Changelog
Version 3.20.9 (December 11, 2024)
Version 3.20.8 (November 15, 2024)
- Added an option to mark Jenkins jobs as SUCESS instead of UNSTABLE if the policy evaluation has alerts with a warn action
Version 3.20.7 (November 08, 2024)
- Fixed a TOML parsing error that affected scanning of Python projects using pyproject.toml and poetry.lock
Version 3.20.6 (October 07, 2024)
- Fixed issue where the callflow algorithm parameter was not assigned the default value RTA_PLUS
Version 3.20.5 (September 25, 2024)
- Fixed issue with Jenkins DSL plugin treating optional parameters as required
- Improved the handling of Maven plugin-generated scan modules files (module.xml) to ensure a consistent approach across the policy evaluation step and the callflow analysis sub-step
- Added support for displaying both the App and Priorities Reports
Version 3.20.4 (September 04, 2024)
- Set Jenkins 2.452.x LTS as the minimum supported version
- Added an option to enable the Callflow feature from the UI configuration
Version 3.20.3 (August 20, 2024)
Version 3.20.2 (August 12, 2024)
- Added support for scanning CycloneDx version 1.6 files
- Added support for analyzing Java 21 and Java 22 bytecode
Version 3.20.1 (July 12, 2024)
Version 3.20.0 (June 27, 2024)
- Preview feature: Reachability Analysis
- Maintenance release
Version 3.19.6 (June 05, 2024)
Version 3.19.5 (May 17, 2024)
- Bug fix: exclude patterns work with archive files as well
Version 3.19.4 (April 09, 2024)
Version 3.19.3 (March 07, 2024)
Version 3.19.2 (February 08, 2024)
Version 3.19.1 (January 19, 2024)
- Added support for exclude scan patterns
Version 3.19.0 (December 08, 2023)
- Java 11 is the minimum supported Java version
Version 3.18.0 (November 02, 2023)
Version 3.17.518 (September 08, 2023)
- Renamed the feature previously known as Policy Violation Grandfathering to Legacy Violations
Version 3.17.514 (September 01, 2023)
- Added support for scanning SPDX version 2.3 files
Version 3.16.510 (August 01, 2023)
- Added support for scanning Java class binaries produced by Java 19 and 20
Version 3.16.508 (July 20, 2023)
Version 3.16.503 (July 05, 2023)
Version 3.16.501 (June 16, 2023)
Version 3.16.497 (June 13, 2023)
- Added full support for Java 17
Version 3.16.491 (May 12, 2023)
Version 3.16.489 (April 20, 2023)
Version 3.16.487 (April 06, 2023)
Version 3.16.485 (March 22, 2023)
- For remote image scanning, environmental variables NEXUS_CONTAINER_IMAGE_REGISTRY_USER and NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD are not required and are now optional for public images
Version 3.16.481 (February 27, 2023)
Version 3.16.478 (February 13, 2023)
Version 3.16.476 (January 27, 2023)
Version 3.16.474 (January 16, 2023)
Version 3.16.471 (December 14, 2022)
- Removed support for scanning IaC targets
Version 3.16.465 (December 01, 2022)
- Scanning local images does not require providing environmental variables
- To scan remote images, the user will now have to provide only these variables:
- NEXUS_CONTAINER_IMAGE_REGISTRY_USER
- NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
Version 3.16.459 (November 17, 2022)
- Fixed for an edge case where the policy evaluation pipeline stage is marked UNSTABLE even though no policy violations are present
Version 3.16.455 (October 26, 2022)
Version 3.16.453 (October 20, 2022)
Version 3.16.449 (October 06, 2022)
- Policy evaluation stage is marked according to policy actions
- Fixed dependency conflict with certain versions of the credentials plugin
Version 3.16.444 (September 22, 2022)
- Added the organization ID parameter, used for automatic IQ apps
- Fixed Nexus IQ Build Report to properly show the icon for “notify” actions
Version 3.15.438 (September 07, 2022)
