2023 Release Notes
Sonatype encourages using the most current IQ Server release and not trailing behind for more than six months. Release notes for the most current versions can be viewed here.
Release 167 (September 2023)
Sonatype Repository Firewall offers Guided Setup
The new Firewall Guided Setup simplifies onboarding Nexus Repository Manager (NXRM) repositories to enable users to get started with Firewall in a few easy steps. The automated process guides first-time users to maximize the supply chain protection offered by Firewall by providing configuration recommendations.
Embracing Inclusion with Legacy Violations
As part of our inclusive language initiatives, stemming from our core value "Embrace Inclusion", we are renaming the feature previously known as Policy Violation Grandfathering to Legacy Violations. Starting with this release, Sonatype Lifecycle will use the term Legacy Violations for policy violations that can be deferred during onboarding and prioritized to be remediated later. There is no change in the functionality of this existing feature (previously known as Policy Violation Grandfathering).
Temporary Distribution Issue with Plugin
Sonatype is actively working to resolve a distribution issue for the nexus-jenkins-plugin. This is a temporary distribution issue and could affect automatic upgrades of the plugin. It does not affect the existing installations or functionalities of the plugin.
The latest version of the nexus-jenkins-plugin will be available for download here.
Release 166 (August 2023)
Analyze SBOMs in SPDX format
Sonatype IQ Server extends the mission to promote open standards for communicating SBOM information, by introducing the capability to scan SBOMs compliant with SPDX® 2.3 standards. Users can also upload SPDX SBOMs (in XML or JSON file formats) directly, using the Third-Party Scan REST API for scan and analysis.
Horizontal Scaling for IQ Server High Availability Deployments
Starting with this release, IQ Server HA deployments can be configured to auto-scale to match the workload demands. This capability utilizes the native Kubernetes HorizontalPodAutoScaler feature that deploys more pods in response to increased load or scales back to the configured minimum (2 pods) when the workload decreases. Auto-scaling is disabled by default. Users can configure the thresholds for scaling up in the IQ Server helm chart, based on CPU or memory utilization for the workload.
Exclude devDependencies in poetry.lock for Python analysis
To align with the format changes of poetry.lock file from versions 1.5.1 onwards, we have improved the Python Application Analysis with this release. Sonatype IQ Server will now automatically exclude devDependencies for poetry versions 1.5.1 and higher, provided that pyproject.toml exists and is discoverable.
Lifecycle Dashboard Pagination
The UX enhancements to paginate all tabs of the Lifecycle Dashboard are complete with this release. Users can easily navigate to multiple pages to browse over all policy violations, components, applications and waivers, that are relevant to the applied filter. This improvement removes the previous limit of viewing only 100 rows of data on the dashboard.
Error Messages for Remediated Vulnerabilities
We have revised the error message shown when a previously occurring policy violation no longer exists (due to remediation of the vulnerability). The revised error message indicates the updated vulnerability status and prompts the user to run a new scan to detect the latest violations.
Notable Bug Fixes
Fix for SCM Bulk Import
This release fixes an issue with SCM bulk imports that caused IQ Server to stall at certain instances while performing multiple imports.
Client-side Timeouts Due to Slow Response Times
Improved performance of Sonatype IQ Server for better response times, compared to version 165.
Inconsistency in Waiver Visibility
Fixed discrepancies in waivers visibility across the policy violations table, waivers for violation table and scan report pages.
Fix for Clair and Conda Application Analysis
Fixed an issue with application scan report while scanning clair-scanner-output.json with other metadata type files (conda.txt).
Error in Integrating IQ Server with Firewall for Artifactory
Fixed an HTTP 401 error that occurred during integration of IQ Server with Firewall for Artifactory.
Fix for Policy Violation REST API
Fixed an issue with Policy Violation REST API that did not show displayName for Component-Unknown violations in the API response.
Line Comment Links in Bitbucket PRs
Fixed broken links generated in line comments in BitBucket PRs.
Track Resolved Issues
Click here to see resolved issues in this release.
Release 165 (July 2023)
Sonatype has become aware of a critical issue with Sonatype Nexus Repository versions 3.57.0 and 3.58.0 impacting deployments using OrientDB and Sonatype IQ Server (Repository Firewall). The known issue may allow unintentional download of quarantined components.
