Sonatype IQ Server 193 Release Notes
Released July 9, 2025
The IQ 193 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Changes Impacting Multiple Solutions
The following changes impact multiple IQ-powered solutions:
Expanded Risk Data with Known Exploited Vulnerabilities (KEV) Catalog Integration
Sonatype’s data catalog now automatically incorporates data from the Known Exploited Vulnerabilities (KEV) catalog published by CISA, enhancing your ability to assess risk based on real-world exploitation. This update enables security and development teams to quickly identify and prioritize remediation for actively exploited vulnerabilities.
You can now create policy constraints using the KEV Status condition, choosing whether a vulnerability must be Known to be Exploited or Not Listed in the KEV catalog. The Vulnerability Details page also clearly indicates a vulnerability’s KEV status, making this critical information easily accessible during triage and review. KEV status is also easily accessible via the Vulnerability Details REST API.
By surfacing KEV insights across the user interface, policy engine, and API, you can now better focus efforts on vulnerabilities known to be under active exploitation.
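As an added example (not Sonatype code, and not a call to the IQ Server REST API), the script below emulates the KEV Status condition described above over a set of scanner findings. It reads a catalog in the JSON layout CISA publishes for the KEV catalog (a top-level "vulnerabilities" list whose entries carry "cveID" and "knownRansomwareCampaignUse"), evaluates the two condition values named in these notes, and orders findings for remediation so actively exploited ones come first regardless of CVSS score. The catalog entries, CVE IDs and findings are constructed placeholders.

```python
"""Emulating the 'KEV Status' policy condition over a set of findings.

Added example, not Sonatype code. The input layout follows the CISA KEV
catalog JSON; the entries, CVE IDs and findings below are constructed.
"""
import json
from typing import Iterable

KNOWN_EXPLOITED = "Known to be Exploited"
NOT_LISTED = "Not Listed"

# Constructed sample in the CISA KEV JSON layout (placeholder CVE IDs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.07.09",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-06-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-2222", "vendorProject": "OtherVendor",
         "product": "OtherProduct", "dateAdded": "2025-06-15",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed findings as a scanner might report them: CVE plus CVSS score.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-9999", "cvss": 9.8},   # critical, but not in KEV
    {"cve": "cve-0000-1111", "cvss": 7.5},   # in KEV; lower-case id on purpose
    {"cve": "CVE-0000-2222", "cvss": 6.5},   # in KEV with known ransomware use
]


def load_kev_index(catalog_json: str) -> dict[str, dict]:
    """Index the catalog by upper-cased CVE ID so triage lookups are O(1)."""
    catalog = json.loads(catalog_json)
    return {e["cveID"].upper(): e for e in catalog["vulnerabilities"]}


def kev_status(cve_id: str, kev_index: dict[str, dict]) -> str:
    """Return the KEV Status value for one vulnerability id."""
    return KNOWN_EXPLOITED if cve_id.upper() in kev_index else NOT_LISTED


def constraint_matches(cve_id: str, required_status: str,
                       kev_index: dict[str, dict]) -> bool:
    """Evaluate a constraint of the form 'KEV Status is <required_status>'.
    Values outside the two the condition supports are rejected rather than
    silently evaluating to False."""
    if required_status not in (KNOWN_EXPLOITED, NOT_LISTED):
        raise ValueError(f"unsupported KEV Status value: {required_status!r}")
    return kev_status(cve_id, kev_index) == required_status


def prioritize(findings: Iterable[dict], kev_index: dict[str, dict]) -> list[dict]:
    """Order findings for remediation: KEV-listed first, then those with known
    ransomware campaign use, then by CVSS descending. Each returned finding
    carries added 'kev' and 'ransomware' keys."""
    ranked = []
    for f in findings:
        entry = kev_index.get(f["cve"].upper())
        ransomware = entry is not None and entry.get("knownRansomwareCampaignUse") == "Known"
        ranked.append({**f, "kev": kev_status(f["cve"], kev_index), "ransomware": ransomware})
    return sorted(ranked, key=lambda f: (f["kev"] != KNOWN_EXPLOITED,
                                         not f["ransomware"], -f["cvss"]))


if __name__ == "__main__":
    index = load_kev_index(SAMPLE_KEV_JSON)
    for f in prioritize(SAMPLE_FINDINGS, index):
        print(f"{f['cve'].upper():<14} cvss={f['cvss']:<4} {f['kev']}")
```

Note that the CVSS 9.8 finding lands last: the point of a KEV-driven constraint is that evidence of exploitation outranks severity alone, which is why the sort key puts KEV status ahead of the score.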
IQ Server OpenShift Operator Image (192) Available
The latest IQ OpenShift operator image (192) is now available in the Red Hat catalog. This update allows users to deploy and manage Sonatype Lifecycle on OpenShift with improved reliability and easier maintenance through the Operator framework.
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
C/C++ Ecosystem Support
This release introduces Common Platform Enumeration (CPE)–based vulnerability matching for C/C++ components. This expanded coverage allows organizations to identify risks across a wider range of proprietary and open source software written in C/C++.
The new feature is configurable, enabling teams to control how and where it is applied across organizations or applications. This flexibility helps maintain compatibility with existing installations while improving the accuracy of policy evaluations and vulnerability reporting for C/C++ projects.
For details, see our help documentation on configuring Lifecycle to use public data sources.
New Security Vulnerability Detection Type Policy Constraint
Sonatype Lifecycle now includes a new Security Vulnerability Detection Type policy constraint. This enhancement gives organizations more control and visibility into how vulnerabilities are discovered (e.g., through expert research, automated analysis, or third-party sources). This allows teams to prioritize and act on risks with greater precision.
For full details, see the policy constraints help documentation.
Improved Performance for Java Similar Matching
This release improves Application Analysis performance by optimizing how Java similar matching is handled when exact matches are also present. Vulnerability detection remains accurate as Sonatype’s data catalog already accounts for nested component relationships through secondary expansion and research-based implication. This ensures that vulnerabilities in nested files (e.g., .class files inside .jar or .war archives) are still properly identified and reported.
Sonatype Developer
This release includes the following changes for Sonatype Developer:
InnerSource Proactive Dependency Management
Sonatype Developer now supports proactive dependency management for InnerSource components through automated pull requests. When a new, compatible (non-major) version of an InnerSource component is detected during application evaluation at the release stage, Sonatype Lifecycle will automatically generate a pull request in your source control system to update the older version. Note that automated pull requests are only created for version updates and not for policy violations.
This feature helps teams stay current with the latest improvements to InnerSource libraries without manual tracking, reducing technical debt and improving development velocity.
To take advantage of this improvement, enable the Automated InnerSource Updates feature under Orgs and Policies as described in our Automated PRs for InnerSource help documentation.
Sonatype SBOM Manager
This release includes the following changes for Sonatype SBOM Manager:
Broader Catalog Coverage
Sonatype SBOM Manager now uses Common Platform Enumeration (CPE)–based matching to detect vulnerabilities across a broader catalog of technologies, including third-party applications, operating systems, firmware, and embedded hardware. This enhancement improves the depth and reach of vulnerability coverage in generated SBOMs, helping users identify more risks across their software supply chain.
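As an added example (not Sonatype code, and not the matcher IQ Server or SBOM Manager uses), the script below shows the mechanics of the CPE-based matching that this paragraph and the C/C++ Ecosystem Support note under Sonatype Lifecycle both describe. It parses the CPE 2.3 formatted-string binding (cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other, with backslash escapes), treats "*" as ANY and "-" as NA, and applies NVD-style version ranges (versionStartIncluding / versionEndExcluding). A component whose version is unknown is deliberately not matched against a ranged record. All CPE strings, vulnerability identifiers and ranges are constructed.

```python
"""CPE 2.3 matching of the kind used to map components to vulnerability records.

Added example, not Sonatype code. CPE strings, vulnerability ids and version
ranges below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"


def parse_cpe(cpe: str) -> dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 attributes.
    A backslash escapes the next character, so '\\:' is a literal colon."""
    parts, buf, escaped = [], [], False
    for ch in cpe:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def attr_matches(pattern: str, value: str) -> bool:
    """Match one attribute of a component (value) against the affected
    pattern: ANY matches everything, NA matches only NA, literals compare
    case-insensitively. A component attribute of ANY does not satisfy a
    literal pattern, so unknown metadata never produces a false positive."""
    if pattern == ANY:
        return True
    if pattern == NA:
        return value == NA
    return pattern.lower() == value.lower()


def version_key(v: str) -> tuple:
    """Turn '1.2.10' into a sortable tuple; numeric pieces compare as numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


@dataclass
class AffectedRange:
    cpe: str                                 # pattern, usually with version '*'
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def is_affected(component_cpe: str, affected: AffectedRange) -> bool:
    """True when the component matches the pattern and, if a range is given,
    its version lies inside [start, end)."""
    comp, pat = parse_cpe(component_cpe), parse_cpe(affected.cpe)
    if not all(attr_matches(pat[f], comp[f]) for f in FIELDS):
        return False
    ver = comp["version"]
    if affected.version_start_including or affected.version_end_excluding:
        if ver in (ANY, NA):
            return False  # unknown version cannot be placed in the range
        vk = version_key(ver)
        if affected.version_start_including and vk < version_key(affected.version_start_including):
            return False
        if affected.version_end_excluding and vk >= version_key(affected.version_end_excluding):
            return False
    return True


def match_components(component_cpes: list[str],
                     vulns: dict[str, list[AffectedRange]]) -> dict[str, list[str]]:
    """Map each vulnerability id to the component CPEs it affects."""
    hits = {}
    for vid, ranges in vulns.items():
        matched = [c for c in component_cpes if any(is_affected(c, r) for r in ranges)]
        if matched:
            hits[vid] = matched
    return hits


# Constructed inventory: two library versions, a second library, and an RTOS.
SAMPLE_COMPONENTS = [
    "cpe:2.3:a:examplevendor:libfoo:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:libfoo:2.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:libbar:0.9:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplevendor:rtos:4.1:*:*:*:*:*:arm:*",
]
# Constructed vulnerability records with placeholder identifiers.
SAMPLE_VULNS = {
    "EXAMPLE-VULN-1": [AffectedRange("cpe:2.3:a:examplevendor:libfoo:*:*:*:*:*:*:*:*", None, "1.4.0")],
    "EXAMPLE-VULN-2": [AffectedRange("cpe:2.3:o:examplevendor:rtos:*:*:*:*:*:*:arm:*", "4.0", "4.2")],
    "EXAMPLE-VULN-3": [AffectedRange("cpe:2.3:a:examplevendor:libbar:1.0:*:*:*:*:*:*:*")],
}

if __name__ == "__main__":
    for vid, comps in match_components(SAMPLE_COMPONENTS, SAMPLE_VULNS).items():
        print(vid, "->", comps)
```

The sample shows the two behaviours that matter in practice: a ranged record catches libfoo 1.2.3 but not 2.0.0, and a record pinned to libbar 1.0 does not match the 0.9 build, so an exact-version pattern neither over- nor under-reports.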
This release also introduces a new Data Enrichment column in the Disclosed Vulnerabilities table. This column helps users differentiate vulnerability records based on metadata source: Sonatype Enhanced, Vendor Data, or Public Data. This enhancement improves transparency and makes it easier to understand the origin and trust level of each finding.
See the SBOM Manager Component Details View help documentation for details.
Sonatype Repository Firewall
This release does not include any significant changes for Sonatype Repository Firewall.
Bug Fixes
This release includes the following notable bug fixes:
Issue ID | Description |
---|---|
CLM-34705 | Added additional debug logging to the Auto Pull Request process to capture detailed reasons when remediations cannot be applied. |
CLM-32926 | Renaming or moving an organization with sub-organizations now completes successfully when using the H2 database without triggering table lock timeouts or UI errors. |
CLM-31557 | When IQ Server is started, stopped, and started again in quick succession, the system now correctly detects and prevents multiple IQ instances from running at the same time. |
CLM-30594 | Added more detailed logging to data retention processes to improve visibility into report purging behavior. |
CLM-30371 | The licensing screen no longer displays duplicate entries for Sonatype Repository Firewall or lists “Lifecycle Cloud” for self-hosted licenses. |
CLM-24916 | The ALP dashboard now accurately counts components as "reviewed" only when their actual review status is set to Reviewed. This eliminates discrepancies between the dashboard summary and the Application Obligations page. |
NEXUS-47507 | Accessing the Orgs and Policies and Repository Manager sections in the Lifecycle UI now completes significantly faster. |
Coming Soon
We’re excited to share that the following enhancements will be coming soon to Sonatype Repository Firewall:
Firewall Support for Containers
Sonatype Repository Firewall will soon introduce support for containers, enabling you to proactively block the download of container images violating your organization's policy configurations before they enter your container ecosystem.
Retirement of Dependency Scorecard
As part of ongoing improvements to Enterprise Reporting, the Dependency Scorecard data insight will be retired on August 31, 2025. The final data refresh will occur on July 31, 2025.
This change allows us to focus on delivering more actionable, relevant insights in future reporting features.