Critical fix for Nexus Repository 3.57.0 or 3.58.0 + Repository Firewall


Jamie Whitehouse

Jul 21, 2023, 8:50:48 PM
to clm-anno...@glists.sonatype.com
Hello everyone.

Now available: Nexus Repository 3.57.1 and 3.58.1. This release fixes a critical bug impacting Sonatype Nexus Repository 3.57.0 and 3.58.0 deployments that use Sonatype Repository Firewall.

This bug could allow users to unintentionally download quarantined components. We have previously retracted versions 3.57.0 and 3.58.0; please use 3.57.1 or 3.58.1 instead.

Jamie.

On Fri, Jul 21, 2023 at 3:18 PM Dariush Griffin <dgri...@sonatype.com> wrote:

Hi all,


Latest version of Sonatype IQ Server version 165 has been released and is freely available for download for all existing users.


Important for users of Sonatype Repository Firewall running Nexus Repository Manager (NXRM versions 3.57.0 and 3.58.0)

NXRM versions 3.57.0 and 3.58.0 have been found to have a critical issue that causes download of previously quarantined components. We are actively working to resolve this issue. Bug fix patches for NXRM 3.57.0 and 3.58.0 will be released soon. We highly recommend installing the latest patches for NXRM to ensure the highest quality and security with Sonatype Repository Firewall.


What’s New in Sonatype IQ Server Release 165?


Generate SBOMs in SPDX format

Sonatype IQ Server version 165 extends the mission to promote open standards for communicating SBOM information by generating SBOMs compliant with the current SPDX® 2.3 standards. The new SPDX REST API can generate SBOMs in both XML and JSON outputs for all supported component formats. A new option on the Application Scan Report page, “Export SPDX”, has been added to generate the SPDX SBOM in JSON format.


More Ecosystems Coverage for Observed Licenses Detection 

We have expanded our observed license detection capability from Maven to include other ecosystems. Users with Advanced Legal Pack (ALP) license and running Sonatype IQ Server release 165 (or higher) can detect and review observed licenses in npm, NuGet, PyPI, RubyGems, RPM, and Composer ecosystems, in addition to Maven. 


Impact on existing users:

  • Fresh installations of Sonatype IQ Server will have this capability enabled by default.

  • There is no impact of this change on earlier versions of Sonatype IQ Server/Lifecycle.

  • To enable the Observed License Detection capability after upgrading to release 165, use the configuration option. (Note: You will see more policy violations after turning this option on.)


What’s Improved in Release 165?


One-click Submit for Waiver Requests

Users who do not have permission to add waivers on policy violations can request waivers automatically when a webhook is configured for the Waiver Request event.

This reduces the manual effort of copy-paste and sharing the curl command (containing the specific violation details to be waived) with a designated approver. Once configured, users can now trigger a webhook event to request a waiver by clicking on the Submit button on the Request Waiver page.


Other Improvements

  • View more rows of Violations on the Lifecycle Dashboard with extended pagination.

  • The App Sec team can set meaningful remediation messages and directives for the developers when Sonatype Repository Firewall detects a quarantined component request. (Requires Nexus Repository version 3.58 with bug fix patch or higher.)

  • The Repository Manager interface now shows repositories logically grouped under the respective Repository Manager. A new “enablement” column indicates the specific Sonatype Repository Firewall protection features that are enabled for every repository.

  • The pre-assigned UUID for a Repository Manager in Sonatype Repository Firewall can be associated with a customizable, human-readable name that is easy to identify throughout Lifecycle and Firewall instances.


Notable Bug Fix


We have modified the error messages generated in export logs during database migrations to indicate the exact root cause, for better resolution of export errors.


For more detailed information on release 165, please refer to the release notes.


Thank you,

Dariush Griffin

Sonatype Lifecycle - Product Manager



--

Dariush Griffin

Senior Product Manager
Mobile: 512.299.0429

