Sonatype IQ Server 192 Release Notes

Sonatype Lifecycle now includes a new AI Content policy condition that helps you detect AI models from Hugging Face containing offensive or demeaning language. These models are flagged as Objectionable based on Sonatype’s Component Intelligence team’s analysis, which looks for indicators such as "Not For All Audiences" or "NSFW" tags, as well as banned terms in the model’s name or README.

By configuring a policy with the AI Content condition, you can automatically identify and report violations when an objectionable AI model is introduced. This capability helps enforce organizational content standards and promotes responsible AI usage throughout your development lifecycle. For full details on configuring this new feature, see our help documentation on threats in AI models.

The Security tab on the Component Details page in Sonatype Lifecycle now provides more granular information about identified vulnerabilities. You will find a new column for Identification Source, giving you a clearer understanding of how vulnerabilities were identified. Additionally, the component details drawer now displays Vulnerability Detection Type and Identification Source. The pill at the top of the drawer also shows the security research type, such as fast track or deep dive, associated with the vulnerability.

These enhancements provide a more comprehensive view of your components' security posture. For a complete overview of the Component Details page, see our help documentation on component details.

Sonatype Lifecycle now offers expanded support for ingesting Software Bill of Materials (SBOMs), accommodating both SPDX v2.2 and the existing SPDX v2.3 formats. This enhancement provides greater flexibility and compatibility, allowing you to seamlessly analyze SBOMs generated in either of these widely adopted SPDX versions. By supporting both formats, Lifecycle ensures you can maintain comprehensive visibility into your software supply chain, regardless of the SPDX version used to generate your SBOMs. For full details, see our SPDX application analysis help documentation.

You can now configure Lifecycle/Developer to create pull requests (PRs) on the default branch in your SCM (e.g., GitHub) directly from the Priorities view. This new capability helps your teams integrate vulnerability remediation seamlessly into their development workflows. By streamlining the process of creating PRs for suggested remediations, you can significantly reduce your Mean Time To Resolution (MTTR) and maintain a stronger security posture.

This new feature allows you to quickly initiate the fix for a direct dependency with a recommended upgrade right from where you prioritize your security issues. Lifecycle and Developer will ensure that the necessary conditions are met before allowing PR creation, helping you focus on actionable remediations.

For all the technical details on how to configure and use this feature, refer to our help documentation on creating PRs from priorities view.

Sonatype Lifecycle now provides an enhanced workflow for requesting and managing waivers, along with updated dashboards and views to keep all stakeholders informed of waiver statuses. The new Requested Waivers tab on the Waivers dashboard offers a quick overview of all policy violation waiver requests awaiting administrator approval. Administrators can review each request in detail and either apply or reject it directly.

This new feature supports users who need to de-prioritize the remediation of a violation but do not have the direct permission to waive it themselves. For full details, see our help documentation on requesting waivers.

Sonatype Lifecycle's Priorities view now offers enhanced visibility into waived violations, allowing you to quickly understand their status and the impact on your builds. The Build Action column now clearly displays Waived when all violations for a component have been waived. A tooltip also indicates the exact time remaining until the waiver expires.

Additionally, the Suggested Remediation column now shows Waive Violations for violations without upgrade recommendations that are not reachable. When all violations are waived, this column also displays the total number of waived violations. A green Auto tab appears if at least one of the violations has been automatically waived, providing a quick visual cue.

For full details, see our help documentation on viewing waivers from Priorities view.

Sonatype SBOM Manager now includes a new Legal view, delivering robust license management through integration with Sonatype’s Advanced Legal Pack (ALP). This centralized view helps you identify component licenses within your SBOMs, flag policy issues, and generate detailed reports. It distinguishes between Effective, Declared, and Observed licenses—even when a component has multiple license terms—to provide deeper visibility into your legal obligations.

Available to customers with licenses for SBOM Manager, Sonatype Lifecycle, and ALP, the Legal view supports license selection and overrides at the application, organization, and root organization levels. Built-in inheritance rules ensure consistency, while status options like Selected, Overridden, and Acknowledged give you the control and flexibility needed to stay compliant across your software portfolio.

For full details, see our Legal View help documentation.

Sonatype Repository Firewall will soon introduce support for containers, enabling you to proactively block the download of container images violating your organization's policy configurations before they enter your container ecosystem.

Sonatype Developer will soon help you automate the management of InnerSource dependencies, making it easier to identify and upgrade shared libraries with low risk and high reward.