
Sonatype IQ Server 191 Release Notes

Released May 6, 2025

The IQ 191 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.

Sonatype Lifecycle

This release includes the following changes for Sonatype Lifecycle:

New Insight for IQ 189+: Waivers Explorer

The Waivers Explorer dashboard is a powerful tool to help you optimize your vulnerability remediation process. It offers a comprehensive view of your organization's waived policy violations, allowing you to make informed decisions and strategically prioritize development deliverables while managing security risks.

[Screenshot: Waivers Explorer dashboard]

The Waivers Explorer dashboard helps you analyze your active waivers by providing a breakdown of waivers scoped to root organizations, individual organizations, and applications. It also summarizes the volume of created waivers (manual and automated), gives a snapshot of upcoming waiver expirations, and highlights the top five most frequently waived policy violations for components and applications. With these insights, you can refine your remediation strategies based on your organization's risk tolerance.

This dashboard is available for IQ versions 189 and beyond. See the Waivers Explorer help documentation for full details.

New Insights for IQ 184+: Security Risk Trends and Security Risk Breakdown Dashboards Replace Security Risk Analysis

We have replaced the Security Risk Analysis dashboard with two new, more focused dashboards: Security Risk Trends and Security Risk Breakdown. These new dashboards provide enhanced visibility into your organization's security posture.

The Security Risk Trends dashboard allows you to monitor your applications' health and security over time. By tracking trends in open violations, fix rates, and mean time to remediate (MTTR), you can establish benchmarks and gain insights into your remediation strategies' effectiveness. This dashboard offers various filters to help you analyze specific areas of interest.

[Screenshot: Security Risk Trends dashboard]

The Security Risk Breakdown dashboard provides a detailed view of vulnerability distribution and severity within your applications. This enables a more targeted approach to remediation, helping you prioritize efforts to maintain a low-risk security profile and meet compliance requirements. The dashboard highlights the Top 10 Violations Fixed, Top 5 Applications with Most Risk, Top 5 Most Common Vulnerabilities (CVEs), Top 5 Components with Most Risk, and Top 5 Common Weaknesses (CWEs). Interactive filters allow you to analyze risk based on various criteria, such as threat level, stage, and violation type.

[Screenshot: Security Risk Breakdown dashboard]

These dashboards are available for IQ versions 184 and beyond. See the Security Risk Trends and Security Risk Breakdown help pages for full details.

Added Support for Dart and Flutter Analysis

Sonatype Lifecycle now provides comprehensive support for scanning Dart and Flutter projects, bringing the power of our component analysis to this rapidly growing ecosystem. This enhancement allows you to proactively manage the security and licensing aspects of your Dart and Flutter projects, mitigating potential risks associated with open source dependencies. By analyzing project dependency files such as pubspec.yaml, the more detailed pubspec.lock, and Dart and Flutter packages (tar.gz files that contain the source code and license information), Lifecycle provides in-depth visibility into your application's composition.

For full details, see our Dart and Flutter Analysis help documentation.

Data Insights is now Enterprise Reporting

We have renamed the Data Insights section to Enterprise Reporting in the left-hand navigation and introduced an improved landing page with a clearer layout and organization.


The improved Enterprise Reporting landing page offers two categories of visualizations:

  • Enterprise Dashboards offering a holistic view of OSS usage, risks, and policy compliance across your organization.

  • Data Insights offering focused views on specific open-source trends in your organization, such as component end-of-life, AI/ML usage, and tech diversity.

Learn more about available dashboards and insights in the Enterprise Reporting help documentation.

Data Insights Enhancement: Enhanced Security Risk Analysis Dashboard

We’ve enhanced the Security Risk Analysis dashboard to provide greater insight into security risks. A new Violations Over Time table allows users to track the trend of open and waived violations monthly, offering a historical perspective on their security posture. Additionally, you can now filter by Violation Type and display only Legacy Violations or Non-Legacy Violations to help you differentiate between new and pre-existing violations.

For full details, see the Security Risk Analysis Dashboard help documentation.

Change to License Overrides REST API Naming

Releases 189 - 190 used the path api/v2/licenseOverride for the License Overrides API. However, in release 191, we have updated the API to match Sonatype's naming convention. As of release 191, this API uses api/v2/licenseOverrides (with Overrides now plural). See the License Overrides REST API documentation.