If you are on OrientDB and using Sonatype IQ Server (Repository Firewall), please upgrade to Sonatype Nexus Repository versions 3.57.1 or 3.58.1 instead.
Generate SBOMs in SPDX format
Sonatype IQ Server extends the mission to promote open standards for communicating SBOM information, by generating SBOMs compliant with SPDX® 2.3 standards. The new SPDX REST API generates SBOMs in both XML and JSON outputs for all supported component formats. Users can also generate the SBOM (in JSON format) from the Application Scan Report page.
ALP Expanded Observed License Detection Coverage
Using Advanced Legal Pack (ALP), users can now detect observed licenses for open-source components for all supported ecosystems (Maven, npm, NuGet, PyPI, RubyGems, RPM, and Composer). New installations of Sonatype IQ Server (version 165 and up) will support the detection of observed licenses, by default. This capability can be enabled on existing installations that upgrade to release 165 or later, by using the alpObservedLicenseDetectionEnabled property of the Configuration REST API.
Waiver Requests Webhook
This improvement reduces the manual effort of copying and sharing the curl command (containing the specific violation details to be waived) with a designated approver. Users can now configure a webhook for the Waiver Request event. Once configured, clicking the Submit button on the Request Waiver page triggers the webhook, automating the waiver request.
Lifecycle Dashboard Pagination
This release starts our UX enhancements to paginate all tabs of the Lifecycle Dashboard. The Violations tab view will now be paginated and display more rows with fewer clicks to browse results.
Firewall Quarantine Message
A new property quarantinedItemCustomMessage added to the Configuration REST API enables users from the App Sec teams to set meaningful remediation messages or directives for the developers when a component is quarantined by Sonatype Repository Firewall. When set, the custom quarantine message will be visible to the developers at the command line, when requesting components.
This feature requires Sonatype Nexus Repository 3.58.1 or above.
Easy Search and Discovery of Repositories
The Repository Manager interface now shows repositories logically grouped under the Repository Manager to which they belong. Two new filters, for repository name and component format, allow targeted searches to locate the required repository. The interface includes an additional field, enablement, to indicate the Firewall protection features that are enabled for every repository.
Customizable Names for Repository Manager
A Repository Manager can be renamed from its pre-assigned UUID to an identifiable, user-friendly name, that is visible throughout the Lifecycle and Firewall instances.
Notable Bug Fixes
Error Messages in Export Logs
Error messages generated in export logs during database migrations have been modified to indicate the exact root cause for better resolution of the export errors.
Release 164 (June 2023)
Improved Support zips for Better Troubleshooting
The support zips now include the customer-side configuration for reverse proxy authentication, a crucial parameter in troubleshooting unexpected behavior like broken links, caching, and general issues like performance, scalability, and availability of Sonatype IQ Server.
Notable Bug Fixes
OOM Errors Related to Evaluation of Proprietary Components Naming Patterns
This release resolves out-of-memory and other database memory management issues that occurred when the IQ Server evaluation processes encountered a large number of similarly named proprietary components.
Misconfiguration of Waived Components Upgrade Feature
This release fixes an IQ Server upgrade issue with release 163 that caused the Waived Component Upgrade Feature to be disabled, even if it was enabled previously.
Release 163 (June 2023)
Improved Identification of Conan Dependencies
Analysis of the conaninfo.txt file no longer shows duplicate dependencies that were previously referenced in the “requires” and “full_requires” sections. Dependencies under the “full_requires” section have higher precedence over those under the “requires” section and will be excluded to avoid duplication.
Eliminated Duplicates in SBOM
Scanning binaries that contain components with the same coordinates, but different hashes could lead to duplicates in the SBOM. The SBOM generation for all supported ecosystems has been improved to avoid such duplicates that resulted in invalid SBOM files.
Extended the Inclusion of Wildcard Characters in IQ for SCM
This improvement ensures that Sonatype (Nexus) IQ for SCM is compatible with all wildcard characters used in markdown across supported developer platforms. This fixes the issue of malformed pull request (PR) layouts on encountering wildcard characters.
Notable Bug Fixes
SCM Database Errors
This release resolves a duplicate primary key error condition that occurred in the Sonatype IQ Server database due to incompatibility in handling case sensitivity across platforms, specifically GitHub.
