Sonatype IQ Server 193 Release Notes

This release introduces Common Platform Enumeration (CPE)–based vulnerability matching for C/C++ components. This expanded coverage allows organizations to identify risks across a wider range of proprietary and open source software written in C/C++.

The new feature is configurable, enabling teams to control how and where it is applied across organizations or applications. This flexibility helps maintain compatibility with existing installations while improving the accuracy of policy evaluations and vulnerability reporting for C/C++ projects.

For details, see our help documentation on configuring Lifecycle to use public data sources.

Sonatype Lifecycle now includes a new Security Vulnerability Detection Type policy constraint. This enhancement gives organizations more control and visibility into how vulnerabilities are discovered (e.g., through expert research, automated analysis, or third-party sources). This allows teams to prioritize and act on risks with greater precision.

For full details, see the policy constraints help documentation.

This release improves Application Analysis performance by optimizing how Java similar matching is handled when exact matches are also present. Vulnerability detection remains accurate as Sonatype’s data catalog already accounts for nested component relationships through secondary expansion and research-based implication. This ensures that vulnerabilities in nested files (e.g., .class files inside .jar or .war archives) are still properly identified and reported.

Sonatype Developer now supports proactive dependency management for InnerSource components through automated pull requests. When a new, compatible (non-major) version of an InnerSource component is detected during application evaluation at the release stage, Sonatype Lifecycle will automatically generate a pull request in your source control system to update the older version. Note that automated pull requests are only created for version updates and not for policy violations.

This feature helps teams stay current with the latest improvements to InnerSource libraries without manual tracking, reducing technical debt and improving development velocity.

To take advantage of this improvement, enable the Automated InnerSource Updates feature under Orgs and Policies as described in our Automated PRs for InnerSource help documentation.

Sonatype SBOM Manager now uses Common Platform Enumeration (CPE)–based matching to detect vulnerabilities across a broader catalog of technologies, including third-party applications, operating systems, firmware, and embedded hardware. This enhancement improves the depth and reach of vulnerability coverage in generated SBOMs, helping users identify more risks across their software supply chain.

This release also introduces a new Data Enrichment column in the Disclosed Vulnerabilities table. This column helps users differentiate vulnerability records based on metadata source: Sonatype Enhanced, Vendor Data, or Public Data. This enhancement improves transparency and makes it easier to understand the origin and trust level of each finding.

See the SBOM Manager Component Details View help documentation for details.

As part of ongoing improvements to Enterprise Reporting, the Dependency Scorecard data insight will be retired on August 31, 2025. The final data refresh will occur on July 31, 2025.

This change allows us to focus on delivering more actionable, relevant insights in future reporting features.