| November 12, 2025 | 198 (Coming December 2025) |
Maintenance Release | November 5, 2025 | 198 (Coming December 2025) |
You can now create bulk waivers (simultaneous waivers for multiple policy violations) through the user interface. Sonatype Lifecycle now supports GPG-based commit signing for both native Git and jGit, helping teams enforce commit integrity as part of their policy evaluation workflows. PDF reports now include a Waived column in the policy violations table to provide insight into waiver status. Added a sonatype:original_purl property in exported CycloneDX SBOMs to preserve original package URLs from ingested SBOMs and improve cross-tool component tracking. Bug fixes: CLM-37095 – SBOM Manager now uses both component identifiers and hashes to accurately deduplicate components during SBOM import, improving performance for SBOMs containing large embedded license data. CLM-37027 – SBOM ingestion in both Sonatype Lifecycle and SBOM Manager now correctly imports all components when multiple entries share the same coordinates but have different SHA1 hashes. CLM-35775 – Support zip generation now enforces a cluster-wide lock to prevent concurrent requests from overlapping, ensuring reliable archive creation and avoiding file access conflicts. CLM-35279 – IQ Server no longer requires the Server response header to validate Nexus Repository connections in InnerSource Repository configuration, allowing support for environments that restrict HTTP header exposure through reverse proxies. NEXUS-47655 – (Requires IQ 197 and Nexus Repository 3.86.0) Firewall for Docker now uses the HTTP configuration defined in Nexus Repository (i.e., proxy settings, authentication, timeouts, and SSL certificates) when downloading image content for scanning, improving compatibility with restricted or customized network environments.
| October 29, 2025 | 197 (November 5, 2025) |
A new integrationsSupportedVersionCount system configuration property allows organizations to enforce a minimum version range for IQ Server Integrations that have scanning functionality. This ensures that scans only proceed when using one of the latest approved versions and ensures consistent access to key features (e.g., AI model identification). Waiver configurations now reset automatically when selection criteria are modified, ensuring accurate alignment with the updated scope. Bug Fixes:
| October 22, 2025 | 197 (November 5, 2025) |
Bug Fixes NEXUS-48987 – InnerSource repository connections to Sonatype Nexus Repository cloud tenants now succeed without requiring the Server response header, enabling compatibility with Nexus Repository Cloud in IQ Server. NEXUS-45459 – The Vulnerability Lookup page is now available again for customers with a Repository Firewall-only license, and the login page link correctly directs to it.
| October 15, 2025 | 197 (November 5, 2025) |
Bug Fixes CLM-35845 – The IQ Operator Helm chart now supports specifying CPU limits for pods, enabling deployment in environments with enforced resource quotas. NEXUS-49025 – Firewall report links using the legacy /malware-defense path now redirect correctly, with full backward compatibility implemented to ensure both /malware-defense and /firewall URLs load without errors. (Requires Nexus Repository 3.86.0 and IQ 196 for self-hosted customers.)
| October 8, 2025 | 196 (October 8, 2025) |
Support for Java 25 bytecode fingerprinting. Implemented a user activity overview feature that, when enabled, provides system administrators visibility into login and usage patterns to support audit and compliance needs. This feature is disabled by default. Bug Fixes NEXUS-48563 – Policy action overrides for the Proxy stage now correctly apply at the repository level for Firewall for Docker, ensuring that repository-specific configurations are honored during image scans. CLM-36272 – Loading the Build Stage Risk Monitoring Summary in the Developer UI now executes significantly fewer SQL queries on PostgreSQL databases, reducing page load times. CLM-35813 – Users with appropriate permissions can now successfully delete applications from Sonatype Lifecycle as expected and without a 500 error.
| October 1, 2025 | 196 (October 8, 2025) |
| September 25, 2025 | 196 (October 8, 2025) |
| September 18, 2025 | 196 (October 8, 2025) |
New Management options for Automated Remediation with GoldenPRsTM for GitLab using Sonatype for SCM New Golden Fixes dashboard New Bulk Vulnerability Details API Bug Fixes: CLM-36122 – The PR commenting feature works as expected. CLM-35964 – Webhook signatures are now generated using explicit UTF-8 encoding, ensuring consistent and verifiable HMAC SHA1 values for all payloads, including those with special or non-ASCII characters. CLM-35271 – Made change to ensure exported SQL from the export-embedded-db task is always valid to prevent import errors when migrating from H2 to PostgreSQL.
