2021 Release Notes

Sonatype encourages using the most current IQ Server release and not trailing behind by more than six months. Release notes for the most current versions can be viewed here.

Release 113 (April 2021)

Fix for Advanced Legal Pack Attribution Reports That Contain InnerSource Components

Fixed a critical error that prevented attribution report generation for applications that contained an InnerSource component.

Availability of Nexus IQ CLI as Debian/Ubuntu and Homebrew Packages

The Nexus IQ CLI binaries are now available to be installed as a deb package on Debian/Ubuntu-based Linux systems, and as a Homebrew package on macOS. See the download page for installation instructions.

Release 112 (April 2021)

Enhanced Navigation Experience

As of this release, the navigation has been moved to the left side of the screen, and the Dashboard Filter is now accessible via the "Filter" button on the upper right side of the Dashboard results pages. You can read more about it in this Sonatype Community Post.

Support for Evaluating Java 16 Applications and Components

Application and component evaluation has been updated to support Java 16 bytecode.

Release 111 (April 2021)

Fix for HTTPS/SSL Evaluations with Large Files

Fixed an error where evaluating a large file could cause an exception if IQ Server is configured to use HTTPS/SSL.

Advanced Remediation Strategies in IQ for SCM

Advanced Remediation Strategies are available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

Release 110 (April 2021)

Fix for Evaluating Java 14 and Higher Binaries from the UI

Fixed an error that occurred when evaluating, from the UI, a binary compiled with Java 14 or higher.

Release 109 (April 2021)

Easy SCM Onboarding

Allows users to quickly create IQ applications for the repositories IQ Server detects in their configured source control management (SCM) system.

Instant Risk Profile

Performs an initial IQ Server scan of the contents of source control repositories for new IQ applications created by SCM Easy Onboarding.

Continuous Risk Assessment

As new pull requests are detected for IQ applications, IQ Server may perform a one-time source control scan of the feature branch associated with the pull request and comment on the pull request if new vulnerabilities are discovered or if existing ones have been remediated. This source control scan is only performed if the customer's CI system is not otherwise initiating scans and policy evaluations for the given application.

Release 108 (March 2021)

Breaking Changes Information in IQ for SCM

Breaking changes information is available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

Application Reports

Added "Triggered by" information to application reports.

Advanced Legal Pack Initial Release

Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:

  • Automation of attribution reports that comply with 90+% of OSS obligations.
  • Enhanced legal data pertinent to obligations (e.g. all copyright statements, all notice statements, and all license texts found in a component).
  • Legal workflow to resolve license obligations (per component, per license).
  • Ability to save attribution and obligation resolutions on a per component, per license basis at the organization or application level.
  • Ability to customize and edit attribution reporting as needed.

Release 107 (March 2021)

Java Manifest Application Analysis

IQ Server (through the CLI) now supports evaluating policies against Java components declared in pom.xml and build.gradle files.

Performance Improvements

  • Various bug fixes and performance enhancements.

Release 106 (February 2021)

Namespace Confusion Protection

Nexus users can now automate protection against dependency/namespace confusion at scale by connecting Nexus IQ Server's policy management and component intelligence data with proxy repositories in Nexus Repository Manager.

For more details, check out our demo video to see how Nexus users can start protecting against dependency/namespace confusion attacks at scale.

Improvements to Manifest Analysis

  • Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
  • Updated CLI scanner to parse package-lock.json files stored inside an archive.
  • Fixed parsing errors when scanning yarn.lock and csproj files.
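To make the namespace-confusion and package-lock.json items above concrete, here is an added example; it is not Sonatype's code and not how IQ Server or Nexus Repository Manager implement these features. It parses a package-lock.json offline (both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat map), skips development-only dependencies as the CLI scanner now does, and flags packages in a private scope that were resolved from a host other than the organisation's private registry, which is the trace a dependency/namespace confusion attack leaves in a lockfile. The @acme scope, the npm.acme.internal host and both sample lockfiles are constructed for the example.

```python
"""Offline namespace-confusion check over an npm package-lock.json.

Hypothetical example code: the scopes, hosts and lockfile contents below
are constructed, and nothing here is Sonatype's implementation.
"""
import json
import sys
from urllib.parse import urlparse

# Assumed organisation policy: everything under @acme must come from
# the private registry, never from a public one.
PRIVATE_SCOPES = {"@acme"}
PRIVATE_REGISTRY_HOSTS = {"npm.acme.internal"}

# Constructed lockfileVersion 1 sample. @acme/auth-client carries the
# absurdly high version a dependency-confusion attacker would publish.
SAMPLE_LOCK_V1 = {
    "name": "billing-service", "lockfileVersion": 1,
    "dependencies": {
        "@acme/ui-kit": {"version": "2.1.0",
                         "resolved": "https://npm.acme.internal/@acme/ui-kit/-/ui-kit-2.1.0.tgz"},
        "@acme/auth-client": {"version": "99.9.9",
                              "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.9.9.tgz"},
        "lodash": {"version": "4.17.21",
                   "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
                   "dependencies": {  # transitive dependency pulled from the public registry
                       "@acme/leaked-helper": {"version": "1.0.0",
                                               "resolved": "https://registry.npmjs.org/@acme/leaked-helper/-/leaked-helper-1.0.0.tgz"}}},
        "jest": {"version": "26.6.3", "dev": True,
                 "resolved": "https://registry.npmjs.org/jest/-/jest-26.6.3.tgz"},
        "@acme/test-utils": {"version": "3.0.0", "dev": True,  # dev-only, so out of scope
                             "resolved": "https://registry.npmjs.org/@acme/test-utils/-/test-utils-3.0.0.tgz"},
    },
}

# Constructed lockfileVersion 2 sample of the same project shape.
SAMPLE_LOCK_V2 = {
    "name": "billing-service", "lockfileVersion": 2,
    "packages": {
        "": {"name": "billing-service"},
        "node_modules/@acme/auth-client": {"version": "99.9.9",
                                           "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.9.9.tgz"},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/@acme/test-utils": {"version": "3.0.0", "dev": True,
                                          "resolved": "https://registry.npmjs.org/@acme/test-utils/-/test-utils-3.0.0.tgz"},
    },
}


def iter_locked_packages(lock):
    """Yield (name, version, resolved_url, is_dev) for every locked package."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "":  # the root project entry, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), meta.get("resolved"), bool(meta.get("dev"))
        return

    def walk(deps):  # lockfileVersion 1: nested 'dependencies' tree
        for name, meta in deps.items():
            yield name, meta.get("version"), meta.get("resolved"), bool(meta.get("dev"))
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def production_components(lock):
    """Sorted names of non-dev packages, i.e. what a production-scope scan covers."""
    return sorted(name for name, _, _, dev in iter_locked_packages(lock) if not dev)


def namespace_confusion_findings(lock):
    """Private-scope packages resolved from outside the private registry,
    as (name, version, host) tuples, ignoring development-only dependencies."""
    findings = []
    for name, version, resolved, dev in iter_locked_packages(lock):
        if dev:
            continue
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope not in PRIVATE_SCOPES:
            continue
        host = urlparse(resolved).hostname if resolved else None
        if host not in PRIVATE_REGISTRY_HOSTS:
            findings.append((name, version, host))
    return findings


if __name__ == "__main__":
    # Pass a real package-lock.json path to scan it; otherwise use the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V1
    for name, version, host in namespace_confusion_findings(lock):
        print(f"POSSIBLE NAMESPACE CONFUSION: {name}@{version} resolved from {host}")
```

A lockfile that records a public host for a private scope is evidence of a past resolution, not a policy; the durable fix is the one the release describes, a proxy repository that refuses to serve those names from upstream, with a check like this run in CI to catch lockfiles committed before that control existed.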

Release 105 (February 2021)

Performance Improvements

  • Various bug fixes and performance enhancements.
  • Fixed an edge case while using the external database where the application would run into a deadlock and cause the database pool to be exhausted.

Fixed NuGet Manifest Scanning Issue

Fixed Initialization error in NuGet manifest scanning with CLI.

Release 104 (January 2021)

Fix for GZip Expansion Vulnerability

Releases 86 to 103 (inclusive) of IQ Server are affected by CVE-2020-27218, a security vulnerability that allows an attacker to inject data into the body of a request. We advise you to update your IQ Server to this new release, which contains the required fix.

Update to Third-Party Scan REST API

Third-Party Scan REST API responses now contain additional report URLs to aid navigation.

IQ for SCM supports Go Projects

Automated pull request feedback is now available for Go projects in all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Go.

InnerSource Insight Improvements

InnerSource Insight was improved and now supports:

  • The Dependency Type policy condition can now tune policy using the InnerSource dependency type; please click here for more information.
  • Improved detection of proprietary modules that are not demarcated as InnerSource (instead of marking them as “unknown”).
  • Better detection of Direct Dependencies when they are associated with both an InnerSource component and the parent application. Please check InnerSource Insight doc for more information.

NPM and NuGet Manifest Application Analysis

IQ Server (through CLI) now supports evaluating policies against: