2016 Release Notes

The IQ Server provides extended functionality to a number of tools (e.g. Nexus Repository Manager, Nexus IQ for Hudson/Jenkins 1.x, Nexus IQ for Bamboo, IQ for Eclipse, CLM for Maven, etc.). Authentication and authorization were added in version 1.14 of IQ Server, but disabled by default for backward compatibility.

Starting in version 1.24, this is now enabled by default; it forces tools to provide authentication details. While not recommended, if you need to preserve previous functionality, the IQ Server can be configured to allow anonymous access for all tools.

The affected tools include:

You can now use the Nexus IQ CLI to evaluate Docker images in a Twistlock environment. Twistlock version 1.5.56 or newer is required for this integration.

The Dashboard’s View menu now has an Export Violations Data button that lets you download data displayed in the current view to a .CSV file for use in spreadsheets.

The Filter menu on the left side of the Dashboard has a new Manage Filters menu. From here you can save Dashboard filter criteria allowing for recall and repeated use. Multiple saved filters can be created using different names.

The Dashboard Results now provide a heatmap representation of risk to highlight areas of concern. Results with lower risk are a light shade of blue and results with higher risk are a darker shade.

The IntelliJ IDEA Plugin has been updated to support the global configuration of the IQ Server.

Fixed a cross-site scripting (XSS) vulnerability exposed via the display of usernames.

The Dashboard has a new look that reduces visual noise and makes it easier to see the overall health of components used in your development cycle.

The Filter menu on the left side of the Dashboard has a new filter called Organizations. It allows you to view violations from one or more organizations, which includes violations from any applications attached to the organization(s).

IQ Server now provides JavaScript component data for application evaluations just like it does for Java components (in addition to the existing npm JavaScript package support for repositories). Refer to the in-product announcement for known issues and updates.

REST APIs v1 had the limitation of working only with Maven components while v2 works with any Java components and (as of IQ Server 1.23) JavaScript components. Be sure to review the paths or URLs in your REST calls, and update them to v2 as needed. Any remaining v1 calls will return a “404 Not Found” message.

The following plugins were updated to resolve a vulnerability: Sonatype CLM for Maven, Nexus IQ for Bamboo, and Nexus IQ for Hudson/Jenkins 1.x.

Proprietary components can now be defined at any level in the system hierarchy: Root organization, organization, or application. In addition, the configuration features for proprietary components have moved from the System Preferences menu to the Organization & Policy area.

If you use any of the following plug-ins, it’s recommended that you install the latest version of the plug-in to take advantage of the changes to proprietary components configuration:

On the Dashboard, it’s now easier to see which filters are active and which are not. The following filter behaviors have been added:

When all items of a filter are selected, a total count is shown.

When only some items of a filter are selected, a counter (e.g. "2 of 4") is displayed.

When no filter items are available for selection, the filter is disabled.

The names of a few security roles and permissions have been updated as follows:

The CLM Administrator is now the Policy Administrator.

The Edit CLM Elements permission is now Edit IQ Elements.

The View CLM Elements permission is now View IQ Elements.

A Quick Start Guide for Nexus IQ Server has been added to the documentation. It’ll help you get IQ Server up and running in minutes for the purpose of trying out its features before installing it in your development environment.

The ability to send notifications when a new component violates policy in an audited repository has been added.

In the Policy Editor, Notifications and Actions have been split into separate sections. See the Basic Policy Management chapter for details.

In the Organization & Policy area, two commands have been added to the Actions menu:

Add ID to Clipboard - To copy the Application ID to the Clipboard for easy use when configuring an IQ Server plugin.

Change App ID - To change the Application ID for use with IQ Server plugins.

The Application ID now appears next to the Application Name near the top of the Organization & Policy area.

In the Dashboard area, the design of filters has been updated.

The configuration file (config.yml) for IQ Server shipped with this release contains updated defaults for the number of log files to archive (archivedFileCount). To ease troubleshooting, both the server and request logs have been archived for the past 50 days. We recommend that customers with existing installations of IQ Server adopt this change for their configuration files after verifying that the disk holding the log files has sufficient free space left to account for the slight increase in storage requirements.

Pre-Authentication Deserialization Vulnerability - Versions of IQ Server prior to version 1.18 are vulnerable to remote code execution via a deserialization bug. The affected library was upgraded in IQ Server 1.18, reducing the impact, but other exploits involving deserialization may exist.

IQ Server 1.21 implements a complete fix by removing access to the deserialization functionality. We recommend you upgrade to IQ Server 1.21 as soon as possible.

HTTP Header Vulnerability - All previous versions of IQ Server up to and including 1.20 are vulnerable to an attack due to HTTP Host header value injection. We recommend you upgrade to IQ Server 1.21 as soon as possible.

The Nexus Firewall solution now has the ability to release a component from quarantine. Also, you can now override a vulnerability of a repository component. For more details, see the IQ for Nexus Repository Manager chapter.

IQ Server configuration features have a new user interface designed to make it easier to configure policies, organize system hierarchy, and manage user access. In the Organization & Policies area, several items have been renamed:

There are a few additions to managing user access:

You now have the ability to move an application from one organization to another. This makes it easier to reorganize the IQ Server system hierarchy when needed.

For component data, there’s a new license type called Not-Supported. It indicates that Sonatype or the target ecosystem does not currently support automated license collection for a component’s format.

In addition, the Sonatype Data Research group is now providing the following data:

The Nexus IQ for Bamboo plug-in has been updated to version 1.0.6. It fixes an error that can occur when connecting the Bamboo plug-in to IQ Server over SSL.

The loading times for the Dashboard, Reporting, and Organization & Policies areas have been significantly reduced, especially for systems with large data sets. If you have hundreds or thousands of organizations and applications, you should see faster loading of the Dashboard, reports, and configuration features. The Dashboard also has simplified summary results at the top, which makes it easier for you to focus on the Risk section.

Several changes were made to the Firewall solution:

Users of the Nexus Auditor solution can now access the Nexus IQ CLI features, which were previously available only for the Nexus Lifecycle solution.

npm packages are now supported in the Firewall. Available data includes identification, licenses, and vulnerabilities.

IQ Server has a new icon that appears on the IQ Server toolbar and its browser tab.

The scope of analytics information collected by IQ Server for proprietary packages is narrower. This change is incorporated into all IQ plugins.

The IQ Server Application Composition Report and Repository Results include additional information for Sonatype vulnerability types.

The SonarQube plugin version 1.0.4 now includes support for SonarQube 5.2 and 5.3.