| September 10, 2025 | 196 (October 8, 2025) |
New Display Theme option under Manage User Account – Users now have the ability to use Lifecycle, SBOM Manager, Developer, and Firewall in light or dark mode. New Management options for Automated Remediation with GoldenPRsTM for GitHub using Sonatype for SCM. See the Sonatype for SCM configuration help documentation. Bug Fixes
| September 3, 2025 | 195 (September 9, 2025) |
New side and top navigation design across Lifecycle, Developer, SBOM Manager, and Firewall. IQ Server and the IQ CLI Scanner now support Java 23 and 24 bytecode fingerprinting. Redesigned Enterprise Reporting landing page to group reports that go together under a single card with a drop-down menu, allowing you to select the specific report view you need. Bug Fixes
| August 20, 2025 | 195 (September 9, 2025) |
New Insight: Legal Risk Trends dashboard tracks policy compliance and remediation performance. Sonatype’s data catalog now includes Exploit Prediction Scoring System (EPSS) data. You can now create policy constraints using a new EPSS Score (percentage) condition. Firewall for Containers (Requires Nexus Repository 3.83.0).
| August 6, 2025 | 194 (August 12, 2025) |
| July 30, 2025 | 194 (August 12, 2025) |
The Dashboard landing page now displays an informative note if the Dashboard feature is disabled by an administrator. | July 16, 2025 | 194 (August 12, 2025) |
| July 9, 2025 | 194 (August 12, 2025) |
Common Platform Enumeration (CPE)–based vulnerability matching for C/C++ components. Sonatype SBOM Manager now uses Common Platform Enumeration (CPE)–based matching to detect vulnerabilities across a broader catalog of technologies, including third-party applications, operating systems, firmware, and embedded hardware. Bug Fixes CLM-30371 – The licensing screen no longer displays duplicate entries for Sonatype Repository Firewall or lists “Lifecycle Cloud” for self-hosted licenses. CLM-30594 – Added more detailed logging to data retention processes to improve visibility into report purging behavior. CLM-31557 – When IQ Server is started, stopped, and started again in quick succession, the system now correctly detects and prevents multiple IQ instances from running at the same time. CLM-34705 – Added additional debug logging to the Auto Pull Request process to capture detailed reasons when remediations cannot be applied.
| July 2, 2025 | 193 (July 9, 2025) |
Sonatype's vulnerability catalog now includes Known Exploited Vulnerabilities (KEV) data to help you identify vulnerabilities under known exploitation. KEV status appears in the UI and Vulnerability Details REST API; you can also create policy constraints around KEV status. Sonatype’s vulnerability catalog now skips Java similar matching on nested components when the outer artifact is an exact match. This improves scan performance while preserving accuracy.
| June 25, 2025 | 193 (July 9, 2025) |
New Security Vulnerability Detection Type policy constraint to allow for more granular insight into how vulnerabilities are discovered. The latest IQ OpenShift operator image (192) is now available in the Red Hat catalog. Bug Fixes CLM-24916 - The Components reviewed value on the main ALP dashboard now accurately reflects the Review status listed on the Application Obligations page. NEXUS-47507 - Accessing the Orgs and Policies and Repository Manager sections within the Sonatype Lifecycle UI now loads significantly faster.
| June 19, 2025 | 193 (July 9, 2025) |
| June 10, 2025 | 192 (June 11, 2025) |
New AI Content policy condition to identify objectionable AI models from Hugging Face The Security tab on the Component Details page now includes Identification Source and Confidence columns for identified vulnerabilities. The component details drawer now displays Vulnerability Detection Type, Identification Source, and Confidence, and the pill at the top of the drawer displays the security research type (e.g., fast track, deep dive) associated with the vulnerability. Enhanced the Component Claim REST API by adding two new properties: claimerId and claimerName. Bug Fixes
| June 5, 2025 | 192 (June 11, 2025) |
New workflow for requesting and approving/rejecting waivers, with updated dashboard and views to surface waiver status across personas Support for SPDX 2.2 SBOM ingestion alongside existing SPDX 2.3 support SBOM Manager Legal View now provides full license management capabilities with ALP integration (requires ALP, Lifecycle, and SBOM Manager licenses) Waiver status visibility and expiry indicators in Priorities view Bug Fixes
| May 28, 2025 | 192 (June 11, 2025) |
| May 21, 2025 | 192 (June 11, 2025) |
| May 14, 2025 | 192 (June 11, 2025) |
| May 7, 2025 | 191 (May 6, 2025) |
Automated waivers for non-reachable methods (Developer) Support for multiple auto-waivers (Developer) Doc notification that Cocoapods approaching end-of-life
| April 30, 2025 | 191 (May 6, 2025) |
| April 23, 2025 | 191 (May 6, 2025) |
