2021 Release Notes
Sonatype encourages using the most current IQ Server release and not trailing behind by more than six months. Release notes for the most current versions can be viewed here.
Release 113 (April 2021)
Fix for Advanced Legal Pack Attribution Reports That Contain InnerSource Components
Fixed a critical error that prevented attribution report generation for applications that contained an InnerSource component.
Availability of Nexus IQ CLI as Debian/Ubuntu and Homebrew Packages
The Nexus IQ CLI binaries are now available to be installed as a deb package on Debian/Ubuntu-based Linux systems, and as a Homebrew package on Mac OS X. See the download page for installation instructions.
Release 112 (April 2021)
Enhanced Navigation Experience
As of this release, the navigation has been moved to the left side of the screen, and the Dashboard Filter is now accessible via the "Filter" button on the upper right side of the Dashboard results pages. You can read more about it in this Sonatype Community Post.
Support for Evaluating Java 16 Applications and Components
Application and component evaluation has been updated to support Java 16 bytecode.
Release 111 (April 2021)
Fix for HTTPS/SSL Evaluations with Large Files
Fixed an error where evaluating a large file could cause an exception when IQ Server is configured to use HTTPS/SSL.
Advanced Remediation Strategies in IQ for SCM
Release 110 (April 2021)
Fixed Evaluation of Java 14 and Higher Binaries from the UI
Fixed an error that occurred when evaluating, from the UI, a binary file compiled with Java 14 or higher.
Release 109 (April 2021)
Easy SCM Onboarding
Allows users to quickly create IQ applications for the repositories that IQ Server detects in their configured source control management (SCM) system.
Instant Risk Profile
Performs an initial IQ Server scan of the contents of source control repositories for new IQ applications created by SCM Easy Onboarding.
Continuous Risk Assessment
As new pull requests are detected for IQ applications, IQ Server may perform a one-time source control scan of the feature branch associated with the pull request and comment on the pull request if new vulnerabilities are discovered or if existing ones have been remediated. This source control scan is only performed if the customer's CI system is not otherwise initiating scans and policy evaluations for the given application.
Release 108 (March 2021)
Breaking Changes Information in IQ for SCM
Breaking changes information is available in automated pull requests and pull request comments as part of the Advanced Development Pack add-on product license.
Added "Triggered by" information to application reports.
Advanced Legal Pack Initial Release
Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:
- Automation of attribution reports that comply with 90+% of OSS obligations.
- Enhanced legal data pertinent to obligations (e.g. all copyright statements, all notice statements, and all license texts found in a component).
- Legal workflow to resolve license obligations (per component, per license).
- Ability to save attribution and obligation resolutions on a per component, per license basis at the organization or application level.
- Ability to customize and edit attribution reporting as needed.
Release 107 (March 2021)
Java Manifest Application Analysis
IQ Server (through the CLI) now supports evaluating policies against Java components declared in pom.xml and build.gradle files.
- Various bug fixes and performance enhancements.
Release 106 (February 2021)
Namespace Confusion Protection
Nexus users can now automate protection against dependency/namespace confusion at scale by connecting Nexus IQ Server's policy management and component intelligence data with proxy repositories in Nexus Repository Manager.
For more details, check out our demo video to see how Nexus users can start protecting against dependency/namespace confusion attacks at scale.
Improvements to Manifest Analysis
- Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
- Updated CLI scanner to parse package-lock.json files stored inside an archive.
- Fixed parsing errors when scanning yarn.lock and csproj files.
Release 105 (February 2021)
- Various bug fixes and performance enhancements.
- Fixed an edge case while using the external database where the application would run into a deadlock and cause the database pool to be exhausted.
Fixed NuGet Manifest Scanning Issue
Fixed an initialization error in NuGet manifest scanning with the CLI.
Release 104 (January 2021)
Fix for GZip Expansion Vulnerability
Releases 86 to 103 (inclusive) of IQ Server are affected by CVE-2020-27218, a security vulnerability that allows an attacker to inject data into the body of a request. We advise you to update your IQ Server to this new release, which contains the required fix.
Update to Third-Party Scan REST API
Third-Party Scan REST API responses now contain additional report URLs to aid navigation.
IQ for SCM supports Go Projects
Automated pull request feedback is now available for Go projects on all supported Source Control Management platforms. Click here to learn more about configuring automated PRs, PR reviews, and code line comments to work with Go.
InnerSource Insight Improvements
InnerSource Insight was improved and now supports:
- The Dependency Type policy condition can now be used to tune policy by the InnerSource dependency type; please click here for more information.
- Improved detection of proprietary modules that are not demarcated as InnerSource (instead of marking them as “unknown”).
- Better detection of direct dependencies when they are associated with both an InnerSource component and the parent application. Please check the InnerSource Insight documentation for more information.
NPM and NuGet Manifest Application Analysis
IQ Server (through the CLI) now supports evaluating policies against:
- NPM components defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
- NuGet components defined in *.csproj and packages.config files.