2020 Release Notes

Sonatype encourages using the most current IQ Server release and not trailing behind more than six months. Release notes for the most current versions can be viewed here.


Release 88 (March 2020)

Recommended Remediation for Transitive Maven Dependencies

The Component Info tab in the Component Information Panel now includes a Recommended Remediation section for transitive dependencies. It provides links to all direct dependencies that brought in the selected component. Available for Maven components only.

Advanced Search (Early Access)

This release includes an Early Access version of Advanced Search. This new search feature provides a flexible way to locate items among your applications. For instance, Advanced Search can help find all applications that are affected by a given security vulnerability.

Component Details REST API Enhancement

The Component Details REST API now includes data about effective component licenses.

Swift/Objective-C and Conda Application Analysis

IQ Server (through CLI) can now be used to evaluate policies against components from dependency files of:

GitHub PR Reviews

GitHub PR reviews add a PR comment that summarizes the violations, affected components, and descriptions of violations introduced in a specific PR, helping developers resolve policy violations effectively and efficiently.

Release 87 (March 2020)

User Tokens REST API Enhancements

The User Tokens REST API exposes endpoints to System Administrators for querying tokens by creation date and supports deletion.

Fix for a critical issue with the Application Report in IQ 86

This release fixes a regression that prevented IQ Server 86 from loading some reports.

Release 86 (March 2020)

Known Issue with the Application Report

There is an issue with IQ Server 86 failing to load some reports.
Customers should avoid upgrading to release 86 and instead upgrade to release 87 or newer.

New REST API for Moving an Application from one Organization to another

An application can now be moved from one organization to another using the REST API. See the Application REST API for details.

C/C++, Ruby and PHP Application Analysis

IQ Server (through CLI, Jenkins and Bamboo plugins) can now be used to evaluate policies against components from dependency files for:

Release 85 (February 2020)

New Component Category Policy Condition

Component Category is now available as a policy condition. See Understanding the Parts of a Policy for details.

New Component Claim REST API

The new Component Claim REST API allows you to view, add, update, and delete component claims.

Extended Stale Waivers REST API

Stale Waivers REST API now returns stale evaluations along with the stale waivers.

Release 84 (February 2020)

Release 83 and Release 84 introduced migration steps in server startup where proxy server and mail server configurations are read from the existing config.yml file and transferred to the database. An issue was discovered which stops IQ Server from successfully starting when the password field for either of these configurations is an empty string. If that is the case for either of your configurations, please comment out the password fields entirely instead of leaving an empty string.

Using the proxy server configuration as an example, instead of having a configuration as below:

proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""

please change your configuration as follows, with password commented out:

proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  # password: ""

No special action is needed if a non-empty password exists. It will be stored in the database encrypted.
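
A pre-upgrade check for the empty-password case described above, as an added example that is not Sonatype's code: it scans config.yml text and comments out password fields set to an empty string under the migrated sections. The `mail` section name, the function name and the sample values are assumptions; only the `proxy` block appears in these notes.

```python
import re

# Sections migrated to the database at startup. "proxy" is shown in the notes;
# "mail" as the key of the mail server section is an assumption.
MIGRATED_SECTIONS = {"proxy", "mail"}

# An indented password key whose value is exactly an empty quoted string.
EMPTY_PASSWORD = re.compile(r"""^(\s+)(password\s*:\s*(?:""|'')\s*(?:#.*)?)$""")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")

# Constructed sample input, not a real configuration.
SAMPLE = '''\
proxy:
  hostname: "proxy.server"
  port: 8081
  username: "proxy-user"
  password: ""
mail:
  hostname: "mail.example.test"
  username: "iq-notify"
  password: "not-empty"
'''


def comment_out_empty_passwords(config_text):
    """Return (new_text, findings); findings holds (line_no, section) per fix."""
    out, findings, section = [], [], None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        top = TOP_LEVEL_KEY.match(line)
        if top:
            section = top.group(1)  # a new top-level block starts here
        m = EMPTY_PASSWORD.match(line)
        if m and section in MIGRATED_SECTIONS:
            # Keep the indentation and comment the key out, as the notes advise.
            line = f"{m.group(1)}# {m.group(2)}"
            findings.append((line_no, section))
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    fixed, found = comment_out_empty_passwords(SAMPLE)
    for line_no, section in found:
        print(f"line {line_no}: empty password under '{section}' commented out")
    print(fixed, end="")
```

Non-empty passwords and lines that are already commented out are left untouched, so the check can be run repeatedly before an upgrade.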

New Stale Waivers REST API

Stale Waivers REST API allows you to retrieve stale application and repository waivers.

To ensure accuracy, the API fails if there are any repository evaluations older than release 76, as new waiver information was added as part of that release. Please re-evaluate all repositories to get a successful response.

Email Server Configuration Verification in Email Server Configuration UI

A sample email can be sent in the Email configuration UI to verify the email server being configured by entering the desired recipient and using the Send Test Email button.

New HTTP Proxy Server Configuration REST API and UI

The proxy server configuration is now configurable via the new HTTP Proxy Server Configuration REST API or via the Proxy Server Configuration View found in System Preferences. Any existing proxy server configuration in config.yml will be migrated and become obsolete.

NPM support for Automated Pull Requests

Nexus IQ for SCM now supports the NPM ecosystem. See Automated Pull Requests for details.

Release 83 (January 2020)

New Email Server Configuration REST API and UI

The email server configuration for email notifications is now configurable via the new Mail REST API or via IQ Server's UI. Any existing email server configuration in config.yml will be migrated and become obsolete.

New Permissions for Waiving Policy Violations, Changing Licenses, and Changing Security Vulnerabilities

Three new permissions, Waive Policy Violations, Change Licenses, and Change Security Vulnerabilities, are now available for (un)waiving policy violations, changing component licenses, and changing component security vulnerabilities. Previously, the Edit IQ Elements permission was required for these operations. All roles that have the Edit IQ Elements permission are automatically updated to have these new permissions.

Binary Fingerprinting Improvements

This release includes improvements to our proprietary advanced binary fingerprinting and will increase scan file sizes up to four times.

SHA-1 Support for Third Party Scanning

The Third-Party Scan REST API and CLI have been extended to support the following feature.

  • Identify components based on SHA-1 value (content hash).

Legacy Application Report Link Moved

The Policy-centric Application Composition Report no longer contains a banner with a link to the legacy version of the Application Composition Report. Instead, the legacy version may now be accessed via the Policy-centric report's Options menu.

Release 82 (January 2020)

Dependency Type Indicators and Filter

The Application Composition Report now displays Dependency Type Indicators for Maven components. Components can be filtered by dependency type using the new Dependency Type filter.

Note: Dependency Type is only supported for Maven components. Reports created prior to January 2, 2020 will show all non-Maven components as a direct dependency type. Once the application is rescanned, the non-Maven components will be shown as unknown dependency types.

New Permission for Changing Access Control

A new Edit Access Control permission was added for managing the access control for applications, organizations and repositories. Previously, the Edit IQ Elements permission was required for access control management. All roles that have the Edit IQ Elements permission are automatically updated to have the new Edit Access Control permission.