2023 Release Notes

Users can now scan docker images saved as tar files, that were converted from OCI (Open Container Initiative) images using Skopeo.

Sonatype Lifecycle can now analyze and generate SBOMs in the most advanced CycloneDX 1.5 format. We have improved the Third-Party Scan REST API, CycloneDX Application Analysis, and CycloneDX REST API to support CycloneDX schema version 1.5.

Users can utilize the new optional query parameters openTimeAfter and openTimeBefore for the Policy Violation REST API, to filter the no. of violations returned, by a date range. This will eliminate the possibility of running into out-of-memory errors or slow response times for Lifecycle instances with multiple years of policy violation data.

The Application Composition Report has a new Active Waivers indicator. It is displayed for components with waived policy violations that are hidden in the aggregated view of the report. It also shows the total number of violations that were being actively waived at the time of the scan.

The Aggregate by component toggle on the Repository Results page can be switched off to view all violations, instead of the default view (toggle on) showing violations aggregated by components.

Advanced Search supports searching for components or vulnerabilities by organization. Users can include the organizationName or organizationId in their search query to fine tune the search within specific organizations.

This release fixes an issue when loading Lifecycle Reports of large sizes.

This release handles the null pointer exception that was thrown when attempting to scan poetry.lock file containing packages with no further dependencies.

This release fixes an error that occurred scanning SBOMs using the Third Party Scan REST API, when the length of the id field for vulnerability objects exceeded 20. This caused generation of empty scan reports.

This release contains a fix for an issue with IQ High Availability (HA) pods with terabytes of data, that prolonged the startup times,

Lifecycle users can now onboard unlimited applications (previously limited to 5000), to Sonatype Lifecycle to maximize the benefits and improve the security profile of their expanding supply chains. The application limit will be automatically removed at restart, after an upgrade. To avoid system downtimes due to a restart after the upgrade, users also have the option to reinstall their existing license to remove the application count limit, instead of an upgrade.

In investigating the root cause of unusual policy results for RPM components, we found that some RPM data was accidentally released for general availability. With data quality as our top priority, we have retracted this data from our catalog. As a result, some users might see changes in the policy results. We apologize for the inconvenience.

Using the new POST method, users can now add a repository manager using the Firewall REST API.

The Manifest Evaluation REST API (deprecation announced in release 126) has reached the end of the sunsetting window and can no longer be used. We recommend using the successor API, Source Control Evaluation REST API to perform application policy evaluations in a source control branch.

This release fixes a critical issue that caused CLI scanning to fail when scanning third-party SBOMs and containers in release 168 running on the embedded H2 database.

As part of our inclusive language initiatives, we have begun renaming the feature previously known as Policy Violation Grandfathering to Legacy Violations starting with release 167. There is no change in functionality of this existing feature (previously known as Policy Violation Grandfathering). In this release, we have updated Report REST APIs, Third-Party Scan REST API, Sonatype CLI, Sonatype for GitLab CI, and policy violation email alerts.

The response fields grandfatheredPolicyViolationCount and grandfathered for Report REST APIs have been deprecated. We recommend using the new response fields legacyViolationCount and legacyViolation.

The response field grandfatheredPolicyViolations for Third-Party Scan REST API has been deprecated. We recommend using the new response field legacyViolations.

The grandfatheredPolicyViolationCount field in the evaluation results of Sonatype CLI and Sonatype for GitLab CI has been deprecated. We recommend using the new response field legacyViolationCount.

We have added methods to the Firewall REST API. Users can retrieve repository configurations using the new GET operations, and update the repository configurations using the new POST operation. These operations can be used in system-to-system integration to customize the security governance processes.

As a result of the new optimized storage technique for resources shared across reports, Lifecyclelegacy reports will now utilize lesser storage space. Lifecycle installations with a high volume of reports (over a million) will see a marked decrease (in tens of GBs) in space utilization.

Inline comments in GitHub and GitLab will now include code suggestions for security issues and links to Vulnerability Reports in Lifecycle for easier navigation.