- Started using the lightweight Nexus Java API to reduce complexity on class loading for the plugin
Version 3.14.431 (July 28, 2022)
- Improved summary message for policy evaluations
Version 3.14.424 (July 07, 2022)
Version 3.14.418 (June 16, 2022)
Version 3.14.415 (June 01, 2022)
Version 3.14.412 (May 19, 2022)
Version 3.14.407 (April 29, 2022)
- Added support for scanning Java class binaries produced by Java 18
Version 3.14.405 (March 28, 2022)
- Fixed a
IllegalAccessError
that prevents the plugin to run properly in certain cases
Version 3.14.403 (March 24, 2022)
- Fixed a
NoSuchMethodError
exception that prevents the plugin to run in certain cases
Version 3.14.401 (March 15, 2022)
Version 3.13.20220304 (March 04, 2022)
Version 3.13.20220201 (February 01, 2022)
- Reduced logging on INFO level
Version 3.13.20220124 (January 24, 2022)
- Bug fix for false positives in container scans
Version 3.13.20220121 (January 21, 2022)
- Added support for scanning IaC targets
Version 3.13.20211220 (December 20th, 2021)
- Conda Matching Improvements
- Cran and Cargo Matching Improvements
Version 3.13.20211207 (December 7th, 2021)
- Updated the min Jenkins version required to 2.249.1
- Removed obsolete dependencies
Version 3.13.20211117 (November 18th, 2021)
- Added support for multiple Nexus IQ Servers
Version 3.12.20211110 (November 11th, 2021)
- Fixed java.lang.NoClassDefFoundError: io/jenkins/cli/shaded/org/xml/sax/ContentHandler
Version 3.12.20211019 (October 21th, 2021)
- Added support for scanning Java class binaries produced by Java 17
Version 3.11.20210920 (September 20, 2021)
- Added support for using environment variables and credentials for required values for container scanning
- Made default mount folder for nexus container analysis workspace temp folder
Version 3.11.20210915 (September 16, 2021)
- Bug fixes
- NPM manifest file scans now include dependency information and can identify InnerSource components
Version 3.11.20210824 (August 25, 2021)
- Made mount folder for nexus container analysis customisable
- Made default mount folder /tmp for nexus container analysis
- Improvements in log statements for nexus container analysis
Version 3.11.20210811 (August 11, 2021)
Version 3.11.20210729 (July 30, 2021)
- Handle yarn v2 files
- Exclude package-lock.json in favour of npm-shrinkwrap.json
- Bug fixes
Version 3.11.20210716 (July 16, 2021)
- Add support for nexus container analysis
- Make build unstable on scan error
Version 3.11.20210621 (June 21st, 2021)
- Deleted temp files from scan after eval
- Send licensed features into the scanner
- Fixed runtime error due to stax2 conflict
- Added jenkins version to user agent
Version 3.11.20210420 (April 20th, 2021)
- Added support for scanning Java class binaries produced by Java 16
- Fixed XStream parser error when scanning nuget manifests
Version 3.11.20210323 (March 24th, 2021)
- Fixed a regression in configuring the Policy Evaluation task in the UI
Version 3.11.20210308 (March 8th, 2021)
- Added scanning and application/package analysis support for Java using a pom.xml or build.gradle file
Version 3.11.20210301 (March 1, 2021)
- Added a Global Configuration option to remove direct IQ reporting of policy violations from Jenkins
Version 3.10.20210222 (February 23rd, 2021)
- Updated the resultant structure to include the nested dependencies to form a dependency tree when scanning a module.xml file
- Added scanning and application/package analysis support for the following ecosystems:
- NPM using files : yarn.lock, pnpm-lock.yaml, package-lock.json, npm-shrinkwrap.json
- Nuget using packages.config file or .csproj files
Version 3.10.20201208 (December 8th, 2020)
- Added support for running the plugin with Java 11 and 14
- Added support for scanning Java class binaries produced by Java 14 and 15
