Changelog
Version 2.2.0 (March 06, 2025)
- Added support for the Report URL and the Priorities URL in the Scan Result Summary
- Added support for Dependency Scanning Report schemas 15.0.7 and 15.1.4
Version 2.1.0 (February 05, 2025)
Version 2.0.1 (January 14, 2025)
- Fixed an issue introduced in version 2.0.0 that caused incorrect handling of special characters in credentials
Version 2.0.0 (January 10, 2025)
- Improved handling for Cargo.lock and Cargo.toml files now allows full exploration of Cargo project dependency trees in Lifecycle
- Added support for pipfile.lock files
- Fixed a bug related to pnpm-lock.yaml files found inside archives
- Added branch name collection when it runs in a Git repository context
- Fixed an issue for an edge case where Sonatype Container Security failed to detect the container registry
Version 1.185.0 (December 11, 2024)
- Added support for customizing container scans to include only OS components via the NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS environment variable
Version 1.184.1 (November 28, 2024)
Version 1.184.0 (November 08, 2024)
- Removed the mount path requirement for Sonatype Container Security
- Added support for files ending with the pattern .cdx.json
Version 1.183.0 (October 17, 2024)
- Added support for creating a dependency scanning report that can populate the Vulnerability Report section
- Added support for fetching an SBOM file associated with a previous policy evaluation step from Sonatype IQ Server
Version 1.182.0 (September 04, 2024)
- Added support for Java reachability analysis
Version 1.181.0 (August 20, 2024)
Version 1.180.0 (August 09, 2024)
Version 1.179.0 (July 11, 2024)
Version 1.178.0 (June 26, 2024)
Version 1.177.0 (Jun 4, 2024)
Version 1.176.0 (May 14, 2024)
Version 1.175.0 (Apr 9, 2024)
Version 1.174.0 (Mar 6, 2024)
Version 1.173.0 (Feb 7, 2024)
Version 1.171.0 (Jan 19, 2024)
Version 1.170.0 (Dec 11, 2023)
Version 1.169.0 (Nov 1, 2023)
Version 1.168.0 (Oct 16, 2023)
Version 1.167.0 (Sep 7, 2023)
Version 1.166.0 (Aug 25, 2023)
Version 1.165.0 (Jul 20, 2023)
Version 1.164.0 (Jun 30, 2023)
Version 1.163.0 (Jun 16, 2023)
Version 1.162.0 (Jun 9, 2023)
Version 1.161.0 (May 12, 2023)
Version 1.160.0 (Apr 20, 2023)
Version 1.159.0 (Apr 6, 2023)
Version 1.158.0 (Mar 21, 2023)
- Updates to Nexus Container Scanning
  - Scanning remote images does not require providing environment variables if the image is public
Version 1.156.0 (Feb 24, 2023)
Version 1.155.0 (Feb 9, 2023)
Version 1.153.0 (Jan 26, 2023)
Version 1.152.0 (Jan 13, 2023)
- Introduces call flow analysis in Java (or any JVM language) binaries found in the scan targets to find method signatures which trigger a security vulnerability
Version 1.151.0 (December 2022)
Version 1.150.0 (November 2022)
- Evaluations terminate with a non-zero exit code if there are any scanning errors
Version 1.149.0 (November 2022)
Version 1.148.0 (October 2022)
Version 1.147.0 (October 2022)
Version 1.146.0 (October 2022)
Version 1.145.0 (October 2022)
- Notable bug fix
  - Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from release 142 and above are now ignored during a manifest scan.
- Updated internal dependencies to ensure compatibility with Lifecycle 145
Version 1.144.0 (September 2022)
- Users can now provide an additional parameter organization-id for a specific organization. If the application does not exist, IQ Server will create it under the specified organization, instead of the parent organization that is configured for Automatic Application Creation.
Version 1.142.0 (July 2022)
Version 1.141.0 (June 2022)
Version 1.139.0 (June 2022)
Version 1.138.0 (May 2022)
Version 1.137.0 (May 2022)
Version 1.135.0 (March 2022)
Version 1.134.0 (March 2022)
- Support for CycloneDX 1.4:
  - The CycloneDX Application Analysis has been extended to support the CycloneDX schema version 1.4 for XML and JSON formats.