The Policy Compliant Component Selection in Sonatype Repository Firewall with Nexus Repository Manager has been enhanced to cover Python components. The minimum requirements for this feature is Sonatype IQ Server version 167 and Nexus Repository version 3.61.

This release fixes an issue with setting up Data Retention for orgs, that caused insufficient permissions error for allowed users.

Fixed an error that occurred with long group names in SAML configurations when upgrading to other versions of Sonatype IQ Server.

SCM configuration will no longer perform a case-sensitive comparison of repository names in Bitbucket, which caused it to fail previously. Repository names will be compared case-insensitive.

Starting with this release, IQ Server HA deployments can be configured to auto-scale to match the workload demands. This capability utilizes the native Kubernetes HorizontalPodAutoScaler feature that deploys more pods in response to increased load or scales back to the configured minimum (2 pods) when the workload decreases. Auto-scaling is disabled by default.

Users can configure the thresholds for scaling up in the IQ Server helm chart, based on CPU or memory utilization for the workload.

To align with the format changes of poetry.lock file from version 1.5.1 onwards, we have improved the Python Application Analysis with this release. IQ Server will now automatically exclude devDependencies for poetry versions 1.5.1 and higher, provided that pyproject.toml exists and is discoverable.

The UX enhancements to paginate all tabs of the Lifecycle Dashboard are complete with this release. Users can easily navigate to multiple pages to browse over all policy violations, components, applications, and waivers, that are relevant to the applied filter.

This improvement removes the previous limit of viewing only 100 rows of data on the dashboard.

We have revised the error message that showed up when a previously occurring policy violation does not exist anymore (due to remediation of the vulnerability.) The revised error message indicates the updated vulnerability status and prompts the user to run a new scan to detect the latest violations.

This release fixes an issue with SCM bulk imports that caused IQ Server to stall at certain instances while performing multiple imports.

Improved performance of Sonatype IQ Server for better response times, compared to version 165.

Fixed discrepancies in waivers visibility across the policy violations table, waivers for violation table, and scanned report pages.

Fixed an issue with the application scan report while scanning clair-scanner-output.json with other metadata type files (conda.txt).

Fixed an HTTP 401 error that occurred during the integration of IQ Server with Firewall for Artifactory.

Fixed an issue with Policy Violation REST API that did not show displayName for Component-Unknown violations in the API response.

Fixed broken links generated inline comments in BitBucket PRs.

IQ Server extends the mission to promote open standards for communicating SBOM information, by generating SBOMs compliant with SPDX® 2.3 standards. The SPDX REST API generates SBOMs in both XML and JSON outputs for all supported component formats. Users can also generate the SBOM (in JSON format) from the Software Bill of Materials (SBOM).

Using Advanced Legal Pack (ALP), users can now detect observed licenses for open-source components for all supported ecosystems (Maven, npm, NuGet, PyPI, RubyGems, RPM, and Composer). New installations of Sonatype IQ Server (version 165 and up) will support the detection of observed licenses, by default. This capability can be enabled on existing installations that upgrade to release 165 or later, by using the alpObservedLicenseDetectionEnabled property of the Configuration REST API.

This improvement reduces the manual effort of copy-pasting and sharing the curl command (containing the specific violation details to be waived) with a designated approver. Users can now configure a webhook for the Waiver Request event. Once configured, users can now automate requesting the waiver by triggering a webhook by clicking on the Submit button on the Working with Waivers page.

This release starts our UX enhancements to paginate all tabs of the Lifecycle Dashboard. The violations tab view will now be paginated and display more rows with fewer clicks to browse results.

A new property quarantinedItemCustomMessage added to the Configuration REST API enables users from the App Sec teams to set meaningful remediation messages or directives for the developers when a component is quarantined by the Repository Firewall. When set, the custom quarantine message will be visible to the developers at the command line, when requesting components. This feature requires Nexus Repository 3.58.1 or above.

The Repository Manager interface now shows repositories logically grouped under the Repository Manager to which they belong. Two new filters, for repository name and component format, allow targeted searches to locate the required repository. The interface includes an additional field, enablement, to indicate the Firewall protection features that are enabled for every repository.

