Configuration REST API

baseUrl

Default: null

Base URL of the IQ Server for user-facing links back to the server. Required for Email, SCM, and Jira integrations.

forceBaseUrl

Default: false

Default false value is desired. If true, force IQ Server to treat all inbound requests as originating from the configured baseURL instead of relying on inbound HTTP request headers to determine this dynamically.

Setting this to true in order for HTTP requests to the server to work correctly suggests a misconfiguration of an upstream server that is reverse proxying requests to IQ Server. The upstream server should instead be sending properly formatted Forwarded headers .

frameAncestorsAllowlist

Default: null

List of domains or parent URLs, passed as json. This property is used to add HTTP Content-Security-Policy (CSP) frame-ancestors directive to allow you to specify the domains or parent URLs that can frame the current resource, to prevent clickjacking. 'self' is always appended to this list.

Null value (default) indicates there is no restriction on the allowed domain or parent URLs. All domains can frame the resource.

eventBus.maxThreadPoolSize

Default: 500

The maximum number of threads that can be used for the EventBus.

The EventBus is used to asynchronously post various events (e.g. policy evaluation, entity management, license/security vulnerability overrides, etc). These events can then be consumed by various services (e.g. webhooks, source control, etc).

csrfProtection

Default: true

Enables/disables cross-site request forgery protection. Defaults to true for increased security.

userAgentSuffix

Default: null

A custom fragment to add to the "user-agent" for HTTP calls.

maxAdvancedSearchClauseCount

Default: 2048

The clause count limit for Advanced Search queries.

advancedSearchCSVExportDelimiter

Default: ,

The delimiter for the Advanced Search CSV export. The default is a comma.

policyMonitoringHour

Default: 0

Hour of the day (0-23) to schedule Policy Monitoring execution. The default is midnight.

webhookSecretPassphrase

Default: ^d1swM!FF&qQ

Passphrase used to encrypt the Webhook Secret Keys.

hdsUrl

Default: https://clm.sonatype.com/

Sonatype Data Services URL. The property hdsUrl defaults to the value set in config.yml if no value is found in the database.

sessionTimeout

Default: 30

Session timeout value in minutes for IQ Server. This is a configurable value, with a default set as 30 minutes. Users will receive browser notifications (if enabled for Sonatype sites) when the session is about to expire.

purgeScanFiles

Default: null

Supported value is withReports. If set to withReports, scan files will be deleted along with associated report files during Data Retention.

automaticQuarantineReleaseTimeIntervalInMinutes

Default: 60

Scheduling interval (in minutes) for Automatic Quarantine Release. Minimum value supported is 30 minutes.

quarantinedComponentReportExpirationTimeInHours

Default: 12

Expiration time for quarantine reports

waivedComponentUpgradeMonitoringEnabled

Default: false

Enable or disable

Waived Component Upgrades Configuration

quarantinedItemCustomMessage

Default: null

The custom quarantined message of up to 500 chars to be displayed when a component fails a Firewall policy.

This feature requires Nexus Repository version 3.58 or newer.

alpObservedLicenseDetectionEnabled

Default: false (true, for new installations of Lifecycle)

Enables observed license detection for additional ecosystems for users of Lifecycle with Advanced Legal Pack (ALP) add-on.

apiAccessAllowList

Default: null

List of usernames passed as JSON. This property is used to control the access to the public API.

If set, only the users specified in the list are allowed to make API calls. An empty list or a null value (default) indicates unrestricted API access.