Sonatype IQ Server 194 Release Notes
Released August 12, 2025
The IQ 194 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Changes Impacting Multiple Solutions
The following changes impact multiple IQ-powered solutions:
Expanded Risk Data with Exploit Prediction Scoring System (EPSS) Integration
Sonatype’s data catalog now includes Exploit Prediction Scoring System (EPSS) data, further enhancing your ability to assess and prioritize risk based on real-world exploitation likelihood. EPSS provides a probability score estimating the chance a vulnerability will be exploited in the next 30 days, helping teams focus on what’s most likely to pose an immediate threat.
The EPSS score is now available in the Vulnerability Details API response, alongside existing severity and classification data. You can also now create policy constraints using the EPSS Score (percentage) condition, allowing you to define thresholds for acceptable exploit likelihood in your environments. Combined with existing constraint options, this gives you greater precision in enforcing risk-based remediation practices at scale.
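One way to act on the new EPSS data outside the policy engine, as an added example that is not Sonatype's code: pull a vulnerability through the Vulnerability Details REST API (GET /api/v2/vulnerabilities/{vulnerabilityId}, with HTTP basic auth) and bucket results the way an "EPSS Score (percentage) >= N" constraint would. The name and format of the EPSS field in the response (`epss`, a 0.0 to 1.0 probability) are assumptions; the sample records and their identifiers are constructed, not captured from a server. The two practitioner details the script handles are the unit conversion (the constraint is expressed as a percentage, EPSS itself is a probability) and records that carry no EPSS at all, such as non-CVE identifiers, on which an EPSS constraint can never fire.

```python
"""Triage vulnerabilities by EPSS, the way an 'EPSS Score (percentage)' policy
constraint would. Added example, not Sonatype's code.

Assumptions: GET /api/v2/vulnerabilities/{vulnerabilityId} is the IQ Server
Vulnerability Details REST API; the EPSS field is ASSUMED to be named 'epss'
and to hold a 0.0-1.0 probability. The records below are constructed, not
captured from a server, and their identifiers are placeholders."""
import base64
import json
import urllib.request

# Constructed sample responses (shape assumed); identifiers are placeholders.
SAMPLE_RECORDS = [
    {"identifier": "CVE-2099-00001", "epss": 0.91,
     "severityScores": [{"source": "cvss_4", "score": 9.8}]},
    {"identifier": "CVE-2099-00002", "epss": 0.003,
     "severityScores": [{"source": "cvss_4", "score": 9.1}]},
    {"identifier": "CVE-2099-00003", "epss": 0.42,
     "severityScores": [{"source": "cvss_3", "score": 5.3}]},
    # Non-CVE identifiers have no EPSS entry: an EPSS constraint can never fire on them.
    {"identifier": "sonatype-2099-0004",
     "severityScores": [{"source": "cvss_4", "score": 7.5}]},
]


def fetch_vulnerability(base_url, vulnerability_id, username, password):
    """GET /api/v2/vulnerabilities/{id} with basic auth (network call; not used by the sample run)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v2/vulnerabilities/{vulnerability_id}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def epss_percent(record):
    """EPSS as a 0-100 percentage (the unit of the policy constraint), or None
    when the record carries no EPSS. Converting here keeps a threshold such as
    10 (percent) from being compared against a probability of 0.10."""
    raw = record.get("epss")
    if raw is None:
        return None
    return round(float(raw) * 100.0, 3)


def max_cvss(record):
    """Highest numeric CVSS score in the record, 0.0 if none."""
    scores = [float(s["score"]) for s in record.get("severityScores", []) if s.get("score") is not None]
    return max(scores, default=0.0)


def triage(records, epss_threshold_pct=10.0, cvss_threshold=7.0):
    """Map identifier -> bucket. 'fix-now' and 'likely-exploited' are what an
    'EPSS Score (percentage) >= epss_threshold_pct' constraint would flag; the
    other buckets exist because EPSS says nothing about records that lack it."""
    buckets = {}
    for record in records:
        pct = epss_percent(record)
        severe = max_cvss(record) >= cvss_threshold
        if pct is None:
            bucket = "no-epss-review" if severe else "no-epss-backlog"
        elif pct >= epss_threshold_pct:
            bucket = "fix-now" if severe else "likely-exploited"
        else:
            bucket = "severe-low-epss" if severe else "backlog"
        buckets[record["identifier"]] = bucket
    return buckets


def prioritize(records):
    """Identifiers ordered by EPSS (highest first), then CVSS; records without EPSS last."""
    def key(record):
        pct = epss_percent(record)
        return (pct is None, -(pct or 0.0), -max_cvss(record))
    return [r["identifier"] for r in sorted(records, key=key)]


if __name__ == "__main__":
    for ident, bucket in triage(SAMPLE_RECORDS).items():
        print(f"{ident:20s} {bucket}")
    print("order:", prioritize(SAMPLE_RECORDS))
```

Running the sample puts the CVSS 5.3 record with 42% EPSS ahead of the CVSS 9.1 record with 0.3% EPSS, which is the point of adding EPSS as a constraint: severity alone would have ordered them the other way. Keep a CVSS-only fallback for the "no-epss" bucket rather than letting those records disappear from the queue.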
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
New Evaluating Component Policy Waiver Reason
A new Evaluating component policy waiver reason is now available in Sonatype Lifecycle. This reason can be selected when temporarily waiving policy violations during component evaluation periods, helping teams document intent clearly and maintain transparency in audit trails.
The new option appears in both the user interface for creating waivers and the Waiver Reason REST API.
Various User Interface Enhancements
In this release, we've made the following various user interface enhancements:
The Dashboard landing page now displays an informative note if the Dashboard feature is disabled by an administrator.
In the policy creation user interface, the Condition options in the drop-down menu under Constraint now appear in alphabetical order.
Email notifications coming from Continuous Monitoring now have a subject line beginning with “Continuous Monitoring” to help users better differentiate between types of notification emails.
The back button and breadcrumbs now appear above the page title in the user interface.
Reminder: Dependency Scorecard Sunsetting
To enhance your Enterprise Reporting experience, we're continuously evolving our Data Insights. As part of this, the Dependency Scorecard's data refresh ceased on July 31, 2025; it will be formally sunset on August 31, 2025. We're excited to bring you new and improved insights soon, so keep an eye on this space for updates!
Sonatype Developer
This release does not include notable changes for Sonatype Developer.
Sonatype SBOM Manager
This release includes the following changes for Sonatype SBOM Manager:
Improved Configuration Experience for those using SBOM Manager and Lifecycle
In release 193, we expanded our vulnerability catalog using Common Platform Enumeration (CPE)-based matching.
This release improves the user experience for customers licensed for both SBOM Manager and Sonatype Lifecycle:
The Public Data Sources section in SBOM Manager displays the current CPE matching configuration status in a read-only view. We’ve added a direct link to allow you to quickly navigate to Lifecycle and manage these settings.
A new Public Data Sources section in the Owner Summary page provides quick access to enrichment information.
The SBOM Manager Dashboard now includes a notification highlighting C/C++ support and providing quick access to configuration settings and supporting documentation.
You can also use the CPE Matching Configuration REST API.
Note that if you are licensed only for SBOM Manager, CPE matching is not configurable and these options will not appear.
New API for Retrieving Detailed Vulnerability Data
This release introduces a new SBOM Manager API that allows you to access in-depth vulnerability information for specific components within an SBOM version.
With this API, users can programmatically retrieve enriched data, including severity details, descriptions, root causes, and remediation guidance, for any known vulnerability affecting a component. This streamlines investigation and speeds up decision-making when managing risk across complex software inventories.
For full details, see the SBOM Manager API help documentation.
Sonatype Repository Firewall
This release includes the following changes for Sonatype Repository Firewall:
Prevent Risky Containers from Entering Your Organization with Repository Firewall
You can now extend Sonatype Repository Firewall’s automatic policy enforcement to containerized applications, enabling your team to block non-compliant or vulnerable Docker images before they enter your development environments.
Repository Firewall analyzes Docker images as they are requested through a protected proxy repository. Images that violate your defined policies are automatically quarantined, ensuring developers and deployment pipelines only use trusted containers. Violations are reported in a new Containers dashboard that also provides clear insights into which components within a container triggered enforcement.
You can also apply waivers to container-level violations directly from the container report or via the new Container Waivers API, streamlining security review and enabling critical images to proceed when necessary.
This functionality supports Docker Schema 2 (both single and multi-architecture) images from any container registry proxied by Sonatype Nexus Repository. Support for OCI images and other formats is not available at this time. To optimize performance, local disk storage is recommended for temporary container analysis. Note that Sonatype does not ingest or retain container data during analysis.
For full configuration instructions, supported formats, and usage details, see the Repository Firewall for Docker help documentation.
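Because the feature analyzes Docker Schema 2 images only, the first check a practitioner will want is whether the images flowing through the proxy are actually Schema 2 (single or multi-architecture) rather than OCI, which is what many current build tools produce by default. The script below is an added example, not Sonatype's or Docker's code: it fetches a manifest through the standard registry endpoint (GET /v2/<name>/manifests/<reference>) and classifies it by the published Docker and OCI media types. The sample manifests are constructed; the registry URL, repository name and token are whatever you pass in.

```python
"""Check whether an image is Docker Schema 2 (single- or multi-architecture),
the only format these release notes say Repository Firewall analyzes, or OCI,
which it does not. Added example, not Sonatype's code.

The media type strings are the published Docker and OCI values and
GET /v2/<name>/manifests/<reference> is the standard registry API; the sample
manifests below are constructed."""
import json
import urllib.request

DOCKER_SCHEMA2 = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_MANIFEST_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
DOCKER_SCHEMA1_SIGNED = "application/vnd.docker.distribution.manifest.v1+prettyjws"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"

# A registry serves the stored format only if the client accepts it; listing
# all four avoids a conversion or a 404 that would hide the image's real type.
ACCEPT = ", ".join([DOCKER_MANIFEST_LIST, DOCKER_SCHEMA2, OCI_INDEX, OCI_MANIFEST])

KINDS = {
    DOCKER_SCHEMA2: "docker-schema2-single",
    DOCKER_MANIFEST_LIST: "docker-schema2-multi",
    DOCKER_SCHEMA1_SIGNED: "docker-schema1",
    OCI_MANIFEST: "oci-manifest",
    OCI_INDEX: "oci-index",
}
FIREWALL_ANALYZED = {"docker-schema2-single", "docker-schema2-multi"}


def classify(content_type, body):
    """Classify a manifest from the response Content-Type, falling back to the
    body's mediaType (OCI manifests may omit it; Docker Schema 2 always has it).
    Returns one of the KINDS values or 'unknown'."""
    media = (content_type or "").split(";")[0].strip()
    if not media:
        media = body.get("mediaType", "")
    return KINDS.get(media, "unknown")


def firewall_analyzes(kind):
    """True when, per these release notes, Repository Firewall will evaluate the image."""
    return kind in FIREWALL_ANALYZED


def fetch_manifest(registry, name, reference, bearer_token=None):
    """GET the manifest; returns (Content-Type, parsed body). Network call, not used by the sample run."""
    req = urllib.request.Request(f"{registry.rstrip('/')}/v2/{name}/manifests/{reference}")
    req.add_header("Accept", ACCEPT)
    if bearer_token:
        req.add_header("Authorization", f"Bearer {bearer_token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("Content-Type"), json.load(resp)


def check_image(registry, name, reference, bearer_token=None):
    """(kind, analyzed?) for a live image reference."""
    kind = classify(*fetch_manifest(registry, name, reference, bearer_token))
    return kind, firewall_analyzes(kind)


# Constructed sample manifests (digests are placeholders).
SAMPLE_DOCKER_SINGLE = {"schemaVersion": 2, "mediaType": DOCKER_SCHEMA2,
                        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                                   "digest": "sha256:" + "0" * 64, "size": 1},
                        "layers": []}
SAMPLE_DOCKER_LIST = {"schemaVersion": 2, "mediaType": DOCKER_MANIFEST_LIST, "manifests": []}
SAMPLE_OCI_MANIFEST_NO_MEDIATYPE = {"schemaVersion": 2, "config": {}, "layers": []}

if __name__ == "__main__":
    for label, ct, body in [
        ("docker single", DOCKER_SCHEMA2, SAMPLE_DOCKER_SINGLE),
        ("docker multi", None, SAMPLE_DOCKER_LIST),
        ("oci (header only)", OCI_MANIFEST + "; charset=utf-8", SAMPLE_OCI_MANIFEST_NO_MEDIATYPE),
    ]:
        kind = classify(ct, body)
        print(f"{label:18s} -> {kind:22s} analyzed={firewall_analyzes(kind)}")
```

Run `check_image` against the upstream registry, not the Nexus proxy, when deciding whether an image will be covered: the question is what the upstream stores. An `oci-index` or `oci-manifest` result means the image will pass through the proxy without Firewall evaluation, so treat those repositories as uncovered until OCI support lands.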
Bug Fixes
This release includes the following notable bug fixes:
Issue ID | Description |
---|---|
CLM-26944 | The OpenAPI spec at |
CLM-35315 | When scanning a binary first without |