Gateway timeouts for ALP Attribution Reports
This release includes major performance enhancements to Advanced Legal Pack (ALP) Attribution Reports to avoid gateway timeouts when retrieving data for reports containing a large number of components.
Fixed pathnames in IQ Webhook payload
This release fixes a payload issue with the IQ Webhook for Application Evaluation that is triggered at Violation Alerts event.
Fix for Cyclone DX REST API
The response on executing Cyclone DX REST API now includes a predefined parent component name as a placeholder in the metadata section, if the application evaluation report does not contain any project data.
Release 162 (June 2023)
Waived Components Upgrade
This release offers users the ability to configure Lifecycle to monitor for waived components from the System Preferences menu. The Upgrade Available indicator on the Waivers dashboard will indicate when a safe-to-use version of the component is being recommended by the Sonatype Research Team. Users can remediate the violation by upgrading to the recommended component version and removing the waiver.
Configure Waived Component Upgrade Feature using REST API
A new property waivedComponentUpgradeMonitoringEnabled provides the added flexibility of configuring your Lifecycle instance for Waived Components Upgrades by using the Configuration REST API.
Support for Evaluating Java 19 and Java 20 Applications and Components
The application and component evaluation have been updated to support Java 19 and Java 20 bytecode.
Reports REST API Supports New Query Parameters for Retrieving Scan Report History
The Reports REST API now supports two new query parameters stage and limit. Users can now retrieve scan reports related to a specific stage and limit the number of reports returned by specifying the count of the most recent reports.
UI Improvements for Navigating N-Level Hierarchy
This release contains UI improvements related to window sizing and resolution for navigating multi-level organizations and linked dependent applications.
Default Branch Monitoring Cycle
We have improved the execution cycle of Default Branch Monitoring to prevent unnecessary exits on encountering errors.
Compatibility with Chrome Updates
Compatibility with the latest Google Chrome versions is now up-to-date.
Notable Bug Fixes
Truncation of Support Log Files
This release fixes an issue in the support zips generated by customers that caused truncation of a few log files.
Filter Behavior on ALP application page
The filter on the Advanced Legal Pack (ALP) application page now resets contextually, when navigating to a new application.
Submit button on Source Control Monitoring page
The button text on the old “Submit” button on the Source Control Monitoring (SCM) configuration page now reflects the exact action, “Create” or “Update” to match creating a new SCM configuration or modifying an existing SCM configuration.
LDAP username authentication
The authentication exception related to an LDAP naming error, which caused session timeouts for IQ Server in multi-realm authentication environments, has been fixed.
Scanning Unknown Components using Maven plugin
This release fixes the incorrect identification of unknown dependencies, which were previously being identified as coming from a package manifest.
Error due to Non-English Characters
The internal server error that occurred when downloading an application report containing non-English characters has been resolved.
Fix for Incorrect License Violations
This release fixes an issue with the parsing of npm components that caused the application composition report to show incorrect license violations.
Release 161 (May 2023)
Introducing Sonatype Lifecycle and Sonatype Repository Firewall
We are updating our product names and logos for a refreshed look. This release unveils brand-new logos for our new product names, Sonatype Lifecycle (previously Nexus Lifecycle) and Sonatype Repository Firewall (previously Nexus Firewall).
Customizable Security Vulnerability Attributes
This release offers the flexibility to customize Sonatype Vulnerability Data. Security experts can use the new "Customize" feature to edit the CWE-ID, CVSS vector string, severity, and remediation instructions for any vulnerability, to augment their company security regulations. The customized vulnerability data can be used to build constraints for Lifecycle policies and help with prioritizing the remediations.
Vulnerability Custom Attributes REST API
The new Vulnerability Custom Attributes REST API (experimental) extends the ability to customize the vulnerability data, beyond the UI. The custom vulnerability data can be used to build policy constraints in Lifecycle.
Move Organizations
This feature allows users to move an organization, including its dependent organizations and applications, to a new branch in the hierarchy. Using this feature, users can also transform an existing single-level organization hierarchy into an N-Level hierarchy, without having to recreate the entire organization structure in Lifecycle.
Vulnerability Details REST API Enhancement
The Vulnerability Details REST API includes an additional response field, customData to retrieve vulnerability attributes that are user customized.
