Changelog
Version 2.0.1 (January 14, 2025)
- Fixed an issue introduced in version 2.0.0 that caused incorrect handling of special characters in credentials
Version 2.0.0 (January 10, 2025)
- Improved handling for Cargo.lock and Cargo.toml files now allows full exploration of Cargo project dependency trees in Lifecycle
- Added support for pipfile.lock files
- Fixed a bug related to pnpm-lock.yaml files found inside archives
- Added branch name collection when it runs in a Git repository context
- Fixed an issue for an edge case where Sonatype Container Security failed to detect the container registry
Version 1.185.0 (December 11, 2024)
- Added support for customizing container scans to include only OS components via the NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS environment variable
Version 1.184.1 (November 28, 2024)
Version 1.184.0 (November 08, 2024)
- Removed the mount path requirement for Sonatype Container Security
- Added support for files ending with the pattern .cdx.json
Version 1.183.0 (October 17, 2024)
- Added support for creating a dependency scanning report that can populate the Vulnerability Report section
- Added support for fetching an SBOM file associated with a previous policy evaluation step from Sonatype IQ Server
Version 1.182.0 (September 04, 2024)
Version 1.181.0 (August 20, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 181
Version 1.180.0 (August 09, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 180
Version 1.179.0 (July 11, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 179
Version 1.178.0 (June 26, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 178
Version 1.177.0 (Jun 4, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 177
Version 1.176.0 (May 14, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 176
Version 1.175.0 (Apr 9, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 175
Version 1.174.0 (Mar 6, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 174
Version 1.173.0 (Feb 7, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 173
Version 1.171.0 (Jan 19, 2024)
- Updated internal dependencies to ensure compatibility with Lifecycle 171
Version 1.170.0 (Dec 11, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 170
Version 1.169.0 (Nov 1, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 169
Version 1.168.0 (Oct 16, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 168
Version 1.167.0 (Sep 7, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 167
Version 1.166.0 (Aug 25, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 166
Version 1.165.0 (Jul 20, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 165
Version 1.164.0 (Jun 30, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 164
Version 1.163.0 (Jun 16, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 163
Version 1.162.0 (Jun 9, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 162
Version 1.161.0 (May 12, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 161
Version 1.160.0 (Apr 20, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 160
Version 1.159.0 (Apr 6, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 159
Version 1.158.0 (Mar 21, 2023)
- Updates to Nexus Container Scanning
  - Scanning remote images does not require providing environment variables if the image is public
- Updated internal dependencies to ensure compatibility with Lifecycle 158
Version 1.156.0 (Feb 24, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 156
Version 1.155.0 (Feb 9, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 155
Version 1.153.0 (Jan 26, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 153
Version 1.152.0 (Jan 13, 2023)
- Updated internal dependencies to ensure compatibility with Lifecycle 152
- Introduces call flow analysis in Java (or any JVM language) binaries found in the scan targets to find method signatures which trigger a security vulnerability
Version 1.151.0 (December 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 151
Version 1.150.0 (November 2022)
- Evaluations terminate with a non-zero exit code if there are any scanning errors
- Updated internal dependencies to ensure compatibility with Lifecycle 150
Version 1.149.0 (November 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 149
Version 1.148.0 (October 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 148
Version 1.147.0 (October 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 147
Version 1.146.0 (October 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 146
Version 1.145.0 (October 2022)
- Notable bug fix
  - Releases 142 and above fix a bug where a manifest scan processed pom.xml files inside a META-INF directory. Files in this directory, in most cases (specifically for uber/shaded archives), do not represent the manifest file for the target application to be scanned. All pom.xml files inside a META-INF directory from release 142 and above are now ignored during a manifest scan.
- Updated internal dependencies to ensure compatibility with Lifecycle 145
Version 1.144.0 (September 2022)
- Users can now provide an additional parameter organization-id for a specific organization. If the application does not exist, IQ Server will create it under the specified organization, instead of the parent organization that is configured for Automatic Application Creation.
- Updated internal dependencies to ensure compatibility with Lifecycle 144
Version 1.142.0 (July 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 142
Version 1.141.0 (June 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 141
Version 1.139.0 (June 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 139
Version 1.138.0 (May 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 138
Version 1.137.0 (May 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 137
Version 1.135.0 (March 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 135
Version 1.134.0 (March 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 134
- Support for CycloneDX 1.4:
  - The CycloneDX Application Analysis has been extended to support the CycloneDX schema version 1.4 for XML and JSON formats.
