Sonatype IQ Server 197 Release Notes

We have redesigned IQ’s Advanced Search to make searching across your data easier and more flexible. This update introduces a new Query Builder alongside the existing Add Search Terms option, providing both guided and manual methods for constructing complex searches.

Key enhancements include the following:

For full details, see the Advanced Search help documentation.

You can now create bulk waivers (simultaneous waivers for multiple policy violations) directly through the Sonatype Lifecycle user interface.

This enhancement builds on the bulk waiver API capability introduced in version 196 and adds a user-friendly interface in version 197. The new UI option streamlines waiver management, improves consistency, and reduces the time required to handle multiple policy violations.

Bulk waivers can be created from both the Application Report and Component Details pages by users with the WAIVE_POLICY_VIOLATIONS permission.

For detailed instructions, see the Bulk Waivers help documentation.

With this release, a new integrationsSupportedVersionCount system property allows organizations to enforce a minimum version range for Sonatype integrations that include scanning functionality. When configured, only a defined number of the most recent integration versions are permitted to initiate policy evaluations.

This enhancement helps ensure consistent access to the latest features (e.g., AI-powered model identification) and promotes alignment across teams using scanning integrations.

If not configured, all integration versions remain supported by default. Evaluations initiated from the Lifecycle UI or during re-evaluations are not subject to this version check.

For full configuration details, see the Configuration REST API help documentation.

Sonatype Lifecycle now includes waiver status information in the Policy Violations table of the PDF version of the Application Composition Report. A new Waived column indicates whether each policy violation has been waived (Yes / No), giving users clear visibility into all policy decisions. This enhancement supports better auditing and historical tracking of component evaluations.

For details on generating PDF reports and what they contain, see the PDF Report help documentation.

Waiver configurations now automatically reset when the selection criteria are modified. Previously, waiver settings were retained even after changing the selection filters, which could result in unintended policy exceptions. With this update, modifying selected violations on the previous step clears the waiver configuration, ensuring it accurately reflects the current evaluation scope.

This release includes support for a sonatype:original_purl property in exported CycloneDX SBOMs. This Sonatype-specific metadata, added under the Sonatype namespace, preserves the original package URL (purl) from ingested SBOMs. Including this property helps maintain consistent component identity and improves interoperability when tracking components across different tools in your software supply chain.

For full details, see our CycloneDX Application Analysis documentation.

Sonatype Lifecycle now supports GPG-based commit signing for both native Git and jGit. This enhancement allows teams to include commit signature verification in their policy evaluation workflows, strengthening software supply chain integrity and helping ensure that only trusted commits are used in builds and scans.

Starting with Nexus Repository version 3.86.0 and IQ Server version 197, Firewall for Docker Scanning now uses the network connection settings configured in Nexus Repository when accessing Docker registries.

This enhancement ensures that Docker scans respect custom networking configurations, allowing seamless image downloads and more consistent scanning behavior across different environments.

With this update, Firewall scans automatically apply the following Nexus Repository settings when available:

If you use Nexus Repository 3.86.0 with an earlier version of IQ Server, Firewall for Docker will fall back to the older IQ CLI scanning method, which does not apply the Nexus Repository HTTP configuration.

Firewall for Docker now supports analyzing and quarantining a broader range of OCI-compliant images requested through Docker proxy repositories. This includes multi-architecture manifest lists, single-manifest images without layers, and uncompressed image layers. These updates improve compatibility with modern image formats by adding support for less common Docker layer constructs.

Sonatype will soon introduce a new product that helps your AI coding assistant make smarter dependency choices. A preview of the first component, our Model Context Protocol (MCP) server, is available now for early exploration. Sonatype’s MCP server guides AI to select secure, reliable, and license-compliant versions using Sonatype’s trusted open source intelligence.