Sonatype IQ Server 191 Release Notes
Released May 6, 2025
The IQ 191 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
New Insight for IQ 189+: Waivers Explorer
The Waivers Explorer dashboard is a powerful tool to help you optimize your vulnerability remediation process. It offers a comprehensive view of your organization's waived policy violations, allowing you to make informed decisions and strategically prioritize development deliverables while managing security risks.

The Waivers Explorer dashboard helps you analyze your active waivers by providing a breakdown of waivers scoped to root organizations, individual organizations, and applications. It also summarizes the volume of created waivers (manual and automated), gives a snapshot of upcoming waiver expirations, and highlights the top five most frequently waived policy violations for components and applications. With these insights, you can refine your remediation strategies based on your organization's risk tolerance.
This dashboard is available for IQ versions 189 and beyond. See the Waivers Explorer help documentation for full details.
New Insights for IQ 184+: Security Risk Trends and Security Risk Breakdown Dashboards Replace Security Risk Analysis
We have replaced the Security Risk Analysis dashboard with two new, more focused dashboards: Security Risk Trends and Security Risk Breakdown. These new dashboards provide enhanced visibility into your organization's security posture.
The Security Risk Trends dashboard allows you to monitor your applications' health and security over time. By tracking trends in open violations, fix rates, and mean time to remediate (MTTR), you can establish benchmarks and gain insights into your remediation strategies' effectiveness. This dashboard offers various filters to help you analyze specific areas of interest.

The Security Risk Breakdown dashboard provides a detailed view of vulnerability distribution and severity within your applications. This enables a more targeted approach to remediation, helping you prioritize efforts to maintain a low-risk security profile and meet compliance requirements. The dashboard highlights the Top 10 Violations Fixed, Top 5 Applications with Most Risk, Top 5 Most Common Vulnerabilities (CVEs), Top 5 Components with Most Risk, and Top 5 Common Weaknesses (CWEs). Interactive filters allow you to analyze risk based on various criteria, such as threat level, stage, and violation type.