A Repository Manager can be renamed from its pre-assigned UUID to an identifiable, user-friendly name, that is visible throughout the Lifecycle and Firewall instances.

Error messages generated in export logs during database migrations have been modified to indicate the exact root cause for better resolution of the export errors.

The support zips now include the customer-side configuration for reverse proxy authentication, a crucial parameter in troubleshooting unexpected behavior like broken links, caching, and general issues like performance, scalability, and availability of IQ Server.

This release resolves out-of-memory and other database memory management issues that occurred when the IQ Server evaluation processes encountered a large number of similarly named proprietary components.

This release fixes an IQ Server upgrade issue with release 163 that caused the Waived Component Upgrades Configuration to be disabled, even if it was enabled previously.

Analysis of conaninfo.txt file now does not show duplicate dependencies that were earlier being referenced in the “requires” and “full_requires” sections. Dependencies under the “full_requires” section have higher precedence over those under the “requires” section and will be excluded to avoid duplication.

Scanning binaries that contain components with the same coordinates, but different hashes could lead to duplicates in the SBOM. The SBOM generation for all supported ecosystems has been improved to avoid such duplicates that result in invalid SBOM files.

This improvement ensures that Sonatype (Nexus) IQ for SCM is compatible with all wildcard characters used in markdown across supported developer platforms. This fixes the issue of malformed pull request (PR) layouts on encountering wildcard characters.

This release resolves a duplicate primary key error condition that occurred in the Sonatype IQ Server database due to incompatibility in handling case sensitivity across platforms, specifically GitHub.

This release includes major performance enhancements to Advanced Legal Pack (ALP) Attribution Reports to avoid gateway timeouts when retrieving data for reports containing a large number of components.

This release fixes a payload issue with the IQ Webhook for Application Evaluation that is triggered at the Violation Alerts event.

The response on executing Cyclone DX REST API now includes a predefined parent component name as a placeholder in the metadata section, if the application evaluation report does not contain any project data.

This release offers users the ability to configure Lifecycle to monitor for waived components from the System Preferences menu. The Upgrade Available indicator on the Waivers dashboard will indicate when a safe-to-use version of the component is being recommended by the Sonatype Research Team.

Users can remediate the violation by upgrading to the recommended component version and removing the waiver.

A new property waivedComponentUpgradeMonitoringEnabled provides the added flexibility of configuring your Sonatype Lifecycle instance for Waived component upgrades by using the Configuration REST API.

The application and component evaluation have been updated to support Java 19 and Java 20 bytecode.

The Report REST APIs now supports two new query parameters stage and limit. Users can now retrieve scan reports related to a specific stage and limit the number of reports returned by specifying the count of the most recent reports.

This release contains UI improvements related to window sizing and resolution for linked-dependent applications.

We have improved the execution cycle of Continuous Risk Profile to prevent unnecessary exits on encountering errors.

Compatibility with the latest Google Chrome versions is now up-to-date.

This release fixes an issue in the support zips generated by customers, that caused truncation of a few log files.

The filter on the Advanced Legal Pack (ALP) application page now resets contextually, when navigating to a new application.

The button text on the old “Submit” button on the Source Control Monitoring (SCM) configuration page now reflects the exact action, “Create” or “Update” to match creating a new SCM configuration or modifying an existing SCM configuration.

The authentication exception related to the LDAP naming error which caused session timeouts for IQ Server in multi-realm authentication environments, has been fixed.

This release fixes the incorrect identification of unknown dependencies, which were previously identified as coming from a package manifest.

The internal server error that occurred when downloading an application report containing non-English characters has been resolved.

This release fixes an issue with the parsing of npm components that caused the application composition report to show incorrect license violations.

We are updating our product names and logos for a new refreshed look. This release unveils brand-new logos for our new product names Sonatype Lifecycle (previously Nexus Lifecycle) and Sonatype Repository Firewall (previously Nexus Firewall.)

This release offers the flexibility to customize Sonatype Vulnerability Data. Security experts can use the customize feature to edit the CWE-ID, CVSS vector string, severity, and remediation instructions for any vulnerability, to augment their company security regulations. The customized vulnerability data can be used to build constraints for Lifecycle policies and help with prioritizing the remediations.

