2021 Release Notes

An issue with the SCM onboarding feature has been fixed, where the onboarding process could not load all unarchived repositories if there is a large number of archived repositories in a git organization.

Application dependency tree data for Java & NPM components is now available using the Report REST APIs

Nexus IQ Server does not use log4j versions and uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability existing in "logback", we're taking precautionary measures by updating the logback library version used in Nexus IQ products.

Cran and Cargo data have been improved for both Lifecycle and Firewall.

Conda data has been improved for both Lifecycle and Firewall. Adopt the updated command and file for better results, refer to Conda Application Analysis for more information.

The Application PDF Report now lists the Effective, Declared, and Observed licenses separately in the Licenses table and indicates if an Effective license is Overridden.

Added some performance improvements affecting component remediation (both UI and API).

Fixed an issue that could cause the legal tab on the component details page to not load for some components.

This new Component Details Page is a fully redesigned experience within a singularly dedicated page. This new page provides an improved layout, new comparison functionality to better identify ideal component versions, an increased focus on waiver statuses, and dedicated Security and Legal tabs.

Fixed an issue that caused attribution report generation to fail when a report contained an InnerSource or proprietary component.

Users can now reset an organization or application source control configuration.

The license tab in the Component Information Panel (CIP) now contains a link from that tab to the component's legal obligation details page in the Advanced Legal Pack. This is useful for legal reviewers who are attempting to remediate legal policy violations from a Firewall report, an IDE integration, or a policy evaluation.

The Advanced Legal Pack (ALP) now allows users to customize their attribution reports. Initial options allow users to add custom headers, footers, titles, and various appendixes. The ability to include standard license text as an appendix can reduce report sizes by as much as 80% and the ability to include generic legal text allows users to include legacy third-party notices or legacy attribution reports with the newer ALP attribution reports.

The Manifest Evaluation REST API was deprecated in favor of the new Source Control Evaluation REST API, which is 100% backward compatible.

SSH is now supported as a transport protocol for Git operations in IQ for SCM.

A potential regression in policy evaluation performance introduced in Release 104 has been mitigated. This reduces the chance of lock timeout exceptions especially when using the default embedded H2 database.

Two new options were added to the Source Control Configuration to allow users to enable or disable pull request commenting and IQ-initiated source control evaluations.

The policy evaluation selection for Pull Request Commenting has been optimized.

Conan data and matching have been improved for both Lifecycle and Firewall.

NPM Dependency Information detection has been improved to display more accurate results.

The repository configured under source control has been made more visible in the Organizations and Applications view.

The Easy SCM Onboardingfor Bitbucket Server has received some performance improvements.

The policy result for a scan is now available in the Azure DevOps pull request screen. This enables target branch protection for Azure DevOps.

The application and component evaluation have been updated to support Java 17 bytecode.

Fixed an issue with the Source Control REST API whereby some fields in the response JSON had been renamed. The previous names have been restored.

Fixed an issue with some NPM scans that were causing IQ Server 122 evaluations to fail when reading dependency information.

NPM project scans with manifests allow the displaying of dependency information for NPM components (Direct and Transitive).

Refer to npm Application Analysis and Application Composition Report for more information.

InnerSource dependency analysis allows a user to visualize NPM InnerSource components and their transitive dependencies in a report with links to any associated applications.

Refer to InnerSource Insight for more information.

Reports containing InnerSource Insight components will have more and better information about their transitive dependencies and relationships.

Refer to InnerSource Insight and the Component Information Panel for more information.

IQ Server now has the ability to group waive InnerSource transitive policy violations.

IQ report filters now allow filtering by a component's InnerSource status.

Support for Azure DevOps in Automated Pull Requests, Pull Request Commenting, and Automated Commit Feedback.

In this version, we have addressed a few bugs in IQ and made some performance improvements.

Continuous Risk Profile keeps default branch policy evaluations up to date with fresh source control policy evaluations regularly (configurable). In addition, IQ server will keep feature branch policy evaluations updated with new source control policy evaluations as new commits are made to those feature branches (assuming a pull request exists for that feature branch).

