Overview

This page presents release notes for JFrog Xray describing the main fixes and enhancements made to each version as it is released. 

If you need release notes for earlier versions of Xray, please refer to the Release Notes in the Xray 2.x User Guide.

Before You Get Started!

Be sure to read the Xray 3.0 Release Notes carefully before installing or upgrading any Xray 3.x version, to learn about the new features and functionality introduced in the JFrog Platform.

Download 

Click to download the latest Xray version.

Installer Name Change!

From Xray 3.0, the installer naming convention has been changed to include the installer type.
The following table lists the official installer names.

Installer Type    Installer Syntax
Linux archive     jfrog-xray-<version>-linux.tar.gz
Compose           jfrog-xray-<version>-compose.tar.gz
RPM/Debian        jfrog-xray-<version>.<rpm|deb>

Previous Versions

Previous versions of JFrog Xray are available for download in the Previous Releases page.

Installation and Upgrade

For installation instructions please refer to Installing Xray.

To upgrade to this release from your current installation please refer to Upgrading Xray.

Xray Version Compatibility with Artifactory

The following table lists the Xray versions and the corresponding Artifactory version.

Note: Xray 3.x and Artifactory 7.x are forward and backward compatible, so any combination of these versions can run together. The recommended pairings enable UI features that are specific to those releases.

Xray Version    Recommended Artifactory Version
3.33.3          7.27.3
3.31.1          7.25.0
3.27.2          7.21.3
3.21.2          7.17.4
3.18.0          7.17.4
3.17.2          7.15.0
3.11.0          7.10.6
3.8.0           7.7.0
3.6.0           7.6.0


Xray 3.34

This section includes all of the Xray version 3.34 releases.

Xray 3.34.1

Released: October 14, 2021 

Highlights

New REST API for Scan Status

You can now check the scan status of Packages, Builds, and Release Bundles using the new Scan Status REST API.

Resolved Issues

This release contains resolved vulnerabilities. To learn more, click here.

JIRA Number  Description
XRAY-8413    Fixed an issue whereby vulnerability detection in SaaS was inaccurate when matching was done by prefix instead of suffix.
XRAY-8399    Fixed an issue whereby special characters in the RabbitMQ password were not supported.
XRAY-7986    Fixed an issue whereby the Violations and Vulnerabilities reports did not generate critical-violation data for violations with a CVSS v3 score.
XRAY-7624    Fixed an issue whereby creating a Watch failed when the Watch contained a Policy with multiple rules that all had the Block Download action.
XRAY-8260    Fixed an issue whereby, when the Security tab contained many security violations spanning more than one page, the list was sometimes ordered incorrectly, resulting in duplicated or missing security violations.
XRAY-8288    For security reasons, Xray no longer allows authentication with the anonymous user type.


Xray 3.33

This section includes all of the Xray version 3.33 releases.

Xray 3.33.3

Released: September 30, 2021 

The new features in this release are available with Artifactory version 7.27.3 and above.

Highlights

JFrog Security CVE Research and Enrichment

Xray's integration with Vdoo introduces JFrog Security CVE research and enrichment, a new capability that adds CVE details produced by the JFrog security research team. The team manually researches CVEs, assigns a JFrog Severity Score, and writes a deep technical overview so that you can better understand the actual risk each CVE poses.

Xray Integration with Jira

Xray can now be integrated with Atlassian's Jira Software, enabling the automatic creation of Jira tickets for security threats and violations identified by Xray. To learn more, see Xray Jira Integration.

Resolved Issues

JIRA Number  Description
XRAY-8303    Fixed an issue whereby, in some cases, the violation severity level in the On-Demand Binary Scan and Dependency Scan (both available through JFrog CLI) differed from the severity level given in Xray.
XRAY-8278    Improved the unknown-license classification so that it no longer includes Docker layers, manifests, and builds, avoiding false positives.
XRAY-8215    Fixed an issue whereby violations of a deleted Watch were still displayed in Xray.
XRAY-8163    Fixed an issue whereby the Get Violations REST API sorted by summary by default, which caused performance issues.
XRAY-8097    Fixed an issue whereby a license was not detected when the component version was missing from the Xray database.
XRAY-8043    Fixed an issue whereby the On-Demand Binary Scan and Dependency Scan (both available through JFrog CLI) did not return custom licenses properly.
XRAY-8007    Fixed an issue whereby, in some cases, exporting Xray data for a generic artifact produced an empty file (CSV/JSON/PDF).
XRAY-7977    Fixed an issue whereby generating a violations report for large repositories took too long.
XRAY-7491    Fixed an issue whereby, in some cases, the Xray system YAML file content was deleted when Xray was restarted.
XRAY-7304    Fixed an issue whereby returning the Watch violations count caused performance issues in the database when the number of violations was very high.
XRAY-7167    Fixed an issue whereby, for Docker images with different checksums but the same path, Xray returned the image's previous vulnerabilities.
XRAY-8378    Fixed an issue whereby the DB was overloaded with Impact Analysis messages when the same checksum was associated with many public components.

Xray 3.33.4

Released: October 3, 2021 

Resolved Issues

JIRA Number  Description
XRAY-8431    Fixed an issue whereby a non-admin user was unable to view or edit Watches.
XRAY-7650    Fixed an issue whereby, in some cases, scanning specific archived files failed.

Xray 3.33.5

Released: October 6, 2021 

Resolved Issues

  1. Fixed an issue whereby, extra workers were being initiated for Xray which sometimes led to resource exhaustion.

Xray 3.32

This section includes all of the Xray version 3.32 releases.

Xray 3.32.1

Released: August 31, 2021 

Feature Enhancements

Grace Period REST API Support

Added a new parameter to support the Grace Period feature in the Create Policy REST API. 

Ignore Rules REST API Enhancement

You can now sort the Get Ignore Rules REST API by projects. 

Resolved Issues

JIRA Number  Description
XRAY-8042    Fixed an issue whereby reindexing an Alpine repository using the Force Reindex API sometimes resulted in an error.
XRAY-7665    Fixed an issue whereby, in some cases, the Xray status for a build was incorrect when the build name contained special characters.
XRAY-7651    Fixed an issue whereby, when multiple components were affected by the same violation, the exported Violations report contained details for only one component and the rest were missing.
XRAY-8240    Fixed an issue whereby Docker images sometimes appeared as not indexed in Xray when the same tag (e.g. latest) was overwritten by a new image.
XRAY-8257    Fixed an issue whereby, in some cases, the Watch Violations page took a while to load due to the new filters for the latest build or Release Bundle version.

Xray 3.32.2

Released: September 1, 2021 

Resolved Issues

  1. Fixed an issue whereby, in some cases, existing values were overwritten when updating system parameters using the Configurations REST API. 

Xray 3.31

This section includes all of the Xray version 3.31 releases.

Xray 3.31.1

Released: August 23, 2021 

Highlights

Set a Grace Period before Failing Build

You can now set a grace period for build failure in a Policy, so that a build with violations is allowed to pass for the period you set before Xray starts failing it. For more information, see Creating Xray Policies and Rules.

New Filter in Watches

Filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you. For more information, see Configuring Xray Watches.

Filter Ignore Rules

Use an array of different filtering options to narrow down the list of Ignore Rules by the filter criteria you select. For more information, see Ignore Rules.

The new features mentioned above require Artifactory version 7.25.x and higher.

Xray Reports Clone

Create a clone of an existing report in Xray Reports to reuse a report and its defined settings saving you the time of recreating reports that you use often. This feature requires Artifactory 7.23.x and above.

Hot Upgrade

You can now upgrade an Xray High Availability (HA) installation from version 3.31.0 to a higher version without turning off all the secondary nodes. You can complete an Xray HA upgrade with zero downtime. 

Feature Enhancements

Enhanced Xray Dependency Scanning and On-Demand Binary Scanning

Xray Dependency scanning and Xray On-Demand Binary scanning now include the option to ignore violations. The JSON report of each scan includes an Ignore Rule URL (a URL to Xray in the JFrog Platform) in the results, enabling you to create Ignore Rules for violations in the report, as described in Ignore Rules.

Resolved Issues

JIRA Number  Description
XRAY-7394    Fixed an issue whereby, in some cases, the Force Reindex REST API failed.
XRAY-7322    Fixed an issue whereby the Watches page sometimes took a while to load when it contained a large number of defined Watches and Policies.
XRAY-6791    Fixed an issue whereby scanning builds that contained artifacts in a repository not marked for indexing sometimes returned incorrect results.
XRAY-8199    Fixed an issue whereby, in some cases, creating a violations report failed due to missing data in some of the violations.
XRAY-8151    Fixed an issue whereby scan-build failed when the build name contained the '/' character.
XRAY-8071    Fixed an issue whereby, in some cases, deleting a Watch did not delete the related violations.

Xray 3.31.2

Released: September 1, 2021 

Resolved Issues

  1. Fixed an issue whereby, in some cases, the Watch Violations page was taking a while to load due to the new filters of the latest build or Release Bundle version.

Xray 3.30

This section includes all of the Xray version 3.30 releases.

Xray 3.30.1

Released: August 15, 2021 

Highlights

Release Bundle Details REST API

Added a new Release Bundle Details REST API that returns license and security violations found in a Release Bundle. 

Resolved Issues

JIRA Number  Description
XRAY-7839    Fixed an issue whereby the Scan Build REST API output returned duplicated infected files.
XRAY-7930    Fixed an issue whereby scanning an artifact with a corrupted inner component failed.
XRAY-7084
XRAY-7737    Fixed an issue whereby special characters in the PostgreSQL DB password connection string sometimes caused Xray to fail.
XRAY-7791    Fixed an issue whereby CVE data was not displayed in reports for the dom4j library.

Xray 3.30.2

Released: August 18, 2021

Resolved Issues

JIRA Number  Description
XRAY-8213    Fixed an issue whereby scan-build failed when the build name contained the '/' character.

Xray 3.29

Released: July 21, 2021 

Highlights

Dependencies Scan 

The Xray Dependencies Scan feature enables you to scan your source code dependencies for security vulnerabilities and license violations, with the ability to scan against your Xray policies. The dependencies scan is available through the JFrog CLI: with a simple command-line tool, you can scan a source code directory on your local file system, providing a fast, early scan during development.

On-Demand Binary Scan

Xray now provides on-demand binary scanning to address your needs using the JFrog CLI for fast results. Now, you can point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory. 

The new scanning capabilities require JFrog CLI version 2.1.0.

Feature Enhancements 

Additional REST API Projects Support

To further support Projects in Xray, the following additions were made in the Xray REST APIs:

Resolved Issues

JIRA Number  Description
XRAY-7956    Fixed an issue whereby, in some cases, a circular dependency caused a stack overflow during scan analysis.
XRAY-7942    Fixed an issue whereby the Artifact Summary API sometimes returned empty results for a Docker image that had been pushed to several locations that were later deleted.
XRAY-7803    Fixed an issue whereby the DB Sync got stuck after the database restarted.
XRAY-7604    Fixed an issue whereby e-mail notifications were not sent for builds when the Notify Deployer option was enabled in a Policy.
XRAY-5960    Fixed an issue whereby, when importing Xray configurations using the Import API, remote repositories were not assigned as indexed resources in Watches.
XRAY-7944    Fixed an issue whereby a license without references was detected as an unknown license.
XRAY-7049    Fixed an issue whereby, in some cases, indexing builds or repositories failed due to RabbitMQ failures.
XRAY-8019    Fixed an issue whereby the Xray upgrade failed in rare cases of non-public schemas in the Xray DB.

Xray 3.29.2

Released: August 11, 2021

Resolved Issues

JIRA Number  Description
XRAY-7930    Fixed an issue whereby scanning an artifact with a corrupted inner component failed.
XRAY-8143    Fixed an issue whereby scan-build failed when the build name contained the '/' character.
XRAY-8139    Fixed an issue whereby, in some cases, a force reindex of Docker images caused Xray to fail.

Xray 3.27

This section includes all of the Xray version 3.27 releases.

Xray 3.27.2

Released: June 30, 2021 

The new features introduced in this release require Artifactory version 7.21.3 and above.

Highlights

New Security Manager Role in Projects

The Security Manager role can perform security-related project actions such as Manage Xray Data, Manage Reports, Manage Watches and Policies, and Ignore Global Violations.

Generate Xray Reports on a Project Scope

You can now generate Global Xray Reports for selected Projects for all report types in Xray. 

Apply Global Watches on Projects 

You can now apply Global Watches on specific Projects enabling you to set rules and policies in the selected Projects. 

Feature Enhancements

Added DB Sync Metrics

To monitor the DB Sync status, new DB Sync metrics were added to the Open Metrics REST API and Log. 

Resolved Issues

JIRA Number  Description
XRAY-6970    Fixed an issue whereby Xray detected components with a dual license consisting of CDDL-1.1 and GPL-2.0 as having an unknown license.
XRAY-6456    Fixed an issue whereby, when scan-build was triggered shortly after a build was pushed to Artifactory, the two processes could run in parallel, resulting in database errors and failures.
XRAY-6152    Fixed an issue whereby the rotated Xray server request log was not archived in the default archive folder.
XRAY-7461    Fixed an issue whereby, in some cases, vulnerabilities of an old sub-component were displayed in the Xray tab. This fix is available with Artifactory version 7.21.2 and above.
XRAY-7312    Fixed an issue whereby Xray did not display correct data when the same properties were used in different Maven components.
XRAY-6717    Improved the Artifact Summary REST API performance.
XRAY-7605    Fixed an issue whereby Xray indexing failed due to a miscalculation of free disk storage.

Xray 3.27.3

Released: July 12, 2021 

Feature Enhancements

Health Check Readiness New Configurations

The Health Check Readiness feature can now be configured with the following new configuration parameters in the Xray system YAML.

  • shared.probes.readiness.samplers.database.enabled
  • shared.probes.readiness.samplers.rabbitmq.enabled
  • shared.probes.readiness.samplers.centraldb.enabled (Cloud only)
  • shared.probes.readiness.samplers.indexerDataFolderDiskUsage.enabled
  • shared.probes.readiness.samplers.indexerDataFolderDiskUsage.threshold 
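
The parameters above expressed as a system.yaml fragment. This is an added example, not a fragment taken from the JFrog documentation or from an Xray distribution: the key paths are the ones listed above, but the values shown, the reading of each sampler (a disabled sampler is simply skipped by the readiness check) and the unit of the threshold (percent of the indexer data folder in use) are assumptions.

```yaml
# Added example (not JFrog's own system.yaml): readiness-probe samplers in Xray 3.27.3+.
# Values and comments are assumptions; only the key paths come from the release notes.
shared:
  probes:
    readiness:
      samplers:
        database:
          enabled: true        # assumed: readiness fails while the Xray DB is unreachable
        rabbitmq:
          enabled: true        # assumed: readiness fails while RabbitMQ is unreachable
        centraldb:
          enabled: false       # Cloud only per the release notes; assumed off for self-hosted
        indexerDataFolderDiskUsage:
          enabled: true        # assumed: readiness fails when the indexer data folder fills up
          threshold: 85        # assumed percent-used value; the default is not stated on this page
```

A readiness probe is what an orchestrator or load balancer uses to decide whether a node may receive work, so disabling a sampler hides an outage of that dependency from the probe rather than fixing it. Keep samplers enabled unless the dependency is intentionally absent, as centraldb is on self-hosted installations.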

Xray 3.27.4

Released: July 13, 2021 

Resolved Issues

JIRA Number  Description
XRAY-7694    Fixed an issue whereby sorting by Severity did not work properly in the Xray Security tab.
XRAY-7984    Fixed an issue whereby the Xray trial license failed from version 3.27.x.


Xray 3.26

This section includes all of the Xray version 3.26 releases.

Xray 3.26.1

Released: June 10, 2021

Highlights

Xray's Garbage Collector (GC) feature avoids race conditions between the delete and create events sent by Artifactory, mainly when moving artifacts and promoting images. The feature is active by default and is controlled by the deleteMode parameter ('gc' or 'eager') in the Xray System YAML.
You can manage the Garbage Collector through a set of REST APIs, for example to get the GC status or force a GC run. For more information, see Garbage Collector (GC) REST APIs.

Resolved Issues

JIRA Number  Description
XRAY-7634    Fixed an issue whereby the Export Component Details REST API did not work properly with identical Docker images that had different tags.
XRAY-7587    Fixed an issue whereby, in some cases, after a force reindex, vulnerabilities and violations were not displayed for scanned builds or newly indexed Docker images.
XRAY-7316    Fixed an issue whereby Xray did not scan builds whose name contained ">".
XRAY-7030    Fixed an issue whereby Xray did not find and display violations in a build whose name contained special characters such as "/" or "\".
XRAY-6682    Fixed an issue whereby the URL provided in the Xray build scan results used by CI integrations did not point to the specific build in the Xray data tab.
XRAY-6405    Fixed an issue whereby, in some cases, updating system parameters using the REST API deleted the jsFilesBatch parameter.
XRAY-6153    Fixed an issue whereby, in some cases, the Xray data tab security export contained duplicated rows in PDF, CSV, and JSON formats.
XRAY-7613    Fixed an issue whereby, in some cases, Xray failed to scan a build containing a Golang package with a replaced go.mod.
XRAY-7694    Fixed an issue whereby sorting by Severity did not work properly in the Xray Security tab.
XRAY-7683    Fixed an issue whereby upgrading Xray from version 2.x to 3.x failed when an XUC component filename was longer than 255 characters.
XRAY-7559    Fixed an issue whereby requesting an artifact's dependency graph in a repository by path using the GetArtifactDependencyGraph REST API returned incorrect results.

Xray 3.25

This section includes all of the Xray version 3.25 releases.

Xray 3.25.1

Released: May 27, 2021

Feature Enhancements

Watches and Reports REST APIs Enhancements for Projects

Added support for Projects when creating a report or Watch for the Build resource in the Watches V2 REST APIs and Reports REST APIs.  

Resolved Issues

The resolved issues now include the associated JIRA number to help you track the issues fixed in each release.

JIRA Number  Description
XRAY-7570    Fixed formatting issues in the open metrics log and the Metrics REST API.
XRAY-7496    Fixed an issue whereby, when failing a build, the scan report included both ignored and active violations. The build scan report now includes only active violations.
XRAY-7482    Fixed an issue whereby some over-long log messages were hard to read.
XRAY-7101    Fixed vulnerability CVE-2020-28852.
XRAY-7585    Fixed an issue whereby Xray scanning of Alpine packages sometimes produced false positives when the package version was a release candidate.
XRAY-7586    Fixed a security vulnerability related to the xz package for Go.
XRAY-7362    Fixed an issue whereby Xray failed to index an artifact containing a file with the .apk suffix.

Xray 3.24

This section includes all of the Xray version 3.24 releases.

Xray 3.24.2

Released: May 2, 2021

Highlights

Distroless Scanning

Xray can now scan Google Distroless images, which contain only your application and its runtime dependencies.

Red Hat Vulnerability Scanner Certification

JFrog Xray is now certified under the Red Hat Vulnerability Scanner Certification. The certification recognizes Xray as a trusted Red Hat security partner, enabling consistent and more accurate processing of Red Hat products and packages and reporting of their vulnerabilities, minimizing false positives and other discrepancies.

Feature Enhancements

Impact Analysis Performance Improvements

Improved the Impact Analysis performance significantly reducing the database server CPU and I/O levels.

Red Hat Packages Enhancements

Improved Red Hat packages scanning to support CPE matching to enhance Red Hat vulnerabilities detection. Xray also supports Red Hat Modules for better scanning of Red Hat OS packages.

Go Version Upgrade

The Go version bundled with Xray has been upgraded to 1.16.1, resolving the security vulnerability described in CVE-2021-27918.

PostgreSQL Version Bundling

Xray's bundled PostgreSQL has been updated to PostgreSQL 13.x.

Resolved Issues

JIRA Number  Description
XRAY-7347    Fixed vulnerability CVE-2021-27918.
XRAY-6979    Fixed vulnerability CVE-2020-26160.

Xray 3.23

Released: April 22, 2021

Feature Enhancement

REST API Related Performance Improvement

Improved the performance when running the Scan Build API.

Resolved Issue

JIRA Number  Description
XRAY-6123    Fixed an issue whereby, under certain circumstances, the DB size increased unexpectedly after the DB sync.

Xray 3.22

This section includes all of the Xray version 3.22 releases.

Xray 3.22.1

Released: April 7, 2021

Feature Enhancements

Limit Storage Space Used by Indexer

You can now limit the storage space used by the Indexer microservice during concurrent downloads and extraction of artifacts. This ensures that used storage does not exceed the default limit of 80% of the allowed disk usage.
To enable this, set the server.enableVirtualStorageManager parameter to true in the Xray System YAML file.

Resolved Issues

JIRA Number  Description
XRAY-6998    Fixed an issue whereby, when running a history scan on a Watch, the artifacts' scanned time was not updated.
XRAY-6940    Fixed an issue whereby, when several files were deleted in the same directory inside a Docker container, Xray sometimes reported false positives on the deleted files.
XRAY-6826    Fixed an issue whereby the UI configuration to stop email notifications did not work properly.
XRAY-6744    Fixed an issue whereby false-positive security violations were generated for Maven Red Hat versions.
XRAY-6439    Fixed an issue whereby the link provided in the Watch notification e-mail for violation alerts was incorrect.
XRAY-7349    Fixed an issue whereby Red Hat generated incorrect CPEs for vulnerabilities related to alt-Linux, causing Xray to report false positives. Xray now matches .el7a version suffixes only with .el7a versions.

Xray 3.21

This section includes all of the Xray version 3.21 releases.


Xray 3.21.2

Released: March 31, 2021

The new features introduced in this release require Artifactory version 7.17.4 and above.

Highlights

Xray in Projects
CLOUD: Enterprise | Enterprise+  SELF-HOSTED: Enterprise | Enterprise+

Use Xray capabilities in the scope of JFrog Projects. JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. Offload and delegate Xray tasks to the different personas in your organization, such as assigning Xray security management capabilities to Project Admins on the scope of their specific projects. For more information, see Projects.

Xray CVSS v3 Scoring Support

Xray now supports CVSS v3 scoring in addition to CVSS v2 scoring, keeping Xray's vulnerability scoring up to date with the latest universally standard severity ratings. For more information, see CVSS Scoring in Xray.

Xray Conan and C/C++ Support

Xray can now scan Conan packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build. For more information, see Conan and C/C++ Support in Xray.

Feature Enhancements

Xray UI Changes

The Xray UI in the JFrog Platform has changed to create a better division of Xray tasks reflecting the different tasks by persona. Management and creation of Watches and Policies have been moved to the Administration module, as these are tasks usually performed by the administrators or users with special privileges. The Watch Violations and Reports are in the Application module. 

Resolved Issues

JIRA Number  Description
XRAY-7211    Fixed an issue whereby impactPathsDao.RemoveImpactPathByIds passed too many arguments to PostgreSQL.
XRAY-7299    Fixed an issue whereby the Xray Analysis Log contained too many error messages when a very long license string was extracted from a file during reindexing.
XRAY-7227    Fixed an issue whereby the Scan Build REST API returned vulnerabilities and failed the build, while the Xray data tab in the UI showed no violations.
XRAY-7193    Fixed an issue whereby, in some cases, Xray crashed when the DB sync contained a vulnerability with a large amount of data.
XRAY-6593    Fixed an issue whereby exporting data in CSV format produced less data than in JSON format.
XRAY-7257    Fixed an issue whereby Xray issued errors when a user's permission target was empty.

Xray 3.18

Released: March 2, 2021

Xray versions 3.18.x and lower are not compatible with Artifactory version 7.17.4 and above. You need to upgrade to Xray 3.21.2.

Feature Enhancements

PostgreSQL Version Support

PostgreSQL 13 is certified to be used with Xray 3.x and above.

Resolved Issues

JIRA Number  Description
XRAY-7048    Fixed an issue whereby the Xray server service could run out of memory when an Impact Analysis update affected a large number of artifacts.
XRAY-7068    Fixed an issue whereby, in some cases, a Docker image was not indexed by Xray due to a runtime error.
XRAY-7006    Fixed an issue whereby the Impact Analysis process triggered when a new license (from the Xray Global Database) was added to a component during DB Sync was slow.
XRAY-6741    Improved the indexing of RPM packages by adding support for scanning the LZMA compression format.
XRAY-6188    Fixed an issue whereby Xray created new files and directories with the most permissive mode (777). Xray now creates new files with mode 660 and new directories with mode 770.
XRAY-7058    Fixed an issue whereby the Impact Analysis queue kept growing when there were many Red Hat-based Docker images.

Xray 3.18.1

Released: March 8, 2021

Resolved Issues

  1. Fixed an issue whereby, in some cases, Xray crashed when the DB sync contained a vulnerability with a large size of information.

Xray 3.18.2

Released: March 22, 2021

Resolved Issues

  1. Fixed an issue whereby, in some cases, Xray failed when validating permissions without resources.

Xray 3.17

This section includes all of the Xray version 3.17 releases.


Xray 3.17.2

Released: February 4, 2021

Highlights

REST API Open Metrics 

Added metrics related to Xray DB sync time, and total number of scanned artifacts and components. For more information, see Open Metrics.

Feature Enhancements

Go Version Upgrade

Upgraded Go version to 1.15.7 to fix security vulnerabilities.

Impact Path Data in Reports

You can now view the Impact Path data in the Due Diligence Report in the Get Due Diligence Report Content REST API and JSON and CSV outputs.

Scan Build REST API Permissions

The Scan Build REST API no longer requires Admin permissions, only Manage Xray Metadata permissions.

Resolved Issues

JIRA Number  Description
XRAY-6955    Fixed an issue whereby, in the Builds UI page, when a build number contained characters in the build name, the build status did not show as scanned after the build was scanned.
XRAY-6795    Fixed an issue whereby, in some cases, the DB initial sync unexpectedly paused.
XRAY-6708    Fixed an issue whereby violations were not created when the database server was down or some database failures occurred.
XRAY-6887    Reduced exposure to CVE-2020-29652.
XRAY-6883    Reduced exposure to CVE-2020-26160.
XRAY-6257    Fixed a security issue whereby indexing an artifact could cause a denial of service (DoS) or overwrite an OS file.
XRAY-6820    Fixed an issue whereby a violation with multiple sources could not be ignored by an Ignore Rule with a specific component or component version. Requires Artifactory version 7.15.0 and above.
XRAY-6912    Fixed an issue whereby ignoring a violation using the artifact filter in the artifacts/watches screen did not ignore the violation when the artifact existed in multiple repositories/paths and contained violations.



Xray 3.17.4

Released: February 17, 2021

Resolved Issues

JIRA Number  Description
XRAY-6921    Fixed an issue whereby, in a SaaS environment, an error was issued for an empty package.json in an npm audit.
XRAY-7031    Fixed a performance issue that resulted in extensive disk access.
XRAY-6515    Fixed an issue whereby Xray incorrectly detected a CPL license as a CPAL license.



Xray 3.16

Released: January 21, 2021

Highlights

New REST API to Restore Ignored Violations 

Introduced a new Restore Ignored Violations REST API, which allows you to restore violations that were ignored due to defined Ignore Rules.

Feature Enhancements

Impact Path Data in Reports

You can now view the Impact Path data for Vulnerabilities and Violations reports in JSON and CSV outputs.

Time-based Ignore Rule Filter for REST API

Filter the Ignore Rules by expiration date using the Get Ignore Rules REST API, for example to list time-based rules that expire before or after a specific date. You can also sort Ignore Rules by expiration date.

View Ignored Violations in the Violations Report

You can view ignored violations data in the Violation Report including the Ignore Rule ID that can be used in REST APIs.

Resolved Issues

JIRA Number  Description
XRAY-6675    Fixed an issue whereby the report progress displayed an incorrect percentage.
XRAY-6802    Upgraded Go to version 1.15.6 to resolve security vulnerabilities in prior versions.
XRAY-6855    Fixed an issue whereby scanning Docker image-based builds, in some cases, failed with a timeout.
XRAY-6856    Fixed an issue whereby, in some cases, migrating from Xray 2.x to 3.x on large environments failed due to a timeout or memory exception.


Xray 3.15

This section includes all of the Xray version 3.15 releases.


Xray 3.15.1

Released: December 30, 2020

Feature Enhancements 

Sizing Improvement 

Improved the performance of the Xray Data tab in the UI.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-5560    Fixed an issue whereby, in some cases, assigning a custom license failed and the component was assigned an unknown license.
XRAY-3988    Fixed an issue whereby Microsoft custom freeware licenses were not recognized by Xray.
XRAY-6054    Fixed an issue whereby, in some cases, when scanning Debian/Ubuntu components, Xray reported vulnerabilities on all affected versions.
XRAY-6786    Fixed an issue whereby vulnerabilities were not reported on some Debian packages if they were first uploaded as independent packages.
XRAY-6776    Fixed an issue whereby DB Sync was not triggered after Xray was down or restarted in a SaaS environment.
XRAY-6780    Fixed an issue whereby an email notification was sent twice when both the Notify Mail and Notify Watch Recipients options were configured with the same email in a policy.
XRAY-2560    Fixed an issue whereby, in some cases, Xray did not index new files due to events remaining in the event_states DB table.
XRAY-6220    Fixed an issue whereby Xray did not scan Python packages that were installed inside a Docker image using the pip client.
XRAY-602     Fixed an issue whereby, in some cases, the build scan triggered duplicate notifications.

Xray 3.15.3

Released: January 7, 2021

Feature Enhancements

Xray Violations and Vulnerabilities reports now include additional information regarding the severity received from the Red Hat OS advisory board. This information will be included in the CSV and JSON export formats of the reports.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6793    Fixed an issue whereby the Xray database disk space significantly increased after upgrading to Xray version 3.x.
XRAY-6824    Fixed an issue whereby, in some cases, the Watches page did not load correctly.



Xray 3.14

This section includes all of the Xray version 3.14 releases.


Xray 3.14.1

Released: December 22, 2020

Feature Enhancements

PostgreSQL Driver Upgrade

Upgraded PostgreSQL driver to the latest version.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6727    Fixed an issue whereby, in some cases, errors in MDS update queues were not handled correctly and caused unnecessary retries.
XRAY-6711    Fixed a memory leak that occurred when using Basic Authentication, most likely under heavy use of Xray APIs with Basic Authentication.
XRAY-3652    Fixed an issue whereby Xray detected false positive vulnerabilities on openSUSE components.
XRAY-5962    Fixed an issue whereby an access token generated by a user who belonged to an admin group did not work properly.
XRAY-6758    Fixed an issue whereby Xray consumed high CPU and memory when analyzing certain artifact file structures.
XRAY-6763    Fixed an issue whereby Xray failed builds that contained ignored violations.
XRAY-6685    Improved the handling of cases where a violation occurs on multiple components in the binary and the Ignore Rule is set only on a subset of these components. Prior to the fix, the system did not correctly indicate on which components the violation was ignored and on which it was not.

Xray 3.14.3

Released: December 29, 2020

Resolved Issue

  1. Fixed an issue, whereby the Xray database disk space significantly increased after upgrading to Xray version 3.x.

Xray 3.13

Released: December 8, 2020

Feature Enhancements

Ignore Rules Enhancements

Time-based Ignore Rule

A time-based Ignore Rule lets you set an expiration date for an Ignore Rule, so that the violation is ignored until the rule expires. Once that period expires, the Ignore Rule is deleted automatically, and if the violation occurs again it is no longer ignored. For more information, see Ignore Rules. This feature is also supported through the REST API, as described in IGNORE RULES REST API.

Ignored Violations Stored in the DB

All ignored violations are now stored in the DB which enables you to view all ignored violations on the artifact, build, and Release Bundle level.

UI Enhancements

The UI now provides more information about an ignored violation in the different screens, including in the violations list for an artifact, build, and Release Bundle.

Requires Artifactory 7.12.0 and above

Some of the Ignore Rules enhancements require Artifactory 7.12.0 and above. Artifactory 7.12.0 is not yet available and will be released soon.


Export Components Details API Enhancement

Added the include_ignored_violations parameter to the Export Component Details REST API. When set, the response includes the Ignore Rule ID per matched policy.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-5875    Fixed an issue whereby adding a custom license to packages with empty archive packages failed.
XRAY-5816    Fixed an issue whereby, when the severity level of a vulnerability was updated and a violation was created from it, Xray created a new violation instead of updating the existing one.
XRAY-4575    Fixed an issue whereby Xray failed to index corrupted tar.gz archive files.
XRAY-4767    Improved performance in many cases where the component graph is required for processing, for example when processing vulnerability updates from the central database.
XRAY-6705    Improved performance of the license analysis process in cases where a database update is not necessary.
XRAY-6607    Fixed an issue whereby, in some cases, the Xray data tabs took a while to load.


Xray 3.13.3

Released: 17 December 2020

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6758    Fixed an issue whereby Xray consumed high CPU and memory when analyzing certain artifact file structures.
XRAY-6763    Fixed an issue whereby scan-build reports were not cleared from ignored violations.

Xray 3.12

Released: November 29, 2020

Feature Enhancements

Improved Indexer Functionality 

Enhanced the indexer functionality with improved classification of artifacts and identification of complex cases, such as identifying inner components within other components.

This enhancement resolves the following issues: XRAY-5380, XRAY-6032, XRAY-6023, XRAY-5601, XRAY-5200, XRAY-5022, XRAY-4551, XRAY-4540, XRAY-4505, XRAY-4081, XRAY-2167, XRAY-5355, XRAY-5448, XRAY-5786, XRAY-5694, XRAY-5534, XRAY-3716, XRAY-6583, XRAY-6441, XRAY-5449.

Build Scanning Improvement

Improved the build scanning process: Xray now downloads from Artifactory only those build artifacts that it can scan, saving resources and time.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-5550    Fixed an issue whereby, after installing Xray from scratch, it took Xray 5 minutes to fetch the Platform Proxy and Mail Configuration, which caused Xray to ignore this configuration and fail in tasks that depend on it.
XRAY-6419    Fixed an issue whereby, in some cases, Xray reported kernel vulnerabilities on Debian/Ubuntu user-space packages.
XRAY-6376    Fixed an issue whereby creating a Support Bundle was unsuccessful when generating it took over 30 seconds.
XRAY-6231    Fixed an issue whereby the Violation summary page did not display all the infected components related to the violation. The fix requires Artifactory 7.11.0 and above.
XRAY-4124    Fixed an issue whereby, when exporting violations for an artifact or a build, the component data was missing the component version.
XRAY-3472    Fixed an issue whereby the PostgreSQL vacuum configuration did not work when Xray was in an HA setup.
XRAY-6284    Fixed a stored XSS (Cross-Site Scripting) vulnerability.
XRAY-6250    Fixed an issue whereby, in some cases, Xray was unable to sync the security configuration to disable anonymous access.
XRAY-6224    Fixed an issue whereby the Update Watch API failed when all-builds was selected for that watch.
XRAY-6598    Added an option to mark certain components for reevaluation during scanning instead of reusing former scan results.
XRAY-6638    Fixed an issue whereby permissions defined on Build resources did not work.
XRAY-6610    Fixed an issue whereby the daily DB Sync process might not complete and could cause load on the DB if stopped in the middle of the process in HA, SaaS, or K8s environments.

Xray 3.11

Released: November 8, 2020

Refrain from Upgrading to 3.11 and 3.11.1

A critical issue was identified in versions 3.11 and 3.11.1 (XRAY-6597). This issue was fixed in version 3.11.2; we recommend upgrading directly to 3.11.2.


Highlights

Violations Report

Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope. Violation information includes the type of violation, impacted artifacts, and severity.

The Violations report is available with Artifactory version 7.10.6 and above.

Feature Enhancements

Ignore Rules 

Enhanced the Ignore Rules feature, including the ability to set the granularity of a defined Ignore Rule. All of the Ignore Rule functionality is supported via the REST API.

These enhancements require Artifactory version 7.10.5 (available) or above.

To learn more, see Ignore Rules.

New Connection Parameters in the Xray system YAML

Added support for the following two new parameters in the Xray system YAML:

  • maxLifetimeSecs: The number of seconds to allow a connection to be alive before a connection is recycled and another connection is established in its place.
  • maxIdleSecs: The number of seconds a connection may be in idle mode before it is closed.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6565    Fixed an issue whereby a build number that contained a colon was not scanned in Xray.
XRAY-6493
XRAY-6517    Fixed an issue whereby, in some cases, the DB sync failed to update database rows.
XRAY-6454    Fixed an issue whereby, in some cases, Xray did not recognize the licenses of some RPM packages.
XRAY-6232    Fixed an issue whereby the Impact Analysis sometimes ignored messages in case of errors, which caused some information loss.
XRAY-5291    Fixed an issue whereby build selection in the Watch configuration and in the report definition was very slow when a large number of builds was available.
XRAY-4323    Fixed an issue whereby Xray failed to add custom licenses to components due to a race condition in the code.
XRAY-3412    Fixed an issue whereby indexing all repositories sometimes failed when there was a large number of repositories.
XRAY-3104    Fixed an issue whereby the Analysis microservice failed to process some messages due to panic errors.
XRAY-6275    Performance improvements to reduce the load on the database.
XRAY-6501    Fixed an issue whereby, in some cases, Xray misclassified RPM packages as generic packages.
XRAY-6265    Fixed an issue whereby the Persist and Analysis processes in some cases crashed due to high memory consumption.
XRAY-6247    Added a configurable limit for the number of rows that appear in a report. The default limit is 100,000 rows for each report.

Deprecated CommonName Field on X.509 Certificates

Disabled using the CommonName field of X.509 certificates as the host name when the certificate does not include Subject Alternative Names. Certificates presented to Xray must therefore carry the host name in a Subject Alternative Name.


Xray 3.11.1

Released: November 9, 2020

Resolved Issues

  1. Fixed an issue, whereby Xray Docker Compose was pointing to an incorrect Docker Registry.

Xray 3.11.2

Released: November 11, 2020

This version of Xray replaces 3.11 and 3.11.1. 

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6597    Fixed an issue whereby, when a call to an Xray endpoint that requires authentication was made with bad credentials, consecutive API calls, even with good credentials, might fail as well.
XRAY-6274    Fixed an issue whereby duplicate Metadata server update events were created, causing redundant load on internal systems such as RabbitMQ, PostgreSQL, and MDS.
XRAY-6591    Fixed an issue whereby lack of data sanitization sometimes led to SQL injection.



Xray 3.10

This section includes all of the Xray version 3.10 releases.


Xray 3.10.3

Released: October 22, 2020

Highlights

Alpine Package Support in Xray

Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. 

Feature Enhancements

Python Package File Format Support

Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats.

Support PHP files in *.tar Archives

Xray now supports PHP files inside *.tar archives.

New Metadata REST API 

Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server.

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

JIRA Number  Description
XRAY-6196    Fixed an issue whereby Xray did not process rules in a policy according to their order.
XRAY-6181    Fixed an issue whereby the Index Existing option did not work properly for RPM packages.
XRAY-6127    Fixed an issue whereby, if a PostgreSQL password was not escaped correctly in the Xray system YAML file, it appeared in the Xray console log.
XRAY-6076    Fixed an issue whereby, when upgrading from Xray version 2.x to 3.x, the data migration failed when one of the Docker layers previously scanned by Xray contained "fslayers" with the prefix "tarsum.v1+sha256:" in the Docker manifest.json.
XRAY-5271    Fixed an issue whereby not all license violations were created when the same watch had more than one license policy.
XRAY-6371    Fixed an issue whereby scan build might take longer than usual when the build's artifacts contained many references.
XRAY-6418    Fixed an issue whereby, in some extreme cases, a message could cause Xray to crash. A mechanism was added to prevent such messages from repeatedly crashing Xray.
XRAY-6446    Fixed an issue whereby, in some cases, scan builds did not detect any violations when the build should have failed.
XRAY-6281    Fixed an issue whereby, when searching for violations by a number of days, the search returned all violations.
XRAY-6372    Fixed an issue whereby two builds with the same Docker images returned different violations.
XRAY-6417    Fixed an issue whereby certain corrupted ELF files caused the Indexer to fail.
XRAY-6449    Fixed an issue whereby, in some cases, the API /xray/ui/userIssues/details ended with a 500 Server Error due to long processing.
XRAY-6475    Fixed an issue whereby, in some cases, Xray initiated a full DB sync even when it was not needed.

Xray 3.9 

This section includes all of the Xray version 3.9 releases.


Xray 3.9.1

Released: October 4, 2020

Highlights

Due Diligence Licenses Report

Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. 

DB Sync Improvements 

Improved initial vulnerabilities database synchronization by 92%. The total time is down to less than one hour with minimum Xray system requirements.

Resolved Issues

  1. Fixed an issue whereby, in some cases, Docker layer descendants were not displayed in the UI.
  2. Fixed an issue whereby, if violations were found, webhooks were not triggered when the Fail Build option was enabled.
  3. Improved the Xray request log format to align with the JFrog Platform standards. If you have automation based on the old format, make sure to update it accordingly.
  4. Improved Xray performance when responding to requests from Xray IDE plugins.
  5. Improved the database connection pool configuration by reducing the default number of idle connections to the database to 5. The system YAML parameter names have been changed to support this enhancement; the old parameter names are still supported for backward compatibility. For more information, see Xray System YAML.


Deprecated APIs

The following APIs are not supported starting from Xray version 3.9.1:

/ui/api/v1/xray/api/v1/projects/<project_name>/notes/*

v1alpha1/projects/{projectsId}/occurrences


Xray 3.8

Released: August 13, 2020

Highlights

Vulnerabilities Report

You can now create and generate a Vulnerabilities Report that gives you a visual representation of the vulnerabilities found in your artifacts, builds, and release bundles. Narrow down the data you want to see by setting a specific scope and advanced filters to display exactly what you want to analyze. A new Reports page is now part of the JFrog Platform, where you can create, generate, and perform various actions on reports, including exporting to PDF, JSON, and CSV file formats for further analysis. The Vulnerabilities report is also supported by the REPORTS REST APIs.

This report type is the first of the Xray Reports feature that was introduced in this release. Other report types are planned for future releases that will provide you with further capabilities. 

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.

Multiple License Permissive Approach

The new Multiple License Permissive Approach gives you more flexibility at the policy level: you can configure a more permissive approach that allows components with at least one permitted license to pass without triggering a violation, even if some of their other licenses are not allowed.

Dedicated Features that Require Artifactory

The Vulnerabilities Report, the Manage Reports User Role, and the Multiple License Permissive Approach features all require Artifactory version 7.7.0 and above on the Cloud, and version 7.7.3 and above On-Prem.

System Metrics Information API and log

Xray has been enhanced to support open metrics. A new Metrics API has been added that returns metrics in the Open Metrics format. A new metrics-related log file, xray-{microservice}-metrics.log, was added to the file system.

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.8.x.

Feature Enhancements

Go Version Upgrade

The Go version with Xray has been upgraded to version 1.14.6, solving some security vulnerabilities described in CVE-2020-15586.

PostgreSQL Version Support

Xray is now certified to run with PostgreSQL versions 11.x and 12.x.

Resolved Issues

  1. Fixed an issue whereby the IU-Extreme-1.1.1 license URL was incorrect.
  2. Fixed an issue whereby, after a DB Sync failure, DB Sync kept reading the same faulty bundle instead of downloading fixed bundles.
  3. Fixed an issue whereby Debian OS packages were named by "Source" instead of "Package".
  4. Fixed an issue whereby the Get Component List Per Watch API required Admin permissions, preventing non-admin users from calling this REST API. A new Manage Reports user role was added to enable you to use this API.
  5. Fixed an issue whereby the Find Component by CVE API did not return results for users with read permissions. A new Manage Reports user role was added to enable you to use this API.
  6. Fixed an issue whereby Xray did not send e-mail notifications to watch recipients when violations were found.
  7. Fixed an issue whereby the Alert worker consumed an excessive amount of memory.
  8. Fixed an issue whereby RPM Docker images were stuck in the indexing stage in an infinite loop.
  9. Improved the RabbitMQ clustering logic.


Xray 3.8.2

Released: August 23, 2020

Due to a known bug in this version, we recommend you upgrade to version 3.8.5.

Feature Enhancements

Add Builds to Indexing Configuration API

A new Add Builds to Indexing Configuration API has been added to Xray REST API that enables you to add new builds by only providing the new build names to the list of builds selected for indexing.

Archive Installer Improvements

Install as a service was modified to use systemd scripts on systemd-supported machines.

PostgreSQL Version Bundling

Xray bundling with PostgreSQL has been updated to use the newer PostgreSQL version 12.x.

Resolved Issues

  1. Improved the performance of Impact Analysis processing.
  2. Fixed an issue whereby, in some cases, artifacts were not indexed and scanned properly if the database was unavailable for a period of time (e.g. database restart or failover).
  3. Fixed an issue whereby Release Bundle repository mapping caused Xray scanning to not find the files.
  4. Fixed an issue whereby there was a discrepancy in the component ID of PHP Composer packages between Artifactory and Xray. The component ID now always matches the vendor/package name in lower case.
  5. Fixed a vulnerability whereby the Xray web application prior to version 3.8.2 did not properly restrict access to the license pages, which could have allowed an unauthenticated user to obtain information about the server license.

Xray 3.8.3

Released: September 8, 2020

Xray 3.8.3 is Available as a Cloud Version

The Xray 3.8.3 release is currently available only as a Cloud version. For the On-Premise version, the 3.8.3 content is available as part of version 3.8.5. 

Feature Enhancements

License Detection Improvements

Improved license detection performance and success rate, reducing CPU utilization.

Resolved Issues

  1. Fixed an issue whereby, in some cases, viewing or exporting the licenses of an artifact led to a PostgreSQL server malfunction.
  2. Fixed an issue whereby, in some cases, PyPI package licenses inside a Docker image were not detected.
  3. Fixed an issue whereby, when scanning a component licensed under GPL-2.0 with the Classpath exception, Xray recognized it as plain GPL-2.0.
  4. Fixed an issue whereby, in some cases, RPM OS packages were indexed with the wrong epoch in Docker images. For packages that were already indexed with the wrong epoch, you can reindex them using the Force Reindex API.
  5. Fixed an issue whereby, when trying to drill down to an inner component in the impact path graph of a vulnerability or violation, a 500 error was issued. This issue affects only SaaS users with Xray version 3.8.2.
  6. Fixed an issue whereby Xray could not be set up with Azure managed PostgreSQL. A property was added to the system.yaml to support connecting to externally managed databases where the actual database username may differ from the connection username. The new property is shared.database.actualUsername.

Xray 3.8.5

Released: September 10, 2020

Resolved Issues

  1. Fixed an issue whereby, when migrating from Xray 2.x to Xray 3.x, impact path records were duplicated.
  2. Fixed an issue whereby installing Xray failed when running the wrapper scripts (RPM flavor) on AWS instances due to a PostgreSQL dependency.
  3. Fixed an issue whereby, after upgrading to 3.8.x, a full DB Sync was triggered even when it was not needed.

Xray 3.8.6

Released: September 16, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to Xray 3.x failed.

Xray 3.8.7

Released: September 25, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to 3.8.4-3.8.6 could fail.

Xray 3.8.8

Released: September 26, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to 3.8.4-3.8.6 could fail.
  2. Fixed an issue whereby the PostgreSQL binary was missing, which caused the migration to Xray 3.x to fail.

Xray 3.6

Released: June 28, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.


Feature Enhancements

Schedule Background Tasks

Xray now provides a way to schedule the DB sync background task using the Update DB Sync Daily Update Time REST API. Xray chooses a random time on startup to get daily updates from XUC. This time can be configured through the API, and restart is not required.

Prioritization of Scan Events

Xray now prioritizes the scanning of new Artifacts/Builds/Release Bundles over events originating from a history scan or a full repository scan, and provides the capability to control the number of workers for new content versus history/full repository scan using the Configuring the Workers Count REST API. Requires Artifactory version 7.6 and above.

Resolved Issues

  1. Fixed an issue whereby an error was ignored in the code when fetching the bin manager ID, which caused a nil pointer error.
  2. Fixed an issue whereby the scan-build failed when no policies, watches, and builds were configured, and an unclear message was issued.
  3. Fixed an issue with Xray REST APIs whereby the artifactory_id parameter (or path segment) that was required in Xray 2.x is no longer required in 3.x and is ignored.

Xray 3.6.1

Released: July 6, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.

This release includes all of the enhancements and resolved issues of the 3.6.0 Cloud release, including the resolved issue below. 

Resolved Issues

  1. Fixed an issue whereby Xray crashed upon starting DB sync with the proxy enabled.

Xray 3.6.2

Released: July 9, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.

Resolved Issues

  1. Fixed an issue whereby, when migrating from Xray 2.x to 3.x, an error occurred when the changed_file field value was too long in the user_components_docker_layer_changed_files table.
  2. Fixed an issue whereby, when trying to upgrade Xray, the upgrade failed if the xrayConfig field in the configuration table contained the special character %.

Xray 3.5.2

Released: June 21, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.

Feature Enhancements

Artifactory Connection Management

Improved the management of Xray's active connections to Artifactory. To reduce the load on Artifactory and improve performance, the HTTP client now limits the number of concurrent connections to Artifactory.

Repository Scan Improvement 

The process of repository indexing was enhanced. Indexing requests of Artifacts that were initiated from an index repository request are no longer persisted in the Artifactory database. This improvement reduces the network and database load in Artifactory.

Resolved Issues

  1. Fixed an issue whereby the CVE was not displayed in the PDF reports.
  2. Fixed an issue whereby a false positive was declared for RPM packages due to incorrect RPM distribution comparisons.
  3. Fixed an issue whereby Xray failed to process empty manifest.json files, preventing the .wh components from being deleted.
  4. Fixed an issue whereby the Update Builds Indexing Configuration REST API command was missing response messages.
  5. Fixed an issue whereby, when an invalid or expired license was detected by Xray, an error was logged at the debug level instead of the error level.
  6. Fixed an issue whereby, when loading a watch, ignore rules were loaded slowly.
  7. Fixed an issue whereby, when migrating from Xray 2.x to 3.x, client SSL configurations were not migrated properly.
  8. Fixed an issue whereby, in a High Availability cluster, an error occurred when reloading the config cache.

Xray 3.4

Released: May 17, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.

Highlights

Externalization of the PostgreSQL Database

From Xray 3.4, you have more control over your resource allocation and can direct Xray to use an external PostgreSQL database already in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility for maintaining and backing it up for Xray's use.

Resolved Issues

  1. Improved the performance and duration of the initial DB sync with the Xray Update Center (XUC).
  2. Fixed an issue whereby, in a number of cases, Docker pull did not work properly when a Docker remote repository was configured with the Block Download Block Unscanned Artifacts setting.
  3. Fixed an issue whereby the Impact Analysis process did not work properly due to a stack overflow error.
  4. Fixed an issue whereby Impact Analysis stopped functioning due to an out of memory issue caused by multiple infected artifacts.
  5. Fixed an issue whereby Xray stopped functioning when indexing RPM files due to high memory consumption causing an out of memory issue.
  6. Fixed an issue whereby a connection deadlock occurred when the number of workers was larger than the number of connections.
  7. Fixed an issue whereby applying a watch for a history scan triggered scans on all watches.
  8. Fixed an issue whereby, under certain rare circumstances, Artifactory would disconnect from Xray during a periodic license check.
  9. Fixed an issue whereby, when exporting data in Xray, the displayed results were inconsistent across the JSON, PDF, and CSV file formats: the CVE was not displayed in the PDF and CSV files.
  10. Fixed an issue whereby, after migrating from Xray 2.0 to Xray 3.0, stored messages were not passed correctly during migration, and retrying the messages in Xray 3.0 did not work properly.
  11. Fixed an issue whereby a component persist did not work due to character limit constraints.
  12. Fixed an issue whereby an invalid memory address or nil pointer error was issued when indexing Go packages in Xray.
  13. Fixed an issue whereby the Artifact Summary REST API returned an issues response for components that did not contain a ComponentID.
  14. Fixed an issue whereby fetching all watches from the database overloaded the database.
  15. Fixed an issue whereby, upon installation, the initial Xray URL was defined incorrectly with the /xray path.
  16. Fixed an issue whereby, under certain circumstances, an empty license was added when indexing NuGet packages.
  17. Fixed an issue whereby a number of Python packages were not indexed properly in Xray.

Xray 3.3

Released: April 22, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry. To learn more, click here.

Feature Enhancements

Force Full Reindex of Existing Components REST API

The new Force Reindex REST API command allows you to easily reindex artifacts that were indexed in the past. This is useful if you would like to rescan artifacts containing package types that were not supported in the past but are now, for example Go packages, Python packages inside Docker images, or Alpine OS packages.

Added Manual Linux Archive Installation

You can now install Xray using a Linux Archive installer in addition to the existing options, giving you more control over how to set up your environment. For more information, see Manual Linux Archive Installation.

Added Dedicated Policy REST API V.2 Commands

Xray now supports Policy REST API commands in both V.1 and V.2. The V.2 commands support blocking Release Bundles and notifying Watch recipients and file deployers.

Resolved Issues

  1. Fixed an issue whereby all partnership integrations that were deprecated in previous Xray versions (Xray 1.x and 2.x) were displayed in the Integrations page in the UI. From version 3.3, the deprecated integrations are automatically removed when upgrading to Xray 3.x, including all the vulnerabilities in the database related to the deprecated integrations.
  2. Fixed an issue whereby the CVE IDs were missing from the JSON Security report.
  3. Fixed an issue whereby, when sorting component vulnerabilities in the Security tab by Severity, all the vulnerabilities were tagged with the "High" severity.
  4. Fixed an issue whereby, after upgrading to Xray version 3.2.0, Xray did not start due to database migration issues.
  5. Fixed an issue whereby the graph located under the Xray Data | Descendants or Ancestors tab did not display for Debian packages.
  6. Fixed an issue whereby impact analysis for Gems packages was not functioning.
  7. Fixed an issue whereby, when running the Get Policy REST API command, all severities were retrieved regardless of whether the minimum severity was defined as Low, Medium or High.
  8. Fixed an issue whereby the DB sync did not perform impact analysis on NuGet packages.
  9. Fixed an issue whereby configuring a Watch with a MIME type filter did not function for .gz and .7z file types.
  10. Fixed an issue whereby custom issues could not be assigned to Debian packages in the UI.
  11. Improved the performance of loading the Watches and Policies pages in the Web UI.
  12. Improved performance when running the Get Violations REST API command to retrieve a list for a specific watch from a database containing millions of violations.
  13. Improved Debian package vulnerability detection based on the Distribution property that the user needs to provide when deploying Debian packages to a local repository in Artifactory.
  14. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that had previously been deleted in Artifactory. Such repositories and builds are now automatically removed from the Watch when it is saved.
  15. Fixed an issue whereby Xray Server suffered from a memory leak during NPM audit.
  16. Fixed an issue whereby, when running NPM audits with Xray, the vulnerabilities were added by Xray with unavailable VulDB links as their sources.
  17. Reduced the load on the PostgreSQL database during scanning.
  18. Fixed an issue whereby scanning Docker images for potentially infected JavaScript files heavily impacted the database.
  19. Fixed an issue whereby Support Bundles returned request logs that excluded Xray logs.
  20. Improved performance when running the Update Watch REST API v.2 command with thousands of watches in an HA environment.

Xray 3.2

Released: February 23, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry.

Resolved Issue

  1. Fixed an issue whereby Xray analysis failed due to an out-of-memory condition caused by duplicated user-component licenses.

Xray 3.2.3

Released: March 30, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry.

Resolved Issue

  1. Fixed an issue whereby Xray failed to connect to Artifactory when trying to assign an Xray trial license.

Xray 3.0

Released: January 12, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry.

Deprecated Features

Xray 3.0 deprecates several features. Also read about the features that are currently out of scope and will be made available in a forthcoming release.

Breaking Changes

Refer to the list of breaking changes in Xray before upgrading.

REST API Changes

Refer to the list of REST API changes in Xray before upgrading.

Important: The JFrog Platform web UI is now accessed through port 8082 (for example, http://SERVER_HOSTNAME:8082/ui/). Accessing Xray directly for REST API calls and downloads is still possible through port 8081.

Highlights

JFrog Platform

Announcing the new JFrog Platform, designed to provide developers and administrators with a seamless DevOps experience across all JFrog products, supporting the following main features:

  • Universal package management with all major packaging formats, build tools, and CI servers.
  • Security and Compliance that is fully integrated into the JFrog Platform, providing full trust in your pipeline from code to production.
  • Radically simplified administration with all configurations in one place.
  • Complete trust in your pipeline all the way from code to production.
  • Seamless DevOps experience from on-prem, cloud, hybrid or multi-cloud of your choice.

JFrog Platform New Functionalities

System Architecture

Xray 3.0 is now part of the JFrog Platform Deployment (JPD), which defines a single logical unit shared by all JFrog products. The process of pairing Xray with the JPD has been simplified and now requires only the JPD URL and a shared secret (the join key).

Xray system.yaml

This release introduces a new system configuration file, allowing system configuration to be handled externally to the application, before or after the installation process.

Installation and Upgrade

Xray 3.0 comes with a new installer, which affects the installation and upgrade procedures. As part of the new installers, the file structure was changed and is now aligned with the other JFrog products. When upgrading to the JFrog Platform, Xray must be connected to only a single Artifactory instance. If you have a single Xray instance connected to multiple Artifactory instances, you will need to split your Xray instance into multiple instances before upgrading Artifactory and Xray.

Additional enhancements:

  • The new Docker installer has been improved and now supports setting the uid/gid of the Xray container and image.
  • The new system architecture includes a new system.yaml configuration file which provides the option of silent installation.

Unified Permission Model

This version unifies all JFrog product permissions, allowing easier permission management across all products from one unified UI. The Unified Permission Model enables you to create a single permission target that applies to all products installed in the JFrog Platform, so that one permission target controls the permissions of every product.

Unified User Interface

This version introduces a new UI that is unified for the entire JFrog Platform, including all JFrog products. If you are using Artifactory and other JFrog products such as JFrog Xray, JFrog Distribution, JFrog Mission Control and JFrog Insights, you will now be able to access them all from within a single UI with one URL. Xray data is located within each of your resource pages, allowing you to quickly review the status of your scanned resources: Packages, Builds, Artifacts or Release Bundles. The changes to the Artifactory UI are documented separately.

Logging

All JFrog products now follow a standardized logging format and naming convention.

Feature Enhancements

Removed the MongoDB Database

The MongoDB database used by Xray prior to the Unified Platform is no longer required (except during the data migration process). If you are upgrading to the new JFrog Platform, your data will automatically be migrated to PostgreSQL as part of the upgrade process.

Release Bundles Scan

In addition to scanning repositories and builds, the Unified Platform now allows Xray 3.0 to scan Release Bundles for vulnerabilities and license compliance. You can now protect your releases by defining policies and watches on your Release Bundles. Policy violations can block the distribution of a Release Bundle.

Configure Indexed Resources Using Patterns

You now have more flexibility when configuring Xray indexed resources by using Exclude or Include Patterns for Builds and Release Bundles.

Configure Watch Scope Using Patterns

You now have more flexibility when configuring the Watch resources scope of repositories, builds and Release Bundles by name or using Exclude/Include patterns.

Dedicated Security and Compliance Search Experience

Xray 3.0 introduces a new Security and Compliance Search, part of the new Global Search Experience in the JFrog Platform. You can now search for specific vulnerability and license compliance information by resource name, CVE number, license, severity level and scan date range.

Issues Resolved

  1. Xray now collects "branch" information for Alpine components and vulnerabilities.
  2. Xray now displays an ignored violation upon creation.
  3. Security improvements to Xray-related Docker base images.
  4. Fixed an issue whereby, under certain circumstances, an exported Xray data file for a component could not be unzipped.

Xray 3.0.13

Released: February 17, 2020

Database Sync Known Issue

In all current Xray 3.x versions up to Xray 3.6.2, you might experience the Database sync process getting stuck. To resolve this, it is recommended to abort the process and retry.

Resolved Issues

  1. Fixed an issue whereby loading and displaying vulnerability and violation data took an excessively long time.
  2. Fixed an issue whereby assigning a custom issue to descendant components failed.
  3. Fixed an issue whereby Go packages were indexed incorrectly.
  4. Fixed an issue whereby aborting the DB sync did not remove old zip packages.
  5. Fixed an issue whereby, under certain circumstances, violations were not triggered when a package with vulnerabilities was detected.
  6. Fixed an issue whereby Xray incorrectly detected Debian package names.

Copyright © 2021 JFrog Ltd.