
Sonatype IQ Server 189 Release Notes

Released April 2025

The IQ 189 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.

Improvements Impacting Multiple Solutions

This release includes the following improvements that impact multiple IQ Server-powered solutions:

Improved Browser Tab Identification Across Solutions

All IQ-powered solutions—Sonatype Lifecycle, Sonatype Repository Firewall, Sonatype SBOM Manager, and Sonatype Developer—now display product-specific favicons and browser tab titles. Previously, all products used the same Sonatype Suite favicon and a generic title. This update provides clearer visual cues, helping users quickly identify and switch between products when working across multiple tabs.

Sonatype Lifecycle

This release includes the following changes for Sonatype Lifecycle:

Policy Conditions for Derivative AI Models

Lifecycle scans can now identify AI/ML models that are derivatives of other models, providing crucial insights into model lineage.

This new feature allows you to establish policies that distinguish between foundational models and their retrained or derived counterparts. By flagging models derived from others, you can ensure that your organization uses AI models with intentionality, promoting adherence to security and compliance standards.

Note

Derivative model detection currently applies only to models hosted on Hugging Face.


When a Derivative AI Model policy is in place and a scan detects a derived model, the policy violation details will display the parent model, giving you the context needed to make informed decisions. This feature enables you to maintain better control over your AI/ML model supply chain and manage the inherent risks associated with using derived models.

For full details, see the Policy Constraints and AI/ML Derivative Model Detection help documentation.

Support for Scanning LFS Files for AI/ML

Tip

This feature will be fully available once the scanning integrations (including the IQ CLI) compatible with IQ Server version 189 are made available. This should be shortly after the core IQ Server release in accordance with our staggered release schedule for integrations.

This release includes improved flexibility for scanning AI/ML model files hosted on the Hugging Face platform, addressing the challenges posed by Git Large File Storage (LFS). Previously, scans required the complete model file to be present on disk, leading to failures when encountering LFS pointers. With this enhancement, IQ Server can now effectively process these pointers, enabling successful scans even when model files are cloned without downloading their full content. This advancement streamlines the scanning workflow, eliminating the need for manual file retrieval and reducing the potential for scan interruptions.

For full details, see the Hugging Face Model Analysis topic.
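As an added illustration (not IQ Server's own code) of what a scanner finds in an LFS-backed clone: a Git LFS pointer is a few lines of text carrying the sha256 `oid` and `size` of the real blob, so a scanner can recognise the pointer and identify the content by that hash instead of failing on a file that is not the model. The `parse_lfs_pointer` helper, the `LfsPointer` dataclass and the sample pointer below are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A Git LFS pointer file: first line is the spec version, then "key value"
# lines, of which "oid" is the sha256 of the real blob and "size" its length.
LFS_VERSION_PREFIX = "version https://git-lfs.github.com/spec/"
OID_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


@dataclass
class LfsPointer:
    oid_sha256: str  # content hash of the blob the pointer stands in for
    size: int        # byte length of that blob


def parse_lfs_pointer(data: bytes) -> Optional[LfsPointer]:
    """Return the parsed pointer if `data` is a Git LFS pointer, else None.

    A real model file (a multi-gigabyte safetensors or pickle blob) is not a
    pointer, so the caller can tell content from a reference to content.
    """
    # Pointers are tiny text files; anything large or non-UTF-8 is real content.
    if len(data) > 1024:
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    lines = text.splitlines()
    if not lines or not lines[0].startswith(LFS_VERSION_PREFIX):
        return None
    fields = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        key, sep, value = line.partition(" ")
        if not sep:
            return None  # malformed line: not a pointer we trust
        fields[key] = value
    oid_match = OID_RE.match(fields.get("oid", ""))
    if not oid_match or not fields.get("size", "").isdigit():
        return None
    return LfsPointer(oid_sha256=oid_match.group(1), size=int(fields["size"]))


# Constructed sample: what a clone leaves on disk for an LFS-tracked model
# file when the LFS content itself has not been fetched.
SAMPLE_OID = "ab" * 32
SAMPLE_POINTER = (
    "version https://git-lfs.github.com/spec/v1\n"
    f"oid sha256:{SAMPLE_OID}\n"
    "size 548105171\n"
).encode()
```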

Coordinate Constraint Supports All Formats

Lifecycle’s Coordinates policy condition now supports all IQ-supported formats. This release specifically adds support for Conda, Cran, Gem, Golang, NuGet, Pub, RPM, SWID, and Swift formats. This policy condition already supported Maven, npm, PyPI, Cargo, Cocoapods, Composer, Conan, and Hugging Face package formats.

You can now create policies that specifically target components from all of these ecosystems without resorting to more complex workarounds like using labels.

Re-Evaluation Now Uses Latest Hosted Data Services Data

We’ve enhanced Lifecycle’s policy re-evaluation functionality (available in the Application Composition Report) to always use the latest Hosted Data Services (HDS) data. This means that re-evaluation now includes up-to-date changes to HDS data, including vulnerabilities, license information, and more. This change ensures that policy evaluations are based on the most accurate and comprehensive information available, leading to more reliable security and compliance assessments.

Display CLI/Plugin Version in Latest Evaluations

To improve traceability and meet customer feedback, the Latest Evaluations page in Sonatype Lifecycle now includes the CLI or plugin version used to generate each scan. This addition helps teams better understand the context of evaluation results and simplifies troubleshooting.

Sonatype Developer

This release does not include any significant changes for Sonatype Developer.

Sonatype SBOM Manager

This release includes the following changes for Sonatype SBOM Manager:

Enhanced Component Merging

When merging multiple SBOMs, SBOM Manager now merges associated licenses and vulnerabilities for duplicate components. This enhancement ensures that all relevant security and licensing information is preserved during the merging operation, providing a more accurate and complete representation of your software bill of materials.
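The merge semantics described above, as an added example (not SBOM Manager's code): duplicate components are identified by purl, and their licenses and vulnerability records are unioned rather than one copy being dropped. The reduced CycloneDX-like document shape, `merge_sboms` and the two sample documents are assumptions of this example.

```python
from typing import Dict, List


def merge_sboms(sboms: List[dict]) -> dict:
    """Merge simplified CycloneDX-style documents into one.

    Components are deduplicated by purl. A duplicate's licenses are unioned
    by license id, and vulnerability records are unioned by vulnerability id
    with their affected refs combined, so nothing either input knew is lost.
    """
    components: Dict[str, dict] = {}
    vulns: Dict[str, dict] = {}
    for sbom in sboms:
        for comp in sbom.get("components", []):
            purl = comp["purl"]
            entry = components.setdefault(
                purl, {"name": comp["name"], "purl": purl, "licenses": []})
            seen = {lic["license"]["id"] for lic in entry["licenses"]}
            for lic in comp.get("licenses", []):
                lic_id = lic["license"]["id"]
                if lic_id not in seen:
                    entry["licenses"].append({"license": {"id": lic_id}})
                    seen.add(lic_id)
        for vuln in sbom.get("vulnerabilities", []):
            entry = vulns.setdefault(vuln["id"], {"id": vuln["id"], "affects": []})
            refs = {a["ref"] for a in entry["affects"]}
            for affected in vuln.get("affects", []):
                if affected["ref"] not in refs:
                    entry["affects"].append({"ref": affected["ref"]})
                    refs.add(affected["ref"])
    return {
        "bomFormat": "CycloneDX",
        "components": list(components.values()),
        "vulnerabilities": list(vulns.values()),
    }


# Constructed sample: the same component appears in two SBOMs, one carrying
# its license and the other a vulnerability record (placeholder id).
LODASH = "pkg:npm/lodash@4.17.20"
SBOM_A = {"components": [{"name": "lodash", "purl": LODASH,
                          "licenses": [{"license": {"id": "MIT"}}]}]}
SBOM_B = {"components": [{"name": "lodash", "purl": LODASH, "licenses": []}],
          "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "affects": [{"ref": LODASH}]}]}
```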

Sonatype Repository Firewall

This release includes the following changes for Sonatype Repository Firewall:

New Malware Defense Evaluation REST API

Sonatype's new Malware Defense Evaluation API enables on-demand malware checks for software artifacts, providing rapid and automated threat detection across development pipelines. This API leverages Sonatype's comprehensive threat intelligence to accurately pinpoint malicious components, including those deeply embedded within dependencies.

The API's response includes detailed information about identified threats, such as the attackVector and threatTypes. For example, a malicious component might be flagged with attackVector: "trojan" and threatTypes: "secrets_exfiltration, backdoor", offering a clear understanding of the specific risks involved.

For detailed information, refer to the Malware Defense Evaluation REST API documentation.

New Firewall REST API to Protect Against Namespace Confusion

Sonatype Repository Firewall now provides a dedicated REST API to mitigate Namespace Confusion attacks, a common vulnerability in dependency management.

This new API allows users to define and manage protected namespaces, preventing the installation of malicious packages that exploit naming conflicts. Using the new endpoint, administrators can add namespaces, including wildcard support, to a dedicated repository that is automatically created if it does not exist. Additionally, the API offers a DELETE method to remove all protected namespaces for a given format, providing comprehensive control over your namespace security.

This functionality empowers users to proactively defend against Namespace Confusion attacks and maintain the integrity of their software supply chain. For full details, see the Namespace Confusion REST API help documentation.
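One way to express the protected-namespace check on the consuming side, as an added example that is not the Firewall API or its matching rules: `ProtectedNamespace`, `namespace_of`, `is_protected`, `proxy_decision`, the shell-style `*` wildcard semantics and the per-format namespace extraction are all assumptions of this example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProtectedNamespace:
    fmt: str      # package format the rule applies to, e.g. "npm" or "maven"
    pattern: str  # namespace, with '*' allowed as a shell-style wildcard


def namespace_of(fmt: str, coordinate: str) -> str:
    """Return the part of a coordinate a namespace rule is compared against
    (extraction rules assumed for this example):
      npm   '@acme/auth-lib'          -> '@acme'  (unscoped names have none)
      maven 'com.acme.billing:ledger' -> 'com.acme.billing'  (the groupId)
    """
    if fmt == "npm":
        return coordinate.split("/", 1)[0] if coordinate.startswith("@") else ""
    if fmt == "maven":
        return coordinate.split(":", 1)[0]
    raise ValueError(f"no namespace rule for format {fmt!r}")


def is_protected(rules: Iterable[ProtectedNamespace], fmt: str, coordinate: str) -> bool:
    """True if the coordinate falls inside a protected namespace for its format.

    fnmatchcase lets '*' match any run of characters, '.' and '-' included, so
    write patterns that end at a separator ('com.acme.*', '@acme') rather than
    open-ended ones ('@acme*'), which would also cover a scope like '@acme-evil'.
    """
    target = namespace_of(fmt, coordinate)
    if not target:
        return False
    return any(r.fmt == fmt and fnmatch.fnmatchcase(target, r.pattern) for r in rules)


def proxy_decision(rules, fmt: str, coordinate: str, remote_is_public: bool) -> str:
    """Assumed policy: a request that would fetch a component from a public
    remote is refused when its namespace is reserved for internal packages;
    requests served from internal remotes are unaffected."""
    if remote_is_public and is_protected(rules, fmt, coordinate):
        return "block"
    return "allow"


# Constructed rule set: the internal npm scope and Maven group tree are reserved.
RULES = [ProtectedNamespace("npm", "@acme"), ProtectedNamespace("maven", "com.acme.*")]
```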

Changes in Swagger API and User Interface URL

In this release, the Swagger API documentation paths for Sonatype Repository Firewall have been updated to use malware-defense instead of firewall. This is a technical change in the API documentation only—Sonatype Repository Firewall remains the same product.

There’s no impact to functionality. Existing API endpoints that use 'firewall' will continue to work. Requests using 'firewall' are automatically forwarded to 'malware-defense'.

However, please note that the User Interface (UI) URL must now use 'malware-defense' in the path. For example:

Works: https://base-url/platform/assets/index.html#/malware-defense/dashboard

Does not work: https://base-url/platform/assets/index.html#/firewall/dashboard

New Firewall for Artifactory Plugin Supporting Latest Artifactory Versions

Earlier this month, Sonatype released version 2.5.0 of the Firewall for Artifactory plug-in to support JFrog Artifactory versions 7.104.5 and later. While the previous version, 2.4.13, remains available for download, it is only compatible with Artifactory versions up to 7.98.15.

Users on newer Artifactory versions must upgrade to 2.5.0 for continued functionality and security. Find the latest plugin on the Download and Compatibility page. Also, see the Firewall for Artifactory compatibility information and our Sonatype Repository Firewall for JFrog Artifactory help documentation for full details about our plugin.

Firewall Classic Sunsetting

Please note that Firewall Classic will be sunset on April 9, 2025, and will then be considered fully replaced by Sonatype Repository Firewall. For full details, see the Firewall Classic Sunsetting documentation.

Bug Fixes

Issue ID    Description

CLM-34525   Firewall's LDAP configuration now functions correctly with a Firewall-only license.

CLM-34331   The Nexus IQ Server Alpine image now includes curl, ensuring successful health checks.

CLM-34168   CycloneDX files exported from IQ Server now correctly handle the WXwindows license, allowing successful re-importation and scanning.

CLM-31307   IQ Server upgrades from version 175 to 176 and later no longer generate excessive WARN log messages related to policy waiver comparisons across different component formats.

CLM-30536   Users can now navigate back to the "Review Obligations" view from the license view within scan reports.

CLM-30372   CLI scans performed by users with the "Application Evaluator" role no longer fail with "Could not fetch IQ params for application" errors due to insufficient permissions.

Coming Soon to Lifecycle and Developer

We’re excited to share that the following enhancements will be coming soon to Sonatype Lifecycle and Developer:

Expanded Lifecycle Support for Dart + Flutter

Lifecycle’s support for mobile development will be expanded to provide full support for Dart + Flutter.

Reachability Ecosystem Expansion to Cover npm and JavaScript

Lifecycle and Developer’s reachability analysis will seamlessly support npm and JavaScript code.