PUT method in Organizations REST API
The new PUT method in Organizations REST API can be used to change the parent organizations and transform to N-level hierarchy, identical to the Move Organizations feature.
Automatic Commit Feedback for SCM
The Source Control Configuration section now allows SCM users to turn the Automatic Commit Feedback feature off. This feature, previously enabled by default, can be disabled when importing a large number of applications to avoid hitting the SCM rate limits.
Quarantined Component Report in Firewall
Users can configure the expiration time of Quarantined Component Report in Firewall using the quarnatinedComponentReportExpirationTimeInHours property in Configurations REST API - v2. Setting the expiration time limit to longer durations (12 hours by default) will allow more time for users to process requests like releasing components from quarantine, which are based on the information in this report.
Users will now be able to view all hosted repositories, for which namespace confusion protection is enabled.
Prevent unintended build failures in IQ CLI
Users can now set the --ignore-scanning-errors switch in IQ Command Line Interface (CLI). This will prevent CLI from scanning invalid files in the target codebase and causing build failures.
Notable Bug Fixes
Fix for SCM URLs
This release fixes an issue with SCM URLs that occurred during importing applications.
Fix for Forwarded HTTP headers
This release resolves errors occurring with forwarded HTTP headers when used for reverse proxy.
Fix for Repository Policies
This release resolves the error that occurred with viewing policies at the Repositories level.
Release 160 (April 2023)
Search for Quarantined Components in Firewall
Users can search for a specific component quarantined by Firewall, by entering the component name in the new filter in the components column. This will help locate the component quickly, without having to look for it in the paginated lists that could run across multiple pages.
Settings for Sonatype IQ Server Base URL
Admins can now see a warning message on the Lifecycle homepage, when the base URL for IQ Server is not set, as part of configuration settings. Configuring the base URL for IQ Server is now easier and more accessible via the System Preferences menu in the UI.
Performance of SCM System Scans
We have improved the scanning performance of applications in the Source Control Monitoring (SCM) systems by first checking if pull request commenting (PR commenting) has been disabled for a specific SCM configuration. This allows the Lifecycle scan calls to return early, without consuming system resources.
Graceful Shutdown of Nodes
This release improves the node shutdown process of IQ Server in the cluster environment, and prevents IQ Server outages.
Notable Bug Fixes
Fix for Promote SCAN REST API
This release fixes an issue with the scan reports generated after using Promote Scan REST API - v2. Container scan reports now reflect the scan results.
User Group Searches for LDAP and SAML
The "Associate Group" search option will now be displayed if group search is disabled for LDAP even if SAML is enabled.
Database Migration Issues
This release fixes errors that occurred during migration from H2 database to external PostgreSQL database for certain installations.
Release 159 (April 2023)
Waived Component Upgrades
This release offers users the ability to configure Lifecycle to monitor for waived components.
(Note: This feature has undergone major improvements in release 162. We recommend upgrading to release 162 to derive maximum value.)
Sonatype IQ Server HA General Availability
Sonatype IQ Server for High Availability (HA), previously launched with release 155 for limited access, is now available to all customers.
Searching for Orgs and Applications in N-level Hierarchy
Users can navigate to a specific organization or application by entering its name in the search filter located in the tree view showing the inheritance hierarchy. This will improve navigating complex n-level hierarchy with fewer clicks.
Tooltips for Orgs and Applications
Tooltips will now appear in the filter search results, on hover over the titles of organizations and applications in the navigation sidebar. Data such as the name of the parent organization, the number of sub-organizations linked to the parent, and the total number of applications contained in the selected organization will be readily visible in these tooltips.
Flexibility to Control Namespace Confusion Protection
Users can disable namespaces for the namespace confusion protection feature to unblock components of specific hosted public repositories, if this protection is causing unnecessary blockers in the development cycles.
Improved UI to show Quarantined Components
We have improved the UI for Firewall users to clearly indicate policy violations due to quarantined components and other allowed versions of the quarantined component.
Improved UI for SCM Integrations
Threat levels of fixed policy violations are now included in the pull request comments.
GitLab Token Validation
This release improves the validation process of GitLab access tokens while setting up SCM integrations.
User Ownership for CLI scans
The scan_results.json file generated during a container scan is now owned by the user, instead of the root user.
