Sonatype IQ Server 191 Release Notes

Sonatype Lifecycle now provides comprehensive support for scanning Dart and Flutter projects, bringing the power of our component analysis to this rapidly growing ecosystem. This enhancement allows you to proactively manage the security and licensing aspects of your Dart and Flutter projects, mitigating potential risks associated with open source dependencies. By analyzing project dependency files such as pubspec.yaml, the more detailed pubspec.lock, and Dart and Flutter packages (tar.gz files that contain the source code and license information), Lifecycle provides in-depth visibility into your application's composition.

For full details, see our Dart and Flutter Analysis help documentation.

We have renamed the Data Insights section to Enterprise Reporting in the left-hand navigation and introduced an improved landing page with a clearer layout and organization.

The improved Enterprise Reporting landing page offers two categories of visualizations:

Learn more about available dashboards and insights in the Enterprise Reporting help documentation.

We’ve enhanced the Security Risk Analysis dashboard to provide greater insight into security risks. A new Violations Over Time table allows users to track the trend of open and waived violations monthly, offering a historical perspective on their security posture. Additionally, you can now filter by Violation Type and display only Legacy Violations or Non-Legacy Violations to help you differentiate between new and pre-existing violations.

For full details, see the Security Risk Analysis Dashboard help documentation.

Releases 189 - 190 used the path api/v2/licenseOverride for the License Overrides API. However, in release 191, we have updated the API to match Sonatype's naming convention. As of release 191, this API uses api/v2/licenseOverrides (with Overrides now plural). See the License Overrides REST API documentation.

Sonatype Developer’s automated waiver functionality is now extended to automatically waive policy violations for vulnerabilities identified in methods that are not conclusively reachable. This allows you to focus on addressing vulnerabilities within your application's active execution paths, minimizing noise from findings that pose a lower risk. See the automated waiver help documentation for full details.

Note that Reachability Analysis must be enabled via Sonatype CLI (version 2.5.0-01 or higher) or your integrated CI/CD plugin in order to take advantage of this functionality. Please consult the latest release notes for your specific CI/CD plugin to confirm support for this functionality.

Along with automated waivers for non-reachable methods, Sonatype Developer now supports multiple automated waiver configurations at the application and organization levels, allowing for more advanced logic. You can now define different threat levels for reachability and no-path-forward automated waivers as well as implement OR and AND logic when combining these configurations.

See the automated waivers help documentation for details on how to use this feature.

Sonatype Firewall now extends its comprehensive component analysis to include artifacts from Hugging Face. This enhancement allows users to leverage Firewall's policy engine and vulnerability insights to govern the use of pre-trained models and other assets hosted on the Hugging Face Hub. Note that support for Hugging Face does not yet extend to the Firewall for Artifactory plugin.

By integrating Hugging Face support, organizations can proactively identify and mitigate potential security risks and licensing issues associated with these widely used machine learning resources, ensuring a more secure AI/ML development lifecycle.

A dedicated workflow that allows developers to submit waiver requests for review and approval or rejection by designated personnel.

Implement a new policy constraint leveraging Known Exploited Vulnerabilities (KEV) data.