.

The API's response includes detailed information about identified threats, such as the attackVector and threatTypes. For example, a malicious component might be flagged with attackVector: "trojan" and threatTypes: "secrets_exfiltration, backdoor", offering a clear understanding of the specific risks involved.

For detailed information, refer to the Malware Defense Evaluation REST API documentation.

Sonatype Repository Firewall now provides a dedicated REST API to mitigate Namespace Confusion attacks, a common vulnerability in dependency management.

This new API allows users to define and manage protected namespaces, preventing the installation of malicious packages that exploit naming conflicts. Using the new endpoint, administrators can add namespaces, including wildcard support, to a dedicated repository that is automatically created if it does not exist. Additionally, the API offers a DELETE method to remove all protected namespaces for a given format, providing comprehensive control over your namespace security.

This functionality empowers users to proactively defend against Namespace Confusion attacks and maintain the integrity of their software supply chain. For full details, see the Namespace Confusion REST API help documentation.

In this release, the Swagger API documentation paths for Sonatype Repository Firewall have been updated to use malware-defense instead of firewall. This is a technical change in the API documentation only—Sonatype Repository Firewall remains the same product.

There’s no impact to functionality. Existing API endpoints that use 'firewall' will continue to work. Requests using 'firewall' are automatically forwarded to 'malware-defense'.

However, please note that the User Interface (UI) URL must now use 'malware-defense' in the path. For example:

https://base-url/platform/assets/index.html#/malware-defense/dashboard

https://base-url/platform/assets/index.html#/firewall/dashboard (this will not work)

Earlier this month, Sonatype released version 2.5.0 of the Firewall for Artifactory plug-in to support JFrog Artifactory versions 7.104.5 and later. While the previous version, 2.4.13, remains available for download, it is only compatible with Artifactory versions up to 7.98.15.

Users on newer Artifactory versions must upgrade to 2.5.0 for continued functionality and security. Find the latest plugin on the Download and Compatibility page. Also, see the Firewall for Artifactory compatibility information and our Sonatype Repository Firewall for JFrog Artifactory help documentation for full details about our plugin.

Please note that Firewall Classic will be sunset on April 9, 2025, and will then be considered fully replaced by Sonatype Repository Firewall. For full details, see the Firewall Classic Sunsetting documentation.

Expansion of Lifecycle’s support for mobile development by providing full support for Dart + Flutter.

Lifecycle and Developer’s reachability analysis will seamlessly support npm and JavaScript code.