Cocoapods Approaching End-of-Life

In response to the observed shift in interest towards other ecosystems (e.g., Swift), Cocoapods has announced plans to stop adding new versions or pods to the Cocoapods trunk by the end of December 2026. As a result, dependencies that reach Sonatype Component Intelligence through the Cocoapods trunk will receive no updates after December 2026.

We will continue to support analysis of these dependencies/components, but they will be marked as End-of-Life components wherever they appear within Lifecycle (e.g., in policies).

Sonatype Developer

This release includes the following changes for Sonatype Developer:

Automated Waivers for Non-Reachable Methods

Sonatype Developer’s automated waiver functionality is now extended to automatically waive policy violations for vulnerabilities identified in methods that are not conclusively reachable. This allows you to focus on addressing vulnerabilities within your application's active execution paths, minimizing noise from findings that pose a lower risk. See the automated waiver help documentation for full details.

Note that Reachability Analysis must be enabled via Sonatype CLI (version 2.5.0-01 or higher) or your integrated CI/CD plugin in order to take advantage of this functionality. Please consult the latest release notes for your specific CI/CD plugin to confirm support for this functionality.

Support for Multiple Automated Waivers

Along with automated waivers for non-reachable methods, Sonatype Developer now supports multiple automated waiver configurations at the application and organization levels, allowing for more advanced logic. You can now define different threat levels for reachability and no-path-forward automated waivers as well as implement OR and AND logic when combining these configurations.


See the automated waivers help documentation for details on how to use this feature.

Sonatype SBOM Manager

This release does not include significant changes for Sonatype SBOM Manager.

Sonatype Repository Firewall

This release includes the following changes for Sonatype Repository Firewall:

Hugging Face Support for Repository Firewall (Requires Sonatype Nexus Repository version 3.80.0+)

Sonatype Firewall now extends its comprehensive component analysis to include artifacts from Hugging Face. This enhancement allows users to leverage Firewall's policy engine and vulnerability insights to govern the use of pre-trained models and other assets hosted on the Hugging Face Hub.

By integrating Hugging Face support, organizations can proactively identify and mitigate potential security risks and licensing issues associated with these widely used machine learning resources, ensuring a more secure AI/ML development lifecycle.

Hugging Face Support for Firewall for Artifactory Plugin (Plugin version 2.6.0)

The 2.6.0 release of the Firewall for Artifactory Plugin also provides Hugging Face support. See the Firewall for Artifactory Plugin help docs for details on this plugin.

Bug Fixes

CLM-34788: Application report files are now retained until after policy evaluation, preventing premature deletion and potential errors. This change ensures the report.cache directory can be deleted without encountering file access issues.

CLM-34786: The system no longer makes calls to the HDS when an invalid product license is detected. This change prevents the occurrence of spurious "402 Payment Required" errors for SaaS tenants with valid licenses.

CLM-34766: Pull request comments are now successfully created in Bitbucket Server for organizations with Latin-1 special characters in their names. This fix ensures that the payload for pull request comments uses UTF-8 encoding, resolving issues with automated PRs generated by Lifecycle.

CLM-34690: The BitbucketV1ApiClient.isBranchOnServer method now constructs SCM repository request URLs with correctly formatted query parameters. This ensures proper communication with Bitbucket's API and resolves issues where parameters were incorrectly appended.

CLM-34561: The ThirdPartyScanResultsProcessor now aborts scan processing and displays an error to the user when critical exceptions, such as disk/IO errors, are encountered. This change prevents the system from getting stuck in a processing loop and generating excessively large log files in such scenarios.

CLM-34530: The Expiry Date in the Component Waivers popover, which appears on the Policy Violations tab within the Component Details page, now correctly displays the waiver's expiration date. This fix ensures that the expiry time is properly included in the PolicyWaiverResource DTO mapping.

CLM-34522: When FIPS mode is enabled, the system now logs an error. This enhancement provides improved visibility and aids in diagnosing potential issues related to FIPS compliance.

CLM-32347: The system now gracefully handles ConnectTimeoutException errors that may occur during startup due to HTTP proxy misconfigurations or issues.

Coming Soon to Sonatype Lifecycle and Developer

We’re excited to share that the following enhancements will be coming soon to Sonatype Lifecycle and Developer:

Request Waivers Workflow

A dedicated workflow that allows developers to submit waiver requests for review and approval or rejection by designated personnel.

Known Exploitable Vulnerability (KEV) List for Prioritization by Policy

Implement a new policy constraint leveraging Known Exploited Vulnerabilities (KEV) data.