IQ for SCM makes use of 'gradle.properties' files in providing SCM feedback.

CycloneDX SBOM scans using the Third-Party Scan REST API and CLI have been improved to display better results in the report and some bugs have been fixed as well.

IQ Server (through CLI) can now be used to evaluate policies against components from the dependency file of a Swift Application Analysis.

Starting June 30, Nexus Lifecycle and Nexus Firewall users may experience a change in CocoaPods results due to some major improvements to our identity and security data services.

Fixed an issue where using the Component Search REST API could render application reports inaccessible without setting the experimental feature flag componentSearchApiWithInnerSource to false. It is now safe to remove this flag or to set it to true.

The Third-Party Scan REST API, CycloneDX Application Analysis, and View SBOM option have been extended to support the schema version CycloneDX 1.3 for XML format.

experimentalFeatures:
  componentSearchApiWithInnerSource: false

Fixes a regression for automatic pull requests when using Linux or Mac and the native git support.

Dependency data for Java components is now available using the Report REST APIs and Component Search REST API.

Options Dropdown in the evaluation report allows you to view the component bill of materials of the report in CycloneDx REST API.

IQ Server (through CLI) now supports evaluating policies against Python components defined in poetry.lock files.

IQ Server now allows the configuration of multiple source code management systems.

The Third-Party Scan REST API and CycloneDX Application Analysis have been extended to support the schema version CycloneDX 1.2 for XML format.

This add-on to Nexus Lifecycle will help you automatically comply with the components’ terms of use.

This new product from Sonatype helps you stop known risks, novel malware, and 0-day attacks from being downloaded into your repositories.

Fixed a critical error that prevented attribution report generation for applications that contained an InnerSource component.

The Nexus IQ CLI binaries are now available to be installed as a deb package on Debian/Ubuntu-based Linux systems and as a Homebrew package on Mac OSX.

As of this release, the navigation has been moved to the left side of the screen and the Dashboard Filter is now accessible via the "Filter" button on the upper right side of the Lifecycle Dashboard pages.

The application and component evaluation have been updated to support Java 16 bytecode.

Fixed an error where evaluating a large file could cause an exception if IQ Server is configured to use HTTPS/SSL.

Advanced Remediation Strategies are available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

Fixed an error occurring when evaluating a binary file from UI compiled with Java 14 or higher.

Allows users to quickly create IQ applications for the repositories IQ Server detects in their configured source control management (SCM) system.

Performs an initial IQ Server scan of the contents of source control repositories for new IQ applications created by SCM Easy Onboarding.

As new pull requests are detected for IQ applications IQ Server may perform a one-time source control scan of the feature branch associated with the pull request and comment on the pull request if new vulnerabilities are discovered or if existing ones have been remediated. This source control scan will only be performed if the customer's CI system is not otherwise initiating scans and policy evaluations for the given application.

Breaking changes information is available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.

Added "Triggered by" information to application reports.

Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:

IQ Server (through CLI) now supports evaluating policies against Java components in pom.xml and build.gradle files

Nexus users can now automate protection against dependency/namespace conflict at scale by connecting Nexus IQ Server's policy management and component intelligence data with proxy repositories in Nexus Repository Manager.

For more details, check out our demo video to see how Nexus users can start protecting against dependency/namespace confusion attacks at scale.

Fixed Initialization error in NuGet manifest scanning with CLI.

Release 86 to 103 (inclusive) of IQ Server suffer from CVE-2020-27218 a security vulnerability that allows an attacker to inject data into the body of the request. We advise you to update your IQ Server to this new release which contains the required fix.

Third-Party Scan REST API responses now contain additional report URLs to aid navigation.

Automated pull request feedback is now available for Go projects in all supported Source Control Management platforms.

InnerSource Insight was improved and now supports:

IQ Server (through CLI) now supports evaluating policies against: