Skip to main content

2020 Release Notes

To ensure accuracy, the API fails if there are any repository evaluations older than release 76, as new waiver information was added as part of that release. Please re-evaluate all repositories to get a successful response.

Note

Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months.

IQ Release 103 (December 2020)

InnerSource Insight for Maven

InnerSource dependency analysis allows a user to visualize InnerSource components and their transitive dependencies in a report with links to any associated applications.

Support for Evaluating Java 14 and 15 Applications and Components

The application and component evaluation have been updated to support Java 14 and 15 bytecode.

IQ for SCM supports Gradle Projects

Automated pull request feedback is now available for Gradle projects in all supported Source Control Management platforms.

Read the SCM documentation to learn more about configuring automated PRs, PR reviews, and code line comments to work with Gradle.

Additional columns for Violations Export

Two additional columns have been added to the exported file from the dashboard's violation tab:

  • Reference: contains the CVE or Sonatype code assigned to the vulnerability that caused the policy violation

  • Policy Violation ID: contains the policy violation ID that triggered the violation

IQ Release 102 (November 2020)

Manage User Token

The User Token UI allows each user to manage their User Token directly from the IQ Server.

API to check if the User Token exists

The User Token API has a new endpoint that allows checking if a User Token exists for the current user.

Security Fixes

Fixed an XML External Entity (XXE) vulnerability affecting IQ Server parsing of admin-submitted SAML metadata.

See the CVE-2020-29436 advisory for details.

IQ Release 101 (November 2020)

Lifecycle XC Removed in Nexus IQ CLI

Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC.

New Structure for .NET Pecoff PackageUrl

PackageUrl for pecoff has a new structure. The namespace is part of the qualifiers with the key "nexusnamespace", older versions will not change. More information can be found in our supported formats.

Manifest Evaluation REST API

The Manifest Evaluation REST API provides a way to perform an application policy evaluation on supported manifest files discovered in a source control branch.

Manage Waivers for Violation

The Waivers for Violation page allows viewing, adding, and deleting waivers for a violation.

Time-based Waivers

Now Add Waiver page allows setting an expiration timeframe for the waiver.

Docker Image User Permissions Migration

Note

The nexus-iq-server docker image for IQ version 101 changed the base image from Red Hat UBI (Universal Base Image) to a different Red Hat UBI that includes OpenJDK 1.8. As a result, the UID of the nexus user has changed from uid=998 to uid=997, which will impact access to persistent data.

See our upgrade instructions if you are upgrading to version 101 or later in a docker image.

IQ Release 100 (October 2020)

Advanced Development Pack

Advanced Remediation Strategies, Hygiene Ratings, Breaking Changes, and Release Integrity capabilities are made Generally Available as part of the Advanced Development Pack add-on product license.

Time-based Waivers via APIs

Add Waiver API now has the option to apply an expiry time to waivers as a means to better manage and remove waivers. When the timeframe for the expiry time has been met, the waiver will automatically expire.

IQ Release 99 (September 2020)

GitLab MR Reviews with Line Comments

GitLab MR reviews now provide MR line comments, noting the exact line of code that caused a policy violation. Supplemented with the summary of policy violations for a specific MR, developers have all the information at their fingertips to innovate with peace of mind.

IQ Release 98 (September 2020)

Improvements to Golang Application Analysis

IQ Server (through CLI) now supports evaluating policies against Go components defined in a Gopkg.lock file.

Automatic Migration to Root Organization

Installations that have not yet been created and configured in the Root Organization will automatically be migrated to a Root Organization with no policies defined.

Note

If you have not yet migrated and wish to use policies from an existing organization at the Root Organization level, it is recommended to do this before upgrading.

Automatic Update of Advanced Search Index

Previously, the search index had to be rebuilt manually to ensure search results reflected the latest policy configuration and application data. This release starts adding an incremental update of the search index that runs automatically when the application data is changed. Automatic indexing currently covers organizations, applications, application categories, component labels, policies, and security vulnerabilities found during policy evaluations.

Drop Requests with Unsafe Characters

IQ Server now drops inbound requests containing in-the-path characters known to be used for unsafe purposes (semicolons, backslash, and unescaped non-ASCII characters).

GitLab MR Reviews

GitLab MR reviews provide an MR comment with a summary of violations, affected components, and a description of violations introduced in that specific MR to help developers resolve policy violations effectively and efficiently.

User Sessions Maintained on Restart

IQ Server user sessions are now kept when the server is stopped such that they can continue to be used when the server is restarted as long as they have not timed out.

Applicable Waivers REST API

The Applicable Waivers REST API enables retrieval of all the waivers applicable to a given policy violation.

New Add Waiver page

The Add Waiver page provides the ability to apply a waiver against a policy violation from two different workflows. You can access the Add Waiver page either directly from the Application Report or from the Violation Details page.

SAML Destination Field Required for Signed Messages

The SAML implementation in IQ Server has been updated and now requires the "Destination" field to be set if the SAML messages (request/response) are signed. This is in accordance with the SAML specification and if not done you may encounter an authentication error.

IQ Release 97 (August 2020)

Repository Policy Violation Notifications

Email notifications for repository policy violations are sent now when the policy violation is detected instead of periodically.

New Security Vulnerability Category Policy Condition

Security Vulnerability Category is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.

Security Vulnerability Override REST API

The addition of the Security Vulnerability Override API now allows security vulnerability status overrides to be retrieved alongside information about the components where they are currently taking effect.

Add Waiver REST API

Policy Waiver REST API allows adding waivers with Application, Organization, or Root Organization scope. The API has the option to apply a waiver to all components with matching policy violations.

Automated Pull Requests for GitLab

Support Automated Pull Requests for GitLab where pull requests are automatically created for policy violations with suggested remediation.

Source Control Configuration Test Button

Check the configuration of your source control setup for appropriate permissions for pull requests.

Automated Pull Requests Daily Activity View

Show recent automated pull request activity in the source control configuration screen.

IQ Release 96 (July 2020)

New Dependency Type Policy Condition

Dependency Type is now available as a policy condition. See Understanding the Parts of a Policy for details and Policy Management.

Improvements to Application Analysis

IQ Server (through CLI) now supports evaluating policies against

  • C/C++ components are defined in a conaninfo.txt file.

  • Go components are defined in a go.list file.

Performance Improvements for Accessing LDAP Servers

Various performance improvements for accessing LDAP servers

Fix Report Data Rendering Containing PE/COFF Data

Some PE/COFF component report data (raw/PDF-printed) and Component Information Panel (CIP) data may cause errors in rendering. The application log file would have contained messages such as MalformedPackageURLException: Segments in the namespace and the subpath may not be empty. This rendering problem is now resolved.

IQ Release 95 (July 2020)

Components Identified by Package Manifest

Components found in a manifest that were previously unknown by Sonatype will be shown in the CIP as identified by "Package Manifest" displaying the given coordinates in the scanned file.

.NET improvements

Nuget data matching has been enhanced with PE (Portable Executable)/COFF (Common Objective File Format) data:

  • The best-fit matching is replaced with DLL pecoff matching.

  • Exact matching to the .nupkg archive and for each .dll pecoff signature.

With the enhanced data, the identification of the following extensions is now supported: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp

Improved Reports Page Performance

The Reporting Area in IQ Server's UI is now paged, increasing performance by decreasing load time.

Various Performance Improvements

Improved the performance in various areas (UI, REST APIs, etc).

New Option to Ignore LDAP Referrals

The configuration for LDAP connections now features an additional option to control how LDAP referrals are handled.

PR Reviews with Line Comments

PR reviews available in GitHub and BitBucket now provide PR line comments, noting the exact line that introduced a policy violation. Supplemented with the summary of policy violations for a specific PR, developers have all the information at their fingertips to innovate with peace of mind.

Improved Dashboard Filter Management

The UI for saving, loading, and deleting Dashboard filters is simplified. Now the Save button is accessible directly in the sidebar footer. Saved filters can be loaded and deleted from the single dropdown menu.

IQ Release 94 (June 2020)

C/C++ Application Analysis to Support conanfile.py Files

IQ Server (through CLI) can now be used to evaluate policies against components defined in a conanfile.py file.

Cross-stage Violation REST API

Policy violations can now be retrieved using the Cross-stage violation API to get information on a particular policy violation across the different stages of the lifecycle.

New Violation Details Page

Centralized access point for policy violation information. It can be accessed from the Dashboard to obtain detailed information on a specific policy violation for an application, including report information across different stages of the lifecycle.

Permission-aware Results from Advanced Search

The Advanced Search is still an early access feature but one of its caveats has now been resolved: Search results are now filtered to only include those records the user has "View" permission for.

IQ Release 93 (June 2020)

Non-Failing Version Recommendation in CIP

An additional recommended version is added to Component Info - Next version with no build failure violations.

IQ Release 92 (May 2020)

Performance Improvements with External Databases

Improved the performance when using an external database for policy evaluations, application reports UI, application reports, and other REST APIs.

Use of TLS for Static Resources Referenced by Email Notifications

The static resources like images that are needed to view email notifications are now retrieved via HTTPS instead of HTTP. Please make sure your network allows outbound connections as detailed in Configuring Outbound Traffic.

Policy Waiver REST API Enhancement

Policy Waivers can now be retrieved using the updated Policy Waivers REST API.

IQ Release 91 (May 2020)

New REST API for Application Categories

Application Categories can now be managed using the REST API.

Improved Policy Evaluation Performance with External Databases

Improved the performance of policy evaluations when using an external database.

Yum Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of Yum

New Data Source Policy Condition

Data Source is now available as a policy condition.

Nexus Firewall Support of New Languages/Ecosystems

Firewall is extended to support packages of the following languages/ecosystems:

  • PHP (Composer)

  • Swift/Objective-C (Cocoapods)

  • Conda

  • Alpine (APK)

  • Bower

  • CRAN (R)

  • Debian (APT)

  • C/C++ (Conan)

It is recommended to upgrade to the latest Reference Policy Set (reference-policies-v4) with the Component-Unknown policy changes.

IQ Release 90 (April 2020)

Policy Waiver REST API Enhancement

Policy Waivers can now be deleted using the updated Policy Waivers REST API.

Component Labels REST API Enhancement

Component Labels can now be managed using the updated Component Labels REST API.

Alpine, Drupal, and Debian Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:

  • Alpine

  • Debian

  • Drupal

Automated Pull Requests and Build Status for Bitbucket Server and Bitbucket Clou

Support for both Bitbucket Server and Bitbucket Cloud has been added to Automated Pull Requests and Build Status.

Improved Storage for Firewall Data

The storage for Firewall data has been refactored to be faster and to require less disk space. A small performance impact may be noticed after the upgrade (for a few hours) until the existing data is migrated.

IQ Release 89 (April 2020)

Component Evaluation REST API Enhancement

The Component Evaluation REST API now includes data about effective component licenses.

Report-related REST API Enhancement

The Report-related REST API now includes data about effective component licenses.

R and Rust Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:

  • R (CRAN)

  • Rust (Cargo)

New PDF Report

The look and feel of the PDF Report for the Application Composition Report has been updated and streamlined to align more with the IQ Server's UI. This increases its focus on essential information in addition to improving PDF generation performance.

IQ Release 88 (March 2020)

Recommended Remediation for Transitive Maven Dependencies

Now the Component Info tab in the Component Information Panel adds a Recommended Remediation section for transitive dependencies. It provides links to all direct dependencies that are brought in the selected component. Available for maven components only.

Advanced Search (Early Access)

This release includes an Early Access version of Advanced Search. This new search feature provides a flexible way to locate items among your applications. For instance, Advanced Search can help find all applications that are affected by a given security vulnerability.

Component Details REST API Enhancement

The Component Details REST API now includes data about effective component licenses.

Swift/Objective-C and Conda Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:

  • Swift/Objective-C CocoaPods

  • Conda

GitHub PR Reviews

GitHub PR reviews provide a PR comment to provide a summary of violations, affected components, and a description of violations introduced in a specific PR to help developers resolve policy violations effectively and efficiently.

IQ Release 87 (March 2020)

User Tokens REST API Enhancements

User Tokens REST API exposes endpoints to System Administrators for querying tokens by creation date and supports deletion.

