2015 Release Notes
Sonatype encourages using the most current IQ Server release and not trailing behind more than six months. Release notes for the most current versions can be viewed here .
The IQ Server 1.18 release contains the following updates:
New Root Organization
IQ Server now includes the Root Organization at the top of the system hierarchy, which acts as a container for all organizations in the system. Any policy set in the root organization is inherited globally by every organization and their associated applications. For more information about the Root Organization, see the Organization and Application Management chapter.
If you are upgrading from IQ Server version 1.17 or earlier, it is strongly recommended that you read the following documentation:
New Audit and Quarantine Features
For users of the Firewall solution, you can now evaluate repositories in your Nexus Repository Manager. When a repository is evaluated, use the Audit feature to identify policy violations associated with components inside the proxy repository. Additionally, you can use the Quarantine feature to prevent newly proxied components with policy violations from being served to clients. The evaluation results are provided in the new Repository Results (similar to the Application Composition Report). Note: At this time, only Maven and NuGet packages inside proxy repositories will provide results. For more information, see IQ Server and Repository Management.
- Screenshots and text were updated to reflect the new name, IQ Server. While there are a few chapters about plug-ins that need to be rebranded, the majority of the documentation is finished.
- Information about the products and licenses required to use the features discussed in a chapter has been added to the beginning of each chapter. The purpose is to help clarify the role of IQ Server in the licensed Nexus solutions: Firewall, Auditor, Lifecycle and Repository. To learn more about Nexus solutions and licenses, see IQ Server.
1.17 (our new name)
The IQ Server 1.17 release contains the following updates:
The Sonatype CLM rebranding and renaming effort is at the heart of this release. Going forward, Sonatype CLM is no more (oh how we miss thee). While you may still see this in some areas/screenshots, we believe this change will help add clarity to the symbiotic relationship between our products (IQ Server and Nexus Repository Manager). We also realize this may cause some confusion, and appreciate your patience as we move forward. In the event you have any scripts that use the previous binary names you will want to update those as part of your upgrade process.
Sonatype CLM for Maven and CI
As part of this release, a bug was fixed in Sonatype CLM for Maven. The bug fix addressed an issue where a POM file could be included among the identified files. This has been addressed so that the dependencies will still be used and identified, however, the POM file won’t be included. We recommend all users update to the latest version of Sonatype CLM for Maven. For anyone using Sonatype CLM for CI (Hudson/Jenkins or Bamboo) in combination with Sonatype CLM for Maven, we recommend you upgrade both integrations.
The Sonatype CLM 1.16 release contains the following updates:
This release represents a variety of improvements that came directly from customer requests. From adding improved API support and a new UI for viewing organizations and applications, there’s a little something for everyone. We even took the opportunity to update the way certain policy condition situations are handled. The summary of improvements is listed below, followed by details and links to the updated/new documentation.
Improved Policy Conditions for Security Vulnerabilities
To resolve situations where policy violations for components with more than one security vulnerability were produced, the evaluation for conditions about security vulnerabilities has been revised. Going forward, in situations where a constraint has multiple conditions, and all must be satisfied to trigger the constraint, if there are multiple vulnerabilities for a component, at least one vulnerability must meet all vulnerability-related conditions.
As a result of this change, some of the policy violations related to vulnerabilities that you observed in the past will resolve themselves after reevaluation with the new version of Sonatype CLM.
To better illustrate the expected changes, consider a component with two vulnerabilities, one with severity 9 and status Not Applicable and one with no severity and status Open. When evaluated against the Sonatype sample policies, prior versions of CLM reported violations of the Security-Unscored, Security-Low, Security-Medium and Security-High policies. After the update, only the Security-Unscored policy will be violated.
New API for Component Details
This new API allows you to gather information about any component known to Sonatype CLM. The details provided won’t list policy violation information (that’s already covered with the Component Details by Report API).
New CLM Server Option for CSRF Protection
To prevent unwanted attacks via cross-site request forgery, a new configuration item was added.
New UI for Viewing Organizations and Applications
In the Managing Organizations and Applications area of Sonatype CLM Server, the navigational list has been changed to a tree view in order to improve the display of organizations and applications and their parent-child relationships. A filter box has been added to allow for easy searching and filtering of organizations and applications by name.
Support for Reverse Proxy Authentication for Single Sign-On (SSO)
The Sonatype CLM Server now supports additional configuration options for reverse proxy authentication for single sign-on (SSO).
Reduced LDAP Connection Retry Delay
To reduce the delay in reconnecting to an LDAP Server when a connection is lost, the default value of the Retry Delay setting has changed from 300 seconds (5 minutes) to 30 seconds. If you want a different reconnection interval, you can manually change this setting in the LDAP Administration area of Sonatype CLM Server.
The Sonatype CLM 1.15 release focuses predominantly on improving security administration functionality. As part of this, you will likely notice some changes with regard to the associated interface in these areas.
Previously, the built-in (i.e. default) roles were only visible at the Organization and Application level, or in the Global Roles menu area. However, all available built-in roles can now be viewed from the System Preferences area.
Using the Roles menu option, you can look into exactly what permission(s) each role has.
The Violation Summary located on the CLM Server dashboard is calculated for all apps over all time. In installations with a large number of applications, this can take a fair amount of time. Based on user feedback around the general use of this feature, as well as the situation where this can make the dashboard feel unresponsive, we have moved this to a manual calculation.
If the built-in roles don’t provide the options you are looking for, create custom roles. This latest feature provides the ability to name and describe a completely new role, as well as define which permissions each role has.
