Release Notes
We're continuously improving Sonatype IQ Server products and features based on customer feedback. Check out our release notes for detailed descriptions of enhancements for each release.
As a best practice, we recommend that you keep your IQ Server installation up to date, so you can benefit from the latest features and advancements in component intelligence. Download the latest version from the IQ Download and Compatibility page.
If you are upgrading from an earlier version of IQ Server, please see Upgrading the IQ Server.
Release 167 (September 2023)
New Features
Sonatype Repository Firewall offers Guided Setup
The new Firewall Guided Setup simplifies onboarding Nexus Repository Manager (NXRM) repositories to enable users to get started with Firewall in a few easy steps. The automated process guides first-time users to maximize the supply chain protection offered by Firewall by providing configuration recommendations.
Improvements
Embracing Inclusion with Legacy Violations
As part of our inclusive language initiatives stemming from our core value "Embrace Inclusion", we are renaming the feature previously known as Policy Violation Grandfathering to Legacy Violations. Starting with this release, Sonatype Lifecycle uses the term Legacy Violations for policy violations that can be deferred during onboarding and prioritized for remediation later. There is no change in the functionality of this existing feature.
Known Issues
Temporary Distribution Issue with Plugin
Sonatype is actively working to resolve a distribution issue for the nexus-jenkins-plugin. This is a temporary distribution issue and could affect automatic upgrades of the plugin. It does not affect existing installations or the functionality of the plugin.
The latest version of the nexus-jenkins-plugin will be available for download here.
Release 166 (August 2023)
New Features
Analyze SBOMs in SPDX format
Sonatype IQ Server extends its mission to promote open standards for communicating SBOM information by introducing the capability to scan SBOMs compliant with the SPDX® 2.3 standard. Users can also upload SPDX SBOMs (in XML or JSON format) directly, using the Third-Party Scan REST API, for scan and analysis.
Improvements
Horizontal Scaling for IQ Server High Availability Deployments
Starting with this release, IQ Server HA deployments can be configured to auto-scale to match workload demands. This capability uses the native Kubernetes HorizontalPodAutoscaler feature, which deploys more pods in response to increased load and scales back to the configured minimum (2 pods) when the workload decreases. Auto-scaling is disabled by default. Users can configure the thresholds for scaling up in the IQ Server helm chart, based on CPU or memory utilization of the workload.
Exclude devDependencies in poetry.lock for Python analysis
To align with the format changes of poetry.lock file from versions 1.5.1 onwards, we have improved the Python Application Analysis with this release. Sonatype IQ Server will now automatically exclude devDependencies for poetry versions 1.5.1 and higher, provided that pyproject.toml exists and is discoverable.
Lifecycle Dashboard Pagination
The UX enhancements to paginate all tabs of the Lifecycle Dashboard are complete with this release. Users can navigate across multiple pages to browse all policy violations, components, applications, and waivers that are relevant to the applied filter. This improvement removes the previous limit of viewing only 100 rows of data on the dashboard.
Error Messages for Remediated Vulnerabilities
We have revised the error message that was shown when a previously reported policy violation no longer exists (because the vulnerability has been remediated). The revised message indicates the updated vulnerability status and prompts the user to run a new scan to detect the latest violations.
Notable Bug Fixes
Fix for SCM Bulk Import
This release fixes an issue with SCM bulk imports that caused IQ Server to stall at certain instances while performing multiple imports.
Client-side Timeouts Due to Slow Response Times
Improved performance of Sonatype IQ Server for better response times, compared to version 165.
Inconsistency in Waiver Visibility
Fixed discrepancies in waiver visibility across the Policy Violations table, the Waivers for Violation table, and the scan report pages.
Fix for Clair and Conda Application Analysis
Fixed an issue with the application scan report when scanning clair-scanner-output.json together with other metadata files (conda.txt).
Error in Integrating IQ Server with Firewall for Artifactory
Fixed an HTTP 401 error that occurred during integration of IQ Server with Firewall for Artifactory.
Fix for Policy Violation REST API
Fixed an issue with Policy Violation REST API that did not show displayName for Component-Unknown violations in the API response.
Line Comment Links in Bitbucket PRs
Fixed broken links generated in line comments in Bitbucket PRs.
Track Resolved Issues
Click here to see resolved issues in this release.
Release 165 (July 2023)
Sonatype has become aware of a critical issue with Sonatype Nexus Repository versions 3.57.0 and 3.58.0 impacting deployments that use Sonatype IQ Server (Repository Firewall). The known issue may allow unintentional download of quarantined components.
If you are on OrientDB and using Sonatype IQ Server (Repository Firewall), please upgrade to Sonatype Nexus Repository version 3.57.1 or 3.58.1 instead.
New Features
Generate SBOMs in SPDX format
Sonatype IQ Server extends its mission to promote open standards for communicating SBOM information by generating SBOMs compliant with the SPDX® 2.3 standard. The new SPDX REST API generates SBOMs in both XML and JSON output for all supported component formats. Users can also generate the SBOM (in JSON format) from the Application Scan Report page.
ALP Expanded Observed License Detection Coverage
Using the Advanced Legal Pack (ALP), users can now detect observed licenses for open-source components in all supported ecosystems (Maven, npm, NuGet, PyPI, RubyGems, RPM, and Composer). New installations of Sonatype IQ Server (version 165 and up) support the detection of observed licenses by default. Existing installations that upgrade to release 165 or later can enable this capability with the alpObservedLicenseDetectionEnabled property of the Configuration REST API.
Improvements
Waiver Requests Webhook
This improvement reduces the manual effort of copying and sharing the curl command (containing the specific violation details to be waived) with a designated approver. Users can now configure a webhook for the Waiver Request event. Once configured, clicking the Submit button on the Request Waiver page triggers the webhook, so the waiver request is sent automatically.
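The approver side of this flow is a service that receives the Waiver Request webhook, and the first thing that service should do is check that the delivery really came from the IQ Server before acting on it. The following is an added example of such a receiver, not Sonatype's code and not part of these release notes. It assumes Sonatype's webhook signing convention (a hex-encoded HMAC-SHA1 of the raw request body under the X-Nexus-Webhook-Signature header, keyed with the secret configured on the webhook); verify the header name and algorithm against your server's webhook documentation. The route path, listening port, secret value and the payload handling are assumptions, and the payload is treated as opaque JSON because the field layout of the Waiver Request event is not described here.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Secret key configured on the IQ Server webhook (constructed placeholder).
WEBHOOK_SECRET = b"replace-with-the-webhook-secret-key"
# Header name assumed from Sonatype's webhook signing convention.
SIGNATURE_HEADER = "X-Nexus-Webhook-Signature"


def compute_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA1 over the raw request body (assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def signature_is_valid(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison so a forged delivery cannot be tuned byte by byte."""
    if not presented:
        return False
    return hmac.compare_digest(compute_signature(secret, body), presented.strip())


def parse_waiver_request(body: bytes) -> dict:
    """Decode the JSON payload. The Waiver Request field layout is not given
    in the notes, so only the top-level object shape is validated here."""
    payload = json.loads(body.decode("utf-8"))
    if not isinstance(payload, dict):
        raise ValueError("webhook payload must be a JSON object")
    return payload


class WaiverRequestHandler(BaseHTTPRequestHandler):
    # Hypothetical route; use whatever path you register as the webhook URL.
    ROUTE = "/hooks/waiver-request"

    def do_POST(self):
        if self.path != self.ROUTE:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # Reject anything not signed with our secret before parsing it.
        if not signature_is_valid(WEBHOOK_SECRET, body, self.headers.get(SIGNATURE_HEADER)):
            self.send_error(401, "bad webhook signature")
            return
        try:
            payload = parse_waiver_request(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        # Hand the request to the approver workflow (placeholder: log it).
        self.log_message("waiver request received: %s", json.dumps(payload)[:200])
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to localhost only; terminate TLS in front of this for real use.
    HTTPServer(("127.0.0.1", 8080), WaiverRequestHandler).serve_forever()
```

Verification happens over the raw bytes, before JSON decoding, so that a request with a bad signature never reaches the parser, and the comparison uses hmac.compare_digest rather than == so its timing does not depend on how many leading bytes match.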
Lifecycle Dashboard Pagination
This release starts our UX enhancements to paginate all tabs of the Lifecycle Dashboard. The Violations tab view will now be paginated and display more rows with fewer clicks to browse results.
Firewall Quarantine Message
A new property, quarantinedItemCustomMessage, added to the Configuration REST API enables AppSec teams to set meaningful remediation messages or directives for developers when a component is quarantined by Sonatype Repository Firewall. When set, the custom quarantine message is shown to developers at the command line when they request components.
This feature requires Sonatype Nexus Repository 3.58.1 or above.
Easy Search and Discovery of Repositories
The Repository Manager interface now shows repositories logically grouped under the Repository Manager to which they belong. Two new filters, for repository name and component format, allow targeted searches to locate the required repository. The interface includes an additional field, enablement, to indicate which Firewall protection features are enabled for each repository.
Customizable Names for Repository Manager
A Repository Manager can be renamed from its pre-assigned UUID to an identifiable, user-friendly name that is visible throughout the Lifecycle and Firewall instances.
Notable Bug Fixes
Error Messages in Export Logs
Error messages generated in export logs during database migrations have been modified to indicate the exact root cause, for easier resolution of export errors.
Release 164 (June 2023)
Improvements
Improved Support zips for Better Troubleshooting
The support zips now include the customer-side configuration for reverse proxy authentication, a crucial parameter when troubleshooting unexpected behavior such as broken links and caching problems, as well as general issues such as performance, scalability, and availability of Sonatype IQ Server.
Notable Bug Fixes
OOM Errors Related to Evaluation of Proprietary Components Naming Patterns
This release resolves out-of-memory and other database memory management issues that occurred when the IQ Server evaluation processes encountered a large number of similarly named proprietary components.
Misconfiguration of Waived Components Upgrade Feature
This release fixes an IQ Server upgrade issue with release 163 that caused the Waived Component Upgrade Feature to be disabled, even if it was enabled previously.
Release 163 (June 2023)
Improvements
Improved Identification of Conan Dependencies
Analysis of the conaninfo.txt file no longer shows duplicate dependencies that were previously referenced in both the “requires” and “full_requires” sections. Dependencies under the “full_requires” section take precedence over those under the “requires” section and will be excluded to avoid duplication.
Eliminated Duplicates in SBOM
Scanning binaries that contain components with the same coordinates, but different hashes could lead to duplicates in the SBOM. The SBOM generation for all supported ecosystems has been improved to avoid such duplicates that resulted in invalid SBOM files.
Extended the Inclusion of Wildcard Characters in IQ for SCM
This improvement ensures that Sonatype (Nexus) IQ for SCM is compatible with all wildcard characters used in markdown across the supported developer platforms. This fixes the issue of malformed pull request (PR) layouts when wildcard characters are encountered.
Notable Bug Fixes
SCM Database Errors
This release resolves a duplicate primary key error condition that occurred in the Sonatype IQ Server database due to an incompatibility in handling case sensitivity across platforms, specifically GitHub.
Gateway timeouts for ALP Attribution Reports
This release includes major performance enhancements to Advanced Legal Pack (ALP) Attribution Reports to avoid gateway timeouts when retrieving data for reports containing a large number of components.
Fixed pathnames in IQ Webhook payload
This release fixes a payload issue with the IQ Webhook for Application Evaluation that is triggered by the Violation Alerts event.
Fix for CycloneDX REST API
The response of the CycloneDX REST API now includes a predefined parent component name as a placeholder in the metadata section if the application evaluation report does not contain any project data.
Release 162 (June 2023)
New Features
Waived Components Upgrade
This release gives users the ability to configure Lifecycle to monitor waived components from the System Preferences menu. The Upgrade Available indicator on the Waivers dashboard shows when the Sonatype Research Team recommends a safe-to-use version of the component. Users can remediate the violation by upgrading to the recommended component version and removing the waiver.
Configure Waived Component Upgrade Feature using REST API
A new property, waivedComponentUpgradeMonitoringEnabled, provides the added flexibility of configuring your Lifecycle instance for Waived Component Upgrades using the Configuration REST API.
Improvements
Support for Evaluating Java 19 and Java 20 Applications and Components
Application and component evaluation have been updated to support Java 19 and Java 20 bytecode.
Reports REST API Supports New Query Parameters for Retrieving Scan Report History
The Reports REST API now supports two new query parameters, stage and limit. Users can retrieve scan reports for a specific stage and limit the number of reports returned by specifying how many of the most recent reports they want.
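The three SBOM-related capabilities in these notes, uploading an SPDX document for analysis through the Third-Party Scan REST API (release 166), generating an SPDX SBOM through the SPDX REST API (release 165), and listing reports with the stage and limit parameters (this release), fit together as one pipeline step: submit a supplier's SBOM, wait for the evaluation, then pull the most recent report for that stage and archive the SPDX that IQ Server generates for it. The following is an added example that does this, written for this page and not Sonatype's own code. It assumes Basic authentication with a user:token pair, the endpoint shapes /api/v2/scan/applications/{appInternalId}/sources/{source}?stageId=..., /api/v2/reports/applications/{appInternalId} and /api/v2/spdx/applications/{appInternalId}/reports/{reportId}, that the scan submission returns a JSON body with a statusUrl which answers 404 until the evaluation finishes, and that each report entry carries a reportDataUrl containing the report id; the server URL, credentials and application id are constructed placeholders.

```python
import base64
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Constructed placeholders: point these at your own IQ Server and application.
IQ_URL = "http://iq.example.internal:8070"
AUTH = "svc-sbom:api-token"          # Basic auth as user:token (assumption)
APP_INTERNAL_ID = "app-internal-id"  # the application's internal id


def _call(method, path, body=None, content_type=None, accept=None):
    """Minimal urllib wrapper returning (HTTP status, raw body bytes)."""
    req = urllib.request.Request(IQ_URL + path, data=body, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(AUTH.encode()).decode())
    if content_type:
        req.add_header("Content-Type", content_type)
    if accept:
        req.add_header("Accept", accept)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def sbom_content_type(sbom: bytes) -> str:
    """SPDX may be uploaded as XML or JSON; sniff the document instead of
    trusting a file extension, so a tag-value or mislabelled file is rejected
    before it is sent."""
    first = sbom.lstrip()[:1]
    if first == b"{":
        return "application/json"
    if first == b"<":
        return "application/xml"
    raise ValueError("SBOM is neither a JSON object nor an XML document")


def scan_path(app_internal_id: str, source: str, stage: str) -> str:
    # Assumed shape of the Third-Party Scan REST API endpoint.
    return (f"/api/v2/scan/applications/{app_internal_id}/sources/{source}"
            f"?stageId={urllib.parse.quote(stage)}")


def reports_path(app_internal_id: str, stage: str, limit: int) -> str:
    # The stage and limit query parameters added to the Reports REST API.
    return (f"/api/v2/reports/applications/{app_internal_id}"
            f"?stage={urllib.parse.quote(stage)}&limit={int(limit)}")


def report_id_from(report: dict) -> Optional[str]:
    """Pull the report id out of a Reports REST API entry (assumed to carry a
    reportDataUrl of the form .../reports/<id>/...)."""
    match = re.search(r"/reports/([^/]+)", report.get("reportDataUrl", ""))
    return match.group(1) if match else None


def upload_sbom_and_wait(sbom: bytes, stage: str = "build", source: str = "spdx-upload",
                         poll_seconds: int = 5, max_wait: int = 900) -> dict:
    """POST the SBOM, then poll statusUrl until the evaluation completes."""
    status, body = _call("POST", scan_path(APP_INTERNAL_ID, source, stage),
                         body=sbom, content_type=sbom_content_type(sbom))
    if status not in (200, 202):
        raise RuntimeError(f"scan submission failed: HTTP {status} {body[:200]!r}")
    status_url = "/" + json.loads(body)["statusUrl"].lstrip("/")
    deadline = time.monotonic() + max_wait
    while time.monotonic() < deadline:
        status, body = _call("GET", status_url, accept="application/json")
        if status == 200:
            return json.loads(body)
        if status != 404:  # 404 is assumed to mean "still evaluating"
            raise RuntimeError(f"status check failed: HTTP {status}")
        time.sleep(poll_seconds)
    raise TimeoutError("evaluation did not finish within max_wait")


def fetch_latest_spdx(stage: str = "build") -> bytes:
    """List only the newest report for the stage (limit=1) and download the
    SPDX document generated for it (SPDX endpoint path is an assumption)."""
    status, body = _call("GET", reports_path(APP_INTERNAL_ID, stage, 1), accept="application/json")
    if status != 200:
        raise RuntimeError(f"report listing failed: HTTP {status}")
    reports = json.loads(body)
    report_id = report_id_from(reports[0]) if reports else None
    if not report_id:
        raise RuntimeError("no report found for stage " + stage)
    status, spdx = _call("GET", f"/api/v2/spdx/applications/{APP_INTERNAL_ID}/reports/{report_id}",
                         accept="application/json")
    if status != 200:
        raise RuntimeError(f"SPDX download failed: HTTP {status}")
    return spdx


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # path to the supplier's SPDX file
        print(json.dumps(upload_sbom_and_wait(fh.read()), indent=2)[:500])
    with open("latest.spdx.json", "wb") as out:
        out.write(fetch_latest_spdx())
```

Sniffing the document rather than the extension matters because SPDX also has a tag-value text form, which the notes say is not accepted; the example fails fast on it instead of sending it and waiting for a server-side error. The poll loop treats any status other than 200 or 404 as a hard failure so that a revoked token or a deleted application does not turn into a silent timeout.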
UI Improvements for Navigating N-Level Hierarchy
This release contains UI improvements related to window sizing and resolution for navigating multi-level organizations and linked dependent applications.
Default Branch Monitoring Cycle
We have improved the execution cycle of Default Branch Monitoring to prevent unnecessary exits on encountering errors.
Compatibility with Chrome Updates
Compatibility with the latest Google Chrome versions is now up to date.
Notable Bug Fixes
Truncation of Support Log Files
This release fixes an issue in the support zips generated by customers that caused truncation of a few log files.
Filter Behavior on ALP application page
The filter on the Advanced Legal Pack (ALP) application page now resets contextually when navigating to a new application.
Submit button on Source Control Monitoring page
The text on the old “Submit” button on the Source Control Monitoring (SCM) configuration page now reflects the exact action, “Create” or “Update”, depending on whether a new SCM configuration is being created or an existing one modified.
LDAP username authentication
The authentication exception related to an LDAP naming error, which caused session timeouts for IQ Server in multi-realm authentication environments, has been fixed.
Scanning Unknown Components using Maven plugin
This release fixes the incorrect identification of unknown dependencies, which were previously being reported as coming from a package manifest.
Error due to Non-English Characters
The internal server error that occurred when downloading an application report containing non-English characters has been resolved.
Fix for Incorrect License Violations
This release fixes an issue with the parsing of npm components that caused the application composition report to show incorrect license violations.
Release 161 (May 2023)
New Features
Introducing Sonatype Lifecycle and Sonatype Repository Firewall
We are updating our product names and logos for a new, refreshed look. This release unveils brand-new logos for our new product names Sonatype Lifecycle (previously Nexus Lifecycle) and Sonatype Repository Firewall (previously Nexus Firewall).
Customizable Security Vulnerability Attributes
This release offers the flexibility to customize Sonatype vulnerability data. Security experts can use the new "Customize" feature to edit the CWE-ID, CVSS vector string, severity, and remediation instructions for any vulnerability, in line with their company's security regulations. The customized vulnerability data can be used to build constraints for Lifecycle policies and helps with prioritizing remediation.
Vulnerability Custom Attributes REST API
The new Vulnerability Custom Attributes REST API (experimental) extends the ability to customize the vulnerability data, beyond the UI. The custom vulnerability data can be used to build policy constraints in Lifecycle.
Move Organizations
This feature allows users to move an organization, including its dependent organizations and applications to a new branch in the hierarchy. Using this feature, users can also transform an existing single-level organization hierarchy into an N-Level hierarchy, without having to recreate the entire organization structure in Lifecycle.
Improvements
Vulnerability Details REST API Enhancement
The Vulnerability Details REST API includes an additional response field, customData, that returns the user-customized vulnerability attributes.
PUT method in Organizations REST API
The new PUT method in the Organizations REST API can be used to change an organization's parent and transform the hierarchy to N-level, identical to the Move Organizations feature.
Automatic Commit Feedback for SCM
The Source Control Configuration section now allows SCM users to turn the Automatic Commit Feedback feature off. The feature was previously enabled by default; users can now disable it when importing a large number of applications, to avoid hitting SCM rate limits.
Quarantined Component Report in Firewall
Users can configure the expiration time of the Quarantined Component Report in Firewall using the quarnatinedComponentReportExpirationTimeInHours property in the Configuration REST API - v2. Setting a longer expiration time (the default is 12 hours) allows more time for users to process requests, such as releasing components from quarantine, that are based on the information in this report.
Hosted Repositories
Users can now view all hosted repositories for which namespace confusion protection is enabled.
Prevent unintended build failures in IQ CLI
Users can now set the --ignore-scanning-errors switch in the IQ Command Line Interface (CLI). This prevents the CLI from scanning invalid files in the target codebase and causing build failures.
Notable Bug Fixes
Fix for SCM URLs
This release fixes an issue with SCM URLs that occurred during importing applications.
Fix for Forwarded HTTP headers
This release resolves errors occurring with forwarded HTTP headers when used with a reverse proxy.
Fix for Repository Policies
This release resolves the error that occurred with viewing policies at the Repositories level.
Release 160 (April 2023)
Improvements
Search for Quarantined Components in Firewall
Users can search for a specific component quarantined by Firewall by entering the component name in the new filter in the Components column. This helps locate the component quickly, without having to look for it in paginated lists that could run across multiple pages.
Settings for Sonatype IQ Server Base URL
Admins now see a warning message on the Lifecycle homepage when the base URL for IQ Server has not been set in the configuration settings. Configuring the base URL for IQ Server is now easier and more accessible via the System Preferences menu in the UI.
Performance of SCM System Scans
We have improved the scanning performance of applications in Source Control Monitoring (SCM) systems by first checking whether pull request commenting (PR commenting) has been disabled for the specific SCM configuration. This allows the Lifecycle scan calls to return early, without consuming system resources.
Graceful Shutdown of Nodes
This release improves the node shutdown process of IQ Server in cluster environments and prevents IQ Server outages.
Notable Bug Fixes
Fix for Promote Scan REST API
This release fixes an issue with the scan reports generated after using the Promote Scan REST API - v2. Container scan reports now reflect the scan results.
User Group Searches for LDAP and SAML
The "Associate Group" search option is now displayed if group search is disabled for LDAP, even if SAML is enabled.
Database Migration Issues
This release fixes errors that occurred during migration from the H2 database to an external PostgreSQL database for certain installations.
Release 159 (April 2023)
New Features
Waived Component Upgrades
This release offers users the ability to configure Lifecycle to monitor for waived components.
(Note: This feature has undergone major improvements in release 162. We recommend upgrading to release 162 to derive maximum value.)
Sonatype IQ Server HA General Availability
Sonatype IQ Server for High Availability (HA), previously launched with release 155 for limited access, is now available to all customers.
Improvements
Searching for Orgs and Applications in N-level Hierarchy
Users can navigate to a specific organization or application by entering its name in the search filter located in the tree view showing the inheritance hierarchy. This improves navigation of complex N-level hierarchies with fewer clicks.
Tooltips for Orgs and Applications
Tooltips now appear in the filter search results when hovering over the titles of organizations and applications in the navigation sidebar. Data such as the name of the parent organization, the number of sub-organizations linked to the parent, and the total number of applications contained in the selected organization are readily visible in these tooltips.
Flexibility to Control Namespace Confusion Protection
Users can disable namespaces for the namespace confusion protection feature to unblock components of specific hosted public repositories, if this protection is causing unnecessary blockers in the development cycle.
Improved UI to show Quarantined Components
We have improved the UI for Firewall users to clearly indicate policy violations due to quarantined components and other allowed versions of the quarantined component.
Improved UI for SCM Integrations
Threat levels of fixed policy violations are now included in the pull request comments.
GitLab Token Validation
This release improves the validation process of GitLab access tokens while setting up SCM integrations.
User Ownership for CLI scans
The scan_results.json file generated during a container scan is now owned by the invoking user instead of the root user.
Updated UI for Vulnerability Lookup
We have renamed the Vulnerability Search entry in the left navigation bar to Vulnerability Lookup.
Release 158 (March 2023)
Improvements
Override Policy Notifications
Users will now be able to override policy notifications for inherited policies. Using this option, it is possible to change the pre-configured policy notification settings for the desired DevSecOps pipeline stage. This improvement also offers the flexibility of changing the recipient type and recipient emails, if applicable, from what was set at the parent level.
Extended Support for SAML Users and Groups
We have extended support for SAML users and groups so that they are discoverable via searches in the UI. SAML users and groups are now accessible from the UI to set up access control, assign as application contacts, and receive role notifications. Note that SAML users and their associated groups must log in to this or a later release at least once before they become discoverable.
Clone Repositories using SSH Protocol
This release allows using the SSH protocol in Automatic Source Control Monitoring (SCM) configuration when cloning a repository. The repository clone URL is now correctly derived and displayed in the SCM UI. This is currently supported for the cloud versions of SCMs only.
Support Long Passwords for Jira Integrations
We have updated our backend to accommodate the increased length of Atlassian API tokens. This resolves the error about passwords exceeding 255 characters when setting up Jira configurations.
Notable Bug Fixes
IQ CLI Exceptions for Empty NuGet Manifests
The IQ Command Line Interface (CLI) scan now continues with warnings, instead of throwing exceptions, when it encounters empty NuGet manifests.
Firewall Exception for Unknown Quarantined Components
This release handles the null pointer exception that was thrown when attempting to load unknown components that are quarantined.
Default Branch Monitoring
This release fixes issues with default branch monitoring that affected release 156. Default branch monitoring is now fully functional.
Release 157 (March 2023)
This release did not meet the critical product acceptance criteria and will not be made available.
Release 156 (February 2023)
New Features
Launching N-Level Organization Hierarchy
Sonatype IQ Server now supports a multi-level hierarchical model for Orgs and Policies. Users will now have the flexibility to set up organizations at different levels (n levels) of hierarchy, to mimic their company's organizational structure and business units. We have introduced a new left navigation bar that lets users manage the Orgs and Policies configured at different levels of the hierarchy. Users can utilize the N-level Org model to create context-sensitive policies and remediation steps that apply locally to their domain.
Improvements
Namespace Confusion Protection Status for Repositories
Users can now view the proprietary namespaces from hosted repositories for which namespace confusion protection is enabled. This gives better visibility into scenarios where the download of certain OSS components is blocked due to policy violations related to dependency confusion.
Improved Sorting for Repositories
This release includes secondary sorting of the results displayed on the Repositories and Repository Results pages.
Clean up of Older Scan Files
We have modified the behavior of the purgeScanFiles property of the Configuration REST API - v2. Setting the purgeScanFiles property to null now also cleans up the retained older scan files, in addition to pausing the retention of new scan files.
Policy Violation Fixes
To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and current security posture, components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks from our internal policy violations:
Fix for SONATYPE-2023-0962
SONATYPE-2023-0962, Sonatype Discovered February 15, 2023, High Risk, Severity 7.5
Resolution: Upgraded to the non-vulnerable version 3.28.0 of the component core-js-pure.
Notable Bug Fixes
Abnormal Disk Usage and Wait Times
This release fixes an issue with application evaluations that take longer than a few minutes to complete. We have optimized memory and performance parameters for IQ Server to support long-running evaluations.
Release 155 (February 2023)
This release fixes issues in the previous release 154.
Users facing issues with release 154 installations should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 155 and skipping release 154.
Emergency Bug Fix Release
Release Summary
This release includes all features, improvements, and notable bug fixes of release 154.
Release 154 (February 2023)
New Features
Launching Sonatype Lifecycle High Availability
Starting with this release, users can configure Sonatype Lifecycle for High Availability (HA). Currently offered on AWS and on-premises, HA installations enable recovery from failures or disruptions with near-zero downtime.
Improvements
Sorting results in Repository Results View
Users can now run a multi-column sort in the Repository Results View to retrieve the most relevant repository details.
SBOM with Richer Metadata
The SBOM generated from the CycloneDX REST API - v2 now includes the vendor and software name (Sonatype and the Sonatype IQ Server version). This additional information improves the quality of SBOMs generated using this REST API.
Improved Persistence for Filters
We have improved persisting and resetting filter values to match the navigation steps to and from the Reports view page.
Improved Release Integrity for Maven
We have added malicious component protection for Java (Maven). All Next-Gen Firewall users might experience blocking of the latest versions of Maven artifacts. Blocking of these components continues until Next-Gen Firewall determines they are safe for your development pipelines.
Notable Bug Fixes
Test Configuration for SCM
This release fixes an issue related to the “Test Configuration” button being disabled while setting up an SCM configuration.
Advanced Search Results
The grouping of results obtained on running the Advanced Search REST API - v2 is now consistent, regardless of the value specified for pageSize in the search query.
Overriding Component License in Firewall Repository
This release fixes an HTTP 400 response that occurred while overriding a component license.
Release 153 (January 2023)
Improvements
npm Application Analysis includes development dependencies and optional dependencies
This release offers users better control over running an npm Application Analysis. Using POST and DELETE requests, users can enable or disable scanning of development dependencies and optional dependencies in the manifest and lock files of JavaScript packages.
Performance Improvements to the Sonatype Firewall
Users with large repositories of OSS components will experience a marked improvement in loading times of the Firewall Repository Results page.
Refined Search Relevance for Sonatype Firewall Repository Results Page
The Repository Results search-by-component functionality is now more responsive and lets users search by specifying multiple component coordinates.
Upgraded UI Elements
This release marks our shift to the React framework. In addition to performance benefits, the new UI offers a general overhaul and simplicity of use, while maintaining the familiar user experience.
Notable Bug Fixes
GitLab URLs for SCM Onboarding
This release fixes an issue associated with the context path while importing GitLab applications. Users can now import GitLab applications into Sonatype Lifecycle by specifying the complete context path in the GitLab URL of their applications.
Attribution Report Fix on Legal Dashboard
Attribution reports generated for applications containing unknown components no longer trigger a 404 error. Such reports are now displayed as empty reports with no data.
Release 152 (January 2023)
New Features
New experimental REST API to add custom security vulnerability groups
Users can use the Vulnerability Groups REST API (experimental) to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid risk management and remediation. This should be used only in the few edge cases where policy should be tied directly to a class or group of vulnerabilities. Refer to Policy Constraints for more information.
New Experimental Call Flow Analysis
Sonatype IQ CLI now includes experimental flags that will enable call flow analysis on application scans. Once the scan completes, the CLI will automatically apply a "Security-Reachable" label on any component that has a vulnerability with reachable code. Users are free to create a policy around this label to aid in prioritization and remediation.
Improvements
Updated Firewall Repository Results and Repository Component Details Page
The Repository Results and the Repository Component Details Page have been re-designed and updated. The view delivers meaningful insights into violation counts, component identification, and quarantined components with improved filtering, pagination, and UI.
Support to build more granular security Policies using Security Research Type
This release offers an option to set policy conditions that check whether a component has undergone Fast Track or Deep Dive research. See Policy Constraints and Conditions for more information.
Verify the authenticity of the Sonatype IQ Docker image with Docker Content Trust
Docker image consumers can now use the trusted, signed Sonatype IQ Docker image, which is available for inspection on Docker Hub.
Repository Waivers View on Dashboard
The Waivers View on the Dashboard includes Repository waivers.
Performance enhancements to Repositories Results View
The repository results view now has better support for pagination and filtering. These changes should improve the performance of this page for large repositories.
Waive all versions of a component with Root Org Scope
A waiver applied to one version of a component can now be applied to all future versions of that component for the 'Root Organization' scope.
Environment variables for Sonatype Container Scanning are optional
Setting environment variables for Sonatype Container Scanning with Sonatype Lifecycle is optional. Refer to the Sonatype Container Scanning page for the default values.
New configuration setting for deletion of Scan Files
Users can choose to retain or delete older scan files using the purgeScanFiles property of the Configuration REST API - v2. Older scan files that are retained can be promoted to other stages using the Promote Scan API - v2.
New configuration setting for Automatic Quarantine Release scheduling
Users can choose how often Automatic Quarantine Release is scheduled to run using the property automaticQuarantineReleaseTimeIntervalInMinutes for Configuration REST API - v2. By default, it is now set to run on an hourly basis.
New labels to highlight specific vulnerabilities in Violations Details
Violation details contain two new labels: Deep Dive (indicates that the vulnerability data includes Sonatype-researched details and recommendations) and Advanced Vulnerability Detection (indicates that the vulnerability was detected in an embedded dependency).
Release 151 (December 2022)
Improvements
Data Architecture Improvements
This release offers improvements to the existing data architecture for Nexus IQ Server and HDS. The changes in data organization will prevent database locking issues due to concurrent transactions on shared resources.
Bug fixes
Advanced Legal Pack REST API error
This release resolves the internal server error that occurred when using long report template names (>250 chars.) for attribution reports while using the GET method for License Legal REST API - v2.
SBOM generation exception
This release handles the null pointer exception that was thrown when attempting to generate an SBOM from an evaluation report that did not contain any components.
Release 150 (November 2022)
New features
Nexus Lifecycle now offers Experimental Data Insights
Use Experimental Data Insights to view open-source governance behavior for your organization. Click Data Insights in the left navigation bar to get started. Analyses from Data Insights uncover open-source component usage patterns across your organization.
Data Insights currently offers:
- Migration Scorecard, a visual representation of component upgrade decisions made by your Java development teams.
- Stack Divergence, industry-wide comparative analysis of the popularity of components in your technology stack.
- Nudges and Anomalies, key indicators of your platform usage. These indicators reveal patterns and trends used in the remediation processes across your organization.
Improvements
Updates to Nexus Container Scanning with Nexus IQ CLI
Scanning local images does not require providing environment variables.
To scan remote images, the user now has to provide only these variables:
- NEXUS_CONTAINER_IMAGE_REGISTRY_USER
- NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
Bug fixes
Fix to successfully scan files with Byte Order Mark (BOM)
Nexus IQ Server can now successfully scan files containing the special unicode character, BYTE ORDER MARK.
Minor UI fixes
This release covers minor UI fixes like typos and the usage of tooltips to display long component names that appeared truncated otherwise.
Policy violation fixes
To maintain and improve stability and security, we continually scan all Nexus products and applications internally for vulnerabilities. To keep our security posture strong and current, components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks raised as internal policy violations:
Fix for CVE-2022-41946
CVE-2022-41946: public on November 23, 2022, Medium risk, Severity 6.3
Resolution: Upgraded to non-vulnerable component version org.postgresql:postgresql 42.5.1
Fix for SONATYPE-2022-4344
SONATYPE-2022-4344: Sonatype discovered on November 22, 2022, Medium risk, Severity 4.7
Resolution: Upgraded to the non-vulnerable component version autolinker 3.16.1 and introduced validations in the code base to verify the trusted source of inputs to the component.
Find out more about Sonatype Vulnerability Data.
Release 149 (November 2022)
New features
Enabled Scanning of pom.xml META-INF directory
A change in release 142 to manifest scans ignored pom.xml files located inside a META-INF directory. In most cases (specifically for uber/shaded archives), such a pom.xml does not represent the manifest file for the target application being scanned. This release offers a new configurable option to enable scanning of pom.xml files in META-INF for the rare scan targets where they do contain the manifest.
Improvements
Performance Tuning for Attribution Reports
The Advanced Legal Pack (ALP) uses complex automated processes to generate attribution reports. Retrieving data for multiple applications containing hundreds of components can cause high query times. We have optimized our queries and API calls resulting in improved query statistics for attribution reports.
Nexus Lifecycle Dashboard Improvements
With this release we continue our improvements to the performance of underlying queries for the Dashboard page, to offer a fast and comprehensive risk profile of your applications.
Bug fixes
Fix for Expiration Date on Waivers Dashboard
Selecting x days for the Expiration Date filter on the Nexus Lifecycle Waivers Dashboard showed expired waivers in addition to the waivers meeting the filter criteria, i.e. those expiring within x days. This release fixes the expiration date filter to show only waivers expiring within x days.
Fix for Forced Idle Timeouts
For Nexus IQ Server release 132 and higher, idle timeouts affected only the native implementation, while users were still able to navigate the UI. With this fix, Nexus IQ Server now forces the user to log out after 30 minutes of inactivity.
Fix for User Emails Tooltip
A tooltip displaying the email address of users (from LDAP) on the New Role page under Add a Role had stopped appearing in Nexus IQ Server release 143 and later. This has now been fixed.
Policy violation fixes
To maintain and improve stability and security, we continually scan all Nexus products and applications internally for vulnerabilities. To keep our security posture strong and current, components used by our development teams are continually scanned and compared against our proprietary advanced vulnerability detection systems. This section lists the component upgrades made to mitigate or remediate risks raised as internal policy violations:
Fix for CVE-2022-1415
CVE-2022-1415 (drools): public on October 27, 2022, Medium risk, Severity 6.8
Resolution: Updated drools to 7.73.0.Final
Release 148 (October 2022)
Emergency Bug Fix Release
This release fixes major bugs in the previous release 147.
Users facing issues with release 147 installations should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 148 and skipping release 147.
Bugs fixed in this release include:
- Waiver migrator fails when upgrading to version 147 if "expired" waivers are found.
- Clicking on the Export Waivers Data button causes internal server error.
This release includes memory usage optimization to improve the performance of Nexus Lifecycle Dashboard and its related export feature.
Release 147 (October 2022)
Warning
Release 147 contains some issues. Upgrading to this version is not recommended. Please upgrade to release 148, coming soon.
Waivers View on Dashboard
This release offers a new addition to Nexus Lifecycle Dashboard, the Waivers View. Policy waivers will now be readily available for review on the dashboard. Users can access waivers specific to their needs by creating customized filters for the dashboard. The drill-down capability on each waiver in this list offers a more granular view of the waiver. The Export Waivers Data button generates a .csv file populated with all the waivers data that is retrieved based on the dashboard filter settings.
Policy Waiver REST API enhancement
The Policy Waiver REST API - v2 can now retrieve details on a single waiver by passing the policyWaiverID in the GET method.
Notable fix for SAML authentication
This release fixes an issue with SAML authentication, that prevented Nexus IQ Server from correctly identifying group names containing commas.
CycloneDX REST API improvement
We have refactored CycloneDX REST API - v2 to include the dependency graph in SBOM, per CycloneDX specification. This is supported for CycloneDX versions 1.2 and higher.
Release 146 (October 2022)
Maintenance Release
This release offers minor bug fixes and general UI improvements.
Some of these include:
- Validations for empty (zero-length) strings in text fields
- Addition of tooltips
- Explanatory error messages for user inputs like invalid dates
- Resolution of 404 error for the Data Insights feature
- Intuitive label names
Experimental feature flags deprecated in config.yml: experimentalFeatures setting in config.yml is no longer referenced. For older versions of IQ server, this configuration setting will have to be deleted from config.yml. We strongly recommend using Configuration REST API - v2 to update the configuration settings for IQ Server 142 and above, instead of config.yml.
Release 145 (October 2022)
Performance improvements in Advanced Legal Pack Attribution Reports
Attribution reports from the Advanced Legal Pack (ALP) provide comprehensive access to more than 90% of OSS obligations. We have streamlined our data retrieval processes to generate these complex and data-intensive reports, faster. This will reduce the possibility of session time-outs that could occur while generating attribution reports for multiple and large applications.
Notable bug fix in recent releases
Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from release 142 and above are now ignored during a manifest scan.
Release 144 (September 2022)
View all affected version ranges of an implicated component
The Vulnerability Details page contains a new section that lists all affected version ranges of the implicated component. This will help users recognize different versions of an implicated component, which could also have security vulnerabilities.
Improvements to Nexus Platform Plugin for Jenkins for auto-creating new applications
To evaluate a new application that has not been onboarded to IQ Server using the Nexus Platform Plugin for Jenkins, users can now provide an additional parameter, organization-id, for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.
Targeting peak performance for policy evaluations
As a result of our code optimization efforts, this release offers significantly faster policy evaluations. We have eliminated performance bottlenecks that occurred in scenarios with hundreds of concurrent users and complex policy evaluations.
Release 143 (September 2022)
Search for vulnerabilities by any known ID
Users can look up vulnerability details by entering any known vulnerability ID from the vulnerability lookup page or Vulnerability Details REST API - v2. Vulnerability ID could be a Sonatype ID (assigned by Sonatype researchers) or just the CVE ID (may also have a Sonatype ID, if discovered first by Sonatype researchers.)
Affected version ranges of an implicated component now returned in Vulnerability Details API
To help users avoid choosing different versions of an implicated component, which could also have security vulnerabilities, we now report all affected version ranges of the implicated component. The affected version range can be retrieved using the Vulnerability Details REST API - v2 by passing the component identifier as a query parameter.
Fine-tuned risk management with additional policy constraint CWE ID
Users can now create security policies to evaluate components against the reported CWE IDs. Selecting Security Vulnerability CWE from the dropdown in the conditions section of the Policy page now allows defining policy constraint conditions based on the CWE ID.
Advanced Legal Pack Supports Composer
The upgraded Advanced Legal Pack now provides copyrights, notices, and license text data for the Composer ecosystem.
CycloneDX REST API Improvements
We have enhanced the response for CycloneDX REST API - v2 to include vulnerability details for components in the generated SBOM. This will help get a better understanding of the level of security risk associated with the components and implement remediation.
Policy Evaluation Summary Improvements
We have enhanced the Jenkins, Azure DevOps, Bamboo, and Maven plugins to show the total number of evaluated components in the policy evaluation summary. This addition makes eventual misconfigurations easier to spot.
Improved support for evaluating Java 18 applications and components
Support for evaluating Java 18 applications and components (first introduced in release 136) has been improved.
Improvements to Nexus IQ CLI for auto-creating new applications
To evaluate a new application that has not been onboarded to IQ Server using the Nexus IQ CLI, users can now provide an additional parameter, organization-id, for a specific organization. IQ Server will create this application under the specified organization (Org) instead of the parent organization that is set up during the configuration of Automatic Application Creation.
Extended scope of evaluations
Evaluate a binary action in Nexus Lifecycle UI has been modified to Evaluate a file. Using this menu option, users can now also perform manifest scans to analyze source control repositories or software bill of materials (SBOMs) earlier in the development lifecycle, before the applications are built.
Policy Waiver REST API Improvements
Users can apply policy waivers to specific repositories using the new owner types repository and repository_container in the POST request of Policy Waiver REST API - v2.
Fix for application scan reports
This release fixes the reported issue (in release 142 only) of blank pages appearing in the web browser, instead of application scan reports. A new scan of the application is recommended for generating the scan report, after installing this release.
Configurable session timeouts
Users can now configure the session timeout times for Nexus IQ Server using the property sessionTimeout through Configuration REST API - v2.
Release 142 (July 2022)
Configurable content security policy directive
The frame-ancestors directive for content security policy (CSP) can be configured using Configuration REST API - v2. This will allow users to control the domains that can frame the current resource and prevent clickjacking. Using the property frameAncestorsAllowlist, users can specify a list of allowed domain URLs as JSON.
More properties added to IQ server configuration REST API
Additional IQ Server properties are now exposed through Configuration REST API - v2. These can be configured using the same endpoint /api/v2/config and the GET, PUT, and DELETE HTTP methods to read, set, and delete the properties respectively. This process can now be used instead of making changes to config.yml as in older versions.
Properties added in this release:
- eventBus.maxThreadPoolSize
- csrfProtection
- policyMonitoringHour
- userAgentSuffix
- webhookSecretPassphrase
- maxAdvancedSearchClauseCount
- advancedSearchCSVExportDelimiter
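The frame-ancestors allowlist and the other properties above are all set through the same /api/v2/config endpoint. As an added example that is not Sonatype's code, the following Python script builds the PUT request that stores frameAncestorsAllowlist, rejects allowlist entries that would not work as CSP host-sources (a path, or a bare wildcard that would re-enable clickjacking), and then checks the Content-Security-Policy header a page actually serves against the configured list. The base URL, credentials and origins are constructed placeholders, and the use of a ?property= query parameter for GET and DELETE is an assumption.

```python
"""Set and verify IQ Server's frame-ancestors allowlist via the Configuration REST API.

Added example, not Sonatype code. Assumes the endpoint described in these notes
(PUT /api/v2/config with a JSON object of property names to values); GET and DELETE
are assumed to take the property name as a ?property= query parameter. The base
URL, credentials and origins below are constructed placeholders.
"""
import base64
import json
import re
import urllib.request

IQ_URL = "http://localhost:8070"      # placeholder IQ Server base URL
CREDENTIALS = ("admin", "admin123")   # placeholder; use an admin account or user token

# CSP host-source: scheme://host[:port], optionally with a leading "*." label, no path.
_HOST_SOURCE = re.compile(r"^https?://(\*\.)?[A-Za-z0-9.-]+(:\d+)?$")


def validate_frame_ancestors(allowlist):
    """Return the entries that are not valid CSP host-sources.

    An entry with a path or query never matches a framing origin, and a bare
    '*' lets any site frame IQ Server, which defeats the clickjacking protection
    the directive exists to provide.
    """
    return [e for e in allowlist if e == "*" or not _HOST_SOURCE.match(e)]


def build_config_request(properties, base_url=IQ_URL):
    """Build (method, url, body) that sets the given properties with one PUT."""
    return "PUT", f"{base_url}/api/v2/config", json.dumps(properties).encode()


def build_property_request(property_name, method="GET", base_url=IQ_URL):
    """Build (method, url, body) to read or delete one property (query parameter assumed)."""
    return method, f"{base_url}/api/v2/config?property={property_name}", None


def frame_ancestors_from_csp(csp_header):
    """Return the frame-ancestors source list from a Content-Security-Policy value, or None."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def allowlist_enforced(csp_header, allowlist):
    """True when every frame-ancestors source is 'self', 'none' or an allowlisted origin.

    A missing directive counts as a failure: without it, any site can frame the page.
    """
    sources = frame_ancestors_from_csp(csp_header)
    if sources is None:
        return False
    permitted = {"'self'", "'none'"} | set(allowlist)
    return all(src in permitted for src in sources)


def _send(method, url, body):
    """Basic-auth request helper; returns (status, headers, body bytes)."""
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, resp.read()


if __name__ == "__main__":
    allowlist = ["https://ci.example.com"]   # constructed: the CI server allowed to frame IQ
    bad = validate_frame_ancestors(allowlist)
    if bad:
        raise SystemExit(f"rejecting invalid allowlist entries: {bad}")
    status, _, _ = _send(*build_config_request({"frameAncestorsAllowlist": allowlist}))
    print("PUT /api/v2/config ->", status)
    _, _, text = _send(*build_property_request("frameAncestorsAllowlist"))
    print("stored value:", text.decode())
    # Confirm the header IQ actually serves matches what was configured.
    _, headers, _ = _send("GET", IQ_URL + "/", None)
    csp = headers.get("Content-Security-Policy", "")
    print("frame-ancestors enforced:", allowlist_enforced(csp, allowlist))
```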
Redesigned Components View for Dashboard
We have redesigned the component view in Dashboard, for an enhanced UI:
- The Total Risk score for the component is now displayed right under the component name at the top.
- A Back button has been added to replace the breadcrumb in older versions.
- Each application is now represented by a card with an accordion, that can be toggled to reveal all the policy violations.
- A cleaner interface to display Unknown component names.
Permissions to access Firewall Dashboard
Users can access the Firewall Dashboard for Repositories if they are granted the View IQ Elements and Edit IQ Elements permissions. Permissions at the global level are no longer required to access the dashboard.
Fixed a bug where a manifest scan would include pom.xml files inside META-INF
This release fixes a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory are now ignored.
Release 141 (June 2022)
Quarantined Component View
This release fixes a critical issue related to the Compare button in the Quarantined Component view in Firewall.
Release 140 (June 2022)
Export search results from the Advanced Search page
The new Export Results button on the Advanced Search page provides the flexibility of exporting the results into a .csv file, in addition to the existing Advanced Search REST API.
New REST API for configuring Source Control
The source control configuration that was controlled through config.yml in older versions must now be configured using this REST API.
Policy Configuration - New Policy Actions Override Feature
The new Policy Actions Override feature will allow the policy actions for inherited policies to be overridden. This feature will provide more control in managing the policies and is currently available only for policies configured and inherited for Lifecycle.
New waive all versions of a component enhancement
The new <component name> (all versions) option in the Components section of the Add, View, and Remove Waiver page allows creating a waiver that will be applied to all versions of a component.
NOTE: Unknown components will need to be claimed first.
New input parameter to Policy Waivers REST API
The JSON payload for Policy Waiver REST API v2 now supports matcherStrategy. It will now be possible to specify the range for components i.e., exact component, all versions of the component, or all components at the specified hierarchy to which the waiver will apply.
Reference Policy Set v7
As part of this release, the Reference Policy Set v7 now includes the release-integrity policy.
For Nexus Firewall license installations, the release-integrity policy will not be created automatically. Please use Reference Policy Set v7, if needed.
Release 139 (June 2022)
New REST API for configuring JIRA
The JIRA configuration must now be changed using this REST API, instead of making changes in config.yml as in older versions.
Custom expiration dates for Policy Waivers
This feature adds the flexibility of configuring custom expiration dates for policy waivers from the Add Waivers page. This could previously be done only by using the Policy Waivers API.
Release 138 (May 2022)
New REST API for configuring Reverse Proxy Authentication
The Reverse Proxy Authentication Configuration must now be changed using this REST API, instead of making changes in config.yml as in older versions.
New REST API for Base URL Configuration
The base URL configuration must now be changed using this REST API, instead of making changes in config.yml as in older versions.
NOTE: Configuration of the base URL is required, before configuring email/JIRA notifications and SCM integrations, for events like policy violations.
Fixed a bug where invalid SBOMs could be generated
This release fixed a bug where invalid SBOMs could be generated.
Additionally, from this release, if an SBOM is scanned and it is found to be invalid, then it will be rejected.
Release 137 (May 2022)
Reports List Redesign
To enhance user experience and make the IQ Server report list page easier to navigate and use, we made the following design improvements:
- Search as you type – IQ Server now progressively filters search results as you type the name of an application or organization in the search box.
- Show Contact Link – The Show Contact link that appears under the application name in the Application column now displays contact information for relevant applications only.
Fixed a Bug Relating to Searching for LDAP Static Group Members
This release fixes a bug that originated in Release 135. Searches for LDAP static group members now work as expected and return appropriate member information for policy email notifications.
Advanced Legal Pack: Sonatype Special License Filter for Attribution Reports
To allow further report customization, the Advanced Legal Pack now includes a filter for Sonatype Special Licenses in the attribution report template. Users can now enable this feature to filter out Sonatype Special Licenses (e.g., Generic-Copyleft-Clause, Generic-Liberal-Clause, See-License-Clause, Identity-Clause, etc.) from their attribution reports.
Release 136 (April 2022)
Policy Configuration
A new policy condition type for component formats was added.
Support for Evaluating Java 18 Applications and Components
The application and component evaluation have been updated to support Java 18 bytecode.
Firewall: New Quarantined Component View (Anonymous Developer View)
A new view for remediation advice of quarantined components is available in Firewall. By default, the view is accessible anonymously, using the tokenized link. A unique link is generated for every component quarantine encountered and expires after a certain time. The view contains information on component coordinates, policy violations, recommendations, and other versions that can be used instead.
This feature allows any user with access to the tokenized link to view component vulnerability details. If your IQ Server is publicly accessible to users outside your organization, it is strongly recommended you disable anonymous access to this view using the configuration. Consult with your legal and security teams to determine if you should disable this feature for your organization. If you are using Firewall for Nexus Repository, this feature requires Nexus Repository 3.38.1 release.
Firewall: Improvements to Quarantined Component Release Workflow
We made the following improvements to the release workflow for quarantined components:
- Components that no longer have any policy violations set to block (policy action is set to fail on proxy) can be released from quarantine at once by clicking the 'Re-evaluate' button on the repository results view. Also, as policy violations are waived, once no blocking policy violations remain, components are released without the need to click on 'Release Quarantine'.
- The 'Match State' policy condition type can be enabled for automatic release from quarantine.
Advanced Legal Pack Multi-Application Attribution Report
The Advanced Legal Pack's REST API now supports creating an attribution report for multiple applications with a single call. Users of the UI can now use the legal dashboard filters to generate an attribution report for multiple applications.
Advanced Legal Pack Now Automatically Supports Original Source Code Disclosures
The Advanced Legal Pack now automates weak copyleft original source code disclosure obligation for all supported ecosystems. This new data will automatically be included in any new attribution reports that are generated.
Improvements to Applications REST API
The Application REST APIs have been updated so that when querying the applications endpoint, an optional query parameter can be added to include the details of applied application categories.
Atlassian Crowd Integration
Atlassian Crowd server provides single sign-on and identity management. IQ's Atlassian Crowd integration is configured through the UI or the REST API. Once enabled, you can use your Atlassian Crowd credentials to log in through the UI or make REST calls.
SAML User Tokens
SAML users may now create User Tokens through the UI.
Option to search for all components, including those with no security vulnerabilities
We have upgraded the Advanced Search feature for component-based searches. The new interactive interface gives users the option to choose whether they want to view:
- All components that match the search criteria or
- Only components that match the search criteria and have security vulnerabilities
Release 135 (March 2022)
InnerSource Repository Configuration
Organizations and Applications under the Orgs and Policies view in IQ now support configuring InnerSource repositories which enables the Version Explorer for InnerSource components in the component details page. Please refer to the InnerSource Repository Configuration documentation for more details on how to configure InnerSource repository connections.
Release 134 (March 2022)
Support for CycloneDX 1.4
The Third-Party Scan REST API, CycloneDX Application Analysis, and CycloneDX REST API have been extended to support the CycloneDX schema version 1.4 for XML and JSON formats. In addition to that, the View SBOM option has been updated to produce CycloneDX schema version 1.4 XML.
Advanced Legal Pack Component Dashboard
The Advanced Legal Pack now has a Component Dashboard that provides users with an easy means to view, or search, all components scanned by Nexus IQ.
Advanced Legal Pack Integration with the Component Details Page
Users that have the Advanced Legal Pack can now navigate from the legal tab in the Component Details Page to a component's extended legal details via the 'Review Obligations' button. This makes it much easier to conduct a legal review of a component from a policy report.
Improvements to Policy Compliant Component Selection
We've made a number of improvements to the policy-compliant component selection released first in Nexus Repository 3.35.0 release. If you're new to the feature, be sure to check out our documentation. The improvements listed require Nexus Repository 3.38.1 and IQ Release 134 as the minimum recommended versions to use this feature.
1. Performance improvements
2. New components scanned for resolving version ranges to policy compliant versions but not downloaded will no longer be visible in the Firewall repository results view
Fixed a Bug That Prevented Users From Being Able to Select a License in the Component Details Page
A bug was introduced in 133 that prevented users from being able to select a license in the Component Details Page.
Application Analysis Report & SAML configuration form
Updated the look and feel to be consistent with our design guidelines.
Release 133 (March 2022)
Composer Matching Improvements
Composer data has been improved for both Lifecycle and Firewall. Please refer to this community post for more information.
SCM Onboarding
As of this release, when importing applications into IQ using easy SCM onboarding, dots are no longer omitted from the application names. Prior to this release, the dots were removed from the resulting application name.
Dependency Information for CycloneDX SBOM scans
CycloneDX SBOM file scans with dependency-graph data now display dependency information for BOM components (Direct and Transitive). Please refer to CycloneDX Application Analysis and InnerSource Insight for more information.
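The dependency graph and vulnerability entries that the CycloneDX REST API now writes into an SBOM (see the notes for releases 147, 143 and 134 above) are what make the Direct/Transitive distinction possible for downstream tooling. As an added example that is not Sonatype's code, this Python script reads a constructed CycloneDX 1.4 JSON document, classifies each component as direct or transitive by walking the dependency graph from the application's bom-ref, and joins the reported vulnerabilities to the affected components; the package names and the vulnerability id in SAMPLE_SBOM are placeholders.

```python
"""Classify CycloneDX 1.4 SBOM components as direct or transitive and attach vulnerabilities.

Added example, not Sonatype code. SAMPLE_SBOM is a constructed document in the CycloneDX
1.4 JSON shape (metadata.component, components, dependencies, vulnerabilities); its
package names and vulnerability id are placeholders.
"""
from collections import deque


def _lib(group, name, version):
    """Constructed Maven component entry; the purl doubles as its bom-ref."""
    purl = f"pkg:maven/{group}/{name}@{version}"
    return {"type": "library", "bom-ref": purl, "group": group,
            "name": name, "version": version, "purl": purl}


WEB = "pkg:maven/org.example/web-framework@2.1.0"
PARSER = "pkg:maven/org.example/json-parser@1.4.2"
LOGGING = "pkg:maven/org.example/logging@3.0.1"

SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [_lib("org.example", "web-framework", "2.1.0"),
                   _lib("org.example", "json-parser", "1.4.2"),
                   _lib("org.example", "logging", "3.0.1")],
    # The application declares web-framework and logging; json-parser is pulled in by
    # web-framework, and logging is also reachable transitively through json-parser.
    "dependencies": [{"ref": "app", "dependsOn": [WEB, LOGGING]},
                     {"ref": WEB, "dependsOn": [PARSER]},
                     {"ref": PARSER, "dependsOn": [LOGGING]},
                     {"ref": LOGGING, "dependsOn": []}],
    # Placeholder id; a real export carries the issue's actual CVE or Sonatype identifier.
    "vulnerabilities": [{"id": "CVE-0000-0001", "source": {"name": "NVD"},
                         "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv3"}],
                         "affects": [{"ref": PARSER}]}],
}


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def classify_dependencies(sbom):
    """Return {bom-ref: "direct" | "transitive" | "unreferenced"} for every component.

    Breadth-first walk from the application's bom-ref; a component the application
    declares itself stays "direct" even when it is also reachable through another path.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    direct = graph.get(root, [])
    scope = {ref: "direct" for ref in direct}
    queue, seen = deque(direct), set(direct)
    while queue:
        for child in graph.get(queue.popleft(), []):
            if child not in seen:  # the seen set also terminates cyclic dependency data
                seen.add(child)
                scope[child] = "transitive"
                queue.append(child)
    for comp in sbom.get("components", []):
        scope.setdefault(comp["bom-ref"], "unreferenced")
    return scope


def vulnerabilities_by_ref(sbom):
    """affected bom-ref -> [(vulnerability id, highest reported score)]."""
    out = {}
    for vuln in sbom.get("vulnerabilities", []):
        scores = [r["score"] for r in vuln.get("ratings", []) if r.get("score") is not None]
        top = max(scores) if scores else None
        for target in vuln.get("affects", []):
            out.setdefault(target["ref"], []).append((vuln["id"], top))
    return out


def risk_summary(sbom):
    """Rows of (purl, scope, vulnerabilities): vulnerable components first, direct before
    transitive, since a direct dependency is the one a team can upgrade in its own manifest."""
    scope, vulns = classify_dependencies(sbom), vulnerabilities_by_ref(sbom)
    order = {"direct": 0, "transitive": 1, "unreferenced": 2}
    rows = [(c.get("purl", c["bom-ref"]), scope[c["bom-ref"]], vulns.get(c["bom-ref"], []))
            for c in sbom.get("components", [])]
    rows.sort(key=lambda r: (not r[2], order[r[1]], r[0]))
    return rows


if __name__ == "__main__":
    for purl, scope, vulns in risk_summary(SAMPLE_SBOM):
        print(f"{scope:<12} {purl}  {', '.join(v for v, _ in vulns) or '-'}")
```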
Release 132 (January 2022)
New Dependency Tree Page
This new Dependency Tree Page shows a tree-like structure of all the dependencies identified in an application analysis report. This feature is only available for the NPM and Maven ecosystems, and its full documentation can be found in our Dependency Tree Documentation.
The Component Details Page is also updated with a component specific Dependency Tree in the Overview Tab. More information about this feature can be found at our Component Details Page Documentation as well.
Addition of 'Created By' Field for waivers
The addition of 'Created By' for Waivers will display and store the information of the individual who created the waiver. This information will also be visible when viewing existing waivers. Take a look at our API updates and UI updates.
Bug Fix for False Positives in Image Scans
False positives that could occur on rare occasions in scans of exported Docker image tar files have been fixed.
Release 131 (December 2021)
Fixed issue with archived repos
An issue with the SCM onboarding feature has been fixed where the onboarding process could not load all unarchived repositories if a Git organization contained a large number of archived repositories.
Dependency Tree REST API
Application dependency tree data for Java and NPM components is now available using the Report-related REST APIs - v2.
Release 130 (December 2021)
Update logback Library Version in IQ
Nexus IQ Server does not use any version of log4j and uses logback instead. It is therefore not at risk from the vulnerabilities impacting log4j. However, because of a low/moderate severity vulnerability in logback, we are taking precautionary measures by updating the logback library version used in Nexus IQ products.
Cran and Cargo Matching Improvements
Cran and Cargo data have been improved for both Lifecycle and Firewall.
Conda Matching Improvements
Conda data has been improved for both Lifecycle and Firewall. Please adopt the updated command and file for better results, refer to Conda Application Analysis for more information.
Application PDF Report Enhancements
The Application PDF Report now lists the Effective, Declared, and Observed licenses separately in the Licenses table and indicates if an Effective license is Overridden.
Release 129 (December 2021)
Component Remediation Performance Improvements
Added some performance improvements affecting component remediation (both UI and API).
Fixed Issue with Component Details Page Legal Tab not Loading
Fixed an issue that could cause the legal tab on the component details page to not load for some components.
Release 128 (November 2021)
New Component Details Page
This new Component Details Page is a fully redesigned experience within a singular dedicated page. This new page provides an improved layout, new comparison functionality to better identify ideal component versions, an increased focus on waiver statuses, and dedicated Security and Legal tabs. Take a look at our help documentation to learn more.
Fixed Issue with Advanced Legal Pack Attribution Report Generation
Fixed an issue that caused attribution report generation to fail when a report contained an InnerSource or proprietary component.
Release 127 (November 2021)
Reset Source Control Configuration
Users can now reset an organization or application source control configuration.
Component Information Panel's License Tab Links to Advanced Legal Pack
The license tab in the Component Information Panel (CIP) now contains a link from that tab to the component's legal obligation details page in the Advanced Legal Pack. This is useful for legal reviewers that are attempting to remediate legal policy violations from a Firewall report, an IDE integration, or a policy evaluation.
Advanced Legal Pack Customized Attribution Reports
The Advanced Legal Pack (ALP) now allows users to customize their attribution reports. Initial options allow users to add custom headers, footers, titles, and various appendixes. The ability to include standard license text as an appendix can reduce report sizes by as much as 80% and the ability to include generic legal text allows users to include legacy third-party-notices or legacy attribution reports with the newer ALP attribution reports.
Release 126 (October 2021)
Source Control Evaluation REST API
The Manifest Evaluation REST API was deprecated in favor of the new Source Control Evaluation REST API, which is 100% backwards compatible.
SSH Support for IQ for SCM Operations
SSH is now supported as a transport protocol for Git operations in IQ for SCM. See the details and requirements in the help documentation.
Release 125 (October 2021)
Improved Policy Evaluation Performance
A potential regression in policy evaluation performance introduced in Release 104 has been mitigated. This reduces the chance of lock timeout exceptions especially when using the default embedded H2 database.
New Source Control Configurations
Two new options were added to the Source Control Configuration to allow users to enable or disable pull request commenting and IQ initiated source control evaluations.
Pull Request Commenting Improvements
The policy evaluation selection for Pull Request Commenting has been optimized.
Conan Matching Improvements
Conan data and matching have been improved for both Lifecycle and Firewall.
Dependency Information Improvements for NPM
NPM Dependency Information detection has been improved to display more accurate results.
Source Control Repository Information Visibility
The repository configured under source control has been made more visible in the Organizations and Applications view.
Source Control Onboarding Performance Improvements
The Easy SCM Onboarding for Bitbucket Server has received some performance improvements.
Support for Pull Request Status and Target Branch Protection in Azure DevOps
The policy result for a scan is now available in the Azure DevOps pull request screen. This enables target branch protection for Azure DevOps.
Support for Evaluating Java 17 Applications and Components
The application and component evaluation have been updated to support Java 17 bytecode.
Release 124 (September 2021)
Fixed Source Control REST API
Fixed an issue with the Source Control REST API whereby some fields in the response JSON had been renamed. The previous names have been restored.
Release 123 (September 2021)
Fixed Issue with NPM Scans
Fixed an issue with some NPM scans that was causing IQ Server 122 evaluations to fail when reading dependency information.
Release 122 (September 2021)
Dependency Information for NPM
NPM project scans with manifests allow displaying dependency information for NPM components (Direct and Transitive). Please refer to npm Application Analysis and Application Composition Report for more information.
InnerSource Insight for NPM
InnerSource dependency analysis allows a user to visualize NPM InnerSource components and their transitive dependencies in a report with links to any associated applications. Please refer to InnerSource Insight for more information.
InnerSource Insight UI Improvements
Reports containing InnerSource Insight components will have more and better information about their transitive dependencies and relationships. Please refer to InnerSource Insight and the Component Information Panel for more information.
InnerSource Insight Transitive Violations Group Waiver
IQ Server now has the ability to group waive InnerSource transitive policy violations.
InnerSource Insight Report Filter
IQ report filters now allow filtering by a component's InnerSource status.
Azure DevOps Support in Source Control Features
Support for Azure DevOps in Automated Pull Requests, Pull Request Commenting, and Automated Commit Feedback.
Release 121 (July 2021)
General Fixes and Improvements
In this version, we have addressed a few bugs in IQ and made some performance improvements.
Release 120 (July 2021)
Continuous Risk Profile
Continuous Risk Profile keeps default branch policy evaluations up to date with fresh source control policy evaluations on a regular basis (configurable). In addition, IQ server will keep feature branch policy evaluations updated with new source control policy evaluations as new commits are made to those feature branches (assuming a pull request exists for that feature branch).
IQ for SCM supports Gradle property files
IQ for SCM makes use of 'gradle.properties' files in providing SCM feedback. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Gradle.
Release 119 (June 2021)
SBOM Improvements and Bug Fixes
CycloneDX SBOM scans using the Third-Party Scan Rest API and CLI have been improved to display better results in the report and some bugs have been fixed as well.
Release 118 (June 2021)
Swift Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from the dependency file of a Swift application.
Important update for CocoaPods users
Starting June 30, Nexus Lifecycle and Nexus Firewall users may experience a change in CocoaPods results due to some major improvements to our identity and security data services. Read more in our community post.
Release 117 (June 2021)
Fixed Regression with Component Search REST API
Fixed an issue where using the Component Search REST API could render application reports inaccessible without setting the experimental feature flag componentSearchApiWithInnerSource to false. It is now safe to remove this flag or to set it to true.
Support for CycloneDX 1.3
The Third-Party Scan REST API, CycloneDX Application Analysis, and View SBOM option have been extended to support the schema version CycloneDX 1.3 for XML format.
Release 116 (June 2021)
Known Issue with Component Search REST API
Customers should avoid using the Component Search REST API without the following setting in their IQ Server configuration config.yml file, as otherwise it can render application reports inaccessible:
experimentalFeatures:
  componentSearchApiWithInnerSource: false
Fix for automated PRs
Fixes a regression for automatic pull requests when using Linux or Mac and the native git support.
Dependency Data in REST APIs
Dependency data for Java components is now available using the Report-related REST APIs - v2 and Component Search REST APIs - v2.
Release 115 (May 2021)
View SBOM
The Options dropdown in the evaluation report allows you to view the component bill of materials of the report in CycloneDX format.
Improvements to Python Application Analysis
IQ Server (through CLI) now supports evaluating policies against Python components defined in poetry.lock files.
Multiple SCM Support
IQ Server now allows configuration of multiple source code management systems.
Release 114 (May 2021)
Support for CycloneDX 1.2
The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the schema version CycloneDX 1.2 for XML format.
The Advanced Legal Pack Is Now Available for Purchase
This add-on to Nexus Lifecycle will help you automatically comply with components’ terms of use. Read more in our press release and blog. Request a demo here!
Next-gen Firewall is Now Available for Purchase
This new product from Sonatype helps you stop known risk, novel malware, and 0-day attacks from being downloaded into your repositories. Learn how to configure this capability using this setup guide. Request a demo here.
Release 113 (April 2021)
Fix for Advanced Legal Pack Attribution Reports That Contain InnerSource Components
Fixed a critical error that prevented attribution report generation for applications that contained an InnerSource component.
Availability of Nexus IQ CLI as Debian/Ubuntu and Homebrew packages
The Nexus IQ CLI binaries are now available to be installed as a deb package on Debian/Ubuntu based Linux systems, and as a Homebrew package on Mac OSX. See the download page for installation instructions.
Release 112 (April 2021)
Enhanced Navigation Experience
As of this release, the navigation has been moved to the left side of the screen and the Dashboard Filter is now accessible via the "Filter" button on the upper right side of the Dashboard results pages. You can read more about it in this Sonatype Community Post.
Support for Evaluating Java 16 Applications and Components
The application and component evaluation have been updated to support Java 16 bytecode.
Release 111 (April 2021)
Fix for HTTPS/SSL Evaluations with Large Files
Fixed an error where evaluating a large file could cause an exception if IQ Server is configured to use HTTPS/SSL.
Advanced Remediation Strategies in IQ for SCM
Advanced Remediation Strategies are available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.
Release 110 (April 2021)
Fix Evaluation for Java 14 and Higher Binaries from UI
Fixed an error occurring when evaluating a binary file from UI compiled with Java 14 or higher.
Release 109 (April 2021)
Easy SCM Onboarding
Allows users to quickly create IQ applications for the repositories IQ Server detects in their configured source control management (SCM) system.
Instant Risk Profile
Performs an initial IQ Server scan of the contents of source control repositories for new IQ applications created by SCM Easy Onboarding.
Continuous Risk Assessment
As new pull requests are detected for IQ applications IQ Server may perform a one-time source control scan of the feature branch associated with the pull request and comment on the pull request if new vulnerabilities are discovered or if existing ones have been remediated. This source control scan will only be performed if the customer's CI system is not otherwise initiating scans and policy evaluations for the given application.
Release 108 (March 2021)
Breaking Changes Information in IQ for SCM
Breaking changes information is available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.
Application Reports
Added "Triggered by" information to application reports.
Advanced Legal Pack Initial Release, Now Available for Purchase
Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:
- Automation of attribution reports that comply with 90+% of OSS obligations.
- Enhanced legal data pertinent to obligations (e.g. all copyright statements, all notice statements, and all license texts found in a component).
- Legal workflow to resolve license obligations (per component, per license).
- Ability to save attribution and obligation resolutions on a per component, per license basis at the organization or application level.
- Ability to customize and edit attribution reporting as needed.
Release 107 (March 2021)
Java Manifest Application Analysis
IQ Server (through CLI) now supports evaluating policies against Java components in pom.xml and build.gradle files.
Performance Improvements
- Various bug fixes and performance enhancements.
Release 106 (February 2021)
Namespace Confusion Protection
Nexus users can now automate protection against dependency/namespace conflict at scale by connecting Nexus IQ Server's policy management and component intelligence data with proxy repositories in Nexus Repository Manager.
For more details, check out our demo video to see how Nexus users can start protecting against dependency/namespace confusion attacks at scale.
Improvements to Manifest Analysis
- Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
- Updated CLI scanner to parse package-lock.json files stored inside an archive.
- Fixed parsing errors when scanning yarn.lock and csproj files.
Release 105 (February 2021)
Performance Improvements
- Various bug fixes and performance enhancements.
- Fixed an edge case while using the external database where the application would run into a deadlock and cause the database pool to be exhausted.
Fixed NuGet Manifest Scanning Issue
Fixed Initialization error in NuGet manifest scanning with CLI.
Release 104 (January 2021)
Fix for GZip Expansion Vulnerability
Releases 86 to 103 (inclusive) of IQ Server are affected by CVE-2020-27218, a security vulnerability that allows an attacker to inject data into the body of the request. We advise you to update your IQ Server to this new release, which contains the required fix.
Update to Third-Party Scan REST API
Third-Party Scan REST API responses now contain additional report URLs to aid navigation.
IQ for SCM supports Go Projects
Automated pull request feedback is now available for Go projects in all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Go.
InnerSource Insight Improvements
InnerSource Insight was improved and now supports:
- The Dependency Type policy condition can now tune policy using the InnerSource dependency type; please click here for more information.
- Improved detection of proprietary modules that are not demarcated as InnerSource (instead of marking them as “unknown”).
- Better detection of Direct Dependencies when they are associated with both an InnerSource component and the parent application. Please check InnerSource Insight doc for more information.
NPM and NuGet Manifest Application Analysis
IQ Server (through CLI) now supports evaluating policies against:
- NPM Components defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
- NuGet Components defined in *.csproj and packages.config files.
Release 103 (December 2020)
InnerSource Insight for Maven
InnerSource dependency analysis allows a user to visualize InnerSource components and their transitive dependencies in a report with links to any associated applications. Please refer to InnerSource Insight for more information.
Support for Evaluating Java 14 and 15 Applications and Components
The application and component evaluation have been updated to support Java 14 and 15 bytecode.
IQ for SCM supports Gradle Projects
Automated pull request feedback is now available for Gradle projects in all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Gradle.
Additional columns for Violations Export
Two additional columns have been added to the exported file from the dashboard's violation tab:
- Reference: contains the CVE or Sonatype code assigned to the vulnerability that caused the policy violation
- Policy Violation Id: contains the policy violation id that triggered the violation
Release 102 (November 2020)
Manage User Token
The new User Token UI allows each user to manage their own User Token directly from IQ Server.
API to check if User Token exists
The User Token API has a new endpoint that allows checking if a User Token exists for the current user.
Security Fixes
Fixed an XML External Entity (XXE) vulnerability affecting IQ Server parsing of admin submitted SAML metadata. See the CVE-2020-29436 advisory for details.
Release 101 (November 2020)
Lifecycle XC Removed in Nexus IQ CLI
Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC. For more information on the supported languages please refer to the Comprehensive Guide to Lifecycle Scanning.
New Structure for .NET Pecoff PackageUrl
PackageUrl for pecoff has a new structure. The namespace is now part of the qualifiers with the key "nexusnamespace"; older versions will not change. More information can be found in our supported formats.
Manifest Evaluation REST API
The new Manifest Evaluation REST API provides a way to perform an application policy evaluation on supported manifest files discovered in a source control branch.
Manage Waivers for Violation
The new Waivers for Violation page allows viewing, adding and deleting waivers for a violation.
Time-based Waivers
Now Add Waiver page allows setting an expiration timeframe for the waiver.
Docker Image User Permissions Migration
The sonatype/nexus-iq-server docker image for IQ version 101 changed the base image from Red Hat UBI (Universal Base Image) to a different Red Hat UBI that includes OpenJDK 1.8. As a result, the UID of the nexus user has changed from uid=998 to uid=997, which will impact access to persistent data. See our upgrade instructions if you are upgrading to version 101 or later in a docker image.
Release 100 (October 2020)
Advanced Development Pack
Advanced Remediation Strategies, Hygiene Ratings, Breaking Changes, and Release Integrity capabilities made Generally Available as part of the Advanced Development Pack add-on product license.
Time-based Waivers via APIs
Add Waiver API now has an option to apply an expiryTime to waivers as a means to better manage and remove waivers. When the timeframe for the expiryTime has been met, the waiver will automatically expire.
Release 99 (September 2020)
GitLab MR Reviews with Line Comments
GitLab MR reviews now provide MR line comments, noting the exact line of code that caused a policy violation. Supplemented with the summary of policy violations for a specific MR, developers have all the information at their fingertips to innovate with peace of mind.
Release 98 (September 2020)
Improvements to Golang Application Analysis
IQ Server (through CLI) now supports evaluating policies against Go components defined in a Gopkg.lock file.
Automatic Migration to Root Organization
Installations that have not yet created and configured the Root Organization will automatically be migrated to a Root Organization with no policies defined.
If you have not yet migrated and wish to use policies from an existing organization at the Root Organization level, it is recommended to do this before upgrading. More information can be found in our documentation.
Automatic Update of Advanced Search Index
Previously, the search index had to be rebuilt manually to ensure search results reflect the latest policy configuration and application data. This release starts adding an incremental update of the search index that runs automatically when the application data is changed. Automatic indexing currently covers organizations, applications, application categories, component labels, policies, and security vulnerabilities found during policy evaluations.
Drop Requests with Unsafe Characters
IQ Server now drops inbound requests whose path contains characters known to be used for unsafe purposes (semicolons, backslashes and unescaped non-ASCII characters).
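To make the rule concrete, here is an added example (not IQ Server's own code) that screens request paths the way the note describes: a literal semicolon or backslash, or a raw non-ASCII character, causes the request to be dropped, while percent-escaped octets count as escaped. The function names and sample request targets are constructed; rejecting malformed percent-escapes is an extra, stricter check added here and is not something the note states.

```python
"""Request-path screening modelled on the release note above.

Added example, not IQ Server's own code. Rule from the note: drop a request
whose URL path contains ';', '\\', or an unescaped (raw) non-ASCII character.
Malformed percent-escapes are rejected here as an additional check (assumption).
"""
import re
from typing import List, Tuple

# Characters the note names as rejected when they appear literally in the path.
UNSAFE_LITERALS = frozenset(";\\")

# A well-formed percent-escape is '%' followed by exactly two hex digits.
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def path_of(request_target: str) -> str:
    """Return only the path part of a request target (drops '?query' and '#fragment').

    The note speaks of characters "in the path", so the query string is not screened.
    """
    for sep in ("?", "#"):
        idx = request_target.find(sep)
        if idx != -1:
            request_target = request_target[:idx]
    return request_target


def unsafe_reason(request_target: str) -> str:
    """Return '' when the path is acceptable, otherwise a short reason for dropping it."""
    path = path_of(request_target)
    for ch in path:
        if ch in UNSAFE_LITERALS:
            return f"unsafe literal {ch!r}"
        if ord(ch) > 0x7F:
            # A raw (unescaped) non-ASCII character; %C3%A9-style escapes never reach here.
            return f"unescaped non-ASCII character U+{ord(ch):04X}"
    # Added stricter check (assumption, not from the note): any '%' left after removing
    # well-formed escapes means the path cannot be decoded unambiguously.
    if "%" in _PCT_ESCAPE.sub("", path):
        return "malformed percent-escape"
    return ""


def screen(request_targets: List[str]) -> List[Tuple[str, str]]:
    """Classify each request target; returns (target, reason) with reason '' when allowed."""
    return [(t, unsafe_reason(t)) for t in request_targets]


# Constructed sample request targets (not taken from any real log).
SAMPLE_TARGETS = [
    "/api/v2/applications",             # plain ASCII path: allowed
    "/api/v2/applications?publicId=x",  # query string is not part of the path: allowed
    "/assets/caf%C3%A9.png",            # escaped UTF-8: allowed
    "/assets/caf\u00e9.png",            # raw non-ASCII: dropped
    "/api/v2/reports;v=1",              # semicolon in the path: dropped
    "/api\\v2\\reports",                # backslash in the path: dropped
    "/api/v2/%zz",                      # malformed escape: dropped (added check)
]

if __name__ == "__main__":
    for target, reason in screen(SAMPLE_TARGETS):
        print(f"{'DROP ' if reason else 'ALLOW'} {target!r} {reason}")
```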
GitLab MR Reviews
GitLab MR reviews provide a MR comment with summary of violations, affected components, and description of violations introduced in that specific MR to help developers resolve policy violations effectively and efficiently.
User Sessions Maintained on Restart
IQ Server user sessions are now kept when the server is stopped such that they can continue to be used when the server is restarted as long as they have not timed out.
Applicable Waivers REST API
The new Applicable Waivers REST API enables retrieval of all the waivers applicable to a given policy violation.
New Add Waiver page
The new Add Waiver page provides the ability to apply a waiver against a policy violation from two different workflows. You can access the Add Waiver page either directly from the Application Report or from the Violation Details page.
SAML Destination Field Required for Signed Messages
The SAML implementation in IQ Server has been updated and now requires the "Destination" field to be set, if the SAML messages (request/response) are signed. This is in accordance with the SAML specification and if not done you may encounter an authentication error. See Error during SSO login "Authentication failed due to SAML error" after upgrading Nexus Repo 3 or IQ Server for more information.
Release 97 (August 2020)
Repository Policy Violation Notifications
Email notifications for repository policy violations are sent now when the policy violation is detected instead of periodically.
New Security Vulnerability Category Policy Condition
Security Vulnerability Category is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Security Vulnerability Override REST API
Addition of the Security Vulnerability Override API now allows security vulnerability status overrides to be retrieved alongside information about the components where they are currently taking effect.
Add Waiver REST API
New Policy Waiver REST API allows adding waivers with Application, Organization or Root Organization scope. The API has an option to apply a waiver to all components with matching policy violation.
Automated Pull Requests for GitLab
Support Automated Pull Requests for GitLab where pull requests are automatically created for policy violations with suggested remediation.
Source Control Configuration Test Button
Check the configuration of your source control setup for appropriate permissions for pull requests.
Automated Pull Requests Daily Activity View
Show recent automated pull request activity in the source control configuration screen.
Release 96 (July 2020)
New Dependency Type Policy Condition
Dependency Type is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Improvements to Application Analysis
IQ Server (through CLI) now supports evaluating policies against
- C/C++ components defined in a conaninfo.txt file.
- Go components defined in a go.list file.
Performance Improvements for Accessing LDAP Servers
Various performance improvements for accessing LDAP servers.
Fix Report Data Rendering Containing PE/COFF Data
Some PE/COFF component report data (raw/PDF-printed) and Component Information Panel (CIP) data could cause rendering errors. The application log file would have contained messages such as MalformedPackageURLException: Segments in the namespace and subpath may not be empty. This rendering problem is now resolved.
Release 95 (July 2020)
Components Identified by Package Manifest
Components found in a manifest that were previously unknown by Sonatype will be shown in the CIP as identified by "Package Manifest" displaying the given coordinates in the scanned file.
.NET improvements
NuGet data matching has been enhanced with PE (Portable Executable)/COFF (Common Object File Format) data:
- The best fit matching is replaced with dll pecoff matching.
- Exact matching to the .nupkg archive and for each .dll pecoff signature.
With the enhanced data, identification of the following extensions is now supported: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp
Improved Reports Page Performance
The Reporting Area in IQ Server's UI is now paged, increasing performance by decreasing load time.
Various Performance Improvements
Improved the performance in various areas (UI, REST APIs, etc).
New Option to Ignore LDAP Referrals
The configuration for LDAP connections now features an additional option to control how LDAP referrals are handled.
PR Reviews with Line Comments
PR reviews available in GitHub and BitBucket now provide PR line comments, noting the exact line that introduced a policy violation. Supplemented with the summary of policy violations for a specific PR, developers have all the information at their fingertips to innovate with peace of mind.
Improved Dashboard Filter Management
The UI for saving, loading and deleting Dashboard filters is simplified. Now the Save button is accessible directly in the sidebar footer. Saved filters can be loaded and deleted from the single dropdown menu.
Release 94 (June 2020)
C/C++ Application Analysis to Support conanfile.py Files
IQ Server (through CLI) can now be used to evaluate policies against components defined in a conanfile.py file.
Cross-stage Violation REST API
Policy violations can now be retrieved using the Cross-stage violation API to get information on a particular policy violation across the different stages of the lifecycle.
New Violation Details Page
Centralized access point for policy violation information. It can be accessed from the Dashboard to obtain detailed information on a specific policy violation for an application, including report information across different stages of the lifecycle.
Permission-aware Results from Advanced Search
The Advanced Search is still an early access feature but one of its caveats has now been resolved: Search results are now filtered to only include those records the user has "View" permission for.
Release 93 (June 2020)
Non Failing Version Recommendation in CIP
An additional recommended version has been added to Component Info: the next version with no build-failure violations.
Release 92 (May 2020)
Performance Improvements with External Databases
Improved the performance when using an external database for policy evaluations, application reports UI, application reports and other REST APIs.
Use of TLS for Static Resources Referenced by Email Notifications
The static resources like images that are needed to view email notifications are now retrieved via HTTPS instead of HTTP. Please make sure your network allows outbound connections as detailed in Configuring Outbound Traffic.
Policy Waiver REST API Enhancement
Policy Waivers can now be retrieved using the updated Policy Waivers REST API.
Release 91 (May 2020)
New REST API for Application Categories
Application Categories can now be managed using the REST API. See the Application Categories REST API for details.
Improved Policy Evaluation Performance with External Databases
Improved the performance of policy evaluations when using an external database.
Yum Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from Yum dependency files.
New Data Source Policy Condition
Data Source is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.
Nexus Firewall Support of New Languages/Ecosystems
Firewall is extended to support packages of the following languages/ecosystems:
- PHP (Composer)
- Swift/Objective-C (Cocoapods)
- Conda
- Alpine (APK)
- Bower
- CRAN (R)
- Debian (APT)
- C/C++ (Conan)
It is recommended to upgrade to the latest Reference Policy Set (reference-policies-v4) with the Component-Unknown policy changes.
Release 90 (April 2020)
Policy Waiver REST API Enhancement
Policy Waivers can now be deleted using the updated Policy Waivers REST API.
Component Labels REST API Enhancement
Component Labels can now be managed using the updated Component Labels REST API.
Alpine, Drupal, and Debian Application Analysis
These languages are no longer supported in Lifecycle.
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
- Alpine
- Debian
- Drupal
Automated Pull Requests and Build Status for Bitbucket Server and Bitbucket Cloud
Support for both Bitbucket Server and Bitbucket Cloud has been added to Automated Pull Requests and Build Status.
Improved Storage for Firewall Data
The storage for Firewall data has been refactored to be faster and to require less disk space. A small performance impact may be noticed after the upgrade (for a few hours) until the existing data is migrated.
Release 89 (April 2020)
Component Evaluation REST API Enhancement
The Component Evaluation REST API now includes data about effective component licenses.
Report-related REST API Enhancement
The Report-related REST API now includes data about effective component licenses.
R and Rust Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
New PDF Report
The Look & Feel of the PDF Report for the Application Composition Report has been updated and streamlined to align more with IQ Server's UI. This increases its focus on essential information in addition to improving PDF generation performance.
Release 88 (March 2020)
Recommended Remediation for Transitive Maven Dependencies
Now the Component Info tab in the Component Information Panel adds a Recommended Remediation section for transitive dependencies. It provides links to all direct dependencies that brought in the selected component. Available for maven components only.
Advanced Search (Early Access)
This release includes an Early Access version of Advanced Search. This new search feature provides a flexible way to locate items among your applications. For instance, Advanced Search can help find all applications that are affected by a given security vulnerability.
Component Details REST API Enhancement
The Component Details REST API now includes data about effective component licenses.
Swift/Objective-C and Conda Application Analysis
IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:
GitHub PR Reviews
GitHub PR reviews provide a PR comment to provide a summary of violations, affected components, and description of violations introduced in a specific PR to help developers resolve policy violations effectively and efficiently.
Release 87 (March 2020)
User Tokens REST API Enhancements
User Tokens REST API exposes endpoints to System Administrators for querying tokens by creation date and supports deletion.
Fix for a critical issue with the Application Report in IQ 86
This release fixes a regression that prevented IQ Server 86 to load some reports.
Release 86 (March 2020)
Known Issue with the Application Report
There is an issue with IQ Server 86 failing to load some reports.
Customers should avoid upgrading to release 86 and instead upgrade to release 87 or newer.
New REST API for Moving an Application from one Organization to another
An application can now be moved from one organization to another using the REST API. See the Application REST API for details.
C/C++, Ruby and PHP Application Analysis
IQ Server (through CLI, Jenkins and Bamboo plugins) can now be used to evaluate policies against components from dependencies files for:
Release 85 (February 2020)
New Component Category Policy Condition
Component Category is now available as a policy condition. See Understanding the Parts of a Policy for details.
New Component Claim REST API
The new Component Claim REST API allows you to view, add, update, and delete component claims.
Extended Stale Waivers REST API
Stale Waivers REST API now returns stale evaluations along with the stale waivers.
Release 84 (February 2020)
Release 83 and Release 84 introduced migration steps in server startup where proxy server and mail server configurations are read from the existing config.yml file and transferred to the database. An issue was discovered which stops IQ Server from successfully starting when the password field for either of these configurations is an empty string. If that is the case for either of your configurations, please comment out the password fields entirely instead of having an empty string.
Using the proxy server configuration as an example, instead of having a configuration as below:
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""
please configure it as follows, where password is commented out:
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  # password: ""
No special action is needed if a non-empty password exists. It will be stored in the database encrypted.
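As an added pre-upgrade check (not Sonatype's own tooling), the following script rewrites a config.yml so that every empty-string password line is commented out, exactly as the workaround above asks, while leaving non-empty passwords and already-commented lines alone. The sample configuration text is constructed; the mail section key name used in it is hypothetical.

```python
"""Comment out empty-string `password` fields in an IQ Server config.yml.

Added example, not Sonatype's own tooling. Works on the raw text so that comments
and layout in the file are preserved; only `password: ""` / `password: ''` lines change.
"""
import re
from typing import Tuple

# A YAML mapping line whose key is `password` and whose value is an empty quoted
# string, optionally followed by a trailing comment. Group 1 keeps the indentation.
_EMPTY_PASSWORD = re.compile(r'^(\s*)password:\s*(""|\'\')\s*(#.*)?$')


def comment_out_empty_passwords(config_text: str) -> Tuple[str, int]:
    """Return (rewritten text, number of lines changed).

    A non-empty password is left untouched (it migrates into the database fine),
    and a line that is already a comment does not match because it starts with '#'.
    """
    changed = 0
    out_lines = []
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _EMPTY_PASSWORD.match(body)
        if m:
            indent = m.group(1)
            line_ending = line[len(body):]  # keep the file's own newline style
            out_lines.append(f"{indent}# {body.strip()}{line_ending}")
            changed += 1
        else:
            out_lines.append(line)
    return "".join(out_lines), changed


# Constructed sample: the proxy block from the note plus a mail block with a
# non-empty password. The `mail` key name is hypothetical, not taken from the page.
SAMPLE_CONFIG = """\
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""
mail:
  hostname: "smtp.example"
  password: "s3cret"
"""

if __name__ == "__main__":
    fixed, count = comment_out_empty_passwords(SAMPLE_CONFIG)
    print(f"{count} empty password field(s) commented out")
    print(fixed)
```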
New Stale Waivers REST API
Stale Waivers REST API allows you to retrieve stale application and repository waivers.
To ensure accuracy, the API fails if there are any repository evaluations older than release 76, as new waiver information was added as part of that release. Please re-evaluate all repositories to get a successful response.
Email Server Configuration Verification in Email Server Configuration UI
A sample email can be sent in the Email configuration UI to verify the email server being configured by entering the desired recipient and using the Send Test Email button.
New HTTP Proxy Server Configuration REST API and UI
The proxy server configuration is now configurable via the new HTTP Proxy Server Configuration REST API or via the Proxy Server Configuration View found in System Preferences. Any existing proxy server configuration in config.yml will be migrated and become obsolete.
NPM support for Automated Pull Requests
Nexus IQ for SCM now supports the NPM ecosystem. See Automated Pull Requests for details.
Release 83 (January 2020)
New Email Server Configuration REST API and UI
The email server configuration for email notifications is now configurable via the new Mail REST API or via IQ Server's UI. Any existing email server configuration in config.yml will be migrated and become obsolete.
New Permissions for Waiving Policy Violations, Changing Licenses, and Changing Security Vulnerabilities
Three new permissions Waive Policy Violations, Change Licenses, and Change Security Vulnerabilities are now available for (un)waiving policy violations, changing component licenses, and changing component security vulnerabilities. Previously, the Edit IQ Elements permission was required for these operations. All roles that have the Edit IQ Elements permission are automatically updated to have these new permissions.
Binary Fingerprinting Improvements
This release includes improvements to our proprietary advanced binary fingerprinting and will increase scan file sizes up to four times.
SHA-1 Support for Third Party Scanning
The Third-Party Scan REST API and CLI have been extended to support the following feature.
- Identify components based on SHA-1 value (content hash).
Legacy Application Report Link Moved
The Policy-centric Application Composition Report no longer contains a banner with a link to the legacy version of the Application Composition Report. Instead, the legacy version may now be accessed via the Policy-centric report's Options menu.
Release 82 (January 2020)
Dependency Type Indicators and Filter
Application Composition Report now displays Dependency Type Indicators for maven components. Components can be filtered by dependency type using the new Dependency Type filter.
Note: Dependency Type is only supported for maven components. Reports created prior to January 2, 2020 will show all non-maven components as a direct dependency type. Once the application is rescanned, the non-maven components will be shown as unknown dependency types.
New Permission for Changing Access Control
A new Edit Access Control permission was added for managing the access control for applications, organizations and repositories. Previously, the Edit IQ Elements permission was required for access control management. All roles that have the Edit IQ Elements permission are automatically updated to have the new Edit Access Control permission.
Release 81 (December 2019)
Extended Organization REST API
The organization REST API now supports retrieving information for a single organization by its identifier or name.
Extended Component Label REST API
The component label REST API can now manage component labels for an entire organization.
clm-maven-plugin 2.15.0-01 Requires Java 8
Starting with version 2.15.0-01, the clm-maven-plugin requires Java 8.
License Data and Coordinates Support for Third Party Scanning
The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the following features.
- Identify component license data.
- Support coordinate based matching (in addition to Package URL).
Release 80 (December 2019)
Updated Main Header Design
Visual refresh of IQ Server main header.
Fix for HTTPS/SNI Issue in IQ 79
This release fixes a regression that prevented IQ Server 79 from starting if configured with an HTTPS connector that employed a server certificate making use of SNI.
Release 79 (November 2019)
Known Issue with HTTPS Connector
We are investigating an issue with IQ Server 79 failing to start when configured with a direct (config.yml) HTTPS connector.
Customers using this specific scenario should avoid upgrading to release 79 and instead upgrade to release 80 or newer.
Component Waiver REST API
Added policy waiver scope to the Component Waivers REST API.
Nexus IQ for SCM Configuration UI
The Nexus IQ for SCM Configuration UI allows for configuration of the integration between Nexus IQ Server and an external Source Control Management provider.
Automated Pull Requests
Automated Pull Requests allows for automatic creation of pull requests for policy violations on components that have an available version which remediates those violations.
Stable Link to Latest Application Composition Report
The report-related REST API has been extended to include the new property latestReportHtmlUrl in its response, providing a stable link to view the most recent report for a given application and stage.
Release 78 (November 2019)
Components In Quarantine REST API
Components in Quarantine REST API allows you to list repository components that are quarantined.
Release Component from Quarantine REST API
Release Component from Quarantine REST API allows you to release a quarantined repository component by waiving the policy violations causing the component to be quarantined.
Vulnerabilities Support for CycloneDX Application Analysis
CycloneDX Application Analysis is now extended to support submitting component vulnerabilities. For more details please refer to:
Release 77 (November 2019)
Clair Scan Evaluation
IQ Server integration with Clair provides you the ability to identify and apply IQ policies against Clair scanner results.
CycloneDX Application Analysis
IQ Server can now be used to evaluate policies against a software component list supplied in CycloneDX SBOM (software bill-of-material) format. This can be used in the following ways.
- Third-Party Scan API allows you to evaluate a CycloneDX SBOM via REST interface.
- CycloneDX Application Analysis allows you to evaluate a CycloneDX SBOM via Nexus IQ CLI / IQ Server UI.
Release 76 (October 2019)
Component Waiver REST API
Component Waivers REST API allows you to retrieve components with waivers for applications and repositories.
All repository reports must be re-evaluated in order to include the most accurate policy waiver information used by the new API.
User Tokens REST API
User Tokens REST API allows IQ users to create and delete user tokens. It also allows IQ Server administrators to purge obsolete tokens. See User Tokens for details.
General improvements and bug fixes:
- Fix bug with Firewall Audit and Quarantine where IQ Server database errors were more likely to occur on under-resourced hosts.
- IQ Server UI links to Firewall results from the Repository settings page in Organizations and Applications configuration.
Release 75 (October 2019)
Anonymous Vulnerability Lookup
You can now look up a vulnerability without logging in. See Vulnerability Lookup for details.
Vulnerability Details REST API
Vulnerability Details REST API allows you to retrieve vulnerability details in the form of JSON.
Release 74 (September 2019)
Single Sign-On via SAML
IQ Server can now be configured to enable single sign-on via SAML during login, which can be done by a system administrator via the UI or via the SAML REST API.
Support for Evaluating Java 13 Applications and Components
The application and component evaluation have been updated to support Java 13 bytecode.
Release 73 (September 2019)
Internal Release
Shortly after wide release a rare issue was found that can prevent successful upgrade of IQ Server.
To help avoid upgrade failures and forced rollback procedures, this release is not a recommended install. Use release 72 or release 74 and newer instead.
Fix for Remote Code Execution Vulnerability
All previous releases of IQ Server suffer from a security vulnerability that allows authenticated users with the Edit System Configuration and Users permission to execute arbitrary code. We advise you to update your IQ Server to this new release, which contains the required fix, at the earliest opportunity. Details were published on October 17: CVE-2019-16530.
Release 72 (September 2019)
Removed Support for Anonymous Access
The support for anonymous access used by very old IQ clients and plugins was removed from IQ Server. This doesn't affect you unless you are still using very old IQ clients or plugins. If present, the optional anonymousClientAccessAllowed setting should be removed from the config.yml file used to configure the IQ Server.
Request Waiver Workflow
The policy violation ID has been added to the REST API to facilitate Requesting a Waiver.
Source Control Onboarding
During policy evaluation, the commit hash and repository URL are automatically deduced allowing our scanners (CLI, Jenkins, GitLab, etc) to pick up which commit and repository they are evaluating against. This will allow Nexus IQ for Git to push policy evaluation report summaries to Git commits and pull requests with minimal configuration.
Release 71 (August 2019)
Request Waiver Workflow
You can now Request a Waiver when your workflow for waivers is handled outside of IQ Server.
Policy Evaluation Summary in GitLab
Policy evaluation report summaries and a link to the report can now be viewed on GitLab commits and pull requests. See Nexus IQ for SCM for details.
Release 70 (August 2019)
New REST APIs to Manage Users and Roles
Several additions to the public REST API of IQ Server were made to help automate the management of users and their roles:
New CycloneDX REST API - v2
We now support generation of SBOMs using the industry-standard CycloneDX specification. The new CycloneDX REST API - v2 returns an SBOM containing coordinates and licenses for components in a scan report.
Release 69 (July 2019)
Package URL (purl-spec) Support in Policy Configuration
You can now use package URL when configuring constraints in policy management.
Mitigate IQ Server Client Timeouts
IQ Server clients now poll for application evaluation results rather than waiting on the socket. Clients affected by this change are CLI, Jenkins, Bamboo, and Maven plugins.
IQ Server needs to be upgraded first in order for new clients to work properly.
Docker Image User Permissions Migration
The sonatype/nexus-iq-server Docker image for IQ version 69 changed the base image from CentOS to Red Hat UBI (Universal Base Image). As a result, the UID of the nexus user has changed from uid=999 to uid=998, which will impact access to persistent data. See our upgrade instructions if you are upgrading to version 69 or later in a Docker image.
Release 68 (July 2019)
Fix for Caching of UI Resources Between IQ versions
Recent versions of IQ have had a bug where user interface resources could be cached within the browser across IQ version upgrades. This could cause a mismatch between the IQ frontend and backend code, or even a mismatch between different parts of the frontend code. This would result in UI breakages, such as an oversized IQ logo rendering the page unusable in Release 67. IQ 68 differs from IQ 67 only in that it fixes this issue.
Release 67 (July 2019)
Policy Evaluation Summary in GitHub
Policy evaluation report summaries and a link to the report can now be viewed on GitHub commits and pull requests. See Nexus IQ for SCM for details.
Package URL (purl-spec) Support in Public APIs
The following APIs are extended to support package URL in requests and responses:
- Component Search REST APIs - v2
- Component Evaluation REST APIs - v2
- Component Details REST APIs - v2
- Component Remediation REST APIs - v2
- Violation REST APIs - v2
- Report-related REST APIs - v2
Vulnerability List in the Application Composition Report
The Application Composition report now includes the option to easily see a list of the vulnerabilities that triggered policy violations associated with a given application.
Vulnerability Search
You can now search for and view information about specific vulnerabilities directly from the top navigation bar in IQ Server.
Dropped Support for IE9 and IE10
As of Release 67 IQ no longer provides support for Internet Explorer 9 & 10.
Release 66 (June 2019)
Command to Reset the Admin Account Password and Roles
A new command was added to reestablish the default admin account, including its default password and roles, in an IQ Server that has been shut down.
Package URL (purl-spec) Support in Public APIs
We are rolling out package URL based component information access as an alternative to the coordinate based component information retrieval in REST APIs. The following API is extended to support package URL.
Optional 'Description' Field for Webhook Configurations
The webhook description is displayed in the UI where webhooks can be selected such as the webhook list or the policy editor.
Component Remediation Information added to the Component Information Panel
Component Remediation Suggestions have been added to the Component Information Panel. For components that have policy violations, it will show the next available version that does not violate any policies for the given application, if such a version exists. This will be shown in the Application Composition Report and the IDE plugins.
Release 65 (May 2019)
Policy-centric Application Composition Report
The policy-centric Application Composition Report is no longer in preview mode and has now replaced the previous version of the report. The previous version is still accessible through the link provided in the new UI.
Application Composition Report API - Policy Violations
A new endpoint was added in order to provide policy violations data for a given report. See "Policy Violations by Report REST API (v2)" in Report-related REST APIs - v2.
Component Remediation API - Next Non-failing Remediation Type
Added new remediation type for the next closest component version which does not fail any policy violations.
Release 64 (April 2019)
Application Reports as Point-in-Time Data
Existing Application Composition Reports are not updated anymore when changes are made in the Component Information Panel. These changes become visible only when the application is re-analyzed (via the re-evaluation button or a new evaluation being triggered from CI, CLI, policy monitoring, etc). This ensures that the reports reflect the state of the application and policy evaluation results at the time the application was analyzed.
Web UI to Configure Data Retention Policy for Success Metrics
This release completes the data retention and purging feature introduced in release 63 by extending the IQ Server UI with the elements needed to inspect and edit the data retention for Success Metrics.
Component Remediation API
In order to facilitate automation and customization of component remediation, IQ Server now supports a Component Remediation API. The first release of the API exposes data similar to the Component Information Panel version graph in a machine-readable format. The response provides component remediation suggestions for policy violations on a per-component basis.
Release 63 (March 2019)
Data Retention Policies for Automatic Purging of Obsolete Application Reports and Success Metrics
To reduce the disk space consumption of IQ Server, you can now specify data retention policies for application reports and Success Metrics. Reports that are deemed obsolete according to these retention policies are automatically purged from sonatype-work/clm-server/report. Likewise, policy violation history that is no longer relevant for Success Metrics is purged from sonatype-work/clm-server/data. Note that automatic purging needs to be manually enabled after IQ Server has been upgraded to the new version.
Release 62 (March 2019)
Support for Specifying Python Coordinates in Policy Constraints
Users can now specify python (PyPI) component coordinates when configuring constraints in policy management.
Support for Evaluating Java 12 Applications and Components
The application and component evaluation have been updated to support Java 12 bytecode.
Release 61 (February 2019)
Firewall now supports Artifactory repositories. See more in the press release.
Cleanup of Obsolete Scan Files
To reclaim disk space, this release includes a background task that deletes obsolete files from the sonatype-work/clm-server/scan directory. This task runs only once and is scheduled automatically for 11 pm local time after IQ Server has been upgraded. Depending on the number of obsolete scan files in your installation, you might see elevated IO activity while the files are removed.
Nexus Firewall Bug Fix
Fixed a bug that resulted in Component IQ not being displayed in Nexus Repository Manager.
Release 60 (February 2019)
Note: Build 1 of this IQ Server release (denoted by 1.60.0-01 in its filename) had a flaw that prevented its startup without a license. If you were quick enough to download this version, please re-download the latest build (1.60.0-02).
Policy Violation Logging
A new policy violation logging feature, which must be explicitly enabled, is now available. It logs its data to a dedicated log file in JSON format. This allows for easy line-by-line parsing for inspection, analysis, and extraction of desired data. It can be enabled/customized in your IQ Server configuration.
Support for Scanning Python Wheel Packages
Python wheel packages are now recognized by the Sonatype IQ Server, CLI, Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner.
Release 59 (January 2019)
Security-related HTTP Headers
For added security protection against cross-site scripting and other attack vectors, the IQ server now sets the Content-Security-Policy and X-XSS-Protection HTTP headers.
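A defender-side check for the two headers named above, added here as an example and not code from Sonatype: it verifies both headers are present on a response and parses the CSP to flag script sources that weaken XSS protection. The header values in the samples are constructed, not the actual values IQ Server sends.

```python
# Added example (not Sonatype's code): verify the two headers named above are present
# on a response and inspect the CSP's script sources. Sample header values are constructed.
from typing import Dict, List, Optional

REQUIRED_HEADERS = ("Content-Security-Policy", "X-XSS-Protection")
# Source expressions in script-src that weaken the CSP's protection against XSS.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}; names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means no issue found."""
    findings: List[str] = []
    for name in REQUIRED_HEADERS:
        if find_header(headers, name) is None:
            findings.append(f"missing header: {name}")

    csp = find_header(headers, "Content-Security-Policy")
    if csp is not None:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src:
            findings.append("CSP has neither script-src nor default-src")
        for src in script_src:
            if src in RISKY_SCRIPT_SOURCES:
                findings.append(f"CSP allows risky script source {src}")
    xss = find_header(headers, "X-XSS-Protection")
    if xss is not None and xss.strip().startswith("0"):
        findings.append("X-XSS-Protection is explicitly disabled")
    return findings


# Constructed sample responses, not captured from a real IQ Server.
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_RESPONSE = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_security_headers(resp) or "OK")
```

To run it against a live instance, pass the header mapping from an HTTP client's response object to check_security_headers.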
Release 58 (January 2019)
Support for Evaluating Java 10/11 Applications and Components
The application and component evaluation have been updated to support Java 10/11 bytecode.
Audit Logging for Policy Violation Notifications and Webhooks
Audit logging functionality has been extended to include
- Sending notifications for policy violations.
- Invoking a webhook.
Python Coordinate-Based Matching for More Clients
Python coordinate detection via the requirements.txt file has been extended from just the Sonatype IQ Server and CLI to also include the Jenkins, Bamboo, and Maven plugins as well as the Vulnerability Scanner.
Release 57 (January 2019)
Audit Logging for Reporting
Audit logging functionality has been extended to include
- Viewing repository results.
- Viewing component information panel data.
- Accessing and managing success metrics.
- Accessing dashboard table data.
- Exporting policy violations.
- Searching components.
- Evaluating IDE projects.
- Evaluating individual components via the REST API.
Component Category in CIP
The Component Information Panel has been updated to display the component category identified by Sonatype.
Policy Centric App Report Preview
A new look for the Application Report is being added to IQ, allowing the user to interpret the report in a more policy-centric manner. We call this the Policy Centric App Report, and a preview of this new look is now available alongside the existing reports.
Other Versions
IQ Server release notes are organized by year:
- 2020 Release Notes (82 and up)
- 2019 Release Notes (57 - 81)
- 2018 Release Notes (1.43 - 56)
- 2017 Release Notes (1.25 - 1.42)
- 2016 Release Notes (1.19 - 1.24)
- 2015 Release Notes (1.13 - 1.18)
- 2014 Release Notes (1.12)