The Vulnerability Custom Attributes REST API extends the ability to customize the vulnerability data, beyond the UI. The custom vulnerability data can be used to build policy constraints in Sonatype Lifecycle.

This feature allows users to include their dependent organizations and applications in a new branch in the hierarchy. Using this feature, users can also transform an existing single-level organization hierarchy into an N-Level hierarchy, without having to recreate the entire organization structure in Lifecycle.

The Vulnerability Details REST API includes an additional response field, customData to retrieve vulnerability attributes that are user-customized.

The new PUT method in Organizations REST API can be used to change the parent organizations and transform to an N-level hierarchy, identical to the Move Organizations feature.

The Source Control Configuration section now allows SCM users to turn the Automated Commit Feedback feature off. Previously enabled by default, users can disable this feature when importing a large number of applications and avoid hitting the SCM rate limits.

Users can configure the expiration time of Quarantined Component View in Firewall using the time-out property in Configuration REST API. Setting the expiration time limit to longer durations (12 hours by default) will allow more time for users to process requests like releasing components from quarantine, which are based on the information in this report.

Users will now be able to view all hosted repositories, for which Namespace Confusion Protection is enabled.

Users can now set the --ignore-scanning-errors switch in the IQ Command Line Interface (CLI). This will prevent CLI from scanning invalid files in the target codebase and causing build failures.

This release fixes an issue with SCM URLs that occurred during importing applications.

This release resolves errors occurring with forwarded HTTP headers when used for reverse proxy.

This release resolves the error that occurred with viewing policies at the Repository level.

Users can search for a specific component quarantined by Firewall, by entering the component name in the new filter in the components column. This will help locate the component quickly, without having to look for it in the paginated lists that could run across multiple pages.

Admins can now see a warning message on the Lifecycle homepage, when the base URL for IQ Server is not set, as part of configuration settings.Configuring Base URL for IQ Server is now easier and more accessible via the System Preferences menu in the UI.

We have improved the scanning performance of applications in the Source Control Monitoring (SCM) systems by first checking if Pull Request Commenting has been disabled for a specific Source Control Configuration.

This allows the Lifecycle scan calls to return early, without consuming system resources.

This release improves the node shutdown process of IQ Server in the cluster environment and prevents IQ Server outages.

This release fixes an issue with the scan reports generated after using Promote Scan REST API. Container scan reports now reflect the scan results.

The "Associate Group" search option will now be displayed if group search is disabled for LDAP even if SAML is enabled.

This release fixes errors that occurred during migration from the H2 database to the external PostgreSQL database for certain installations.

This release offers users the ability to configure Lifecycle to monitor for waived components.

Sonatype IQ Server High Availability Installation previously launched with release 155 for limited access, is now available to all customers.

Users can navigate to a specific organization or application by entering its name in the search filter located in the tree view. This will improve navigating with fewer clicks.

Tooltips will now appear in the filter search results, on hovering over the titles of organizations and applications in the navigation sidebar. Data such as the name of the parent organization, the number of sub-organizations linked to the parent, and the total number of applications contained in the selected organization will be readily visible in these tooltips.

Users can disable namespaces for the namespace confusion protection feature to unblock components of specific hosted public repositories if this protection is causing unnecessary blockers in the development cycles.

We have improved the Quarantined Component View to indicate policy violations due to quarantined components and other allowed versions of the quarantined component.

Threat levels of fixed policy violations are now included in the pull request comments.

This release improves the validation process of GitLab access tokens while setting up SCM integrations.

The generated scan_results.json file during a container scan is now owned by the user, instead of the root user.

We have updated the title Vulnerability Search in the left navigation bar to Vulnerability Lookup.

IQ Server now supports a multi-level hierarchical model for organizations and policies. Users will now have the flexibility to set up organizations at different levels (n levels) of hierarchy, to mimic their company's organizational structure and business units. We have introduced a new left navigation bar that lets users manage the Orgs and Policies configured at different levels of the hierarchy.