Version 1.133.0 (March 2022)
Version 1.132.0 (January 2022)
- Bug Fix for False Positives in Image Scans
Version 1.130.0 (December 2021)
- Update logback library version in IQ
  - Nexus IQ Server does not use log4j and uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability in logback, we are taking precautionary measures by updating the logback library version used in Nexus IQ products.
- Cran and Cargo Matching Improvements
- Conda Matching Improvements
Version 1.125.0-02a (October 2021)
- An optional environment variable, NEXUS_IQ_REPORT_FORMAT, can be set to control the content of the generated evaluation report
Version 1.125.0-02 (October 2021)
- Conan Matching Improvements
  - Conan data and matching have been improved for both Lifecycle and Firewall.
- Dependency Information Improvements for NPM
  - NPM Dependency Information detection has been improved to display more accurate results.
Version 1.123.0 (September 2021)
- Fixed an issue with some NPM scans that was causing IQ Server 122 evaluations to fail when reading dependency information.
Version 1.122.0 (September 2021)
- Dependency Information for NPM
  - NPM project scans with manifests allow displaying dependency information for NPM components (Direct and Transitive).
Version 1.121.0 (August 2021)
- Support for container scanning via Nexus Container
Version 1.119.0 (July 2021)
- SBOM Improvements and Bug Fixes:
  - CycloneDX SBOM scans have been improved to display better results
Version 1.118.0 (June 2021)
- Swift Application Analysis:
  - IQ Server can now be used to evaluate policies against components from the dependency file of a Swift application.
Version 1.117.0 (June 2021)
- Support for CycloneDX 1.3:
  - CycloneDX Application Analysis has been extended to support the schema version CycloneDX 1.3 for XML format.
Version 1.116.0 (June 2021)
- Improvements to Python Application Analysis:
  - IQ Server now supports evaluating policies against Python components defined in poetry.lock files.
Version 1.114.0 (May 2021)
- Support for CycloneDX 1.2:
  - CycloneDX Application Analysis has been extended to support the schema version CycloneDX 1.2 for XML format.
Version 1.107.0 (March 2021)
- Java Manifest Application Analysis:
  - IQ Server now supports evaluating policies against Java components in pom.xml and build.gradle files.
Version 1.106.0 (March 2021)
- Improvements to manifest analysis:
  - Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
  - Updated CLI scanner to parse package-lock.json files stored inside an archive.
  - Fixed parsing errors when scanning yarn.lock and *.csproj files.
Version 1.105.0 (Feb 2021)
- Fixed initialization error in NuGet manifest scanning
Version 1.104.0 (Jan 2021)
- Application analysis of components for:
  - NPM, as defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
  - NuGet, as defined in .csproj and packages.config files.
Version 1.103.0 (Dec 2020)
- Added support for analyzing Java 14 and 15 bytecode.
Version 1.101.0 (Nov 2020)
- Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC.
Version 1.98.0 (Sep 2020)
- Application analysis of components for:
  - Go components defined in a Gopkg.lock file.
Version 1.97.0 (Aug 2020)
- Application analysis of components for:
  - C/C++ components defined in a conaninfo.txt file.
  - Go components defined in a go.list file.
Version 1.94.0 (Jun 2020)
- Now released in sync with IQ Server releases (which may or may not include updates relevant to this docker image's release)
- Application analysis of components for:
  - C/C++ conanfile.py files
  - Yum
  - Alpine
  - Debian
  - Drupal
  - R (CRAN)
  - Rust (Cargo)
Version 1.88.0 (Mar 2020)
- Application analysis of components for:
  - Swift/Objective-C CocoaPods
  - Conda
Version 1.87.0 (Mar 2020)
- Identify components based on SHA-1 value (content hash)
- Application analysis of components for:
  - C/C++ Conan
  - PHP Composer
  - RubyGems
- CycloneDX application analysis extended to support submitting component vulnerabilities
Version 1.2 (Sep 2019)
- Pushed environment variables into processes for automated onboarding of applications for Nexus IQ for SCM
Version 1.1 (Apr 2019)
- Expanded coverage option (-xc) fixed
- Application ID added to the report filename
- Policy violation counts added to the HTML report
Version 1.0 (Apr 2019)
- Known issues:
  - Using the expanded coverage option (-xc) will incorrectly cause the pipeline job to fail
  - Multiple evaluations in the same job will incorrectly append report information to the same policy-eval-report.html file