Bug Fixes
- CLM-30371 – The licensing screen no longer displays duplicate entries for Sonatype Repository Firewall or lists “Lifecycle Cloud” for self-hosted licenses.
- CLM-30594 – Added more detailed logging to data retention processes to improve visibility into report purging behavior.
- CLM-31557 – When IQ Server is started, stopped, and started again in quick succession, the system now correctly detects and prevents multiple IQ instances from running at the same time.
| July 2, 2025 | 193 (Coming July 2025) |
| June 25, 2025 | 193 (Coming July 2025) |
- New Security Vulnerability Detection Type policy constraint to allow for more granular insight into how vulnerabilities are discovered.
- The latest IQ OpenShift operator image (192) is now available in the Red Hat catalog.
Bug Fixes
- CLM-24916 - The Components reviewed value on the main ALP dashboard now accurately reflects the Review status listed on the Application Obligations page.
- NEXUS-47507 - Accessing the Orgs and Policies and Repository Manager sections within the Sonatype Lifecycle UI now loads significantly faster.
| June 19, 2025 | 193 (Coming July 2025) |
| June 10, 2025 | 192 (June 11, 2025) |
- New AI Content policy condition to identify objectionable AI models from Hugging Face
- The Security tab on the Component Details page now includes Identification Source and Confidence columns for identified vulnerabilities.
- The component details drawer now displays Vulnerability Detection Type, Identification Source, and Confidence, and the pill at the top of the drawer displays the security research type (e.g., fast track, deep dive) associated with the vulnerability.
- Enhanced the Component Claim REST API by adding two new properties: claimerId and claimerName.
Bug Fixes
| June 5, 2025 | 192 (June 11, 2025) |
- New workflow for requesting and approving/rejecting waivers, with updated dashboard and views to surface waiver status across personas
- Support for SPDX 2.2 SBOM ingestion alongside existing SPDX 2.3 support
- SBOM Manager Legal View now provides full license management capabilities with ALP integration (requires ALP, Lifecycle, and SBOM Manager licenses)
- Waiver status visibility and expiry indicators in Priorities view
Bug Fixes
| May 28, 2025 | 192 (June 11, 2025) |
| May 21, 2025 | 192 (June 11, 2025) |
| May 14, 2025 | 192 (June 11, 2025) |
| May 7, 2025 | 191 (May 6, 2025) |
- Automated waivers for non-reachable methods (Developer)
- Support for multiple auto-waivers (Developer)
- Doc notification that CocoaPods is approaching end-of-life
| April 30, 2025 | 191 (May 6, 2025) |
| April 23, 2025 | 191 (May 6, 2025) |
| April 16, 2025 | 191 (May 6, 2025) |
| April 9, 2025 | 191 (May 6, 2025) |
| April 8, 2025 (self-hosted release date) | 190 |
- Improved browser tab identification across solutions
- Policy conditions for derivative AI models
- Support for scanning LFS files for AI/ML
- Coordinate constraint supports all formats; this release adds the following formats: Conda, Cran, Gem, Golang, NuGet, Pub, RPM, SWID, Swift
- Re-evaluation now uses latest HDS data
- New License Override REST API
- Display CLI/Plugin version in latest evaluations
- When merging multiple SBOMs, SBOM manager now merges associated licenses and vulnerabilities for duplicate components
- New Malware Defense Evaluation REST API
- New Firewall REST API to protect against Namespace Confusion attacks.
- Swagger now uses malware-defense instead of firewall; this does not impact functionality and 'firewall' will still work
- UI URL for Firewall uses malware-defense; 'firewall' will not work in the UI URL
- New Firewall for Artifactory Plugin supporting latest Artifactory versions
- Firewall Classic sunsetting April 9
| April 1, 2025 (self-hosted release date) | 189 |
- API documentation, powered by Swagger and OpenAPI, is now available in the user interface for all IQ-powered solutions (i.e., Lifecycle, Developer, SBOM Manager, Firewall, and Advanced Legal Pack).
- Update existing waivers with the Policy Waivers REST API.
- Policy Violations REST API now returns waived, legacy, and auto-waived violations.
- Report REST API policy violations now returns openTime.
- Success Metrics Enterprise Dashboard displays remediation status chart.
- Enhanced Security Risk Analysis Dashboard.
Breaking Changes with JFrog Artifactory 7.104
JFrog Artifactory 7.104 is the latest version and is incompatible with the Repository Firewall plugin. It introduces a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against. We recommend not upgrading to Artifactory 7.104, as doing so interrupts the Repository Firewall service and exposes you to malware entering the environment.
| March 4, 2025 (self-hosted release date) | 188 |
Upgrade Impact
After upgrading a Lifecycle instance using a PostgreSQL database from IQ 182 or earlier to IQ 183 or later, you may temporarily see an internal error when accessing the violations dashboard and find a NullPointerException (NPE) in the logs. This is due to an internal job running in the background; the dashboard will load as expected after the job completes. We will improve this experience in a future release.
- Hugging Face declared and observed license detection
- View Latest Evaluations option in Lifecycle
- Improvements to Security Risk Analysis dashboard
- Specify SBOM application version during import
- Easily view SBOM release status
- Support for Python pipfile.lock
- Branch name displays in Priorities view
- Sonatype Developer: Auto-waivers for policy violations on components with no path forward
- Options like Vulnerability Lookup and Advanced Search no longer display in the standalone Firewall user interface available via Solution Switcher. You can find these items by switching to the Lifecycle option via Solution Switcher.
| February 4, 2025 (self-hosted release date) | 187 |
Upgrade Impact
After upgrading a Lifecycle instance using a PostgreSQL database from IQ 182 or earlier to IQ 183 or later, you may temporarily see an internal error when accessing the violations dashboard and find a NullPointerException (NPE) in the logs. This is due to an internal job running in the background; the dashboard will load as expected after the job completes. We will improve this experience in a future release.
Lifecycle Changes
- Lifecycle dashboard performance improvements (includes UI changes)
- Total count no longer displays on each tab
- Removed sorting by component name
- Applications filter displays up to 500 apps with type-ahead filter to refine list
- Pagination change to only include back/forward buttons within page numbers to select
- Easier onboarding with automatic role assignment
- Waiver reasons in API responses for the Applicable Waivers, Similar Waivers, Component Waivers, and Stale Waivers REST APIs as well as the UI
- Dependency tree visualization for Cargo
- Improved matching process for SBOM scans (impacts Lifecycle and SBOM Manager)
- New AI Model Usage Data Insight
Sonatype Developer Changes
SBOM Manager Changes
- Sort components by name on BOM page
- Leverage Sonatype Container Security for SBOM Manager container scans
- Policy violations visible in UI
- Skip validation support for CycloneDX and SPDX
- Search by license
- Original binary filename visible in BOM page
- Improved matching process for SBOM scans (impacts Lifecycle and SBOM Manager)
Repository Firewall Changes
Notable Integrations Changes
- IQ CLI is now a standalone solution (i.e., IQ CLI 2.0), which means it is a separate download and is no longer included in the bundled IQ download
- IQ CLI 2.0 supports Python pipfile.lock
- IQ CLI 2.0 dependency tree visualization for Cargo
This release fixes an issue in release 185 that could cause deadlocking under heavy usage, causing the application to become unresponsive.
| January 8, 2025 (self-hosted release date) | 186 |