Release Notes - Sonatype for GitLab CI
Provide the latest features for Nexus Lifecycle 1.171.0-01
Provide the latest features for Nexus Lifecycle 1.170.0-01
Provide the latest features for Nexus Lifecycle 1.169.0-01
Provide the latest features for Nexus Lifecycle 1.168.0-01
Provide the latest features for Nexus Lifecycle 1.167.0-01
Provide the latest features for Nexus Lifecycle 1.166.0-01
Provide the latest features for Nexus Lifecycle 1.165.0-01
Provide the latest features for Nexus Lifecycle 1.164.0-01
Provide the latest features for Nexus Lifecycle 1.163.0-01
Provide the latest features for Nexus Lifecycle 1.162.0-01
Provide the latest features for Nexus Lifecycle 1.161.0-01
Provide the latest features for Nexus Lifecycle 1.160.0-01
Provide the latest features for Nexus Lifecycle 1.159.0-01
Updates to Nexus Container Scanning
Scanning remote images no longer requires providing environment variables if the image is public.
Provide the latest features for Nexus Lifecycle 1.158.0-01
Provide the latest features for Nexus Lifecycle 1.156.0-01
Provide the latest features for Nexus Lifecycle 1.155.0-01
Provide the latest features for Nexus Lifecycle 1.153.0-01
Introduces call-flow analysis of Java (or any JVM-language) binaries found in the scan targets, to find method signatures that trigger a security vulnerability.
Provide the latest features for Nexus Lifecycle 1.152.0-01
Provide the latest features for Nexus Lifecycle 1.151.0-01
Evaluations terminate with a non-zero exit code if there are any scanning errors.
Provide the latest features for Nexus Lifecycle 1.150.0-01
Provide the latest features for Nexus Lifecycle 1.149.0-01
Provide the latest features for Nexus Lifecycle 1.148.0-01
Provide the latest features for Nexus Lifecycle 1.147.0-01
Provide the latest features for Nexus Lifecycle 1.146.0-01
Notable bug fix
Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from release 142 and above are now ignored during a manifest scan.
Provide the latest features for Nexus Lifecycle 145
Users can now provide an additional parameter, organization-id, to specify an organization. If the application does not exist, IQ Server will create it under the specified organization instead of the parent organization configured for Automatic Application Creation.
Provide the latest features for Nexus Lifecycle 144
Provide the latest features for Nexus Lifecycle 142
Provide the latest features for Nexus Lifecycle 141
Provide the latest features for Nexus Lifecycle 139
Provide the latest features for Nexus Lifecycle 138
Provide the latest features for Nexus Lifecycle 137
Provide the latest features for Nexus Lifecycle 135
Provide the latest features for Nexus Lifecycle 134
Support for CycloneDX 1.4:
The CycloneDX Application Analysis has been extended to support the CycloneDX schema version 1.4 for XML and JSON formats.
Provide the latest features for Nexus Lifecycle 133
Provide the latest features for Nexus Lifecycle 132
Bug Fix for False Positives in Image Scans
Update logback Library Version in IQ
Nexus IQ Server does not use log4j; it uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j.
However, because of a low/moderate-severity vulnerability in logback, we are taking precautionary measures by updating the logback library version used in Nexus IQ products.
Cran and Cargo Matching Improvements
Conda Matching Improvements
An optional environment variable, NEXUS_IQ_REPORT_FORMAT, can be set to control the content of the generated evaluation report.
Conan Matching Improvements
Conan data and matching have been improved for both Lifecycle and Firewall.
Dependency Information Improvements for NPM
NPM Dependency Information detection has been improved to display more accurate results.
Fixed an issue with some NPM scans that was causing IQ Server 122 evaluations to fail when reading dependency information.
Dependency Information for NPM
NPM project scans with manifests can now display dependency information (direct and transitive) for NPM components.
Support for container scanning via Nexus Container
SBOM Improvements and Bug Fixes:
CycloneDX SBOM scans have been improved to display better results.
Swift Application Analysis:
IQ Server can now be used to evaluate policies against components from the dependency file of a Swift application.
Support for CycloneDX 1.3:
CycloneDX Application Analysis has been extended to support the schema version CycloneDX 1.3 for XML format.
Improvements to Python Application Analysis:
IQ Server now supports evaluating policies against Python components defined in poetry.lock files.
Support for CycloneDX 1.2:
CycloneDX Application Analysis has been extended to support the CycloneDX schema version 1.2 for XML format.
Java Manifest Application Analysis:
IQ Server now supports evaluating policies against Java components in pom.xml and build.gradle files.
Improvements to manifest analysis:
Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
Updated CLI scanner to parse package-lock.json files stored inside an archive.
Fixed parsing errors when scanning yarn.lock and *.csproj files.
Fixed an initialization error in NuGet manifest scanning.
Application analysis of components for:
NPM, as defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
NuGet, as defined in .csproj and packages.config files.
Added support for analyzing Java 14 and 15 bytecode.
Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC.
Application analysis of components for:
Go components defined in a Gopkg.lock file.
Application analysis of components for:
C/C++ components defined in a conaninfo.txt file.
Go components defined in a go.list file.
Now released in sync with IQ Server releases (a given release may or may not include updates relevant to this Docker image).
Application analysis of components for:
C/C++ conanfile.py files
Yum
Alpine
Debian
Drupal
R (CRAN)
Rust (Cargo)
Application analysis of components for:
Swift/Objective-C CocoaPods
Conda
Identify components based on their SHA-1 value (content hash).
Application analysis of components for:
C/C++ Conan
PHP Composer
RubyGems
CycloneDX application analysis extended to support submitting component vulnerabilities.
Pushed environment variables into processes for automated onboarding of applications for Nexus IQ for SCM.
Expanded coverage option (-xc) fixed.
Application ID added to the report filename.
Policy violation counts added to the HTML report.
Known issues:
Using the expanded coverage option (-xc) will incorrectly cause the pipeline job to fail.
Multiple evaluations in the same job will incorrectly append report information to the same policy-eval-report.html file.