Nexus Repository 3.37.0 - 3.37.3 Release Notes

Highlights in This Release 

New Log4j Visualizer (3.37.2)

In response to the recently reported vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"), Sonatype is providing a Log4j Visualizer for a limited time to all Nexus Repository OSS and Pro users. The Log4j Visualizer will provide insight into Maven log4j component downloads impacted by CVE-2021-44228 in your organization. Read more below.

Update to logback Library Version (3.37.1)

Because of a low/moderate vulnerability in logback, we're taking precautionary measures by updating the logback library version used in Nexus Repository products. Read more below.

Repository Replication for NuGet and PyPI (3.37.0) PRO

Repository replication now supports the NuGet and PyPI formats. Read more below.

New Repair - Rebuild npm metadata Task (3.37.0)

Use the new Repair - Rebuild npm metadata task to rebuild the npm metadata for a hosted repository based on the components found in that repository's storage. Read more below.

What's New and Noteworthy in Nexus Repository 3.37.3?


Released December 29, 2021

Log4j Visualizer Text Update

This release includes an update to the text on the Log4j Visualizer screen.

What's New and Noteworthy in Nexus Repository 3.37.2?


Released December 28, 2021

See the complete release notes for everything included in this release.

New Log4j Visualizer

As we detailed in our blog and are still monitoring in our Log4j Vulnerability Resource Center, vulnerability researchers uncovered a critical vulnerability in Apache's "Log4j2" logging utility (CVE-2021-44228, also known as "log4shell"). In an effort to help the global software community defend themselves against this threat, we are providing a Log4j Visualizer to all Nexus Repository OSS and Pro users to allow greater visibility into Maven log4j component downloads. 

The visualizer looks at your request logs to show you information about Maven log4j component downloads in your organization, including the number of times someone has downloaded a log4j component impacted by CVE-2021-44228 by repository, username, and IP address. 

This is a temporary feature currently limited to only identifying components impacted by CVE-2021-44228, and we may modify or remove it completely in future releases. Note that enabling the capability may impact Nexus Repository performance. Also note that the Log4j Visualizer only captures information about the log4j-core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.
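The request-log aggregation described above can be approximated offline. The following is an added example, not Sonatype's code or the Visualizer's implementation: it assumes an NCSA-style request.log layout and treats 2.0-beta9 up to, but not including, 2.15.0 (minus the fixed 2.3.1+ and 2.12.2+ backport lines) as the range affected by CVE-2021-44228. The names is_affected, summarize and SAMPLE are hypothetical, and the log lines are constructed.

```python
import re
from collections import Counter
# Assumption: request.log uses an NCSA-style layout (client IP, ident, user,
# [timestamp], "request", status, ...). Adjust LINE if your pattern differs.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"GET /repository/(?P<repo>[^/]+)/org/apache/logging/log4j/log4j-core/'
    r'(?P<ver>[^/]+)/log4j-core-(?P=ver)\.jar HTTP/[\d.]+" (?P<status>\d{3}) ')

def is_affected(version):
    # Assumed range: 2.0-beta9 up to (not including) 2.15.0, excluding the
    # fixed backport lines 2.3.1+ and 2.12.2+.
    m = re.fullmatch(r"2\.(\d+)(?:\.(\d+))?(-\w+)?", version)
    if not m:
        return False
    minor, patch, qualifier = int(m[1]), int(m[2] or 0), m[3]
    if qualifier:  # pre-release qualifiers are handled for 2.0 only
        return minor == 0 and qualifier in ("-beta9", "-rc1", "-rc2")
    if minor <= 3:
        return (minor, patch) < (3, 1)
    if minor <= 12:
        return (minor, patch) < (12, 2)
    return (minor, patch) < (15, 0)

def summarize(lines):
    """Count successful (200) downloads of affected log4j-core jars."""
    totals = {"repository": Counter(), "username": Counter(), "ip": Counter()}
    for line in lines:
        m = LINE.match(line)
        if m and m["status"] == "200" and is_affected(m["ver"]):
            totals["repository"][m["repo"]] += 1
            totals["username"][m["user"]] += 1
            totals["ip"][m["ip"]] += 1
    return totals

def _sample(ip, user, repo, ver, status, ext="jar"):
    path = f"org/apache/logging/log4j/log4j-core/{ver}/log4j-core-{ver}.{ext}"
    return (f'{ip} - {user} [14/Dec/2021:09:12:01 +0000] "GET /repository/{repo}/'
            f'{path} HTTP/1.1" {status} - 1745700 12 "Apache-Maven/3.8.4" [qtp-1]')

# Constructed sample lines (documentation IP ranges, made-up users and repos).
SAMPLE = [
    _sample("192.0.2.10", "alice", "maven-central", "2.14.1", 200),
    _sample("192.0.2.10", "alice", "maven-central", "2.14.1", 200, "jar.sha1"),
    _sample("192.0.2.10", "alice", "maven-central", "2.0-beta9", 200),
    _sample("192.0.2.22", "ci-build", "maven-public", "2.12.1", 200),
    _sample("192.0.2.22", "ci-build", "maven-public", "2.17.1", 200),
    _sample("198.51.100.7", "-", "maven-central", "2.14.1", 404),
]
```

Calling summarize(SAMPLE) counts only the three successful downloads of affected jars; the checksum request, the 2.17.1 download and the 404 are ignored.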

You can enable the capability from a message that will appear upon upgrading or from Nexus Repository's capabilities section. Learn more in our Log4j Visualizer documentation.

The Log4j Visualizer does not work in High-Availability Clustering (HA-C) environments.

What's New and Noteworthy in Nexus Repository 3.37.1?


Released December 17, 2021

See the complete release notes for everything included in this release.

Update logback Library Version

Nexus Repository does not use log4j; it uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability in logback, we're taking precautionary measures by updating the logback library version used in Nexus Repository products from version 1.2.3 to version 1.2.9.

What's New and Noteworthy in Nexus Repository 3.37.0?


Released November 24, 2021

New in Nexus Repository Pro

See the complete release notes for everything included in this release.

Replication Support for NuGet and PyPI PRO 

Repository replication now supports the NuGet and PyPI formats. For more information about repository replication, check out our help documentation.

Improved Performance for those Migrating to Nexus Repository 3 with an External PostgreSQL Database PRO 

We previously noticed slow SQL INSERT performance on format-specific browse_node tables. In this release, we have made improvements to prevent these issues from slowing down or halting migration.

Improved Resilient Deployment Options PRO 

We have made the node id persistent in the event of a node failover so that Nexus Repository is able to read blob store metrics files that were generated by Nexus whilst running on another node. This allows for accurate blob store metrics in the user interface.

We have also modified the Repair - Rebuild repository search task, which rebuilds the Elasticsearch (ES) index when a Kubernetes node starts up, so that it only rebuilds the ES index if the index is not present on the node. This allows the ES index to persist across Nexus Repository pod restarts.

Be sure to check out our help documentation on resilient deployment options.

New for Everyone

New Repair - Rebuild npm metadata Task 

You can now rebuild the npm metadata for a hosted repository based on the components found in that repository's storage. This new Repair - Rebuild npm metadata task can serve as a recovery tool in cases of corrupted npm metadata.

The Repair - Rebuild Maven repository metadata Task Fixes Invalid Blob References for maven-metadata.xml 

After restoring from backup, the component database may contain references to files that no longer exist in blob storage. We have discovered that the fastest way to repair this is to allow the Repair - Rebuild Maven repository metadata task to recreate hosted metadata files when it encounters one that is an invalid blob reference. We have now made this the standard behavior for this task.

Retain Information About Assets Migrated from Nexus Repository Version 2 to Version 3

When migrating from Nexus Repository version 2 to version 3, Nexus Repository will now retain information about when assets from that Nexus Repository 2 instance were created and who created them.

Improved S3 Blob Store Performance 

We reworked our implementation to avoid copy operations while uploading components so as to improve S3 storage performance.


Bug Fixes 


3.37.0 Bug Fixes

Ticket Number  Description
NEXUS-29290    A suspected XSS vulnerability was reported. After investigation, it was found to not be exploitable; however, we have put a change in place to make sure it can never become exploitable.
NEXUS-28918    The Search API sorts Maven content by version following the typical Maven standards for versioning.
NEXUS-22125    You can now query image tags via the Registry API for proxied gcr.io as expected.
NEXUS-21878    A failure in the start of one docker connector will no longer prevent other connectors from attempting to start.