Version 3.9.20201109 (November 9th, 2020)
- Added flag to enable debug logging
Version 3.9.20200722 (July 22nd, 2020)
- Added scanning and application/package analysis support for Conan using a conaninfo.txt file (in addition to the files conanfile.txt and conanfile.py)
Version 3.9.20200716 (July 16th, 2020)
- Added scanning and application/package analysis support for Golang using a go.list file (in addition to the file go.sum)
Version 3.9.20200623 (June 23rd, 2020)
- Added scanning and application/package analysis support for the following ecosystems:
- Alpine
- Conda
- Debian
- Drupal
- R (Cran)
- Rust (Cargo)
- Swift (Cocoapods)
- Yum
- Use policy violation counts instead of component counts in the policy evaluation summary
- Fixed an issue with y-axis labels on the new trend graph
Version 3.8.20200204 (February 6th, 2020)
- Fixed to ensure that all Nexus IQ for SCM logging goes to the build log instead of the server log
Version 3.8.20191216 (December 18th, 2019)
- Fixed additional marshalling issue with new trend graph
Version 3.8.20191213 (December 13th, 2019)
- Fixed marshalling issue with new trend graph
- Fixed issue with y-axis number on new trend graph
Version 3.8.20191204 (December 4th, 2019)
- Added Nexus IQ Build Report which shows details for warn/fail vulnerabilities
- Support slave nodes for automatic repository URL discovery for usage with Nexus IQ for SCM
Version 3.8.20191127 (November 27th, 2019)
- Added trend graph to a Pipeline, which depicts the information about the last 5 builds with critical, severe and moderate violation numbers
- Added support to scan and evaluate Clair identified container dependencies
- Added support to scan and evaluate identified dependencies from a CycloneDX SBOM file
Version 3.8.20190920 (September 20th, 2019)
- Added support for automatically deducing the repository URL for usage with Nexus IQ for SCM
Version 3.7.20190823 (August 23rd, 2019)
- Added support for automatically deducing git commit hash for usage with Nexus IQ for SCM
Version 3.6.20190722 (July 22nd, 2019)
- BREAKING CHANGES: Nexus IQ 69 or newer is a required upgrade to use the Nexus Platform Plugin
- BREAKING CHANGES: Support for Scanning Go Modules
- BREAKING CHANGES: Mitigate IQ Server Client Timeouts
Version 3.5.20190425 (April 25th, 2019)
- Added messages about Nexus Vulnerability Scanner to the plugin
- Added ability to provide custom/advanced properties to IQ scanner
Version 3.5.20190422 (April 22nd, 2019)
- Fixed for environmental variables not getting resolved in the tags field
Version 3.5.20190313 (March 13th, 2019)
- Added support for Java 12 IQ evaluations
Version 3.5.20190215 (February 18th, 2019)
- Added support for Scanning Python Wheel Packages
Version 3.4.20190116 (January 16th, 2019)
- Added support for Java 10, 11 IQ evaluations
- Added support for Python coordinate detection via requirements.txt files
Version 3.3.20190108 (January 8th, 2019)
- Added support for multiple policy evaluations per Jenkins job
- Added application name and IQ stage to the entries in the build results
- Renamed the “Application Composition Report” to “Nexus IQ Policy Evaluation”
Version 3.3.20181207 (December 12, 2018)
- Bug fix: Could not connect to Nexus Repository servers exposed over HTTPS
- Bug Fix: Proxy settings were not respected when verifying connection to Nexus Repository
Version 3.3.20181129 (November 29, 2018)
- Bug fix: IQ application list incorrect for jobs configured to use job specific credentials
Version 3.3.20181102 (November 2, 2018)
- Bug fix: Environment variables weren’t expanded for manual application IDs
Version 3.3.20181025 (October 25, 2018)
- Bug fix: When configuring the ‘Invoke Nexus Policy Evaluation’ build step, the ‘module excludes’ field is not persisted on save.