Version 1.133.0 (March 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 133
Version 1.132.0 (January 2022)
- Updated internal dependencies to ensure compatibility with Lifecycle 132
- Bug Fix for False Positives in Image Scans
Version 1.130.0 (December 2021)
- Update logback Library Version in IQ
  - Nexus IQ Server does not use any log4j version and uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j. However, because of a low/moderate vulnerability existing in logback, we're taking precautionary measures by updating the logback library version used in Nexus IQ products.
- Cran and Cargo Matching Improvements
- Conda Matching Improvements
Version 1.125.0-02a (October 2021)
- An optional environment variable, NEXUS_IQ_REPORT_FORMAT, can be set to control the content of the generated evaluation report
Version 1.125.0-02 (October 2021)
- Conan Matching Improvements
  - Conan data and matching have been improved for both Lifecycle and Firewall.
- Dependency Information Improvements for NPM
  - NPM Dependency Information detection has been improved to display more accurate results.
Version 1.123.0 (September 2021)
- Fixed an issue with some NPM scans that was causing IQ Server 122 evaluations to fail when reading dependency information.
Version 1.122.0 (September 2021)
- Dependency Information for NPM
  - NPM project scans with manifests allow displaying dependency information for NPM components (Direct and Transitive).
Version 1.121.0 (August 2021)
- Support for container scanning via Nexus Container
Version 1.119.0 (July 2021)
- SBOM Improvements and Bug Fixes:
  - CycloneDX SBOM scans have been improved to display better results
Version 1.118.0 (June 2021)
- Swift Application Analysis:
  - IQ Server can now be used to evaluate policies against components from the dependency file of a Swift application.
Version 1.117.0 (June 2021)
- Support for CycloneDX 1.3:
  - CycloneDX Application Analysis has been extended to support the schema version CycloneDX 1.3 for XML format.
Version 1.116.0 (June 2021)
- Improvements to Python Application Analysis:
  - IQ Server now supports evaluating policies against Python components defined in poetry.lock files.
Version 1.114.0 (May 2021)
- Support for CycloneDX 1.2:
  - CycloneDX Application Analysis has been extended to support the schema version CycloneDX 1.2 for XML format
Version 1.107.0 (March 2021)
- Java Manifest Application Analysis:
  - IQ Server now supports evaluating policies against Java components in pom.xml and build.gradle files
Version 1.106.0 (March 2021)
- Improvements to manifest analysis:
  - Updated CLI scanner to exclude development dependencies when scanning package-lock.json files.
  - Updated CLI scanner to parse package-lock.json files stored inside an archive.
  - Fixed parsing errors when scanning yarn.lock and *.csproj files.
Version 1.105.0 (Feb 2021)
- Fixed initialization error in NuGet manifest scanning
Version 1.104.0 (Jan 2021)
- Application analysis of components for:
  - NPM, as defined in yarn.lock, pnpm-lock.yaml, package-lock.json, and npm-shrinkwrap.json files.
  - NuGet, as defined in .csproj and packages.config files.
Version 1.103.0 (Dec 2020)
- Added support for analyzing Java 14 and 15 bytecode.
Version 1.101.0 (Nov 2020)
- Nexus IQ CLI no longer supports Lifecycle XC. IQ Server now has native support for all languages that were supported in Lifecycle XC.
Version 1.98.0 (Sep 2020)
- Application analysis of components for:
  - Go components defined in a Gopkg.lock
Version 1.97.0 (Aug 2020)
- Application analysis of components for:
  - C/C++ components defined in a conaninfo.txt file.
  - Go components defined in a go.list file
Version 1.94.0 (Jun 2020)
- Now released in sync with IQ Server releases (which may or may not include updates relevant to this docker image’s release)
- Application analysis of components for:
  - C/C++ conanfile.py Files
  - Yum
  - Alpine
  - Debian
  - Drupal
  - R (CRAN)
  - Rust (Cargo)
Version 1.88.0 (Mar 2020)
- Application analysis of components for:
  - Swift/Objective-C CocoaPods
  - Conda
Version 1.87.0 (Mar 2020)
- Identify components based on SHA-1 value (content hash)
- Application analysis of components for:
  - C/C++ Conan
  - PHP Composer
  - RubyGems
- CycloneDX application analysis extended to support submitting component vulnerabilities
Version 1.2 (Sep 2019)
- Pushed environment variables into processes for automated onboarding of applications for Nexus IQ for SCM
Version 1.1 (Apr 2019)
- Expanded coverage option (-xc) fixed
- Application ID added to the report filename
- Policy violation counts added to the HTML report
Version 1.0 (Apr 2019)
- Known issues:
  - Using the expanded coverage option (-xc) will incorrectly cause the pipeline job to fail
  - Multiple evaluations in the same job will incorrectly append report information to the same policy-eval-report.html file