Sonatype Nexus Repository 3.73.0 Release Notes

Nexus Repository Pro 3.73.0 introduces native support for Rust / Cargo, empowering developers to streamline dependency management and enhance the ability to reproduce builds. Leverage hosted, proxy, and group repositories to centralize your Rust dependencies, while Cargo's sparse protocol ensures efficient package fetching. Enjoy compatibility with Cargo versions 1.68+ and robust security and management capabilities, including SSL configuration, user token support, cleanup policies, and more. Pro features like staging, tagging, content replication, and Firewall integration further enhance your workflow.

Note that native Rust / Cargo support is not compatible with the existing community plugin, and data migration is not supported. Component upload is currently limited to the cargo publish command.

See our Rust / Cargo format help documentation for full details.

Note that 3.73.0 administrators may see a Cargo Bearer Token Realm available in the Realms user interface. This is a non-functional Realm that will be removed in our next release.

This feature was made possible through your feedback in the Sonatype Ideas Portal.

Sonatype Nexus Repository now proactively detects open-source malware components within your repositories to enhance the security of your software supply chain and help you monitor malware risk.

What is malware risk? Open-source malware refers to deliberately malicious open-source components designed to mimic legitimate packages while causing harm, such as data theft or system hijacking. This differs from unintentional vulnerabilities, which are weaknesses in code that can be exploited. Even one malicious component is too many and can compromise your entire build pipeline. The more malicious components you have, the greater the risk of exposure, and the more complex it becomes to manage and remediate. The severity of these threats cannot be overstated. Even when discovered and removed from repositories like PyPI or npm, the absence of a CVE complicates efforts to track and address the threat, leaving systems vulnerable and risk mitigation challenging.

As of release 3.73.0, when Sonatype Nexus Repository identifies malware components, a warning banner alerts both administrators and users in the Nexus Repository interface. This banner updates every 24 hours to reflect the latest malware detection status.

Administrators should contact Sonatype using the button within the banner for guidance on remediation; non-administrators seeing a banner should alert their system admins so that they can contact Sonatype.

See our Malware Risk help documentation for full details.

Sonatype Nexus Repository now offers enhanced security through the re-encryption of sensitive data. Nexus Repository employs reversible encryption to store sensitive data like passwords for certain features. By default, Nexus Repository uses a static key for this encryption. However, administrators can now change the encryption key used to protect passwords and other confidential information, adding an extra layer of protection.

If you have not configured and run re-encryption and are still using the default key, you will see a health check warning with the message "Nexus was not configured with an encryption key and is using the Default key" after upgrading to 3.73.0+. Follow the steps in the re-encryption help documentation to resolve the warning.

This feature also mitigates CVE-2024-5764. See the re-encryption help documentation for full feature details details.

As part of our efforts to improve getByDisplayPath query performance, we have added a new index on parent_id that runs on startup. The new index may slow startup time for large deployments but will allow the retrieval of data based on node_id and parent_id in a very efficient way.