Release Notes

Security Fix

A critical security vulnerability has been found in 3.25.0. For details, please see CVE-2020-15871.

Sonatype recommends that administrators upgrade to 3.25.1 or newer immediately.

Nexus Repository Manager 3.25.1

2020-07-29

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.25.1. The issues fixed in this release can be found below.

A critical bug was discovered in version 3.25.1-02: if a custom web context path is being used (e.g. "/nexus"), UI logins will not work. 3.25.1-04 has been released with a fix.

General Improvements

Browse Storage, IQ Integration

  • [NEXUS-24488] Avoid excessive database queries in OSSIndex integration
  • [NEXUS-24489] Batch requests from browse UI for OSSIndex

Maven, REST

  • [NEXUS-24128] REST API delete requests for Maven components can have slow performance

Security

Staging

  • [NEXUS-24112] Staging move of Maven components can be very slow due to metadata rebuilds

UI

  • [NEXUS-24612] Unable to browse repository - OssIndexVulnerabilityClient Timeout

Nexus Repository Manager 3.25.0

2020-07-13

These notes are a compilation of new features and significant bug fixes for Nexus Repository Manager 3.25.0.

See the complete release notes for all resolved issues.

New and Noteworthy

NuGet V3 Group

NEXUS-10886

NuGet V3 Group support gives Nexus Repository users access to the up-to-date V3 API. This is the third and final part of a wider initiative to bring full V3 support (Proxy, Hosted, and Group).

Import/Export for npm and NuGet formats (PRO only)

NEXUS-24561

In 3.23.0, we released the Import task with Raw and Maven support. In this release, we added npm and NuGet support. You will now be able to import content into repositories (or export content from repositories) of these formats. This allows you to:

  • Import npm and NuGet components from Nexus Repository Manager v2
  • Move npm and NuGet components between Nexus Repository Manager v3 (with the Export task)

General Improvements

  • [NEXUS-24256] Password Complexity now enforceable
  • [NEXUS-23923] Email REST API out of beta
    Note: beta endpoints will continue to work
  • [NEXUS-24288] OSS Index Link Integration (OSS Only)
  • [NEXUS-24568] Cache npm audit results to improve performance

Bug Fixes

Docker

  • [NEXUS-24124] OCI - Docker repos should respect accept headers
  • [NEXUS-20640] docker push may fail with blob upload unknown due to race condition

Export

  • [NEXUS-24283] Repository export errantly tries to validate delta files for every asset, even in other repositories

LDAP

  • [NEXUS-23895] Save of LDAP user and group settings fails with error
  • [NEXUS-23887] LDAP connection UI looks broken, constantly prompts for password

Maven, Scheduled Tasks

  • [NEXUS-24098] Snapshot GAV metadata rebuilt incorrectly if packaging has multiple segments

NuGet

  • [NEXUS-24222] Reduce likelihood of OOM when accessing NuGet feed
  • [NEXUS-24248] NuGet V3 proxy fails to work with HA-C
  • [NEXUS-24355] NuGet V3 - Impossible to use internal hosted/group/proxy as remote for proxy
  • [NEXUS-24194] NuGet V3 Hosted - Search prerelease flag does not work

p2

  • [NEXUS-23550] proxy repository does not work with some sites

Nexus Repository Manager 3.24.0

2020-06-08

These notes are a compilation of new features and significant bug fixes for Nexus Repository Manager 3.24.0.

See the complete release notes for all resolved issues.

New and Noteworthy

Export for Raw and Maven formats (Pro Only)

NEXUS-23854

Export enables customers to export Raw and Maven contents from any repository to a target folder. The exports can then be imported into another repository in the same instance or a totally different instance. This is a great way to migrate content between two or more Nexus Repository Manager Pro 3 installations. Future releases will include additional support for NuGet, NPM, RubyGems, Yum, Docker, and PyPI.

To use Export, configure the task from Settings → Tasks → Create Task → Repository - Export assets as shown here:

NuGet V3 Hosted Support

NEXUS-23970

NuGet V3 Hosted support gives Nexus Repository users access to the up-to-date V3 API. This is the second part of a wider initiative to bring full V3 support (Proxy, Hosted, and Group). Group repository support will be the final stage in an upcoming release.

New REST APIs

This release includes several new and improved REST endpoints. See the tickets below for specifics, including upgraded Blobstore, Atlassian Crowd, and Nexus IQ endpoints. New REST endpoints have also been released for CocoaPods, Maven Group, Raw, and RubyGems repositories.

REST
REST v1 endpoints (beta endpoints still active and fully functional)

General Improvements

  • [NEXUS-23897] Memory settings in docker image standardized to our recommended minimums
    Warning: this changes the default memory allocation from 1200m to 2703m and increases the heap size. If your instance cannot handle these settings you may need to make manual adjustments, but be aware that your instance is likely under-resourced in this case.
  • [NEXUS-23870] "Node already has an asset" for browse tree rebuild no longer fails Transactions status check

Bug Fixes

Docker

  • [NEXUS-23903] Long running database queries for Docker repositories can lead to thread and database connection pool exhaustion

Maven, Scheduled Tasks

  • [NEXUS-23800] Race condition in lazy maven metadata rebuild causes build failures, slow builds

REST

  • [NEXUS-23872] Unable to set repository HTTP client auth via REST

UI

  • [NEXUS-19529] Viewing the UI repositories list will trigger s3 blobstore metrics retrieval even if that blobstore is not used

Nexus Repository Manager 3.23.0

2020-05-05

We are pleased to present Nexus Repository Manager 3.23.0.

Import for Raw and Maven formats (Pro Only)

NEXUS-23853

In Nexus Repository Manager 3.23.0, we focus on importing content from an external source and for a subset of formats. This can help customers migrate content from Nexus Repository Manager 2 to Nexus Repository Manager 3 at their own pace.

Import is implemented as a task. You can configure the Repository - Import external files task from Settings → Tasks → Create Task as shown here:

Nexus Intelligence via npm audit

NEXUS-16954

We are excited to announce enhanced JavaScript support with Nexus Intelligence via npm audit for Nexus Repository Manager. Nexus Intelligence via npm audit will allow developers to check for policy violations in their JavaScript projects, using the npm audit command built into the npm CLI, coupled with the precise data of Nexus Intelligence. Running the npm audit command lists all known vulnerable dependencies from your package.json file while gaining the benefits of the most precise intelligence regarding security vulnerabilities, license risk, and architectural quality of open source components.

This feature will be available to both Nexus Repository OSS and Pro users and will require a license of Nexus Firewall or Nexus Lifecycle (Nexus IQ version 89 and above). Nexus Repository Manager admins can enable Nexus Intelligence via npm audit across all development teams without having to modify any setup on the developers’ machines.

General Improvements

Bug Fixes

Docker

Helm

  • [NEXUS-23548] Helm Chart Repository API version format incorrect

NuGet

  • [NEXUS-20349] NuGet repository returns multiple versions as islatest=true

PyPI

  • [NEXUS-23420] NonResolvablePackageException thrown when downloading a package through the PyPI group
  • [NEXUS-23398] Retrieval of some packages from PyPI fails
  • [NEXUS-23487] PyPI repository returns 500 error response if remote returns an invalid response.

Miscellaneous

  • [NEXUS-23379] Invalid content returned through proxy prevents valid content from being retrieved
  • [NEXUS-23616] Blob Store API allows users to create a blobstore without path

Nexus Repository Manager 3.22.1

Includes a security fix for an Improper Access Control CVE. See the CVE-2020-11753 advisory for details.

Sonatype recommends that administrators running 3.22.0 and earlier upgrade immediately.

2020-04-16

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.22.1. The issues fixed in this release can be found below.  See the complete release notes for all resolved issues.

General Improvements

Security

  • NEXUS-23556 - CVE-2020-11415: LDAP system credentials can be exposed by admin user
  • NEXUS-23504 - Privileged user can create, modify and execute scripting tasks

SAML

  • NEXUS-23359 - NPE thrown if IdP metadata does not contain SingleLogoutService element
  • NEXUS-23348 - UI Login SSO Button does not respect the nexus-context-path

Conan

  • NEXUS-23352 - Conan integration in 3.22.0 does not handle Header Only packages

NuGet

  • NEXUS-23399 - NuGet v3 proxy repository will not serve cached content if remote is blocked

Tasks

  • NEXUS-23396 - Admin - Cleanup repositories using their associated policies task should lazily mark maven metadata for rebuild

Nexus Repository Manager 3.22.0

Includes a security fix for an Improper Access Control CVE. See the CVE-2020-11444 advisory for details.

Sonatype recommends that administrators running 3.21.2 and earlier upgrade immediately.

2020-03-27

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.22.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues. 

New and Noteworthy

SAML Authentication support

NEXUS-20939 

Nexus Repository Manager allows users to authenticate with SAML identity providers.

Note: The fix for NEXUS-22770 will cause some content previously cached in PyPI proxy repositories to be removed. This only affects proxy repositories, and the content will show up again as your builds request it. Please see the issue for details.

Conan Format support

NEXUS-14310

Nexus Repository Manager now provides native support for proxying Conan repositories. Conan is a C/C++ package manager.

General Improvements

REST

  • [NEXUS-21910] Additional REST provisioning support for npm, NuGet and PyPI repositories
  • [NEXUS-22896] Performance regression in search REST API

Security

  • [NEXUS-23377] CVE-2020-11444: Improper Access Control
  • [NEXUS-5716] All signed-in users can be assigned a default role
  • [NEXUS-23272] Inability to add * permission to user on 3.21.2
  • [NEXUS-16159] "Require user tokens for repository authentication" now enforced properly

Maven

  • [NEXUS-23393] A GA level maven-metadata.xml GET request may trigger rebuilding unrelated GA maven-metadata.xml
  • [NEXUS-23392] Potentially long running transaction rebuilding metadata triggered by GET of GA level maven-metadata.xml while under concurrent access
  • [NEXUS-22602] Repair - Rebuild Maven repository metadata (maven-metadata.xml) task with GA restrictions does not work

npm

NuGet

  • [NEXUS-23048] Allow proxying NuGet packages hosted by GitHub Packages

PyPI

  • [NEXUS-22770] Change in stored PyPI proxy package paths creates duplicate assets and breaks browse node creation

Tasks

  • [NEXUS-22054] "Repair - reconcile component database from blob store" task does not remove invalid component db references.
  • [NEXUS-22729] Cleanup Policy task results in removal of maven-metadata from non-timestamped snapshots

Nexus Repository Manager 3.21.2

2020-03-23

Contains fixes for security vulnerabilities; it is recommended that administrators running earlier versions upgrade immediately.

Disabled Groovy Scripting By Default

In order to make NXRM more secure, we have disabled the Groovy scripting engine by default. This affects Groovy scripts as used through the REST API and through scheduled tasks.

For more information (including how to re-enable Groovy scripting), see NEXUS-23205.

NEXUS-23146

Fixes a remote code execution vulnerability.

NEXUS-23147

Fixes a remote code execution vulnerability for users with administrator permissions.

NEXUS-23148

Fixes a stored cross-site scripting vulnerability.

Nexus Repository Manager 3.21.1

2020-02-18

Removes a broken menu entry incorrectly appearing for some users.

Nexus Repository Manager 3.21.0

2020-02-18

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.21.0. The issues fixed in this release can be found below. See the complete release notes for all resolved issues. 

New and Noteworthy

p2 Format support

NEXUS-11730 

Nexus Repository Manager now provides native support for proxying p2 repositories. p2 is a technology for provisioning and managing Eclipse- and Equinox-based applications.

Note

This implementation does not include any ability to migrate p2 repositories from NXRM2 to NXRM3. Interest for that feature is being tracked in NEXUS-22824.

Helm Format support

NEXUS-13325

Helm is the first application package manager running atop Kubernetes (k8s). It allows describing the application structure through convenient Helm charts and managing it with simple commands.

NuGet V3 Proxy support

NEXUS-10886

NuGet V3 Proxy support gives Nexus Repository Manager users access to the up-to-date V3 API. This is the first part of a wider initiative to bring full V3 support; group and hosted support will follow in future releases.

Serve Yum GPG key URLs

NEXUS-16251

Nexus Repository Manager now provides a common facility to allow RPM clients to get GPG keys to verify package signatures in remote repositories.
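The client side of this feature, as an added example that is not part of Sonatype's release notes: a yum/dnf repository definition that points gpgkey at a key URL served by the repository manager and turns on gpgcheck so that packages whose signatures do not verify against that key are refused. The hostname, repository name and key path are placeholders, not values taken from the page.

```ini
# Added example: /etc/yum.repos.d/nexus-proxy.repo (constructed; host, repository
# name and key path are placeholders, not values from the release notes)
[nexus-proxy]
name=RPM packages proxied through Nexus Repository Manager
baseurl=https://nexus.example.com/repository/yum-proxy/
enabled=1
# Refuse to install any package whose signature does not verify against gpgkey
gpgcheck=1
# GPG key URL served by the repository manager (placeholder path)
gpgkey=https://nexus.example.com/repository/yum-proxy/PLACEHOLDER-path-to-gpg-key
```

With gpgcheck=1 the client imports the key from the configured URL on first use and verifies every downloaded RPM against it; a proxy that serves packages without also serving a reachable key would otherwise force clients to fall back to gpgcheck=0, which removes the signature check entirely.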

npm ping support

NEXUS-13434

Nexus Repository Manager now provides npm CLI ping support.

General Improvements

Docker

  • [NEXUS-18186] Disabling redeploy for a private Docker repo breaks the "latest" tag

Audit

  • [NEXUS-21730] Audit log does not log all attributes for repository change events

Blobstore, Scheduled Tasks

  • [NEXUS-21329] "Remove a member from a blob store group" task processes missing files in the source blob store

Cleanup

  • [NEXUS-18905] Cleanup tasks fail with "No search context found for id" error

Crowd

  • [NEXUS-13306] Usernames containing non URL safe characters cannot authenticate using the Crowd realm 

NuGet

  • [NEXUS-16009] Browse tree for NuGet proxy repositories shows packages that are not locally cached

PyPI

R

  • [NEXUS-22351] R PACKAGES file lost on upgrade to 3.20.x

RubyGems

  • [NEXUS-17477] Unable to install hosted gem which has multiple version requirements

Yum

  • [NEXUS-22052] Yum Metadata not rebuilt after staging deletion of rpm