Sonatype IQ Server 191 Release Notes

Released May 6, 2025

The IQ 191 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.

Sonatype Lifecycle

This release includes the following changes for Sonatype Lifecycle:

Added Support for Dart and Flutter Analysis

Sonatype Lifecycle now provides comprehensive support for scanning Dart and Flutter projects, bringing the power of our component analysis to this rapidly growing ecosystem. This enhancement allows you to proactively manage the security and licensing aspects of your Dart and Flutter projects, mitigating potential risks associated with open source dependencies. By analyzing project dependency files such as pubspec.yaml, the more detailed pubspec.lock, and Dart and Flutter packages (tar.gz files that contain the source code and license information), Lifecycle provides in-depth visibility into your application's composition.

For full details, see our Dart and Flutter Analysis help documentation.

Data Insights is now Enterprise Reporting

We have renamed the Data Insights section to Enterprise Reporting in the left-hand navigation and introduced an improved landing page with a clearer layout and organization.

The improved Enterprise Reporting landing page offers two categories of visualizations:

  • Enterprise Dashboards offering a holistic view of OSS usage, risks, and policy compliance across your organization.

  • Data Insights offering focused views on specific/singular open-source trends in your organization for component end-of-life, AI/ML usage, and tech diversity.

Learn more about available dashboards and insights in the Enterprise Reporting help documentation.

Data Insights Enhancement: Enhanced Security Risk Analysis Dashboard

We’ve enhanced the Security Risk Analysis dashboard to provide greater insight into security risks. A new Violations Over Time table allows users to track the trend of open and waived violations monthly, offering a historical perspective on their security posture. Additionally, you can now filter by Violation Type and display only Legacy Violations or Non-Legacy Violations to help you differentiate between new and pre-existing violations.

For full details, see the Security Risk Analysis Dashboard help documentation.

Change to License Overrides REST API Naming

Releases 189 and 190 used the path api/v2/licenseOverride for the License Overrides API. In release 191 we updated the path to match Sonatype's naming convention: as of release 191, this API uses api/v2/licenseOverrides (Overrides is now plural). Update any scripts or integrations that call the old path. See the License Overrides REST API documentation.

Cocoapods Approaching End-of-Life

In response to the observed shift in interest towards other ecosystems (e.g., Swift), Cocoapods has announced plans to stop accepting new versions or pods into the Cocoapods trunk by the end of December 2026. As a result, there will be no updates to dependencies that come to Sonatype Component Intelligence through the Cocoapods trunk after December 2026.

We will continue to support analysis of these dependencies/components, but they will be marked as End-of-Life components at all occurrences within Lifecycle (e.g., policies).

Sonatype Developer

This release includes the following changes for Sonatype Developer:

Automated Waivers for Non-Reachable Methods

Sonatype Developer’s automated waiver functionality is now extended to automatically waive policy violations for vulnerabilities identified in methods that are not conclusively reachable. This allows you to focus on addressing vulnerabilities within your application's active execution paths, minimizing noise from findings that pose a lower risk. See the automated waiver help documentation for full details.

Note that Reachability Analysis must be enabled via Sonatype CLI (version 2.5.0-01 or higher) or your integrated CI/CD plugin in order to take advantage of this functionality. Please consult the latest release notes for your specific CI/CD plugin to confirm support for this functionality.

Support for Multiple Automated Waivers

Along with automated waivers for non-reachable methods, Sonatype Developer now supports multiple automated waiver configurations at the application and organization levels, allowing for more advanced logic. You can now define different threat levels for reachability and no-path-forward automated waivers as well as implement OR and AND logic when combining these configurations.

See the automated waivers help documentation for details on how to use this feature.

Sonatype SBOM Manager

This release does not include significant changes for Sonatype SBOM Manager.

Sonatype Repository Firewall

This release includes the following changes for Sonatype Repository Firewall:

Hugging Face Support for Repository Firewall (Requires Sonatype Nexus Repository version 3.80.0+)

Sonatype Firewall now extends its comprehensive component analysis to include artifacts from Hugging Face. This enhancement allows users to leverage Firewall's policy engine and vulnerability insights to govern the use of pre-trained models and other assets hosted on the Hugging Face Hub. Note that support for Hugging Face does not yet extend to the Firewall for Artifactory plugin.

By integrating Hugging Face support, organizations can proactively identify and mitigate potential security risks and licensing issues associated with these widely used machine learning resources, ensuring a more secure AI/ML development lifecycle.

Bug Fixes

Issue ID: Description

CLM-34788: Application report files are now retained until after policy evaluation, preventing premature deletion and potential errors. This change ensures the report.cache directory can be deleted without encountering file access issues.

CLM-34786: The system no longer makes calls to the HDS when an invalid product license is detected. This change prevents the occurrence of spurious "402 Payment Required" errors for SaaS tenants with valid licenses.

CLM-34766: Pull request comments are now successfully created in Bitbucket Server for organizations with Latin-1 special characters in their names. This fix ensures that the payload for pull request comments uses UTF-8 encoding, resolving issues with automated PRs generated by Lifecycle.

CLM-34690: The BitbucketV1ApiClient.isBranchOnServer method now constructs SCM repository request URLs with correctly formatted query parameters. This ensures proper communication with Bitbucket's API and resolves issues where parameters were incorrectly appended.

CLM-34561: The ThirdPartyScanResultsProcessor now aborts scan processing and displays an error to the user when critical exceptions, such as disk/IO errors, are encountered. This change prevents the system from getting stuck in a processing loop and generating excessively large log files in such scenarios.

CLM-34530: The Expiry Date in the Component Waivers popover, which appears on the Policy Violations tab within the Component Details page, now correctly displays the waiver's expiration date. This fix ensures that the expiry time is properly included in the PolicyWaiverResource DTO mapping.

CLM-34522: When FIPS mode is enabled, the system now logs an error. This enhancement provides improved visibility and aids in diagnosing potential issues related to FIPS compliance.

CLM-32347: The system now gracefully handles ConnectTimeoutException errors that may occur during startup due to HTTP proxy misconfigurations or issues.

Coming Soon to Sonatype Lifecycle and Developer

We’re excited to share that the following enhancements will be coming soon to Sonatype Lifecycle and Developer:

Request Waivers Workflow

A dedicated workflow that allows developers to submit waiver requests for review and approval or rejection by designated personnel.

Known Exploitable Vulnerability (KEV) List for Prioritization by Policy

Implement a new policy constraint leveraging Known Exploited Vulnerabilities (KEV) data.