Updated UI for Vulnerability Lookup
We have updated the title Vulnerability Search in the left navigation bar to Vulnerability Lookup.
Release 158 (March 2023)
Override Policy Notifications
Users will now be able to override policy notifications for inherited policies. Using this option, it is possible to change the pre-configured policy notification settings for the desired DevSecOps pipeline stage. This improvement also offers the flexibility of changing the recipient type and recipient emails, if applicable, from what was set at the parent level.
Extended Support for SAML Users and Groups
We have extended the support for SAML users and groups to allow them to be discoverable via searches in the UI. SAML users and groups are now accessible from the UI to set up access control, assign as application contacts and receive role notifications. Note that SAML users and their associated groups must log in to this or later releases at least once before they will be discoverable.
Clone Repositories using SSH Protocol
This release allows using the SSH protocol for Automatic Source Control Monitoring (SCM) configuration when cloning a repository. The repository clone URL is now successfully derived and displayed on the SCM UI. This is currently supported for the cloud-version of SCMs only.
Support Long Passwords for Jira Integrations
We have updated our backend to accommodate the increased length of Atlassian API tokens. This will resolve the error related to passwords exceeding 255 characters when setting up Jira configurations.
Notable Bug Fixes
IQ CLI Exceptions for Empty NuGet Manifests
The IQ Command Line Interface (CLI) scan continues graceful execution with warnings, instead of exceptions, on encountering empty NuGet manifests.
Firewall Exception for Unknown Quarantined Components
This release handles the null pointer exception that was thrown when attempting to load unknown components that are quarantined.
Default Branch Monitoring
This release fixes issues with default branch monitoring that affected release 156. Default branch monitoring is now fully functional.
Release 157 (March 2023)
This release did not meet the critical product acceptance criteria and will not be made available.
Release 156 (February 2023)
Launching N-Level Organization Hierarchy
Sonatype IQ Server now supports a multi-level hierarchical model for Orgs and Policies. Users will now have the flexibility to set up organizations at different levels (n levels) of hierarchy, to mimic their company's organizational structure and business units. We have introduced a new left navigation bar that lets users manage the Orgs and Policies configured at different levels of the hierarchy. Users can utilize the N-level Org model to create context-sensitive policies and remediation steps that apply locally to their domain.
Namespace Confusion Protection Status for Repositories
Users can now view the proprietary namespaces from hosted repositories for which the namespace confusion protection is enabled. This will give better visibility into scenarios where the download of certain OSS components is blocked due to policy violations related to dependency confusion.
Improved Sorting for Repositories
This release includes secondary sorting of results displayed on the Repositories and Repositories Results page.
Clean up of Older Scan Files
We have modified the behavior of the purgeScanFiles property of Configuration REST API - v2. Setting the purgeScanFiles property to null will now also clean up the retained older scan files, in addition to pausing the retention of new scan files.
Policy Violation Fixes
To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:
Fix for SONATYPE-2023-0962
SONATYPE-2023-0962, Sonatype Discovered February 15, 2023, High Risk, Severity 7.5
Resolution: Upgraded to non-vulnerable version of the component core-js-pure : 3.28.0
Notable Bug Fixes
Abnormal Disk Usage and Wait Times
This release fixes an issue with application evaluations that take longer than a few minutes to complete. We have optimized memory and performance parameters for IQ Server to support long-running evaluations.
Release 155 (February 2023)
This release fixes issues in the previous release 154.
Users facing issues with release 154 installations should upgrade to this version immediately. For users planning an upgrade, we recommend upgrading to release 155 and skipping release 154.
Emergency Bug Fix Release
This Release Includes All Features, Improvements, and Notable Bug Fixes of Release 154.
Release 154 (February 2023)
Launching Sonatype Lifecycle High Availability
Starting with this release, users can configure Sonatype Lifecycle for High Availability (HA). Currently offered on AWS and on-premises, the HA installations will enable recovery from failures or disruptions with near-zero downtime.
Sorting results in Repository Results View
Users can now run a multi-column sort in the Repository Results View to retrieve the most relevant repository details.
SBOM with Richer Metadata
The SBOM generated from CycloneDX REST API - v2 will now include vendor and software name (Sonatype and Sonatype IQ Server version). This additional information will improve the quality of SBOMs generated using this REST API.
