Release Notes
We're continuously improving Nexus IQ Server products and features based on customer feedback. We make a lot of enhancements regularly, and our release notes provide detailed descriptions of each product release with links to additional technical information and support resources.
As a best practice, we recommend that you keep your IQ Server installation up to date so you can benefit from the latest features and advancements in component intelligence. The latest version can be downloaded from the IQ Download and Compatibility page.
If you are upgrading from an earlier version of IQ Server, please see Upgrading the IQ Server.
Release 104 (January 2021)
Fix for GZip Expansion Vulnerability
Releases 86 to 103 (inclusive) of IQ Server suffer from CVE-2020-27218, a security vulnerability that allows an attacker to inject data into the body of the request. We advise you to update your IQ Server to this new release, which contains the required fix.
Update to Third-Party Scan REST API
Third-Party Scan REST API responses now contain additional report URLs to aid navigation.
IQ for SCM supports Go Projects
Automated pull request feedback is now available for Go projects in all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Go.
InnerSource Insight Improvements
InnerSource Insight was improved and now supports:
- The Dependency Type policy condition can now tune policy using the InnerSource dependency type; please click here for more information.
- Improved detection of proprietary modules that are not demarcated as InnerSource (instead of marking them as "unknown").
- Better detection of direct dependencies when they are associated with both an InnerSource component and the parent application. Please check the InnerSource Insight documentation for more information.
NPM and NuGet Manifest Application Analysis
IQ Server (through CLI) now supports evaluating policies against:
- NPM Components defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
- NuGet Components defined in *.csproj and packages.config files.
Release 103 (December 2020)
InnerSource Insight for Maven
InnerSource dependency analysis allows a user to visualize InnerSource components and their transitive dependencies in a report with links to any associated applications. Please refer to InnerSource Insight for more information.
Support for Evaluating Java 14 and 15 Applications and Components
The application and component evaluation have been updated to support Java 14 and 15 bytecode.
IQ for SCM supports Gradle Projects
Automated pull request feedback is now available for Gradle projects in all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Gradle.
Additional columns for Violations Export
Two additional columns have been added to the exported file from the dashboard's violation tab:
- Reference: contains the CVE or Sonatype code assigned to the vulnerability that caused the policy violation
- Policy Violation Id: contains the policy violation id that triggered the violation
Release 102 (November 2020)
Manage User Token
The new User Token UI allows each user to manage their own User Token directly from IQ Server.
API to check if User Token exists
The User Token API has a new endpoint that allows checking if a User Token exists for the current user.
Security Fixes
Fixed an XML External Entity (XXE) vulnerability affecting IQ Server parsing of admin submitted SAML metadata. See the CVE-2020-29436 advisory for details.
Release 101 (November 2020)
Lifecycle XC Removed in Nexus IQ CLI
Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC. For more information on the supported languages please refer to the Comprehensive Guide to Lifecycle Scanning.
New Structure for .NET Pecoff PackageUrl
PackageUrl for pecoff has a new structure: the namespace is now part of the qualifiers, under the key "nexusnamespace". PackageUrls produced by older versions will not change. More information can be found in our supported formats.
Manifest Evaluation REST API
The new Manifest Evaluation REST API provides a way to perform an application policy evaluation on supported manifest files discovered in a source control branch.
Manage Waivers for Violation
The new Waivers for Violation page allows viewing, adding and deleting waivers for a violation.
Time-based Waivers
Now Add Waiver page allows setting an expiration timeframe for the waiver.
Docker Image User Permissions Migration
The sonatype/nexus-iq-server docker image for IQ version 101 changed the base image from Red Hat UBI (Universal Base Image) to a different Red Hat UBI that includes OpenJDK 1.8. As a result, the UID of the nexus user has changed from uid=998 to uid=997, which will impact access to persistent data. See our upgrade instructions if you are upgrading to version 101 or later in a docker image.
Release 100 (October 2020)
Advanced Development Pack
Advanced Remediation Strategies, Hygiene Ratings, Breaking Changes, and Release Integrity capabilities made Generally Available as part of the Advanced Development Pack add-on product license.
Time-based Waivers via APIs
Add Waiver API now has an option to apply an expiryTime to waivers as a means to better manage and remove waivers. When the timeframe for the expiryTime has been met, the waiver will automatically expire.
Release 99 (September 2020)
GitLab MR Reviews with Line Comments
GitLab MR reviews now provide MR line comments, noting the exact line of code that caused a policy violation. Supplemented with the summary of policy violations for a specific MR, developers have all the information at their fingertips to innovate with peace of mind.
Release 98 (September 2020)
Improvements to Golang Application Analysis
IQ Server (through CLI) now supports evaluating policies against Go components defined in a Gopkg.lock file.
Automatic Migration to Root Organization
Installations that have not yet created and configured the Root Organization will automatically be migrated to a Root Organization with no policies defined.
If you have not yet migrated and wish to use policies from an existing organization at the Root Organization level, it is recommended to do this before upgrading. More information can be found in our documentation.
Automatic Update of Advanced Search Index
Previously, the search index had to be rebuilt manually to ensure search results reflect the latest policy configuration and application data. This release starts adding an incremental update of the search index that runs automatically when the application data is changed. Automatic indexing currently covers organizations, applications, application categories, component labels, policies, and security vulnerabilities found during policy evaluations.
Drop Requests with Unsafe Characters
IQ Server now drops inbound requests whose path contains characters known to be used for unsafe purposes (semicolons, backslashes and unescaped non-ASCII characters).
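The rule described above, applied to request paths taken from access-log lines, as an added example (this is illustrative code written for these notes, not IQ Server's own request filter). The log lines are constructed samples, and the percent-encoded path is kept on purpose to show that only raw non-ASCII characters count as unescaped:

```python
import re

# Rule as stated in the release note: a request is dropped when its path
# contains a semicolon, a backslash, or an unescaped (raw) non-ASCII character.
# Illustration of that rule only; not IQ Server's own filter code.
UNSAFE_REASONS = (
    (";", "semicolon"),
    ("\\", "backslash"),
)


def unsafe_path_reason(path):
    """Return a short reason string if the path would be dropped, else None.

    Percent-encoded bytes such as %C3%A9 are left alone: only raw characters
    outside the ASCII range count as 'unescaped non-ASCII'.
    """
    for ch, reason in UNSAFE_REASONS:
        if ch in path:
            return reason
    for ch in path:
        if ord(ch) > 0x7F:
            return "unescaped non-ASCII character U+%04X" % ord(ch)
    return None


# Minimal parser for a Common Log Format request line:
#   10.0.0.5 - - [ts] "GET /path HTTP/1.1" 200 123
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def path_of(target):
    """Strip the query string; the rule concerns the path component only."""
    return target.split("?", 1)[0]


def triage_access_log(lines):
    """Split log lines into (dropped, kept): dropped holds (path, reason) pairs."""
    dropped, kept = [], []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = path_of(m.group("target"))
        reason = unsafe_path_reason(path)
        if reason:
            dropped.append((path, reason))
        else:
            kept.append(path)
    return dropped, kept


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /api/v2/applications HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /api/v2/reports;jsessionid=abc HTTP/1.1" 400 0',
    '10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /reports\\summary HTTP/1.1" 400 0',
    '10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /ui/caf\u00e9 HTTP/1.1" 400 0',
    '10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /ui/caf%C3%A9?x=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    dropped, kept = triage_access_log(SAMPLE_LOG)
    for path, reason in dropped:
        print("DROP %-36s %s" % (path, reason))
    print("kept:", kept)
```

Running the block over the sample lines reports the semicolon, backslash and raw "é" paths as dropped and keeps the two clean ones; pointing `triage_access_log` at a real proxy or load-balancer log is a quick way to see which clients would be affected before upgrading.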
GitLab MR Reviews
GitLab MR reviews provide a MR comment with summary of violations, affected components, and description of violations introduced in that specific MR to help developers resolve policy violations effectively and efficiently.
User Sessions Maintained on Restart
IQ Server user sessions are now kept when the server is stopped such that they can continue to be used when the server is restarted as long as they have not timed out.
Applicable Waivers REST API
The new Applicable Waivers REST API enables retrieval of all the waivers applicable to a given policy violation.
New Add Waiver page
The new Add Waiver page provides the ability to apply a waiver against a policy violation from two different workflows. You can access the Add Waiver page either directly from the Application Report or from the Violation Details page.
SAML Destination Field Required for Signed Messages
The SAML implementation in IQ Server has been updated and now requires the "Destination" field to be set, if the SAML messages (request/response) are signed. This is in accordance with the SAML specification and if not done you may encounter an authentication error. See Error during SSO login "Authentication failed due to SAML error" after upgrading Nexus Repo 3 or IQ Server for more information.
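A pre-upgrade check for the requirement above, written for these notes as an added example (not IQ Server's SAML code): it parses a captured SAML response, refuses any DTD or entity declaration first (the class of input behind the XXE fix noted for Release 102), and then reports a signed message that lacks the Destination attribute or whose Destination does not match the URL the message was delivered to. The responses, the placeholder Signature element and the ACS URL are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_saml_message(xml_text):
    """Parse a SAML message after refusing any DTD/entity declarations.

    ElementTree does not fetch external entities on its own, but rejecting the
    declarations outright also rules out entity-expansion tricks, and SAML
    messages never legitimately carry a DOCTYPE.
    """
    if re.search(r"<!(DOCTYPE|ENTITY)\b", xml_text, re.IGNORECASE):
        raise ValueError("refusing XML with DTD or entity declarations")
    return ET.fromstring(xml_text)


def check_destination(root, expected_acs_url):
    """Return a list of problems; an empty list means the message passes.

    A signed message (one carrying a ds:Signature child) must set Destination,
    and when Destination is present it must match the URL the message hit.
    """
    problems = []
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if signed and destination is None:
        problems.append("signed message without Destination attribute")
    if destination is not None and destination != expected_acs_url:
        problems.append("Destination %r does not match %r" % (destination, expected_acs_url))
    return problems


def audit_saml_response(xml_text, expected_acs_url):
    return check_destination(parse_saml_message(xml_text), expected_acs_url)


def is_rejected(xml_text):
    """True when parse_saml_message refuses the document."""
    try:
        parse_saml_message(xml_text)
    except ValueError:
        return True
    return False


ACS_URL = "https://iq.example.test/saml"  # hypothetical assertion consumer URL

# Constructed SAML responses; the Signature element is a placeholder, not a real signature.
SIGNED_WITH_DESTINATION = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2020-09-01T00:00:00Z"
    Destination="https://iq.example.test/saml">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</samlp:Response>
"""

SIGNED_WITHOUT_DESTINATION = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r2" Version="2.0" IssueInstant="2020-09-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</samlp:Response>
"""

UNSIGNED = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r3" Version="2.0" IssueInstant="2020-09-01T00:00:00Z"/>
"""

# Harmless internal entity, present only to exercise the DTD rejection.
WITH_DOCTYPE = """\
<!DOCTYPE Response [<!ENTITY greeting "hello">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r4" Version="2.0" IssueInstant="2020-09-01T00:00:00Z"/>
"""

if __name__ == "__main__":
    for label, doc in (("signed+dest", SIGNED_WITH_DESTINATION),
                       ("signed-nodest", SIGNED_WITHOUT_DESTINATION),
                       ("unsigned", UNSIGNED)):
        print(label, audit_saml_response(doc, ACS_URL) or "ok")
    print("doctype rejected:", is_rejected(WITH_DOCTYPE))
```

Feed `audit_saml_response` the decoded response your identity provider sends (a browser's SAML tracer shows it) together with the IQ Server login URL it posts to; an empty list means the Release 98 requirement is already satisfied.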
Release 97 (August 2020)
Repository Policy Violation Notifications
Email notifications for repository policy violations are now sent when the policy violation is detected instead of periodically.
New Security Vulnerability Category Policy Condition
Security Vulnerability Category is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Security Vulnerability Override REST API
Addition of the Security Vulnerability Override API now allows security vulnerability status overrides to be retrieved alongside information about the components where they are currently taking effect.
Add Waiver REST API
New Policy Waiver REST API allows adding waivers with Application, Organization or Root Organization scope. The API has an option to apply a waiver to all components with matching policy violation.
Automated Pull Requests for GitLab
Automated Pull Requests are now supported for GitLab: pull requests are automatically created for policy violations with suggested remediation.
Source Control Configuration Test Button
Check the configuration of your source control setup for appropriate permissions for pull requests.
Automated Pull Requests Daily Activity View
Show recent automated pull request activity in the source control configuration screen.
Release 96 (July 2020)
New Dependency Type Policy Condition
Dependency Type is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Improvements to Application Analysis
IQ Server (through CLI) now supports evaluating policies against
- C/C++ components defined in a conaninfo.txt file.
- Go components defined in a go.list file.
Performance Improvements for Accessing LDAP Servers
Various performance improvements for accessing LDAP servers.
Release 95 (July 2020)
Components Identified by Package Manifest
Components found in a manifest that were previously unknown by Sonatype will be shown in the CIP as identified by "Package Manifest" displaying the given coordinates in the scanned file.
.NET improvements
NuGet data matching has been enhanced with PE (Portable Executable)/COFF (Common Object File Format) data:
- Best-fit matching is replaced with DLL pecoff matching.
- Exact matching to the .nupkg archive and to each .dll pecoff signature.
With the enhanced data, identification of the following extensions is now supported: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp
Improved Reports Page Performance
The Reporting Area in IQ Server's UI is now paged, increasing performance by decreasing load time.
Various Performance Improvements
Improved the performance in various areas (UI, REST APIs, etc).
New Option to Ignore LDAP Referrals
The configuration for LDAP connections now features an additional option to control how LDAP referrals are handled.
PR Reviews with Line Comments
PR reviews available in GitHub and BitBucket now provide PR line comments, noting the exact line that introduced a policy violation. Supplemented with the summary of policy violations for a specific PR, developers have all the information at their fingertips to innovate with peace of mind.
Improved Dashboard Filter Management
The UI for saving, loading and deleting Dashboard filters is simplified. Now the Save button is accessible directly in the sidebar footer. Saved filters can be loaded and deleted from the single dropdown menu.
Release 94 (June 2020)
C/C++ Application Analysis to Support conanfile.py Files
IQ Server (through CLI) can now be used to evaluate policies against components defined in a conanfile.py file.
Cross-stage Violation REST API
Policy violations can now be retrieved using the Cross-stage violation API to get information on a particular policy violation across the different stages of the lifecycle.
New Violation Details Page
Centralized access point for policy violation information. It can be accessed from the Dashboard to obtain detailed information on a specific policy violation for an application, including report information across different stages of the lifecycle.
Permission-aware Results from Advanced Search
The Advanced Search is still an early access feature but one of its caveats has now been resolved: Search results are now filtered to only include those records the user has "View" permission for.
Release 93 (June 2020)
Non Failing Version Recommendation in CIP
An additional recommended version has been added to the Component Info tab: the next version with no build-failure violations.
Release 92 (May 2020)
Performance Improvements with External Databases
Improved the performance when using an external database for policy evaluations, application reports UI, application reports and other REST APIs.
Use of TLS for Static Resources Referenced by Email Notifications
The static resources like images that are needed to view email notifications are now retrieved via HTTPS instead of HTTP. Please make sure your network allows outbound connections as detailed in Configuring Outbound Traffic.
Policy Waiver REST API Enhancement
Policy Waivers can now be retrieved using the updated Policy Waivers REST API.
Release 91 (May 2020)
New REST API for Application Categories
Application Categories can now be managed using the REST API. See the Application Categories REST API for details.
Improved Policy Evaluation Performance with External Databases
Improved the performance of policy evaluations when using an external database.
Yum Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from Yum dependency files.
New Data Source Policy Condition
Data Source is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Nexus Firewall Support of New Languages/Ecosystems
Firewall is extended to support packages of the following languages/ecosystems:
- PHP (Composer)
- Swift/Objective-C (Cocoapods)
- Conda
- Alpine (APK)
- Bower
- CRAN (R)
- Debian (APT)
- C/C++ (Conan)
It is recommended to upgrade to the latest Reference Policy Set (reference-policies-v4) with the Component-Unknown policy changes.
Release 90 (April 2020)
Policy Waiver REST API Enhancement
Policy Waivers can now be deleted using the updated Policy Waivers REST API.
Component Labels REST API Enhancement
Component Labels can now be managed using the updated Component Labels REST API.
Alpine, Drupal and Debian Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
Automated Pull Requests and Build Status for Bitbucket Server and Bitbucket Cloud
Support for both Bitbucket Server and Bitbucket Cloud has been added to Automated Pull Requests and Build Status.
Improved Storage for Firewall Data
The storage for Firewall data has been refactored to be faster and to require less disk space. A small performance impact may be noticed after the upgrade (for a few hours) until the existing data is migrated.
Release 89 (April 2020)
Component Evaluation REST API Enhancement
The Component Evaluation REST API now includes data about effective component licenses.
Report-related REST API Enhancement
The Report-related REST API now includes data about effective component licenses.
R and Rust Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
New PDF Report
The Look & Feel of the PDF Report for the Application Composition Report has been updated and streamlined to align more with IQ Server's UI. This increases its focus on essential information in addition to improving PDF generation performance.
Release 88 (March 2020)
Recommended Remediation for Transitive Maven Dependencies
The Component Info tab in the Component Information Panel now includes a Recommended Remediation section for transitive dependencies. It provides links to all direct dependencies that brought in the selected component. Available for Maven components only.
Advanced Search (Early Access)
This release includes an Early Access version of Advanced Search. This new search feature provides a flexible way to locate items among your applications. For instance, Advanced Search can help find all applications that are affected by a given security vulnerability.
Component Details REST API Enhancement
The Component Details REST API now includes data about effective component licenses.
Swift/Objective-C and Conda Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
GitHub PR Reviews
GitHub PR reviews add a PR comment summarizing the violations, affected components, and descriptions of the violations introduced in a specific PR, to help developers resolve policy violations effectively and efficiently.
Release 87 (March 2020)
User Tokens REST API Enhancements
User Tokens REST API exposes endpoints to System Administrators for querying tokens by creation date and supports deletion.
Fix for a critical issue with the Application Report in IQ 86
This release fixes a regression that prevented IQ Server 86 from loading some reports.
Release 86 (March 2020)
Known Issue with the Application Report
There is an issue with IQ Server 86 failing to load some reports.
Customers should avoid upgrading to release 86 and instead upgrade to release 87 or newer.
New REST API for Moving an Application from one Organization to another
An application can now be moved from one organization to another using the REST API. See the Application REST API for details.
C/C++, Ruby and PHP Application Analysis
IQ Server (through CLI, Jenkins and Bamboo plugins) can now be used to evaluate policies against components from dependencies files for:
Release 85 (February 2020)
New Component Category Policy Condition
Component Category is now available as a policy condition. See Understanding the Parts of a Policy for details.
New Component Claim REST API
The new Component Claim REST API allows you to view, add, update, and delete component claims.
Extended Stale Waivers REST API
Stale Waivers REST API now returns stale evaluations along with the stale waivers.
Release 84 (February 2020)
Release 83 and Release 84 introduced migration steps in server startup where proxy server and mail server configurations are read from the existing config.yml file and transferred to the database. An issue was discovered which stops IQ Server from successfully starting when the password field for either of these configurations is an empty string. If that is the case for either of your configurations, please comment out the password fields entirely instead of having an empty string.
Using the proxy server configuration as an example, instead of having a configuration as below:
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""
please configure your configuration as follows, where password is commented out:
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  # password: ""
No special action is needed if a non-empty password exists. It will be stored in the database encrypted.
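A small pre-upgrade check for the empty-password case described above, added here as an example rather than taken from IQ Server or its documentation. It scans a config.yml line by line without needing a YAML library, reports every indented `password: ""` (or `''`) line together with the top-level section it sits under, and can rewrite the file with those lines commented out exactly as the note asks. The sample configuration is constructed; the `mail` section name in it is hypothetical (the note names the mail server configuration but shows only the proxy block).

```python
import re

# Constructed config.yml fragment. The proxy block mirrors the one in the release
# note; the "mail" section name is hypothetical and only there to show that a
# non-empty password is left untouched.
SAMPLE_CONFIG = """\
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""
mail:
  hostname: "mail.example.test"
  port: 25
  username: "iq-mailer"
  password: "not-empty"
"""

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*$")
EMPTY_PASSWORD = re.compile(r"^(\s+)password:\s*(\"\"|'')\s*$")


def find_empty_passwords(config_text):
    """Return (section, line_no) pairs for every indented empty-string password line."""
    findings = []
    section = None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = TOP_LEVEL_KEY.match(line)
        if m:
            section = m.group(1)
            continue
        if EMPTY_PASSWORD.match(line):
            findings.append((section, line_no))
    return findings


def comment_out_empty_passwords(config_text):
    """Return the config with each flagged password line commented out, indentation kept."""
    flagged = {line_no for _, line_no in find_empty_passwords(config_text)}
    out = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line_no in flagged:
            indent = len(line) - len(line.lstrip())
            line = line[:indent] + "# " + line[indent:]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage on a real file: python check_config.py /path/to/config.yml
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for section, line_no in find_empty_passwords(text):
        print("line %d: empty password in section %r" % (line_no, section))
    print(comment_out_empty_passwords(text), end="")
```

Run it against the real config.yml before starting Release 83 or 84; an empty result means the migration step will not trip over an empty password. The rewrite keeps every other line byte-for-byte, so the diff is limited to the flagged lines.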
New Stale Waivers REST API
Stale Waivers REST API allows you to retrieve stale application and repository waivers.
To ensure accuracy, the API fails if there are any repository evaluations older than release 76, as new waiver information was added as part of that release. Please re-evaluate all repositories to get a successful response.
Email Server Configuration Verification in Email Server Configuration UI
A sample email can be sent in the Email configuration UI to verify the email server being configured by entering the desired recipient and using the Send Test Email button.
New HTTP Proxy Server Configuration REST API and UI
The proxy server configuration is now configurable via the new HTTP Proxy Server Configuration REST API or via the Proxy Server Configuration View found in System Preferences. Any existing proxy server configuration in config.yml will be migrated and become obsolete.
NPM support for Automated Pull Requests
Nexus IQ for SCM now supports the NPM ecosystem. See Automated Pull Requests for details.
Release 83 (January 2020)
New Email Server Configuration REST API and UI
The email server configuration for email notifications is now configurable via the new Mail REST API or via IQ Server's UI. Any existing email server configuration in config.yml will be migrated and become obsolete.
New Permissions for Waiving Policy Violations, Changing Licenses, and Changing Security Vulnerabilities
Three new permissions Waive Policy Violations, Change Licenses, and Change Security Vulnerabilities are now available for (un)waiving policy violations, changing component licenses, and changing component security vulnerabilities. Previously, the Edit IQ Elements permission was required for these operations. All roles that have the Edit IQ Elements permission are automatically updated to have these new permissions.
Binary Fingerprinting Improvements
This release includes improvements to our proprietary advanced binary fingerprinting and will increase scan file sizes up to four times.
SHA-1 Support for Third Party Scanning
The Third-Party Scan REST API and CLI has been extended to support the following feature.
- Identify components based on SHA-1 value (content hash).
Legacy Application Report Link Moved
The Policy-centric Application Composition Report no longer contains a banner with a link to the legacy version of the Application Composition Report. Instead, the legacy version may now be accessed via the Policy-centric report's Options menu.
Release 82 (January 2020)
Dependency Type Indicators and Filter
Application Composition Report now displays Dependency Type Indicators for maven components. Components can be filtered by dependency type using the new Dependency Type filter.
Note: Dependency Type is only supported for maven components. Reports created prior to January 2, 2020 will show all non-maven components as a direct dependency type. Once the application is rescanned, the non-maven components will be shown as unknown dependency types.
New Permission for Changing Access Control
A new Edit Access Control permission was added for managing the access control for applications, organizations and repositories. Previously, the Edit IQ Elements permission was required for access control management. All roles that have the Edit IQ Elements permission are automatically updated to have the new Edit Access Control permission.
Release 81 (December 2019)
Extended Organization REST API
The organization REST API now supports retrieving information for a single organization by its identifier or name.
Extended Component Label REST API
The component label REST API can now manage component labels for an entire organization.
clm-maven-plugin 2.15.0-01 Requires Java 8
Starting with version 2.15.0-01, the clm-maven-plugin requires Java 8.
License Data and Coordinates Support for Third Party Scanning
The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the following features.
- Identify component license data.
- Support coordinate based matching (in addition to Package URL).
Release 80 (December 2019)
Updated Main Header Design
Visual refresh of IQ Server main header.
Fix for HTTPS/SNI Issue in IQ 79
This release fixes a regression that prevented IQ Server 79 from starting if configured with an HTTPS connector that employed a server certificate making use of SNI.
Release 79 (November 2019)
Known Issue with HTTPS Connector
We are investigating an issue with IQ Server 79 failing to start when configured with a direct (config.yml) HTTPS connector.
Customers using this specific scenario should avoid upgrading to release 79 and instead upgrade to release 80 or newer.
Component Waiver REST API
Added policy waiver scope to the Component Waivers REST API.
Nexus IQ for SCM Configuration UI
The Nexus IQ for SCM Configuration UI allows for configuration of the integration between Nexus IQ Server and an external Source Control Management provider.
Automated Pull Requests
Automated Pull Requests allows for automatic creation of pull requests for policy violations on components that have an available version which remediates those violations.
Stable Link to Latest Application Composition Report
The report-related REST API has been extended to include the new property latestReportHtmlUrl in its response, providing a stable link to view the most recent report for a given application and stage.
Release 78 (November 2019)
Components In Quarantine REST API
Components in Quarantine REST API allows you to list repository components that are quarantined.
Release Component from Quarantine REST API
Release Component from Quarantine REST API allows you to release a quarantined repository component by waiving the policy violations causing the component to be quarantined.
Vulnerabilities Support for CycloneDX Application Analysis
CycloneDX Application Analysis is now extended to support submitting component vulnerabilities. For more details please refer to:
Release 77 (November 2019)
Clair Scan Evaluation
IQ Server integration with Clair provides you the ability to identify and apply IQ policies against Clair scanner results.
CycloneDX Application Analysis
IQ Server can now be used to evaluate policies against a software component list supplied in CycloneDX SBOM (software bill-of-material) format. This can be used in the following ways.
- Third-Party Scan API allows you to evaluate a CycloneDX SBOM via REST interface.
- CycloneDX Application Analysis allows you to evaluate a CycloneDX SBOM via Nexus IQ CLI / IQ Server UI.
Release 76 (October 2019)
Component Waiver REST API
Component Waivers REST API allows you to retrieve components with waivers for applications and repositories.
All repository reports must be re-evaluated in order to include the most accurate policy waiver information used by the new API.
User Tokens REST API
User Tokens REST API allows IQ users to create and delete user tokens. It also allows IQ Server administrators to purge obsolete tokens. See User Tokens for details.
General improvements and bug fixes:
- Fix bug with Firewall Audit and Quarantine where IQ Server database errors were more likely to occur on under-resourced hosts.
- IQ Server UI links to Firewall results from the Repository settings page in Organizations and Applications configuration.
Release 75 (October 2019)
Anonymous Vulnerability Lookup
You can now look up a vulnerability without logging in. See Vulnerability Lookup for details.
Vulnerability Details REST API
Vulnerability Details REST API allows you to retrieve vulnerability details in the form of JSON.
Release 74 (September 2019)
Single Sign-On via SAML
IQ Server can now be configured to enable single sign-on via SAML during login, which can be done by a system administrator via the UI or via the SAML REST API.
Support for Evaluating Java 13 Applications and Components
The application and component evaluation have been updated to support Java 13 bytecode.
Release 73 (September 2019)
Internal Release
Shortly after wide release a rare issue was found that can prevent successful upgrade of IQ Server.
To help avoid upgrade failures and forced rollback procedures, this release is not a recommended install. Use release 72 or release 74 and newer instead.
Fix for Remote Code Execution Vulnerability
All previous releases of IQ Server suffer from a security vulnerability that allows authenticated users with the Edit System Configuration and Users permission to execute arbitrary code. We advise you to update your IQ Server at the earliest opportunity to this new release, which contains the required fix. Details have been published on October 17: CVE-2019-16530.
Release 72 (September 2019)
Removed Support for Anonymous Access
The support for anonymous access used by very old IQ clients and plugins was removed from IQ Server. This doesn't affect you unless you are still using very old IQ clients or plugins. If present, the optional anonymousClientAccessAllowed setting should be removed from the config yml file used to configure the IQ Server.
Request Waiver Workflow
The policy violation id has been added to the REST API to facilitate Requesting a Waiver.
Source Control Onboarding
During policy evaluation, the commit hash and repository URL are automatically deduced allowing our scanners (CLI, Jenkins, GitLab, etc) to pick up which commit and repository they are evaluating against. This will allow Nexus IQ for Git to push policy evaluation report summaries to Git commits and pull requests with minimal configuration.
Release 71 (August 2019)
Request Waiver Workflow
You can now Request a Waiver when your workflow for waivers is handled outside of IQ Server.
Policy Evaluation Summary in GitLab
Policy evaluation report summaries and a link to the report can now be viewed on GitLab commits and pull requests. See Nexus IQ for SCM for details.
Release 70 (August 2019)
New REST APIs to Manage Users and Roles
Several additions to the public REST API of IQ Server were made to help automate the management of users and their roles:
Release 69 (July 2019)
Package URL (purl-spec) Support in Policy Configuration
You can now use package URL when configuring constraints in policy management.
Mitigate IQ Server Client Timeouts
IQ Server clients now poll for application evaluation results rather than waiting on the socket. Clients affected by this change are CLI, Jenkins, Bamboo, and Maven plugins.
IQ Server needs to be upgraded first in order for new clients to work properly.
Docker Image User Permissions Migration
The sonatype/nexus-iq-server docker image for IQ version 69 changed the base image from CentOS to RedHat UBI (Universal Base Image). As a result, the UID of the nexus user has changed from uid=999 to uid=998, which will impact access to persistent data. See our upgrade instructions if you are upgrading to version 69 or later in a docker image.
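Both UID changes on this page (uid=999 to uid=998 in Release 69 above, and uid=998 to uid=997 in Release 101) leave persistent data owned by a UID the new container process no longer runs as. The helper below is an added example for these notes, not Sonatype's upgrade procedure: it walks a mounted data directory, lists every entry still owned by the old UID without following symlinks, and only re-owns them when explicitly asked (which needs root). The directory layout and file names in `demo` are constructed, not the image's real volume layout.

```python
import os
import sys
import tempfile


def plan_uid_migration(root, old_uid):
    """Return the paths under root (root included) still owned by old_uid.

    lstat is used so a symlink is judged by its own owner and never followed,
    which keeps a stray link inside the volume from pulling in host files.
    """
    plan = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        # os.walk does not descend into symlinked directories, so check those here
        candidates += [os.path.join(dirpath, d) for d in dirnames
                       if os.path.islink(os.path.join(dirpath, d))]
        for path in candidates:
            if os.lstat(path).st_uid == old_uid:
                plan.append(path)
    return plan


def apply_uid_migration(root, old_uid, new_uid, dry_run=True):
    """Re-own the planned entries; with dry_run=True nothing on disk changes.

    Group ownership (-1) is left as is. Actually changing owners needs root.
    """
    plan = plan_uid_migration(root, old_uid)
    if not dry_run:
        for path in plan:
            os.chown(path, new_uid, -1, follow_symlinks=False)
    return plan


def demo():
    """Build a small constructed tree owned by the current user and plan it twice:
    once for the current UID (everything matches) and once for a UID that owns
    nothing (empty plan)."""
    root = tempfile.mkdtemp(prefix="iq-data-")
    os.makedirs(os.path.join(root, "work", "config"))
    for rel in ("work/config/config.yml", "work/data.db"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return plan_uid_migration(root, os.getuid()), plan_uid_migration(root, 999999)


if __name__ == "__main__":
    # Usage: python migrate_uid.py /path/to/volume OLD_UID NEW_UID [--apply]
    if len(sys.argv) >= 4:
        root, old_uid, new_uid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        for path in apply_uid_migration(root, old_uid, new_uid,
                                        dry_run="--apply" not in sys.argv):
            print("chown %d %s" % (new_uid, path))
    else:
        owned, none = demo()
        print("%d entries owned by current user, %d by uid 999999" % (len(owned), len(none)))
```

Run it first without `--apply` to review the list (for the Release 101 upgrade that is `998 997`, for Release 69 it is `999 998`), then with `--apply` as root once the container is stopped.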
Release 68 (July 2019)
Fix for Caching of UI Resources Between IQ versions
Recent versions of IQ have had a bug where user interface resources could be cached within the browser across IQ version upgrades. This could cause a mismatch between the IQ frontend and backend code, or even a mismatch between different parts of the frontend code. This would result in UI breakages, such as an oversized IQ logo rendering the page unusable in Release 67. IQ 68 differs from IQ 67 only in that it fixes this issue.
Release 67 (July 2019)
Policy Evaluation Summary in GitHub
Policy evaluation report summaries and a link to the report can now be viewed on GitHub commits and pull requests. See Nexus IQ for SCM for details.
Package URL (purl-spec) Support in Public APIs
The following APIs are extended to support package URL in requests and responses:
- Component Search REST APIs - v2
- Component Evaluation REST APIs - v2
- Component Details REST APIs - v2
- Component Remediation REST APIs - v2
- Violation REST APIs - v2
- Report-related REST APIs - v2
Vulnerability List in the Application Composition Report
The Application Composition report now includes the option to easily see a list of the vulnerabilities that triggered policy violations associated with a given application.
Vulnerability Search
You can now search for and view information about specific vulnerabilities directly from the top navigation bar in IQ Server.
Dropped Support for IE9 and IE10
As of Release 67 IQ no longer provides support for Internet Explorer 9 & 10.
Release 66 (June 2019)
Command to Reset the Admin Account Password and Roles
A new command was added to re-establish the default admin account, including its default password and roles, on a stopped IQ Server.
Package URL (purl-spec) Support in Public APIs
We are rolling out package-URL-based component information access as an alternative to coordinate-based component information retrieval in the REST APIs. The following API is extended to support package URL.
Optional 'Description' Field for Webhook Configurations
The webhook description is displayed in the UI where webhooks can be selected such as the webhook list or the policy editor.
Component Remediation Information added to the Component Information Panel
Component Remediation Suggestions have been added to the Component Information Panel. For components that have policy violations, it will show the next available version that does not violate any policies for the given application, if such a version exists. This will be shown in the Application Composition Report and the IDE plugins.
Release 65 (May 2019)
Policy-centric Application Composition Report
The policy-centric Application Composition Report is no longer in preview mode and has now replaced the previous version of the report. The previous version is still accessible through the link provided in the new UI.
Application Composition Report API - Policy Violations
A new endpoint was added in order to provide policy violations data for a given report. See "Policy Violations by Report REST API (v2)" in Report-related REST APIs - v2.
Component Remediation API - Next Non-failing Remediation Type
Added a new remediation type for the next closest component version that does not trigger any policy violations.
Release 64 (April 2019)
Application Reports as Point-in-Time Data
Existing Application Composition Reports are no longer updated when changes are made in the Component Information Panel. These changes become visible only when the application is re-analyzed (via the re-evaluation button or a new evaluation triggered from CI, CLI, policy monitoring, etc.). This ensures that the reports reflect the state of the application and the policy evaluation results at the time the application was analyzed.
Web UI to Configure Data Retention Policy for Success Metrics
This release completes the data retention and purging feature introduced in release 63 by extending the IQ Server UI with the elements needed to inspect and edit the data retention for Success Metrics.
Component Remediation API
To facilitate automation and customization of component remediation, IQ Server now supports a Component Remediation API. Its first release exposes data similar to the Component Information Panel's version graph in a machine-readable format. The response provides component remediation suggestions for policy violations on a per-component basis.
Release 63 (March 2019)
Data Retention Policies for Automatic Purging of Obsolete Application Reports and Success Metrics
To reduce the disk space consumption of IQ Server, you can now specify data retention policies for application reports and Success Metrics. Reports that these retention policies deem obsolete are automatically purged from sonatype-work/clm-server/report. Likewise, policy violation history that is no longer relevant for Success Metrics is purged from sonatype-work/clm-server/data. Note that automatic purging must be manually enabled after IQ Server has been upgraded to the new version.
Release 62 (March 2019)
Support for Specifying Python Coordinates in Policy Constraints
Users can now specify python (PyPI) component coordinates when configuring constraints in policy management.
Support for Evaluating Java 12 Applications and Components
The application and component evaluation have been updated to support Java 12 bytecode.
Release 61 (February 2019)
Firewall now supports Artifactory repositories. See more in the press release.
Cleanup of Obsolete Scan Files
To reclaim disk space, this release includes a background task that deletes obsolete files from the sonatype-work/clm-server/scan directory. This task runs only once and is scheduled automatically for 11 pm local time after IQ Server has been upgraded. Depending on the number of obsolete scan files in your installation, you might see elevated I/O activity while the files are being removed.
Nexus Firewall Bug Fix
Fixed a bug that resulted in Component IQ not being displayed in Nexus Repository Manager.
Release 60 (February 2019)
Note: Build 1 of this IQ Server release (denoted by 1.60.0-01 in its filename) had a flaw that prevented its startup without a license. If you were quick enough to download this version, please re-download the latest build (1.60.0-02).
Policy Violation Logging
A new policy violation logging feature, which must be explicitly enabled, is now available. It logs its data to a dedicated log file in JSON format. This allows for easy line-by-line parsing for inspection, analysis, and extraction of desired data. It can be enabled/customized in your IQ Server configuration.
Support for Scanning Python Wheel Packages
Python wheel packages are now recognized by the IQ Server, CLI, Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner.
Release 59 (January 2019)
Security-related HTTP Headers
For added security protection against cross-site scripting and other attack vectors, the IQ Server now sets the Content-Security-Policy and X-XSS-Protection HTTP headers.
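An added verification check (not Sonatype's code) for confirming that a deployment actually returns these two headers after the upgrade: it parses a raw HTTP response, reports which of the headers are missing, and flags CSP source lists that would weaken the protection. The sample response is constructed for illustration; its values are not IQ Server's actual header values.

```python
"""Check an HTTP response for the headers IQ Server 59+ sets. Added example
for verifying a deployment; the sample response is constructed, not captured
from a real IQ Server, and its CSP value is purely illustrative."""
REQUIRED = ("Content-Security-Policy", "X-XSS-Protection")
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")

def parse_headers(raw_response):
    """Return {lowercased-name: value} from a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_security_headers(raw_response):
    """Return (missing_header_names, csp_findings) for the response."""
    headers = parse_headers(raw_response)
    missing = [h for h in REQUIRED if h.lower() not in headers]
    findings = []
    csp = parse_csp(headers.get("content-security-policy", ""))
    if csp and "default-src" not in csp:
        findings.append("no default-src fallback directive")
    for directive, sources in csp.items():
        for weak in WEAK_SOURCES:
            if weak in sources:
                findings.append(f"{directive} permits {weak}")
    return missing, findings

# Constructed sample response (values are illustrative, not IQ Server's)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    print(check_security_headers(SAMPLE_RESPONSE))
```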
Release 58 (January 2019)
Support for Evaluating Java 10/11 Applications and Components
The application and component evaluation have been updated to support Java 10/11 bytecode.
Audit Logging for Policy Violation Notifications and Webhooks
Audit logging functionality has been extended to include:
- Sending notifications for policy violations.
- Invoking a webhook.
Python Coordinate-Based Matching for More Clients
Python coordinate detection via the requirements.txt file has been extended from just the IQ Server and CLI to also include the Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner.
Release 57 (January 2019)
Audit Logging for Reporting
Audit logging functionality has been extended to include:
- Viewing repository results.
- Viewing component information panel data.
- Accessing and managing success metrics.
- Accessing dashboard table data.
- Exporting policy violations.
- Searching components.
- Evaluating IDE projects.
- Evaluating individual components via the REST API.
Component Category in CIP
The Component Information Panel has been updated to display the component category identified by Sonatype.
Policy Centric App Report Preview
A new look for the Application Report is being added to IQ that lets users interpret the report in a more policy-centric manner. We call this the Policy Centric App Report, and a preview of this new look is now available alongside the existing reports.
Other Versions
IQ Server release notes are organized by year:
- 2020 Release Notes (82 and up)
- 2019 Release Notes (57 - 81)
- 2018 Release Notes (1.43 - 56)
- 2017 Release Notes (1.25 - 1.42)
- 2016 Release Notes (1.19 - 1.24)
- 2015 Release Notes (1.13 - 1.18)
- 2014 Release Notes (1.12)