- Bug fix: Jenkins Platform Plugin unable to determine Nexus Repository Manager version using Server URL with trailing slash
- Bug fix: Jenkins plugin fails requests when Nexus is not at base context path
- Added link to plugin documentation for NXRM3 to readme
Version 3.3.20180912 (September 12, 2018)
- The plugin will now emit a warning when the scanner encounters an invalid JAR file:
“[WARN] Could not open some.jar as an archive. Will scan it as regular file.”
Version 3.3.20180830 (August 30, 2018)
- BREAKING CHANGES: Nexus IQ 1.50 or newer is a required upgrade to use the Nexus Platform Plugin
- BREAKING CHANGES: Support for Nexus IQ Policy Violation Grandfathering
- BREAKING CHANGES: Fixed snippet generation
Version 3.3.20180801 (August 1, 2018)
- New build step available for tag association
- Moved components using NXRM3 search criteria from Pipeline
Version 3.2.20180724 (July 24, 2018)
- Added support of Nexus Repository Manager 3.13.0 servers for Maven component uploads, and new staging features (for Pro versions): tags, move, and delete
Version 3.1.20180702 (July 2, 2018)
- Fixes for recording of component occurrences
Version 3.1.20180605 (June 5, 2018)
- Log additions for Automatic application creation
Version 3.0.20180531 (May 31, 2018)
- UI fixes for chiclet style on older versions of Jenkins
Version 3.0.20180425 (April 25, 2018)
- BREAKING CHANGES: Nexus IQ 1.47 or newer is a required upgrade to use the Nexus Platform Plugin
- BREAKING CHANGES: Support for Nexus IQ Automatic application creation
Version 3.0.20180214 (February 14, 2018)
- BREAKING CHANGES: Pipeline jobs using the plugin will now fail during execution if a policy action is set to fail the build. This is different from previous behavior which would set the build result to failure but allow the build to continue. This is adopting standard practice for Jenkins pipeline plugins and allows more visibility into what has failed and why. Pipelines that require continuation of the build will have to surround the plugin step with try catch, where the evaluation information is now wrapped in the exception argument.
- BREAKING CHANGES: The pipeline step has always returned a model for the evaluation containing information about the results. The ApplicationPolicyEvaluation will no longer include a boolean for reevaluation therefore calls to get or set this will fail. The Jenkins pipeline has never supported reevaluation and this boolean has always returned false. For simplification, it has been removed.
- Module.xml evaluation support. The Nexus Platform Plugin for Jenkins now supports policy evaluations against results generated by the clm-maven-plugin index goal. The new plugin will scan module.xml files available in ’/sonatype-clm/module.xml’, ‘/nexus-iq/module.xml’ and will support module exclude patterns to exclude these files if desired.
- Fix for directory structure of JavaScript files scanned by the plugin
- No longer requires optional parameters to be declared in declarative pipelines
- All users can now select credentials for jobs as long as they have the appropriate permissions to configure the job and view the credentials
Version 1.6.20180123 (January 23, 2018)
- Whitelist updates to support JEP-200
Version 1.5.20171121 (November 21, 2017)
- Added support for Java 9 IQ evaluations
Version 1.4.20170929 (September 29, 2017)
- Updated upstream dependencies to consume latest IQ server Application Evaluation result
- Fix for throwing serializable exception upon client exception
Version 1.3.20170728 (July 28, 2017)
- Added support for Docker image evaluations
Version 1.2.20170627 (June 27th, 2017)
- Added support for credentials in Folder stores
- Added support for Certificate credentials through the Credentials Plugin
Version 1.2.20170428 (April 28th, 2017)
- Added support for Nexus Publish when remote agent is used for build
Version 1.2.20170417 (April 17th, 2017)
- Fix for connection pool saturation when publishing many components
Version 1.2.20170404 (April 4th, 2017)
- Initial release to the Jenkins Update Center