2017 Release Notes

Oracle Java 8 is now required in order to run Nexus IQ Server and Nexus IQ CLI (previously Java 7 was supported). Using prior versions of Java will fail with an UnsupportedClassVersionError on startup.

The Organization REST API has been enhanced to allow the creation of new organizations via POST operations. The Organization REST API documentation provides more details on usage.

The Nexus IQ CLI now displays the number of archives and files fingerprinted and the duration (in seconds) required to fingerprint them.

Nexus IQ Server 1.41 failed to load fonts and icons when running behind a reverse proxy that changed the web application context path. The forceBaseUrl option now works as intended in such circumstances.

Sonatype encourages the use of the X-Forwarded-Proto and X-Forwarded-Host headers set by proxies to match a user-facing URL. If you are not able to use these headers then please contact our customer support team for assistance on how to force the use of the baseUrl.

The application and component evaluation have been updated to support Java 9 bytecode.

We added support for the new Twistlock CLI tool. The new integration requires at least Twistlock 2.2.100. The old twistlock-scanner Twistlock CLI tool is not supported anymore. If you cannot update to at least Twistlock 2.2.100, you can still use previous versions of Nexus IQ CLI.

The Calculate Trends feature previously available in the IQ Dashboard has been removed.

Setting the baseURL will only change the application URL for email notifications. Requests from any application URL through IQ Server will be maintained. Specifically, proxies should make use of the X-Forwarded-Proto and X-Forwarded-Host headers to match a user-facing URL.

Repeated loads of a Success Metrics Report within the same aggregation interval will now load more quickly due to additional data caching within the IQ Server.

Success Metrics Reports can now be configured to update constantly. Previously, the reports would only update at the beginning of each calendar month. When creating a Success Metrics Report, the user may now choose the aggregation interval for the report, with options of "by calendar month" and "by most recent evaluation." This replaces the "daily aggregations" feature that was added to Success Metrics in the 1.36 release of IQ Server.

The Save Filter modal on the IQ Dashboard has been updated to help the user more clearly distinguish between overwriting an existing filter and saving a filter under a new name.

Manually sorting columns within the IQ Dashboard will now sort over the entire result set instead of only the limited number of rows that are displayed within the browser.

New versions of Maven, Hudson/Jenkins 1.x, and SonarQube plugins have been released to resolve vulnerable, but not exploitable, dependencies.

Component names in the Identified Components section of Lifecycle XC reports have been standardized across several of the supported ecosystems and formats. This improvement aims to bring further clarity to the user in recognizing the reported components.

Users can now configure Success Metrics reports for a specified scope made up of a selection of organizations and applications. The user may either specify exactly what they want or select an option to include all applications. Each user can now have multiple Success Metrics reports, whereas previously only a report for the entire Root Organization was available.

In an effort to reduce redundant policy conditions, the Security Vulnerability present policy condition has been replaced by the Security Vulnerability Severity greater than or equal to 0 policy condition. Additionally, the Security Vulnerability absent policy condition has been removed. If any of your policies use the Security Vulnerability absent policy condition, contact our customer support team or your customer success representative for assistance in changing them before upgrading to ensure a successful migration.

Success Metrics has been updated to calculate aggregations daily for new installations where historical data is limited.

Lifecycle XC (Expanded Coverage) is a new capability of Nexus Lifecycle that utilizes OWASP dependency-check to provide basic coverage for additional languages. Specifically, Nexus IQ CLI features a new option to run in normal (Lifecycle) or XC mode. When XC mode is enabled Nexus IQ CLI will be configured to scan and analyze a different set of ecosystems and formats including Ruby, Swift, CocoaPods, and PHP. For more information, please see the Lifecycle XC topic.

Success Metrics has been updated with a new Components tile that breaks down which components are used across most applications and which components have the most policy violations.

Nexus Repository Manager 3.5.0 enables you to upgrade from Nexus Repository Manager 2.14.5 and retain the state of any proxy repositories that use the audit or quarantine functionality of Nexus Firewall. This version of IQ Server is required to assist the upgrade process for those repositories using Nexus Firewall.

In the toolbar, you can now find a link to Success Metrics, which summarizes important IQ Server activity over the last 12 months. The data is gathered for all organizations and applications you have access to. Please note that you need at least one month of historical evaluation data to generate Success Metrics. They can be disabled by the System Administrator via the System Preferences menu.

Support for the Nexus IQ CLI to load parameters from files has been added. For more information, please see "Loading Parameters from a File" in the Nexus IQ CLI topic.

Starting with this version, Nexus IQ CLI requires Java 7 (was Java 6 before).