Improved Persistence for Filters
We have improved persisting and resetting filter values to match the navigation steps to and from the Reports view page.
Improved Release Integrity for Maven
We have added malicious component protection for Java (Maven). All Next-Gen Firewall users might experience blocking of the latest version of Maven artifacts. Blocking of these components will continue until Next-Gen Firewall determines they are safe for your development pipelines.
Notable Bug Fixes
Test Configuration for SCM
This release fixes an issue related to the “Test Configuration” button being disabled while setting up an SCM configuration.
Advanced Search Results
The grouping of results obtained on running the Advanced Search REST API - v2 is now consistent, regardless of the value specified for pageSize in the search query.
Overriding Component License in Firewall Repository
This release fixes an HTTP 400 response while overriding a component license.
Release 153 (January 2023)
npm Application Analysis includes development Dependencies and optional Dependencies
Performance Improvements to the Sonatype Firewall
Users with large repositories of OSS components will experience a marked improvement in loading times of the Firewall Repository Results page.
Refined Search Relevance for Sonatype Firewall Repository Results Page
The Repository Results search by component functionality is now more responsive and will enable users to search by specifying multiple component coordinates.
Upgraded UI Elements
This release marks our shift to the React framework. In addition to performance benefits, the new UI offers a general overhaul and simplicity of use, while maintaining the familiar user experience.
Notable Bug Fixes
GitLab URLs for SCM Onboarding
This release fixes an issue associated with the context path while importing GitLab applications. Users can now import GitLab applications into Sonatype Lifecycle by specifying the complete context path in the GitLab URL of their applications.
Attribution Report Fix on Legal Dashboard
Attribution reports generated for applications containing unknown components no longer trigger a 404 error condition. Such reports will now be displayed as empty reports with no data.
Release 152 (January 2023)
New experimental REST API to add custom security vulnerability groups
Users can use the Vulnerability Groups REST API - experimental to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid in risk management and remediation. This should be used in those few edge cases where policy should directly be tied to a class or group of vulnerabilities. Refer to Policy Constraints for more information.
New Experimental Call Flow Analysis
Sonatype IQ CLI now includes experimental flags that will enable call flow analysis on application scans. Once the scan completes, the CLI will automatically apply a "Security-Reachable" label on any component that has a vulnerability with reachable code. Users are free to create a policy around this label to aid in prioritization and remediation.
Updated Firewall Repository Results and Repository Component Details Page
The Repository Results and the Repository Component Details Page have been re-designed and updated. The view delivers meaningful insights into violation counts, component identification, and quarantined components with improved filtering, pagination, and UI.
Support to build more granular security Policies using Security Research Type
This release offers an option to set policy conditions to check whether a component has undergone Fast Track or Deep Dive research. More on Policy constraints and conditions.
Verify the authenticity of the Sonatype IQ Docker image with Docker Content Trust
Docker image consumers can now use the trusted, signed Sonatype IQ Docker image, now available to inspect at the Docker Hub.
Repository Waivers View on Dashboard
The Waivers View on the Dashboard includes Repository waivers.
Performance enhancements to Repositories Results View
The repository results view now has better support for pagination and filtering. These changes should improve the performance of this page for large repositories.
Waive all versions of a component with Root Org Scope
A waiver applied to one version of a component can now be applied to all future versions of that component for the 'Root Organization' scope.
Environment variables for Sonatype Container Scanning are optional
Setting environment variables for scanning Sonatype Container with Sonatype Lifecycle is optional. Refer to the Sonatype Container Scanning page for default values.
New configuration setting for deletion of Scan Files
Users can choose to retain or delete older scan files using the property purgeScanFiles for Configuration REST API - v2. Older scan files that are retained can be promoted to other stages using Promote Scan API - v2.
New configuration setting for Automatic Quarantine Release scheduling
Users can choose how often Automatic Quarantine Release is scheduled to run using the property automaticQuarantineReleaseTimeIntervalInMinutes for Configuration REST API - v2. By default, it is now set to run on an hourly basis.
New labels to highlight specific vulnerabilities in Violations Details
Violation details contain two new labels, Deep Dive (indicates the vulnerability data includes Sonatype researched details and recommendations) and Advance Vulnerability Detection (indicates that the vulnerability has been detected from an embedded dependency).