Sonatype IQ Server 196 Release Notes
Released October 8, 2025
The IQ 196 release includes multiple changes to our IQ-powered solutions. View the details in each solution’s section below.
Changes Impacting Multiple Solutions
This release includes the following changes impacting multiple IQ-powered solutions:
New Management Options for Automated Remediation with GoldenPRs™ for GitLab and GitHub using Sonatype for SCM
Automated Remediation with GoldenPRs™ automatically generates pull requests with remediation suggestions for policy violations discovered on the default branch. It helps keep dependencies secure and up to date by recommending safe, non-breaking versions, reducing the manual effort required to address vulnerabilities.
To help teams better manage automated pull requests (Auto PRs), two new configuration options are now available for GitHub and GitLab:
Close Auto PRs when required checks fail
Auto PRs will automatically close if one or more required checks (such as CI builds or security scans) fail. This prevents unmergeable pull requests from remaining open unnecessarily.
Close Auto PRs after a specified number of days
Define how long an Auto PR should remain open. If it hasn't been merged or closed manually within the configured time frame, it will automatically close. This helps reduce clutter and stale pull requests in your repository.
These settings apply only to Auto PRs created by GoldenPRs and can be enabled as part of your existing GitHub or GitLab configuration. See the IQ Server Configuration help documentation for details.
Support for Java 25 Bytecode Fingerprinting
IQ Server and the IQ CLI Scanner now support bytecode fingerprinting for applications built with Java 25. This enhancement ensures accurate component identification and policy evaluation for projects compiled with the latest Java version, allowing teams to adopt new language features with continued confidence in Lifecycle’s analysis capabilities.
Sonatype Lifecycle
This release includes the following changes for Sonatype Lifecycle:
New Golden Fixes Dashboard Enhances Visibility into Low-Effort Security Remediation
The new Golden Fixes dashboard in Sonatype Lifecycle helps organizations quickly identify and act on high-impact, low-effort remediation opportunities. This interactive dashboard provides a centralized view of how many open-source policy violations can be resolved using Golden Fixes (validated, policy-compliant component versions that remediate vulnerabilities without introducing breaking changes).
By surfacing Golden Fix availability, this dashboard empowers security, development, and leadership teams to better prioritize remediation efforts. It includes key metrics such as the total number of open violations, how many are addressable with golden fixes, and breakdowns by threat level, component, and application.
For full details, see the Golden Fixes dashboard help documentation.
New Bulk Vulnerability Details REST API
You can now retrieve details for multiple vulnerabilities in a single request using a new bulk lookup option in the Vulnerability Details REST API. This feature supports up to 1,000 CVE or Sonatype vulnerability IDs at once.
This new capability significantly reduces the number of API calls required when auditing or reporting on large sets of vulnerabilities, saving time, simplifying automation, and improving integration performance for security and compliance workflows.
The bulk response uses the same schema as the existing single-lookup API and preserves all request identifiers, including any that are invalid or unknown. This makes it easy to handle post-processing consistently. Full vulnerability details are returned when authenticated, including rootCauses, vulnerableVersionRanges, and contextual markdown fields.
For field definitions, usage examples, and error handling behavior, refer to the Vulnerability Details REST API documentation.
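The following is an added client-side example, not Sonatype's own code or documentation, showing how a caller would stay within the 1,000-identifier limit and handle a bulk response that preserves every requested identifier. The endpoint path, the request method and body shape, and the way unknown identifiers appear in the response (as entries with the identifier but without detail fields such as rootCauses or vulnerableVersionRanges) are assumptions; the sample identifiers and response are constructed.

```python
import base64
import json
from itertools import islice
from typing import Dict, Iterable, Iterator, List
from urllib import request

# Limit taken from the release notes; the endpoint path is a placeholder (assumption).
MAX_IDS_PER_REQUEST = 1000
BULK_ENDPOINT = "/api/v2/vulnerabilities/PLACEHOLDER-bulk-path"


def batch_ids(ids: Iterable[str], size: int = MAX_IDS_PER_REQUEST) -> Iterator[List[str]]:
    """Trim, drop blanks, deduplicate (keeping first-seen order), then yield
    batches of at most `size` identifiers so no call exceeds the limit."""
    seen = set()
    unique = []
    for vid in ids:
        vid = vid.strip()
        if vid and vid not in seen:
            seen.add(vid)
            unique.append(vid)
    it = iter(unique)
    while True:
        chunk = list(islice(it, size))
        if not chunk:
            return
        yield chunk


def fetch_bulk(base_url: str, user: str, password: str, ids: List[str]) -> List[dict]:
    """POST one batch as a JSON array and return the parsed response.
    Assumption: JSON body, basic auth; adjust to the documented contract."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = request.Request(
        base_url.rstrip("/") + BULK_ENDPOINT,
        data=json.dumps(ids).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


DETAIL_FIELDS = ("rootCauses", "vulnerableVersionRanges", "severityScores")


def partition_results(requested: List[str], response: List[dict]) -> Dict[str, object]:
    """Split a bulk response into resolved details, identifiers the server
    echoed back without details (invalid/unknown), and identifiers missing
    from the response entirely (should not happen, but worth detecting)."""
    by_id = {entry.get("identifier"): entry for entry in response}
    resolved: Dict[str, dict] = {}
    unknown: List[str] = []
    missing: List[str] = []
    for vid in requested:
        entry = by_id.get(vid)
        if entry is None:
            missing.append(vid)
        elif any(field in entry for field in DETAIL_FIELDS):
            resolved[vid] = entry
        else:
            unknown.append(vid)
    return {"resolved": resolved, "unknown": unknown, "missing": missing}


# Constructed sample: two fake IDs with details, one unknown, one echoed but empty.
SAMPLE_REQUEST = ["CVE-0000-0001", "sonatype-0000-0002", "not-a-real-id"]
SAMPLE_RESPONSE = [
    {"identifier": "CVE-0000-0001", "rootCauses": [], "vulnerableVersionRanges": ["[1.0,1.2)"]},
    {"identifier": "sonatype-0000-0002", "severityScores": [{"source": "constructed", "score": 7.5}]},
    {"identifier": "not-a-real-id"},
]

if __name__ == "__main__":
    for batch in batch_ids(SAMPLE_REQUEST):
        print(partition_results(batch, SAMPLE_RESPONSE))
```

Because the response keeps every requested identifier, the partition step never has to guess which input an entry answers; the "missing" bucket is only a defensive check.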
New Bulk Waivers REST API
We have extended the Policy Waiver REST API to allow you to create bulk policy waivers. Leverage this new API to save time and reduce operational overhead by waiving up to 1,000 policy violations in a single API call.
The bulk policy waiver API operation includes automatic deduplication, validation of all provided IDs, and silent skipping of already-waived violations. This streamlines waiver management in high-volume environments such as CI pipelines or security audits.
You can apply bulk waivers with full configuration control, including options for expiration, waiver reason, scope matching strategy, and automatic expiration when a remediation becomes available.
To learn more about usage, valid parameters, and examples, refer to the Policy Waiver REST API documentation.
Advanced Container Scanning (Sonatype Scanner Mode)
Sonatype Lifecycle now includes Advanced Container Scanning, a next-generation replacement for NeuVector-based container security. This new capability brings stronger, more flexible image scanning powered by Sonatype’s own vulnerability intelligence.
Advanced Container Scanning brings the following key benefits:
Unified vulnerability data – Combines Sonatype’s proprietary intelligence with NeuVector data.
Simpler setup – No need for Docker-in-Docker (DinD) or a running Docker daemon.
Broader platform support – Runs natively on Windows and supports scanning remote container images.
Expanded OS package coverage – Detects vulnerabilities in Alpine (APK), RHEL/CentOS/Fedora (RPM/DNF), and Debian (APT) packages, along with standard application-level ecosystems such as Maven, npm, and PyPI.
NeuVector-Based Container Security Enters Extended Maintenance
With the advent of Advanced Container Scanning, NeuVector-based container security enters Extended Maintenance on October 7, 2025 and will receive only critical bug and security fixes through September 2026. After that date, it reaches end-of-support.
To benefit from ongoing feature development and full support, switch to Advanced Container Scanning (Sonatype Scanner Mode).
For full details, see the Advanced Container Scanning documentation.
Sonatype Developer
This release does not include any notable Sonatype Developer-specific changes.
Sonatype SBOM Manager
This release does not include any notable SBOM Manager-specific changes.
Sonatype Repository Firewall
This release includes the following changes for Sonatype Repository Firewall:
Firewall API Endpoint Alignment
The Firewall API now consistently uses the /api/v2/firewall/ path for all but the malware defense-specific endpoints. Previously existing /api/v2/malware-defense/ paths remain supported for backward compatibility.
The /api/v2/malware-defense/evaluate API continues to be available and uses malware-defense in its path.
Bug Fixes
This release includes the following notable bug fixes:
| Issue ID | Description |
|---|---|
| NEXUS-48563 | Policy action overrides for the Proxy stage now correctly apply at the repository level for Firewall for Docker, ensuring that repository-specific configurations are honored during image scans. |
| NEXUS-48520 | Reduced metadata evaluation latency for PyPI components under Policy Compliant Component Selection. |
| CLM-36272 | Loading the Build Stage Risk Monitoring Summary in the Developer UI now executes significantly fewer SQL queries on PostgreSQL databases, reducing page load times. |
| CLM-36122 | The PR commenting feature now works as expected. |
| CLM-36031 | Improved memory management during asynchronous license processing. |
| CLM-35964 | Webhook signatures are now generated using explicit UTF-8 encoding, ensuring consistent and verifiable HMAC SHA1 values for all payloads, including those with special or non-ASCII characters. |
| CLM-35813 | Users with appropriate permissions can now successfully delete applications from Sonatype Lifecycle as expected and without a 500 error. |
| CLM-35667 | Optimized authorization filtering logic to improve performance of the Orgs and Policies page and related APIs. |
| CLM-35271 | Made a change to ensure exported SQL from the |
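The CLM-35964 fix concerns how webhook signatures are computed. The following added example, not Sonatype's code, shows the receiving side: verifying an HMAC-SHA1 signature over the raw request body with a constant-time comparison, and why encoding the same text as UTF-8 versus Latin-1 changes the digest once a non-ASCII character is present. The header name `X-Nexus-Webhook-Signature`, the hex-digest format, and the sample secret and payload are assumptions and constructed values, not taken from this page.

```python
import hashlib
import hmac
from typing import Dict

# Assumed header name carrying the signature; not stated on this page.
SIGNATURE_HEADER = "X-Nexus-Webhook-Signature"


def hmac_sha1_hex(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA1 of raw body bytes; the secret is encoded explicitly as UTF-8."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha1).hexdigest()


def sign_payload(secret: str, payload: str) -> str:
    """Sender side: encode the payload text explicitly as UTF-8 before signing,
    so non-ASCII characters yield the same bytes regardless of platform default."""
    return hmac_sha1_hex(secret, payload.encode("utf-8"))


def verify_webhook(secret: str, raw_body: bytes, headers: Dict[str, str]) -> bool:
    """Receiver side: sign the bytes exactly as received (never a decoded and
    re-encoded string) and compare in constant time to avoid timing leaks."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = hmac_sha1_hex(secret, raw_body)
    return hmac.compare_digest(presented, expected)


def encoding_drift_free(secret: str, payload: str) -> bool:
    """True when signing the text as UTF-8 and as Latin-1 gives the same digest.
    Holds for pure-ASCII text and fails as soon as a non-ASCII character appears,
    which is the inconsistency an explicit-encoding fix removes."""
    utf8_sig = hmac_sha1_hex(secret, payload.encode("utf-8"))
    latin1_sig = hmac_sha1_hex(secret, payload.encode("latin-1"))
    return utf8_sig == latin1_sig


if __name__ == "__main__":
    # Constructed secret and payload; the accented name is the non-ASCII case.
    secret = "constructed-shared-secret"
    body = '{"application":"caf\u00e9-service","policyEvaluationId":"constructed-1"}'
    sig = sign_payload(secret, body)
    print(verify_webhook(secret, body.encode("utf-8"), {SIGNATURE_HEADER: sig}))
    print(encoding_drift_free(secret, '{"application":"plain"}'))
    print(encoding_drift_free(secret, body))
```

Verify against the raw bytes read from the socket; decoding the body into a string and re-encoding it is exactly where a platform default encoding can silently change the signed bytes.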
Coming Soon
We’re excited to share that the following enhancements will be coming soon to Sonatype Lifecycle:
Create Bulk Waivers Through the User Interface
While this release introduces the ability to create bulk waivers through the API, we will also soon bring this functionality to the Lifecycle user interface.