Users can utilize the n-level org model to create context-sensitive policies and remediation steps that apply locally to their domain.

Users can now view the proprietary namespaces from hosted repositories for which the namespace confusion protection is enabled. This will give better visibility into scenarios where the download of certain OSS components is blocked due to policy violations related to dependency confusion.

This release includes secondary sorting of results displayed on the Repositories and Repositories Results page.

We have modified the behavior of the purgeScanFiles property of Configuration REST API. Setting the purgeScanFiles property to null will now also clean up the retained older scan files, in addition to pausing the retention of new scan files.

To maintain and improve stability and security, we continually scan all Sonatype products and applications internally for vulnerabilities. For a strong and most current security posture, components used by our development teams are continually scanned and compared with our proprietary advanced vulnerability detection systems. This section contains information on component upgrades made to mitigate or remediate risks due to our internal policy violations as below:

SONATYPE-2023-0962, Sonatype Discovered February 15, 2023, High Risk, Severity 7.5

Resolution: Upgraded to a non-vulnerable version of the component core-js-pure : 3.28.0

This release fixes an issue with application evaluations that take longer than a few minutes to complete. We have optimized memory and performance parameters for IQ Server to support long-running evaluations.

This release fixes an issue related to the “Test Configuration” button being disabled while setting up an SCM configuration.

The grouping of results obtained on running the Advanced Search REST API is now consistent, regardless of the value specified for pageSize in the search query.

This release fixes an HTTP 400 response while overriding a component license.

This release offers users better control over running anpm Application Analysis. Using a POST and DELETE request, users can choose to enable/disable scanning development dependencies and optional dependencies in manifest and lock files of JavaScript packages.

Users with large repositories of OSS components will experience a marked improvement in the loading times of the Repository Results view.

The Repository Results view search by component functionality is now more responsive and will enable users to search by specifying multiple component coordinates.

This release marks our shift to the React framework. In addition to performance benefits, the new UI offers a general overhaul and simplicity of use, while maintaining the familiar user experience.

This release fixes an issue associated with the context path while importing GitLab applications. Users can now import GitLab applications into Sonatype Lifecycle by specifying the complete context path in the GitLab URL of their applications.

Attribution reports generated for applications containing unknown components no longer trigger a 404 error condition. Such reports will now be displayed as empty reports with no data.

Users can use the Vulnerability Group REST API to organize vulnerability IDs into custom groups. These groups can then be used as a condition within a policy constraint to aid in risk management and remediation. This should be used in those few edge cases where policy should directly be tied to a class or group of vulnerabilities.

Sonatype IQ CLI now includes experimental flags that will enable call flow analysis on application scans. Once the scan completes, the CLI will automatically apply a "Security-Reachable" label on any component that has a vulnerability with reachable code. Users are free to create a policy around this label to aid in prioritization and remediation.

The Repository Results view and the Repository Component Details Page have been re-designed and updated. The view delivers meaningful insights into violation counts, component identification, and quarantined components with improved filtering, pagination, and UI.

This release offers an option to set policy conditions to check whether a component has undergone Fast Track or Deep Dive research.

Docker image consumers can now use the trusted, signed Sonatype IQ Docker image, now available to inspect at the Docker Hub.

The Waivers View on the Dashboard includes Repository waivers.

The Repository Results view view now has better support for pagination and filtering. These changes should improve the performance of this page for large repositories.

A waiver applied to one version of a component can now be applied to all future versions of that component for the 'Root Organization' scope.

Setting environment variables for scanning Sonatype Container with Sonatype Lifecycle is optional.

Users can choose to retain or delete older scan files using the property purgeScanFiles for Configuration REST API.

Older scan files that are retained can be promoted to other stages using Promote Scan REST API.

Users can choose how often Automatic Quarantine Release is scheduled to run using the quarantine release property for Configuration REST API. By default, it is set to run on an hourly basis.

Sonatype Vulnerability Data contains two new labels, Deep Dive (indicates the vulnerability data includes Sonatype researched details and recommendations) and Advance Vulnerability Detection (indicates that the vulnerability has been detected from an embedded dependency).