The policy coordinate condition has been updated to allow the extension and classifier coordinates to be specified when creating a Maven coordinate condition for a policy constraint. Inputting coordinates has also been changed such that required coordinates must have a value specified whereas optional coordinates can be left empty. For Maven, only the classifier coordinate is optional, and for A-Name only the qualifier coordinate is optional. A coordinate with an empty value will only match a component if it does not have that coordinate. A coordinate with a wildcard value will match a component with any value for that coordinate as well as if it did not have that coordinate.

The Application Categories Filter on the Dashboard now has a new option: "No Category". This option allows the user to explicitly control whether they want applications that are not a member of any category to appear in the Dashboard results. Previously, uncategorized applications would never be included when any specific category filters were selected.

Both Nexus IQ for Bamboo and Nexus IQ for Hudson/Jenkins 1.x suffered from a vulnerability related to the deserialization of XML files that could crash the JVM. This release provides updated versions of those two plugins to resolve the issue.

To facilitate the aforementioned security fix, version 1.4.0 of Nexus IQ for Bamboo now requires at least Bamboo 5.10 as host runtime. This also implies a requirement on Java 8 as needed to run Bamboo.

Likewise, version 2.18.0 of Nexus IQ for Hudson/Jenkins 1.x requires Java 8 as runtime, and versions of Hudson before 3.2.0 are no longer supported.

Please note that in the next few months, we plan to adopt Java 8 as the minimum runtime requirement for all other client integrations and IQ Server itself.

Support for the Nexus IQ Extension for Microsoft Visual Studio has been added to the IQ Server. The extension can be installed from within Microsoft Visual Studio using the Extensions Manager or from the Visual Studio Marketplace.

In the system preferences, system administrators can now configure a system notice. When enabled, the system notice will be displayed in the login dialog as well as on top of every page of the web UI.

The Violations tab on the Dashboard has been enhanced for easier readability. Results are now shown in a single row, and the Latest Report link has its own column for simple access.

This release includes an option to change the behavior of the initial dashboard state to alleviate performance concerns. Contact the product team if you’re interested in trying this feature and providing feedback.

PyPI packages are now supported in Nexus Firewall. Available data includes identification, licenses, and security vulnerabilities.

The Dashboard now allows you to filter its views by the state of a policy violation. That is, you can also include waived violations in your reviews of application health. Likewise, you can exclude all open violations and focus on the effects from policy waivers.

This release extends protection against cross-site request forgery (CSRF) to cover the case where the public REST API of IQ Server is exposed via reverse proxy authentication. As a consequence, clients accessing the REST API in combination with reverse proxy authentication need to be updated to include additional HTTP headers in their requests to IQ Server when these requests can alter data.

To reduce the storage requirements, especially during long-term use, this version of IQ Server no longer archives the binary fingerprints (sonatype-work/clm-server/scan) for all application evaluations. Going forward, only the binary fingerprints for the most recent evaluation of a given application and stage are kept on disk. The fingerprints used for a previous application evaluation at the same stage are automatically deleted.

To address security requirements, the IQ Server user interface now resets to the login state upon session expiration. This results in a loss of in-progress changes when your session times out. The session expires after thirty minutes of inactivity. To avoid loss of changes, complete all tasks prior to the timeout.

Tools and plugins can be configured to use PKI authentication, which delegates authentication to the Java Virtual Machine (JVM). A reverse proxy server is required when using PKI authentication.

A new Nexus IQ for Jenkins 2.x plugin is now available. For Pipeline projects, Nexus IQ for Jenkins 2.x allows for more advanced customization and automation for evaluating a Jenkins Workspace. Nexus IQ for Jenkins 2.x is best suited for new users running Jenkins 2.x.

In this release, protection was added to reverse proxy authentication to address Cross-Site Request Forgery (CSRF) attacks at integration API endpoints. CSRF protection is now enabled specifically for requests authenticated via reverse proxy authentication, including SSO and PKI authentication.

All integrations in the 1.26 release support CSRF protection. Older integrations are not compatible and should be upgraded. If not upgraded, you may need to disable CSRF protection.

The public API is subject to CSRF attacks when made available through reverse proxy authentication. In typical use, the public API is for system-to-system integrations, and in those scenarios reverse proxy authentication is not expected between the two systems. CSRF protection will be added to public APIs exposed via reverse proxy authentication in a future release.

IQ Server now supports authenticating against multiple LDAP servers, each with its own unique configuration. These updates allow you to add, remove, and reorder multiple LDAP servers. Once arranged, authentication searches the ordered list for a positive match on credentials.

Webhooks allow you to integrate IQ Server into your process. For example, you can set up webhooks to fire when application evaluations are complete, letting you automate processes that tie into the IQ Server.

The name of a saved filter is now added to the file name when exporting data.

When you open a saved filter, the filter name now appears at the top of the Manage Filters menu.

JIRA Notifications can now be configured to supply a predefined value to any field via the Custom Fields section. This allows the configuration of JIRA issue types that have required fields that are not configurable through the IQ Server UI.