These dashboards are available for IQ versions 184 and beyond. See the Security Risk Trends and Security Risk Breakdown help pages for full details.
Added Support for Dart and Flutter Analysis
Sonatype Lifecycle now provides comprehensive support for scanning Dart and Flutter projects, bringing the power of our component analysis to this rapidly growing ecosystem. This enhancement allows you to proactively manage the security and licensing aspects of your Dart and Flutter projects, mitigating potential risks associated with open source dependencies. By analyzing project dependency files such as pubspec.yaml, the more detailed pubspec.lock, and Dart and Flutter packages (tar.gz files that contain the source code and license information), Lifecycle provides in-depth visibility into your application's composition.
For full details, see our Dart and Flutter Analysis help documentation.
Data Insights is now Enterprise Reporting
We have renamed the Data Insights section to Enterprise Reporting in the left-hand navigation and introduced an improved landing page with a clearer layout and organization.
The improved Enterprise Reporting landing page offers two categories of visualizations:
Enterprise Dashboards offering a holistic view of OSS usage, risks, and policy compliance across your organization.
Data Insights offering focused views on specific/singular open-source trends in your organization for component end-of-life, AI/ML usage, and tech diversity.
Learn more about available dashboards and insights in the Enterprise Reporting help documentation.
Data Insights Enhancement: Enhanced Security Risk Analysis Dashboard
We’ve enhanced the Security Risk Analysis dashboard to provide greater insight into security risks. A new Violations Over Time table allows users to track the trend of open and waived violations monthly, offering a historical perspective on their security posture. Additionally, you can now filter by Violation Type and display only Legacy Violations or Non-Legacy Violations to help you differentiate between new and pre-existing violations.
For full details, see the Security Risk Analysis Dashboard help documentation.
Change to License Overrides REST API Naming
Releases 189 - 190 used the path api/v2/licenseOverride for the License Overrides API. However, in release 191, we have updated the API to match Sonatype's naming convention. As of release 191, this API uses api/v2/licenseOverrides (with Overrides now plural). See the License Overrides REST API documentation.
Cocoapods Approaching End-of-Life
In response to the observed shift in interest towards other ecosystems (e.g., Swift), Cocoapods has announced plans to stop accepting new versions or pods into the Cocoapods trunk by the end of December 2026. As a result, there will be no updates to dependencies that reach Sonatype Component Intelligence through the Cocoapods trunk after December 2026.
We will continue to support analysis of these dependencies/components, but they will be marked as End-of-Life components at all occurrences within Lifecycle (e.g., policies).
Sonatype Developer
This release includes the following changes for Sonatype Developer:
Automated Waivers for Non-Reachable Methods
Sonatype Developer’s automated waiver functionality is now extended to automatically waive policy violations for vulnerabilities identified in methods that are not conclusively reachable. This allows you to focus on addressing vulnerabilities within your application's active execution paths, minimizing noise from findings that pose a lower risk. See the automated waiver help documentation for full details.
Note that Reachability Analysis must be enabled via Sonatype CLI (version 2.5.0-01 or higher) or your integrated CI/CD plugin in order to take advantage of this functionality. Please consult the latest release notes for your specific CI/CD plugin to confirm support for this functionality.
Support for Multiple Automated Waivers
Along with automated waivers for non-reachable methods, Sonatype Developer now supports multiple automated waiver configurations at the application and organization levels, allowing for more advanced logic. You can now define different threat levels for reachability and no-path-forward automated waivers as well as implement OR and AND logic when combining these configurations.
See the automated waivers help documentation for details on how to use this feature.
Sonatype SBOM Manager
This release does not include significant changes for Sonatype SBOM Manager.
Sonatype Repository Firewall
This release includes the following changes for Sonatype Repository Firewall:
Hugging Face Support for Repository Firewall (Requires Sonatype Nexus Repository version 3.80.0+)
Sonatype Firewall now extends its comprehensive component analysis to include artifacts from Hugging Face. This enhancement allows users to leverage Firewall's policy engine and vulnerability insights to govern the use of pre-trained models and other assets hosted on the Hugging Face Hub.
By integrating Hugging Face support, organizations can proactively identify and mitigate potential security risks and licensing issues associated with these widely used machine learning resources, ensuring a more secure AI/ML development lifecycle.
Hugging Face Support for Firewall for Artifactory Plugin (Plugin version 2.6.0)
The 2.6.0 release of the Firewall for Artifactory Plugin also provides Hugging Face support. See the Firewall for Artifactory Plugin help docs for details on this plugin.
Bug Fixes
Issue ID | Description |
---|---|
CLM-34788 | Application report files are now retained until after policy evaluation, preventing premature deletion and potential errors. This change ensures the |
CLM-34786 | The system no longer makes calls to the HDS when an invalid product license is detected. This change prevents the occurrence of spurious "402 Payment Required" errors for SaaS tenants with valid licenses. |
CLM-34766 | Pull request comments are now successfully created in Bitbucket Server for organizations with Latin-1 special characters in their names. This fix ensures that the payload for pull request comments uses UTF-8 encoding, resolving issues with automated PRs generated by Lifecycle. |
CLM-34690 | The |
CLM-34561 | The |
CLM-34530 | The Expiry Date in the Component Waivers popover, which appears on the Policy Violations tab within the Component Details page, now correctly displays the waiver's expiration date. This fix ensures that the expiry time is properly included in the |
CLM-34522 | When FIPS mode is enabled, the system now logs an error. This enhancement provides improved visibility and aids in diagnosing potential issues related to FIPS compliance. |
CLM-32347 | The system now gracefully handles |
Coming Soon to Sonatype Lifecycle and Developer
We’re excited to share that the following enhancements will be coming soon to Sonatype Lifecycle and Developer:
Request Waivers Workflow
A dedicated workflow that allows developers to submit waiver requests for review and approval or rejection by designated personnel.
Known Exploitable Vulnerability (KEV) List for Prioritization by Policy
Implement a new policy constraint leveraging Known Exploited Vulnerabilities (KEV) data.