Java 1.8 Compatibility
The Sonatype CLM Server now supports the Java 1.8 runtime.
This is in addition to a previous update that allows Sonatype CLM to analyze Java8 bytecode.
The Sonatype CLM 1.14.2 release contains the following updates:
- Cross site scripting (XSS) vulnerability
- LDAP injection vulnerability
- Dashboard performance improvements
- Component details (via Dashboard) performance improvements
The latest version of Sonatype CLM is free for all existing users of Sonatype CLM. This includes the Sonatype CLM Server as well as the entire Sonatype CLM suite of tools (e.g. Sonatype CLM for Nexus).
The following updates are included in the 1.14 release:
A new notification panel located next to the name of the logged-in user provides a mechanism for the Sonatype CLM development team to communicate directly with Sonatype CLM users. Look to this location for important announcements that affect your CLM Server.
Sonatype CLM Authorization
The Sonatype CLM Server provides extended functionality to a number of tools (e.g. Sonatype CLM for Nexus, Hudson, Jenkins, Bamboo, Eclipse, Maven, etc.). Previously these tools allowed limited, or no direct, authorization options when evaluating applications.
Starting with Sonatype CLM 1.14, CLM Server authorization for these tools is optional by default. This means a username and password can be entered if desired. Additionally, the Sonatype CLM Server can be configured to force authorization for all tools.
If you desire to turn off the anonymous access, we recommend you upgrade your Sonatype CLM Server first, and then follow with the various tools. In cases where you can’t upgrade the tools as quickly or easily as the Sonatype CLM Server, we recommend waiting until those tools are updated before forcing authorization.
The affected tools includes Sonatype CLM for:
- IDE (Eclipse)
Role-based Notifications and Monitoring
The Sonatype CLM Server allows notifications and monitoring to be configured such that when a policy violation occurs, users will be notified. Previously, policy notifications and monitoring required an email to be added.
In the Sonatype CLM 1.14 update, users can select a particular role in addition to entering a specific email. When policy violations occur, any user assigned to that role will be emailed.
CLM Server Config Update
An update to the application log has been made. These changes provide a foundation for more detailed logging in the future. Previous users of Sonatype CLM who are upgrading to 1.14, and want to take advantage of this feature, will need to update their logFormat configuration.
Please review the
config.yml file included with the Sonatype CLM Server download. An example of the new logging is provided below:
Vulnerability Details in Application Report
The Edit Security Vulnerability area of the Component Information Panel (CIP) located in the Application Composition Report has been modified. A new information column has been added with an icon in each row. Clicking on this icon will display a summary of the Security Vulnerability Information Sonatype has curated.
The 1.13 release of Sonatype CLM encompasses a number of the related CLM tools including:
A Special Note About the CIP
This release features a number of improvements that affect the Component Information Panel (CIP). The CIP is the graphical display used in a number of CLM tools including Nexus, Eclipse, and the Application Composition Report.
Nexus CompatibilityFor Nexus users, if you upgrade to version 1.13 of the Sonatype CLM Server, you must also upgrade Nexus to version 2.11 or higher. Failure to do so will result in errors in the Nexus CIP due to an incompatibility between CLM and Nexus.Report Viewing and Browser CachingOur recommendation is that the browser’s cache be cleared once the CLM Server has been upgraded to 1.13. This will prevent issues when interacting with previously opened reports.
Without clearing the browser’s cache users may experience undesirable behavior such as HTTP errors, or appear like the report functionality is broken.
This has been corrected in 1.13, and by clearing the browser’s cache as part of this upgrade, it will not be required in future versions.
What’s New in Sonatype CLM 1.13?
Sonatype Data Services
A number of improvements around providing data will be reflected in this release, and will improve the quality of data Sonatype provides. The most notable impact seen in this release includes the update of license related information.
Because of these data related changes, Sonatype recommends all users delete their browsing cache to ensure the latest and most up-to-date information is provided.
A number of new publicly available APIs are now available including API functionality allowing you to:
- Evaluate a component against specific policy.
- Retrieve policy violation information.
- Retrieve report information.
Sonatype CLM Server (Web Application)
As a result of Sonatype Data Services updates, a number of user interface improvements have been made. This includes:
- Dots, dashes, and underscores are now permissible in CLM related names (e.g. Application, Policy, etc.).
- License types available to License Threat Groups.
- Policies that detect unassigned licenses can now be created.
CLM for Hudson and Jenkins
For users of Sonatype CLM for Hudson and Jenkins, users now have the ability to:
Specify CLM stage
Configure if a build fails due to a CLM failure.
This is provided in the latest CLM for Hudson and Jenkins documentation.
CLM for Maven
Scope is now configurable in CLM for Maven. This functionality is described in the latest update of the CLM for Maven documentation.CLM for EclipseSimilar to the CLM for Maven update, CLM for Eclipse now allows scope to be configured. This functionality is described in the latest update of the CLM for Eclipse documentation.
Help and Documentation
While all features and updates described in these release notes are included in the latest documentation, work has been made to improve access to documentation specific to the version of CLM.
Specifically, from this release forward, when clicking on the Help menu item within the CLM Server Web Application, a user will be taken to the matching version of the documentation. Once there, any search of the documentation will only return those results related to that specific version.
- Removed Bulk license and SV editor tools from Application Composition Report.
- Increased max allowed components for CLM scans.
- Allow manual selection of multiple license options for a component via the Application Composition Report.
- Support for Operate phase in the CLM Command Line Scanner (CLI).
- Various Other Bug Fixes.