Fix for a critical issue with the Application Report in IQ 86

This release fixes a regression that prevented IQ Server 86 from loading some reports.

IQ Release 86 (March 2020)

Warning

There is an issue with IQ Server 86 failing to load some reports.

Customers should avoid upgrading to release 86 and instead upgrade to release 87 or newer.

New REST API for Moving an Application from one Organization to another

An application can now be moved from one organization to another using the REST API.

C/C++, Ruby, and PHP Application Analysis

IQ Server (through CLI, Jenkins, and Bamboo plugins) can now be used to evaluate policies against components from dependencies files for:

  • C/C++ Conan

  • PHP Composer

  • RubyGems

IQ Release 85 (February 2020)

Component Category Policy Condition

Component Category is now available as a policy condition.

New Component Claim REST API

The Component Claim REST API allows you to view, add, update, and delete component claims.

Extended Stale Waivers REST API

Stale Waivers REST API now returns stale evaluations along with the stale waivers.

IQ Release 84 (February 2020)

Note

Release 83 and Release 84 introduced migration steps in server startup where proxy server and mail server configurations are read from the existing config.yml file and transferred to the database. An issue was discovered that stops IQ Server from successfully starting when the password field for either of these configurations is an empty string. If that is the case for either of your configurations please comment out the password fields entirely instead of having an empty string.

Using the proxy server configuration as an example, instead of having a configuration as below:

proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""

please configure your configuration as follows where the password is commented out:

proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  # password: ""

No special action is needed if a non-empty password exists. It will be stored in the database encrypted.

Stale Waivers REST API

Stale Waivers REST API allows you to retrieve stale application and repository waivers.

Note

To ensure accuracy, the API fails if there are any repository evaluations older than release 76, as new waiver information was added as part of that release. Please re-evaluate all repositories to get a successful response.

Email Server Configuration Verification in Email Server Configuration UI

A sample email can be sent in the Email configuration UI to verify the email server being configured by entering the desired recipient and using the Send Test Email button.

HTTP Proxy Server Configuration REST API and UI

The proxy server configuration is now configurable via the HTTP Proxy Server Configuration REST API or via the Proxy Server Configuration View found in System Preferences. Any existing proxy server configuration in config.yml will be migrated and become obsolete.

NPM support for Automated Pull Requests

Nexus IQ for SCM now supports the NPM ecosystem.

IQ Release 83 (January 2020)

New Email Server Configuration REST API and UI

The email server configuration for email notifications is now configurable via the new Mail REST API or via IQ Server's UI. Any existing email server configuration in config.yml will be migrated and become obsolete.

New Permissions for Waiving Policy Violations, Changing Licenses, and Changing Security Vulnerabilities

Three new permissions Waive Policy Violations, Change Licenses, and Change Security Vulnerabilities are now available for (un)waiving policy violations, changing component licenses, and changing component security vulnerabilities. Previously, the Edit IQ Elements permission was required for these operations. All roles that have the Edit IQ Elements permission are automatically updated to have these new permissions.

Binary Fingerprinting Improvements

This release includes improvements to our proprietary advanced binary fingerprinting and will increase scan file sizes up to four times.

SHA-1 Support for Third-Party Scanning

The Third-Party Scan REST API and CLI have been extended to support identifying components based on SHA-1 value (content hash).

Legacy Application Report Link Moved

The Policy-centric Application Composition Report no longer contains a banner with a link to the legacy version of the Application Composition Report. Instead, the legacy version may now be accessed via the Policy-centric report's Options menu.

IQ Release 82 (January 2020)

Dependency Type Indicators and Filte

Application Composition Report now displays Dependency Type Indicators for maven components. Components can be filtered by dependency type using the new Dependency Type filter.

Note: Dependency Type is only supported for maven components. Reports created prior to January 2, 2020, will show all non-maven components as a direct dependency type. Once the application is rescanned, the non-maven components will be shown as unknown dependency types.

New Permission for Changing Access Control

A new Edit Access Control permission was added for managing the access control for applications, organizations, and repositories. Previously, the Edit IQ Elements permission was required for access control management. All roles that have the Edit IQ Elements permission are automatically updated to have the new Edit Access Control permission.