| April 16, 2025 | 191 (May 6, 2025) |
| April 9, 2025 | 191 (May 6, 2025) |
| April 8, 2025 (self-hosted release date) | 190 |
Improved browser tab identification across solutions Policy conditions for derivative AI models Support for scanning LFS files for AI/ML Coordinate constraint supports all formats; this release adds the following formats: Conda Cran Gem Golang NuGet Pub RPM SWID Swift
Re-evaluation now uses latest HDS data New License Override REST API Display CLI/Plugin version in latest evaluations When merging multiple SBOMs, SBOM manager now merges associated licenses and vulnerabilities for duplicate components New Malware Defense Evaluation REST API New Firewall REST API to protect against Namespace Confusion attacks. Swagger now uses malware-defense instead of firewall; this does not impact functionality and 'firewall' will still work UI URL for Firewall uses malware-defense; 'firewall' will not work in the UI URL New Firewall for Artifactory Plugin supporting latest Artifactory versions Firewall Classic sunsetting April 9
| April 1, 2025 (self-hosted release date) | 189 |
API documentation, powered by Swagger and OpenAPI, is now available in the user interface for all IQ-powered solutions (i.e., Lifecycle, Developer, SBOM Manager, Firewall, and Advanced Legal Pack). Update existing waivers with the Policy Waivers REST API. Policy Violations REST API now returns waived, legacy, and auto-waived violations. Report REST API policy violations now returns openTime. Success Metrics Enterprise Dashboard displays remediation status chart. Enhanced Security Risk Analysis Dashboard.
Breaking Changes with JFrog Artifactory 7.104 JFrog Artifactory 7.104 is the latest and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against. We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment. | March 4, 2025 (self-hosted release date) | 188 |
Upgrade Impact After upgrading a Lifecycle instance using a PostgreSQL database from IQ 182 or earlier to IQ 183 or later, you may temporarily see an internal error when accessing the violations dashboard and find a NullPointerException (NPE) in the logs. This is due to an internal job running in the background; the dashboard will load as expected after the job completes. We will improve this experience in a future release. Hugging Face declared and observed license detection View Latest Evaluations option in Lifecycle Improvements to Security Risk Analysis dashboard Specify SBOM application version during import Easily view SBOM release status Support for Python pipfile.lock Branch name displays in Priorities view Sonatype Developer: Auto-waivers for policy violations on components with no path forward Options like Vulnerability Lookup and Advanced Search no longer display in the standalone Firewall user interface available via Solution Switcher. You can find these items by switching to the Lifecycle option via Solution Switcher.
| February 4, 2025 (self-hosted release date) | 187 |
Upgrade Impact After upgrading a Lifecycle instance using a PostgreSQL database from IQ 182 or earlier to IQ 183 or later, you may temporarily see an internal error when accessing the violations dashboard and find a NullPointerException (NPE) in the logs. This is due to an internal job running in the background; the dashboard will load as expected after the job completes. We will improve this experience in a future release. Lifecycle Changes Lifecycle dashboard performance improvements (includes UI changes) Total count no longer displays on each tab Removed sorting by component name Applications filter displays up to 500 apps with type-ahead filter to refine list Pagination change to only include back/forward buttons within page numbers to select
Easier onboarding with automatic role assignment Waiver reasons in API responses for the Applicable Waivers, Similar Waivers, Component Waivers, and Stale Waivers REST APIs as well as the UI Dependency tree visualization for Cargo Improved matching process for SBOM scans (impacts Lifecycle and SBOM Manager) New AI Model Usage Data Insight
Sonatype Developer Changes SBOM Manager Changes Sort components by name on BOM page Leverage Sonatype Container Security for SBOM Manager container scans Policy violations visible in UI Skip validation support for CycloneDX and SPDX Search by license Original binary filename visible in BOM page Improved matching process for SBOM scans (impacts Lifecycle and SBOM Manager)
Repository Firewall Changes Notable Integrations Changes IQ CLI is now a standalone solution (i.e., IQ CLI 2.0), which means it is a separate download and is no longer included in the bundled IQ download IQ CLI 2.0 supports Python pipfile.lock IQ CLI 2.0 dependency tree visualization for Cargo
This release fixes an issue in release 185 that could cause deadlocking to occur under heavy usage causing the application to become unresponsive.
| January 8, 2025 (self-hosted release date) | 186 |