Overview

This page presents release notes for JFrog Xray describing the main fixes and enhancements made to each version as it is released. 

If you need release notes for earlier versions of Xray, please refer to the Release Notes in the Xray 2.x User Guide.

Before You Get Started!

Be sure to read the Xray 3.0 Release Notes carefully before installing or upgrading to any Xray 3.x version, to learn about the new features and functionality introduced in the JFrog Platform.

Download 

Click to download the latest Xray version.

Installer Name Change!

From Xray 3.0, the installer naming convention has been changed to include the installer type.
The following table lists the official installer names.

Installer Type    Installer Syntax
Linux archive     jfrog-xray-<version>-linux.tar.gz
Compose           jfrog-xray-<version>-compose.tar.gz
RPM/Debian        jfrog-xray-<version>.<rpm|deb>

Previous Versions

Previous versions of JFrog Xray are available for download in the Previous Releases page.

Installation and Upgrade

For installation instructions please refer to Installing Xray.

To upgrade to this release from your current installation please refer to Upgrading Xray.


Xray 3.22

This section includes all of the Xray version 3.22 releases.

Xray 3.22.1

Released: April 7, 2021

Feature Enhancements

Limit Storage Space Used by Indexer

You can now limit the storage space used by the Indexer microservice during concurrent downloads and extraction of artifacts, so that used storage does not exceed the default threshold of 80% of the allowed disk usage.
To enable this, set the server.enableVirtualStorageManager parameter to true in the Xray system YAML file.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6998: Fixed an issue whereby, when running a history scan on a Watch, the artifacts' scanned time was not updated.
XRAY-6940: Fixed an issue whereby, when several files were deleted in the same directory inside a Docker container, Xray sometimes reported false positives on the deleted files.
XRAY-6826: Fixed an issue whereby the UI configuration to stop email notifications did not work properly.
XRAY-6744: Fixed an issue whereby false-positive security violations were generated on Maven Red Hat versions.
XRAY-6439: Fixed an issue whereby the link provided in the Watch notification e-mail for violation alerts was incorrect.
XRAY-7349: Fixed an issue whereby Red Hat generated incorrect CPEs for vulnerabilities related to alt-Linux, causing Xray to report false positives. Xray now only matches .el7a version suffixes against .el7a versions.

Xray 3.21

This section includes all of the Xray version 3.21 releases.


Xray 3.21.2

Released: March 31, 2021

Requires Artifactory

The Xray 3.21.2 features require Artifactory version 7.17.4 and above.

Highlights

Xray in Projects
Availability: Cloud: Enterprise, Enterprise+ | Self-hosted: Enterprise, Enterprise+

Use Xray capabilities in the scope of JFrog Projects. JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. Offload and delegate Xray tasks to the different personas in your organization, such as assigning Xray security management capabilities to Project Admins on the scope of their specific projects. For more information, see Projects.

Xray CVSS v3 Scoring Support

Xray now supports CVSS v3 scoring in addition to CVSS v2 scoring. This keeps Xray's vulnerability scoring up to date with the current universal standard for severity ratings. For more information, see CVSS Scoring in Xray.

Xray Conan and C/C++ Support

Xray can now scan Conan packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build. For more information, see Conan and C/C++ Support in Xray.

Feature Enhancements

Xray UI Changes

The Xray UI in the JFrog Platform has changed to create a better division of Xray tasks reflecting the different tasks by persona. Management and creation of Watches and Policies have been moved to the Administration module, as these are tasks usually performed by the administrators or users with special privileges. The Watch Violations and Reports are in the Application module. 

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-7211: Fixed an issue whereby impactPathsDao.RemoveImpactPathByIds passed too many arguments to PostgreSQL.
XRAY-7299: Fixed an issue whereby the Xray Analysis log contained too many error messages when a very long license string was extracted from a file during reindexing.
XRAY-7227: Fixed an issue whereby the Scan Build REST API returned vulnerabilities and failed the build, while the Xray Data tab in the UI showed no violations.
XRAY-7193: Fixed an issue whereby, in some cases, Xray crashed when the DB sync contained a vulnerability with a large amount of information.
XRAY-6593: Fixed an issue whereby exporting data in CSV format produced less data than in JSON format.
XRAY-7257: Fixed an issue whereby Xray issued errors when a user's permission target was empty.

Xray 3.18

Released: March 2, 2021

Xray versions 3.18.x and lower are not compatible with Artifactory version 7.17.4 and above. You need to upgrade to Xray 3.21.2.

Feature Enhancements

PostgreSQL Version Support

PostgreSQL 13 is certified to be used with Xray 3.x and above.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-7048: Fixed an issue whereby the Xray server service could run out of memory when an Impact Analysis update affected a large number of artifacts.
XRAY-7068: Fixed an issue whereby, in some cases, a Docker image was not indexed by Xray due to a runtime error.
XRAY-7006: Fixed an issue whereby, when a new license (from the Xray global database) was added to a component during DB sync, the Impact Analysis process that was triggered was slow.
XRAY-6741: Improved the indexing of RPM packages by adding support for scanning the LZMA compression format.
XRAY-6188: Fixed an issue whereby Xray created new files and directories with the maximum permission mask (777). Xray now creates new files with mask 660 and new directories with mask 770.
XRAY-7058: Fixed an issue whereby the Impact Analysis queue continued to grow when there were many Red Hat based Docker images.
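Files and directories created by Xray before the XRAY-6188 fix keep their 777 mode after an upgrade, so an audit of the existing data tree is worthwhile. The following program is an added example, not Xray's own code: it walks a directory tree and flags every entry that still grants anything to "other" users, i.e. anything wider than the 660/770 masks quoted above. It builds a constructed sample tree so it runs stand-alone; to check a real installation, point Audit at the Xray home directory (typically $JFROG_HOME/xray/var; the exact path depends on your layout).

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Finding is one filesystem entry whose permission bits are wider than the
// masks quoted in XRAY-6188 (0660 for files, 0770 for directories).
type Finding struct {
	Path string
	Mode fs.FileMode
}

// TooPermissive reports whether mode grants anything to "other". That is the
// bit group the old 0777 default left open and the new masks close; owner and
// group bits are left to the service account and its group.
func TooPermissive(mode fs.FileMode) bool {
	return mode.Perm()&0o007 != 0
}

// Audit walks root and returns every file or directory that is still
// accessible to users outside the owning user and group, sorted by path.
func Audit(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if TooPermissive(info.Mode()) {
			findings = append(findings, Finding{Path: path, Mode: info.Mode().Perm()})
		}
		return nil
	})
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, err
}

// MakeFixture builds a constructed sample tree under root that mixes pre-fix
// (0777) and post-fix (0660/0770) entries so Audit has something to report.
// os.Chmod is used because file creation honours the umask and would not
// otherwise produce a real 0777 entry.
func MakeFixture(root string) error {
	entries := []struct {
		rel  string
		dir  bool
		mode os.FileMode
	}{
		{"data/legacy", true, 0o777},
		{"data/legacy/index.db", false, 0o777},
		{"data/current", true, 0o770},
		{"data/current/index.db", false, 0o660},
	}
	for _, e := range entries {
		p := filepath.Join(root, e.rel)
		var err error
		if e.dir {
			err = os.MkdirAll(p, 0o700)
		} else {
			err = os.WriteFile(p, []byte("constructed sample\n"), 0o600)
		}
		if err != nil {
			return err
		}
		if err := os.Chmod(p, e.mode); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "xray-perm-audit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := MakeFixture(root); err != nil {
		panic(err)
	}
	findings, err := Audit(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%04o %s\n", uint32(f.Mode), f.Path)
	}
}
```

Only the two legacy entries are reported; the 660 file and 770 directory pass. Entries the audit flags can be tightened with chmod to the same masks Xray now uses.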

Xray 3.18.1

Released: March 8, 2021

Resolved Issues

  1. Fixed an issue whereby, in some cases, Xray crashed when the DB sync contained a vulnerability with a large size of information.

Xray 3.18.2

Released: March 22, 2021

Resolved Issues

  1. Fixed an issue whereby, in some cases, Xray failed when validating permissions without resources.

Xray 3.17

This section includes all of the Xray version 3.17 releases.


Xray 3.17.2

Released: February 4, 2021

Highlights

REST API Open Metrics 

Added metrics related to Xray DB sync time, and total number of scanned artifacts and components. For more information, see Open Metrics.

Feature Enhancements

Go Version Upgrade

Upgraded Go version to 1.15.7 to fix security vulnerabilities.

Impact Path Data in Reports

You can now view the Impact Path data in the Due Diligence Report in the Get Due Diligence Report Content REST API and JSON and CSV outputs.

Scan Build REST API Permissions

The Scan Build REST API no longer requires Admin permissions; the Manage Xray Metadata permission is sufficient.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6955: Fixed an issue whereby, in the Builds UI page, when a build number contained characters in the Build Name, the build status did not show as scanned after the build was scanned.
XRAY-6795: Fixed an issue whereby, in some cases, the initial DB sync would unexpectedly pause.
XRAY-6708: Fixed an issue whereby violations were not created when the database server was down or when certain database failures occurred.
XRAY-6887: Reduced the risk of being affected by CVE-2020-29652.
XRAY-6883: Reduced the risk of being affected by CVE-2020-26160.
XRAY-6257: Fixed a security issue whereby indexing an artifact could cause a denial of service (DoS) or overwrite an operating-system file.
XRAY-6820: Fixed an issue whereby a violation with multiple sources could not be ignored by an Ignore Rule scoped to a specific component or component version. Requires Artifactory version 7.15.0 and above.
XRAY-6912: Fixed an issue whereby ignoring a violation using the artifact filter in the Artifacts/Watches screen did not take effect when the artifact existed in multiple repositories/paths and contained violations.



Xray 3.17.4

Released: February 17, 2021

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6921: Fixed an issue whereby, in a SaaS environment, an error was issued for an empty package.json during an npm audit.
XRAY-7031: Fixed a performance issue that resulted in extensive disk access.
XRAY-6515: Fixed an issue whereby Xray incorrectly detected a CPL license as a CPAL license.



Xray 3.16

Released: January 21, 2021

Highlights

New REST API to Restore Ignored Violations 

Introduced a new Restore Ignored Violations REST API, which allows you to restore violations that were ignored due to defined Ignore Rules.

Feature Enhancements

Impact Path Data in Reports

You can now view the Impact Path data for Vulnerabilities and Violations reports in JSON and CSV outputs.

Time-based Ignore Rule Filter for REST API

You can now filter Ignore Rules by expiration date using the Get Ignore Rules REST API, for example to list time-based rules that expire before or after a specific date. You can also sort Ignore Rules by expiration date.

View Ignored Violations in the Violations Report

You can view ignored violations data in the Violation Report including the Ignore Rule ID that can be used in REST APIs.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6675: Fixed an issue whereby the report progress displayed an incorrect percentage value.
XRAY-6802: Upgraded the Go version to 1.15.6 to resolve security vulnerabilities in prior versions.
XRAY-6855: Fixed an issue whereby scanning Docker image-based builds, in some cases, failed with a timeout.
XRAY-6856: Fixed an issue whereby, in some cases, migrating from Xray 2.x to 3.x on large environments failed due to a timeout or memory exception.


Xray 3.15

This section includes all of the Xray version 3.15 releases.


Xray 3.15.1

Released: December 30, 2020

Feature Enhancements 

Sizing Improvement 

Improved the performance of the Xray Data tab in the UI.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-5560: Fixed an issue whereby, in some cases, assigning a custom license failed and the component was assigned an unknown license.
XRAY-3988: Fixed an issue whereby Microsoft custom freeware licenses were not recognized by Xray.
XRAY-6054: Fixed an issue whereby, in some cases, when scanning Debian/Ubuntu components, Xray reported vulnerabilities on all affected versions.
XRAY-6786: Fixed an issue whereby vulnerabilities were not reported on some Debian packages if they were first uploaded as independent packages.
XRAY-6776: Fixed an issue whereby DB sync was not triggered after Xray was down or restarted in a SaaS environment.
XRAY-6780: Fixed an issue whereby an email notification was sent twice when both the Notify Mail and Notify Watch Recipients options were configured with the same email address in a policy.
XRAY-2560: Fixed an issue whereby, in some cases, Xray did not index new files due to events remaining in the event_states DB table.
XRAY-6220: Fixed an issue whereby Xray did not scan Python packages that were installed inside a Docker image using the pip client.
XRAY-602: Fixed an issue whereby, in some cases, the build scan triggered duplicate notifications.

Xray 3.15.3

Released: January 7, 2021

Feature Enhancements

Xray Violations and Vulnerabilities reports now include additional information regarding the severity received from the Red Hat OS advisory board. This information will be included in the CSV and JSON export formats of the reports.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6793: Fixed an issue whereby the Xray database disk space increased significantly after upgrading to Xray version 3.x.
XRAY-6824: Fixed an issue whereby, in some cases, the Watches page did not load correctly.



Xray 3.14

This section includes all of the Xray version 3.14 releases.


Xray 3.14.1

Released: December 22, 2020

Feature Enhancements

PostgreSQL Driver Upgrade

Upgraded PostgreSQL driver to the latest version.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6727: Fixed an issue whereby, in some cases, errors in MDS update queues were not handled correctly and caused unnecessary retries.
XRAY-6711: Fixed a memory leak that occurred when using Basic Authentication. It was most likely to surface when the Xray APIs were used heavily with Basic Authentication.
XRAY-3652: Fixed an issue whereby Xray detected false-positive vulnerabilities on openSUSE components.
XRAY-5962: Fixed an issue whereby an access token generated by a user who belonged to an admin group did not work properly.
XRAY-6758: Fixed an issue whereby Xray consumed high CPU and memory when analyzing certain artifact file structures.
XRAY-6763: Fixed an issue whereby Xray failed builds that contained ignored violations.
XRAY-6685: Improved the handling of cases where a violation occurs on multiple components in the binary and the Ignore Rule is set on only a subset of those components. Prior to the fix, the system did not correctly indicate on which components the violation was ignored and on which it was not.

Xray 3.14.3

Released: December 29, 2020

Resolved Issue

  1. Fixed an issue, whereby the Xray database disk space significantly increased after upgrading to Xray version 3.x.

Xray 3.13

Released: December 8, 2020

Feature Enhancements

Ignore Rules Enhancements
Time-based Ignore Rule

Time-based ignore rule enables you to set an expiration date for an Ignore Rule in which the violation will be ignored until the Ignore Rule expires. Once that period expires, the Ignore Rule will be deleted automatically, and if the violation occurs again it will not be ignored moving forward. For more information, see Ignore Rules. This feature is also supported through REST API, as described in Ignore Rules API.

Ignored Violations Stored in the DB

All ignored violations are now stored in the DB which enables you to view all ignored violations on the artifact, build, and Release Bundle level.

UI Enhancements

The UI now provides more information about an ignored violation in the different screens, including in the violations list for an artifact, build, and Release Bundle.

Requires Artifactory 7.12.0 and above

Some of the Ignore Rules enhancements require Artifactory 7.12.0 and above. Artifactory 7.12.0 is not available yet, and will be soon.


Export Components Details API Enhancement

Added the include_ignored_violations parameter to Export Component Details API. This will return the ignore rule ID per matched policy. 

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-5875: Fixed an issue whereby adding a custom license to packages with empty archives failed.
XRAY-5816: Fixed an issue whereby, when the severity level of a vulnerability was updated and a violation was created from it, Xray created a new violation instead of updating the existing one.
XRAY-4575: Fixed an issue whereby Xray failed to index corrupted tar.gz archive files.
XRAY-4767: Improved performance in many cases where the component graph is required, for example when processing vulnerability updates from the central database.
XRAY-6705: Improved performance of the license analysis process in cases where a database update is not necessary.
XRAY-6607: Fixed an issue whereby, in some cases, the Xray Data tabs took a long time to load.


Xray 3.13.3

Released: 17 December 2020

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6758: Fixed an issue whereby Xray consumed high CPU and memory when analyzing certain artifact file structures.
XRAY-6763: Fixed an issue whereby scan-build reports were not cleared of ignored violations.

Xray 3.12

Released: November 29, 2020

Feature Enhancements

Improved Indexer Functionality 

Enhanced the indexer functionality with improved classification of artifacts and identification of complex cases, such as identifying inner components within other components.

This enhancement resolves the following issues: XRAY-5380, XRAY-6032, XRAY-6023, XRAY-5601, XRAY-5200, XRAY-5022, XRAY-4551, XRAY-4540, XRAY-4505, XRAY-4081, XRAY-2167, XRAY-5355, XRAY-5448, XRAY-5786, XRAY-5694, XRAY-5534, XRAY-3716, XRAY-6583, XRAY-6441, XRAY-5449.

Build Scanning Improvement

Improved the build scanning process: Xray now downloads from Artifactory only those artifacts that are part of the build and that it can scan, saving resources and time.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-5550: Fixed an issue whereby, after installing Xray from scratch, it took Xray 5 minutes to fetch the Platform proxy and mail configuration, causing Xray to ignore this configuration and fail in tasks that depend on it.
XRAY-6419: Fixed an issue whereby, in some cases, Xray reported kernel vulnerabilities on Debian/Ubuntu user-space packages.
XRAY-6376: Fixed an issue whereby creating a Support Bundle failed when generating it took more than 30 seconds.
XRAY-6231: Fixed an issue whereby the violation summary page did not display all the infected components related to the violation. The fix requires Artifactory 7.11.0 and above.
XRAY-4124: Fixed an issue whereby, when exporting violations for an artifact or a build, the component data was missing the component version.
XRAY-3472: Fixed an issue whereby the PostgreSQL vacuum configuration did not work when Xray was in an HA setup.
XRAY-6284: Fixed a stored XSS (Cross-Site Scripting) vulnerability.
XRAY-6250: Fixed an issue whereby, in some cases, Xray was unable to sync the security configuration that disables anonymous access.
XRAY-6224: Fixed an issue whereby the Update Watch API failed when all-builds was selected for that watch.
XRAY-6598: Added an option to mark certain components for re-evaluation during scanning instead of reusing former scan results.
XRAY-6638: Fixed an issue whereby permissions defined on Build resources did not work.
XRAY-6610: Fixed an issue whereby the daily DB sync process might not complete and could cause load on the DB if it was stopped in the middle of the process in HA, SaaS, or Kubernetes environments.

Xray 3.11

Released: November 8, 2020

Refrain from Upgrading to 3.11 and 3.11.1

A critical issue was identified in versions 3.11 and 3.11.1 (XRAY-6597). The issue is fixed in version 3.11.2, so we recommend upgrading directly to 3.11.2.


Highlights

Violations Report

Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope. Violations information includes information such as type of violation, impacted artifacts, and severity. 

The Violations report is available with Artifactory version 7.10.6 and above

Feature Enhancements

Ignore Rules 

Enhanced the Ignore Rules feature functionalities, including the ability to set granularity on a defined Ignore Rule. All of the Ignore Rule functionalities are supported via the REST API.

These enhancements require Artifactory version 7.10.5 or above.

To learn more, see Ignore Rules.

New Connection Parameters in the Xray system YAML

Added support for the following two new parameters in the Xray system YAML:

  • maxLifetimeSecs: The number of seconds to allow a connection to be alive before a connection is recycled and another connection is established in its place.
  • maxIdleSecs: The number of seconds a connection may be in idle mode before it is closed.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6565: Fixed an issue whereby a build number that contained a colon was not scanned in Xray.
XRAY-6493, XRAY-6517: Fixed an issue whereby, in some cases, the DB sync failed to update database rows.
XRAY-6454: Fixed an issue whereby, in some cases, Xray did not recognize the licenses of some RPM packages.
XRAY-6232: Fixed an issue whereby the Impact Analysis sometimes ignored messages in case of errors, which caused some information loss.
XRAY-5291: Fixed an issue whereby build selection in the Watch configuration and in the report definition was very slow when a large number of builds was available.
XRAY-4323: Fixed an issue whereby Xray failed to add custom licenses to components due to a race condition in the code.
XRAY-3412: Fixed an issue whereby indexing all repositories sometimes failed when there was a large number of repositories.
XRAY-3104: Fixed an issue whereby the Analysis microservice failed to process some messages due to panic errors.
XRAY-6275: Performance improvements to reduce the load on the database.
XRAY-6501: Fixed an issue whereby, in some cases, Xray misclassified RPM packages as generic packages.
XRAY-6265: Fixed an issue whereby the Persist and Analysis processes in some cases crashed due to high memory consumption.
XRAY-6247: Added a configurable limit for the number of rows that appear in a report. The default limit is 100,000 rows per report.

Deprecated CommonName Field on X.509 Certificates

Xray no longer uses the CommonName field of an X.509 certificate as the host name when the certificate does not include Subject Alternative Names (SANs). A certificate that carries the host name only in its CommonName now fails host name verification, so make sure the certificates of the services Xray connects to over TLS include the host name as a SAN entry.
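The following program is an added example, not Xray's own code; it shows the rule above as implemented by Go's crypto/x509 package (Xray is a Go service, and Go's verifier has ignored the CommonName since Go 1.15). It generates two throwaway self-signed certificates for an assumed host name, xray.example.com, one with the name only in the CommonName and one with a SAN entry, and reports which of them host name verification accepts. ReportPEM can be pointed at a real PEM certificate to check it before the upgrade.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed certificate for host.
// With withSAN=false the host appears only in the Subject CommonName, the
// layout of legacy certificates that is no longer accepted for host matching.
func SelfSignedCert(host string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasSAN reports whether the certificate carries any Subject Alternative Name
// that can be matched against a host (DNS names or IP addresses).
func HasSAN(cert *x509.Certificate) bool {
	return len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0
}

// AcceptsHostname applies the same rule as a Go 1.15+ TLS client: the
// CommonName is ignored and host must match a SAN entry.
func AcceptsHostname(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// ReportPEM parses the first CERTIFICATE block in pemData and explains
// whether host name verification for host will succeed against it.
func ReportPEM(pemData []byte, host string) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	switch {
	case AcceptsHostname(cert, host):
		return fmt.Sprintf("OK: %q matches SAN %v", host, cert.DNSNames), nil
	case !HasSAN(cert):
		return fmt.Sprintf("REJECTED: no SAN; CN=%q is ignored, reissue the certificate with a subjectAltName", cert.Subject.CommonName), nil
	default:
		return fmt.Sprintf("REJECTED: %q is not in SAN %v", host, cert.DNSNames), nil
	}
}

func main() {
	const host = "xray.example.com" // assumed host name for the demonstration
	for _, withSAN := range []bool{false, true} {
		cert, err := SelfSignedCert(host, withSAN)
		if err != nil {
			panic(err)
		}
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
		msg, err := ReportPEM(p, host)
		if err != nil {
			panic(err)
		}
		fmt.Println(msg)
	}
}
```

The CommonName-only certificate is rejected even though its CN equals the host name; the SAN certificate is accepted for that name and rejected for any other. To check an existing certificate, read its PEM file and pass the bytes to ReportPEM with the host name Xray uses to reach the service.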


Xray 3.11.1

Released: November 9, 2020

Resolved Issues

  1. Fixed an issue, whereby Xray Docker Compose was pointing to an incorrect Docker Registry.

Xray 3.11.2

Released: November 11, 2020

This version of Xray replaces 3.11 and 3.11.1. 

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6597: Fixed an issue whereby, after a call to an Xray endpoint that requires authentication was made with bad credentials, consecutive API calls could fail even when made with good credentials.
XRAY-6274: Fixed an issue whereby duplicate Metadata Server update events were created, causing redundant load on internal systems such as RabbitMQ, PostgreSQL and MDS.
XRAY-6591: Fixed an issue whereby a lack of input sanitization could lead to SQL injection.



Xray 3.10

This section includes all of the Xray version 3.10 releases.


Xray 3.10.3

Released: October 22, 2020

Highlights

Alpine Package Support in Xray

Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. 

Feature Enhancements

Python Package File Format Support

Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats.

Support PHP files in *.tar Archives

Xray now supports PHP files inside *.tar archives.

New Metadata REST API 

Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server.

Resolved Issues

Resolved issues are listed with their JIRA number so you can track which of your reported issues were fixed in this release.

XRAY-6196: Fixed an issue whereby Xray did not process the rules in a policy according to their order.
XRAY-6181: Fixed an issue whereby the Index Existing option did not work properly for RPM packages.
XRAY-6127: Fixed an issue whereby, if a PostgreSQL password was not escaped correctly in the Xray system YAML file, it appeared in the Xray console log. As a general YAML precaution, quote passwords that contain characters with special meaning in YAML, such as ':' or '#'.
XRAY-6076: Fixed an issue whereby, when upgrading from Xray version 2.x to 3.x, the data migration failed when one of the Docker layers previously scanned by Xray contained "fslayers" entries with the prefix "tarsum.v1+sha256:" in the image's manifest.json.
XRAY-5271: Fixed an issue whereby not all license violations were created when the same Watch had more than one license policy.
XRAY-6371: Fixed an issue whereby a scan build could take longer than usual when the build's artifacts contained many references.
XRAY-6418: Fixed an issue whereby, in some extreme cases, a message could cause Xray to crash. A mechanism was added to prevent such messages from repeatedly crashing Xray.
XRAY-6446: Fixed an issue whereby, in some cases, scan builds did not detect any violations when the build should have failed.
XRAY-6281: Fixed an issue whereby searching for violations from the last X days returned all violations.
XRAY-6372: Fixed an issue whereby two builds with the same Docker images returned different violations.
XRAY-6417: Fixed an issue whereby certain corrupted ELF files caused the Indexer to fail.
XRAY-6449: Fixed an issue whereby, in some cases, the API /xray/ui/userIssues/details ended with a 500 Server Error due to long processing.
XRAY-6475: Fixed an issue whereby, in some cases, Xray initiated a full DB sync even when it was not needed.

Xray 3.9 

This section includes all of the Xray version 3.9 releases.


Xray 3.9.1

Released: October 4, 2020

Highlights

Due Diligence Licenses Report

Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. 

DB Sync Improvements 

Improved the initial vulnerabilities database synchronization by 92%. The total time is now under one hour on the minimum Xray system requirements.

Resolved Issues

  1. Fixed an issue whereby, in some cases, the descendants of Docker layers were not displayed in the UI.
  2. Fixed an issue whereby, if violations were found and the Fail Build option was enabled, webhooks were not triggered.
  3. Improved the Xray request log format to be aligned with the JFrog Platform standards. If you have automation that is based on the old format, make sure to update it accordingly.
  4. Improved performance in Xray when responding to requests coming from Xray IDE plugins.
  5. Improved the database connection pool configuration by reducing the default number of idle connections to the database to a lower value of 5. The system YAML parameter names have been changed to support this enhancement, however, the old parameter names are supported for backward compatibility. For more information, see Xray System YAML.


Deprecated APIs

The following APIs are not supported starting from Xray version 3.9.1:

/ui/api/v1/xray/api/v1/projects/<project_name>/notes/*

v1alpha1/projects/{projectsId}/occurrences


Xray 3.8

Released: August 13, 2020

Highlights

Vulnerabilities Report

You can now create and generate a Vulnerabilities report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. Narrow down what data you would like to see by setting a specific scope and advanced filters to display the exact data you want to analyze. A new reports page now is part of the JFrog platform where you can create, generate, and perform various actions on reports with the capability to export to PDF, JSON, and CSV file formats for further analysis. The Vulnerabilities report is also supported by REST API.

This report type is the first of the Reports feature that was introduced in this release. Other report types are planned for future releases that will provide you with further capabilities. 

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.

Multiple License Permissive Approach

The new Multiple License Permissive Approach gives you more flexibility at the policy level: with the permissive approach, a component that has at least one permitted license passes without triggering a violation, even if some of its other licenses are not allowed.

Dedicated Features that Require Artifactory

The Vulnerabilities Report, the Manage Reports User Role, and the Multiple License Permissive Approach features all require Artifactory version 7.7.0 and above on the Cloud, and version 7.7.3 and above On-Prem.

System Metrics Information API and log

Xray has been enhanced to support OpenMetrics. A new Metrics API returns metrics in the OpenMetrics format, and a new metrics log file, xray-{microservice}-metrics.log, was added to the file system.

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.8.x.

Feature Enhancements

Go Version Upgrade

The Go version bundled with Xray has been upgraded to 1.14.6, which includes the fix for CVE-2020-15586.

PostgreSQL Version Support

Xray is now certified to run with PostgreSQL versions 11.x, and 12.x.

Resolved Issues

  1. Fixed an issue whereby, the IU-Extreme-1.1.1 license URL was incorrect.
  2. Fixed an issue whereby, after DB Sync failure, the DB Sync was reading the same faulty bundle and not downloading fixed bundles. 
  3. Fixed an issue whereby, Debian OS packages were named by "Source" instead of "Package". 
  4. Fixed an issue whereby, the Get Component List Per Watch API required Admin permissions only, preventing non-admin users from calling this REST API. A new Manage Reports user role was added to enable you to use this API.
  5. Fixed an issue whereby, the Find Component by CVE API did not return results for users with read permissions. A new Manage Reports user role was added to enable you to use this API.
  6. Fixed an issue whereby, Xray was not sending E-mail notifications to watch recipients when violations were found. 
  7. Fixed an issue whereby, Alert worker was consuming an excessive amount of memory.
  8. Fixed an issue whereby Docker images based on RPM distributions were stuck in an infinite loop in the indexing stage.
  9. Improvement in RabbitMQ clustering logic. 


Xray 3.8.2

Released: August 23, 2020

Due to a known bug in this version, we recommend you upgrade to version 3.8.5.

Feature Enhancements

Add Builds to Indexing Configuration API

A new Add Builds to Indexing Configuration REST API lets you add builds to the list of builds selected for indexing by providing only the new build names, instead of resubmitting the whole list.

Archive Installer Improvements

Installing Xray as a service now uses systemd scripts on machines that support systemd.

PostgreSQL Version Bundling

The PostgreSQL bundled with Xray has been updated to version 12.x.

Resolved Issues

  1. Improved the performance of Impact Analysis processing.
  2. Fixed an issue whereby, in some cases, artifacts were not indexed and scanned properly if the database was unavailable for a period of time (for example, during a database restart or failover).
  3. Fixed an issue whereby Release Bundle repository mapping caused Xray scanning not to find the files.
  4. Fixed an issue whereby the component ID of PHP Composer packages differed between Artifactory and Xray. The component ID now always matches the vendor/package name in lower case.
  5. Fixed a vulnerability in the Xray web application prior to version 3.8.2 that did not properly restrict access to the license pages, which could have allowed an unauthenticated user to obtain information about the server license.

Xray 3.8.3

Released: September 8, 2020

Xray 3.8.3 is Available as a Cloud Version

The Xray 3.8.3 release is currently available only as a Cloud version. For the on-premise version, the 3.8.3 content is included in version 3.8.5.

Feature Enhancements

License Detection Improvements

Improved the performance and success rate of license detection, reducing CPU utilization.

Resolved Issues

  1. Fixed an issue whereby, in some cases, viewing or exporting the licenses of an artifact led to a PostgreSQL server malfunction.
  2. Fixed an issue whereby, in some cases, the licenses of PyPI packages inside a Docker image were not detected.
  3. Fixed an issue whereby, when scanning a component licensed under GPL-2.0 with the Classpath exception, Xray recognized it as plain GPL-2.0.
  4. Fixed an issue whereby, in some cases, RPM OS packages in Docker images were indexed with the wrong epoch. Packages that were already indexed with the wrong epoch can be reindexed using the Force Reindex API.
  5. Fixed an issue whereby drilling down to an inner component in the impact path graph of a vulnerability or violation returned a 500 error. This issue affected only SaaS users on Xray version 3.8.2.
  6. Fixed an issue whereby Xray could not be set up with Azure managed PostgreSQL. A new system.yaml property, shared.database.actualUsername, supports connecting to externally managed databases where the actual database user name differs from the connection user name.
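Why a wrong epoch matters (added illustration, not Xray's code): an RPM package is identified by epoch:version-release, and the epoch is compared before anything else, so a package indexed with the wrong epoch is compared against the advisory's fixed version on the wrong side of the scale. The block below implements rpm's comparison rules (rpmvercmp segment logic, including the '~' and '^' markers) and runs three constructed cases against a constructed "fixed in" version; the EVR strings are invented for the example, and a missing release on either side is simply not compared, a simplification noted in the code.

```python
"""RPM epoch:version-release comparison, the logic that decides whether an
indexed package is older than the version an advisory says is fixed.

Added illustration, not Xray's code. The EVR strings below are constructed;
the comparison rules follow rpm's rpmvercmp (epoch first, then version, then
release; '~' sorts before anything including end-of-string, '^' sorts after
end-of-string but before any other character; a numeric segment beats an
alphabetic one).
"""
import re
from typing import Dict, Tuple

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[a-zA-Z]+")


def _is_significant(c: str) -> bool:
    return c in "~^" or (c.isascii() and c.isalnum())


def _skip_separators(s: str) -> str:
    i = 0
    while i < len(s) and not _is_significant(s[i]):
        i += 1
    return s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm; returns -1, 0 or 1."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_separators(one), _skip_separators(two)
        # '~' marks a pre-release: 1.0~rc1 < 1.0
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' marks a post-release snapshot: 1.0 < 1.0^git1 < 1.0.1
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Take the leading run of digits, or of letters, from both sides.
        pattern, numeric = (_DIGITS, True) if one[0].isdigit() else (_ALPHA, False)
        seg1 = pattern.match(one).group(0)
        m2 = pattern.match(two)
        if not m2:
            # Different kinds of segment: the numeric one is newer.
            return 1 if numeric else -1
        seg2 = m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if numeric:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return 1 if one else -1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings; -1 if a is older, 0 if equal, 1 if newer."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not (ra and rb):
        # Same version; if either side lacks a release, stop here (simplification).
        return rc
    return rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed package predates the version the advisory fixes."""
    return compare_evr(installed_evr, fixed_evr) < 0


# Constructed advisory: the fix shipped with an epoch bump (0:9.x -> 1:1.0),
# the usual reason an epoch exists at all.
FIXED_IN = "1:1.0-1.el8"
CASES = {
    "old package, epoch 0":   "0:9.0-1.el8",  # truly vulnerable
    "patched, correct epoch": "1:1.0-1.el8",  # not vulnerable
    "patched, epoch dropped": "0:1.0-1.el8",  # same file, mis-indexed: false positive
}


def classify(fixed: str = FIXED_IN, cases: Dict[str, str] = CASES) -> Dict[str, bool]:
    """Vulnerability verdict per case; shows how a wrong epoch flips the result."""
    return {label: is_vulnerable(evr, fixed) for label, evr in cases.items()}


if __name__ == "__main__":
    for label, verdict in classify().items():
        print(f"{label:24} -> {'VULNERABLE' if verdict else 'ok'}")
```

The third case is the failure mode behind the fix above: the package on disk is the patched build, but with the epoch read as 0 it sorts below 1:1.0-1.el8 and is reported vulnerable until it is reindexed.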

Xray 3.8.5

Released: September 10, 2020

Resolved Issues

  1. Fixed an issue whereby, when migrating from Xray 2.x to Xray 3.x, impact path records were duplicated.
  2. Fixed an issue whereby the Xray installation (RPM flavor) failed while running the wrapper scripts on AWS instances because of a PostgreSQL dependency.
  3. Fixed an issue whereby, after upgrading to 3.8.x, a full DB Sync was triggered even when it was not needed.

Xray 3.8.6

Released: September 16, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to Xray 3.x failed.

Xray 3.8.7

Released: September 25, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to 3.8.4-3.8.6 failed.

Xray 3.8.8

Released: September 26, 2020

Resolved Issues

  1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to 3.8.4-3.8.6 failed.
  2. Fixed an issue whereby the PostgreSQL binary was missing, causing the migration to Xray 3.x to fail.

Xray 3.6

Released: June 28, 2020

Database Sync Known Issue

In all Xray 3.x versions up to Xray 3.6.2, the Database Sync process might get stuck. To resolve this, abort the process and retry.


Feature Enhancements

Schedule Background Tasks

Xray now lets you schedule the DB Sync background task using the Update DB Sync Daily Update Time REST API. By default, Xray picks a random time on startup for its daily update from the Xray Update Center (XUC); this time can now be set through the API, and no restart is required.

Prioritization of Scan Events

Xray now prioritizes the scanning of new artifacts, builds and Release Bundles over events originating from a history scan or a full repository scan, and lets you control the number of workers assigned to new content versus history/full repository scans using the Configuring the Workers Count REST API. Requires Artifactory version 7.6 and above.

Resolved Issues

  1. Fixed an issue whereby an error was ignored when fetching the bin manager ID, which caused a nil pointer error.
  2. Fixed an issue whereby scan-build failed when no policies, Watches or builds were configured, and an unclear message was issued.
  3. Fixed an issue with Xray REST APIs where the artifactory_id parameter (in the query or in the path) was required in Xray 2.x; it is no longer required in 3.x and is ignored if supplied.

Xray 3.6.1

Released: July 6, 2020

This release includes all of the enhancements and resolved issues of the 3.6.0 Cloud release, including the resolved issue below. 

Resolved Issues

  1. Fixed an issue whereby Xray crashed when starting DB Sync with a proxy enabled.

Xray 3.6.2

Released: July 9, 2020

Resolved Issues

  1. Fixed an issue whereby, when migrating from Xray 2.x to 3.x, an error occurred when the changed_file field value in the user_components_docker_layer_changed_files table was too long.
  2. Fixed an issue whereby the Xray upgrade failed when the xrayConfig field in the configuration table contained the special character %.

Xray 3.5.2

Released: June 21, 2020

Feature Enhancements

Artifactory Connection Management

Improved the management of Xray's active connections to Artifactory. To reduce the load on Artifactory and improve performance, every HTTP client now limits its number of concurrent connections to Artifactory.

Repository Scan Improvement 

The repository indexing process has been enhanced. Indexing requests for artifacts that originate from an index-repository request are no longer persisted in the Artifactory database, reducing the network and database load on Artifactory.

Resolved Issues

  1. Fixed an issue whereby the CVE was not displayed in PDF reports.
  2. Fixed an issue whereby a false positive was reported for RPM packages due to incorrect comparison of RPM distributions.
  3. Fixed an issue whereby Xray failed to process empty manifest.json files, preventing the .wh (whiteout) components from being deleted.
  4. Fixed an issue whereby the Update Builds Indexing Configuration REST API was missing response messages.
  5. Fixed an issue whereby, when Xray detected an invalid or expired license, the error was logged at debug level instead of error level.
  6. Fixed an issue whereby ignore rules loaded slowly when loading a Watch.
  7. Fixed an issue whereby client SSL configurations were not migrated properly when migrating from Xray 2.x to 3.x.
  8. Fixed an issue whereby, in a High Availability cluster, an error occurred when reloading the config cache.

Xray 3.4

Released: May 17, 2020

Highlights

Externalization of the PostgreSQL Database

From Xray 3.4, you have more control over resource allocation: you can direct Xray to use an external PostgreSQL database that is already in use in your organization. Keep in mind that with an external database you have full control over it, and also full responsibility for maintaining and backing it up for Xray's use.
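The following system.yaml excerpt is an added example (not taken from JFrog documentation) that puts two notes on this page together: pointing Xray at an externally managed PostgreSQL instance, as introduced in 3.4, and the shared.database.actualUsername property added in 3.8.3. Azure Database for PostgreSQL Single Server expects the login name in the form user@server-name, while the role that exists inside the database is just user; that mismatch between the connection user name and the actual database user name is the case actualUsername covers. The host name, database name, user and the exact spelling of the keys other than actualUsername are assumptions; compare them with the system.yaml template shipped with your Xray version.

```yaml
# Excerpt of $JFROG_HOME/xray/var/etc/system.yaml (added example, not the
# shipped template; key names other than shared.database.actualUsername are
# assumed from the JFrog system.yaml layout, check them against your version).
shared:
  database:
    type: postgresql
    driver: org.postgresql.Driver
    # Externally managed PostgreSQL: the bundled instance is no longer used,
    # and backups, upgrades and failover of this database are your job.
    # sslmode=require keeps scan data and credentials off the wire in clear.
    url: postgres://xraydb.postgres.database.azure.com:5432/xraydb?sslmode=require
    # Azure Single Server authenticates with "<user>@<server-name>" ...
    username: xray@xraydb
    password: <secret>
    # ... but the role that owns the Xray schema inside the database is "xray".
    # actualUsername gives Xray the role name as it exists in the database, so
    # the connection user name above can differ from it (the 3.8.3 fix).
    actualUsername: xray
```

Without actualUsername, Xray treats the connection user name as the database role name; on an Azure Single Server that name contains the @server-name suffix and does not match the role that actually owns the schema, which is why the setup described in the 3.8.3 notes failed before the property existed.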

Resolved Issues

  1. Improved the performance and duration of the initial DB Sync with the Xray Update Center (XUC).
  2. Fixed an issue whereby, in a number of cases, Docker pull did not work properly when a Docker remote repository was configured with the Block Download > Block Unscanned Artifacts setting.
  3. Fixed an issue whereby the Impact Analysis process did not work properly due to a stack overflow error.
  4. Fixed an issue whereby Impact Analysis stopped functioning due to an out-of-memory condition caused by multiple infected artifacts.
  5. Fixed an issue whereby Xray stopped functioning when indexing RPM files, because high memory consumption led to an out-of-memory condition.
  6. Fixed an issue whereby a connection deadlock occurred when the number of workers was larger than the number of connections.
  7. Fixed an issue whereby applying a Watch for a history scan triggered scans on all Watches.
  8. Fixed an issue whereby, under certain rare circumstances, Artifactory disconnected from Xray during a periodic license check.
  9. Fixed an issue whereby exported Xray data was inconsistent across the JSON, PDF and CSV formats: the CVE was not displayed in the PDF and CSV files.
  10. Fixed an issue whereby, after migrating from Xray 2.0 to Xray 3.0, stored messages were not passed correctly during migration, and retrying the messages in Xray 3.0 did not work properly.
  11. Fixed an issue whereby persisting a component failed due to character-limit constraints.
  12. Fixed an issue whereby an invalid memory address or nil pointer error was issued when indexing Go packages.
  13. Fixed an issue whereby the Artifact Summary REST API returned an issues response for components that did not contain a component ID.
  14. Fixed an issue whereby fetching all Watches from the database overloaded the database.
  15. Fixed an issue whereby, upon installation, the initial Xray URL was defined incorrectly with an /xray path.
  16. Fixed an issue whereby, under certain circumstances, an empty license was added when indexing NuGet packages.
  17. Fixed an issue whereby a number of Python packages were not indexed properly.

Xray 3.3

Released: April 22, 2020

Feature Enhancements

Force Full Reindex of Existing Components Rest API

The new Force Reindex REST API lets you reindex artifacts that were indexed in the past. This is useful for rescanning artifacts containing package types that were not supported when they were first indexed but are supported now, for example Go, Python packages inside Docker images, or Alpine OS packages.

Added Manual Linux Archive Installation

You can now install Xray using a Linux Archive installer, in addition to the existing options, giving you more control over how you set up your environment. For more information, see Manual Linux Archive Installation.

Added Dedicated Policy REST API V.2 Commands

Xray now supports both V1 and V2 of the Policy REST API. The V2 commands support blocking Release Bundles and notifying Watch recipients and file deployers.

Resolved Issues

  1. Fixed an issue whereby all partner integrations that were deprecated in previous Xray versions (1.x and 2.x) were still displayed on the Integrations page in the UI. From version 3.3, deprecated integrations are removed automatically when upgrading to Xray 3.x, together with all vulnerabilities in the database that relate to them.
  2. Fixed an issue whereby CVE IDs were missing from the JSON Security report.
  3. Fixed an issue whereby, when sorting component vulnerabilities in the Security tab by severity, all vulnerabilities were tagged with "High" severity.
  4. Fixed an issue whereby, after upgrading to Xray version 3.2.0, Xray did not start due to database migration issues.
  5. Fixed an issue whereby the graph under the Xray Data | Descendants or Ancestors tab was not displayed for Debian packages.
  6. Fixed an issue whereby impact analysis for Gems packages was not functioning.
  7. Fixed an issue whereby the Get Policy REST API returned all severities, regardless of whether the minimum severity was defined as Low, Medium or High.
  8. Fixed an issue whereby DB Sync did not perform impact analysis on NuGet packages.
  9. Fixed an issue whereby a Watch configured with a MIME type filter did not work for .gz and .7z files.
  10. Fixed an issue whereby custom issues could not be assigned to Debian packages in the UI.
  11. Improved the performance of loading the Watches and Policies pages in the web UI.
  12. Improved the performance of the Get Violations REST API when retrieving the list for a specific Watch from a database containing millions of violations.
  13. Improved Debian package vulnerability detection based on the Distribution property that the user must provide when deploying Debian packages to a local repository in Artifactory.
  14. Fixed an issue whereby an error was generated when updating a Watch that included repositories or builds that had previously been deleted in Artifactory. Such repositories and builds are now removed from the Watch automatically when it is saved.
  15. Fixed an issue whereby the Xray server suffered from a memory leak during npm audit.
  16. Fixed an issue whereby, when running npm audit with Xray, the vulnerabilities added by Xray referenced unavailable VulDB links as their sources.
  17. Reduced the load on the PostgreSQL database during scanning.
  18. Fixed an issue whereby scanning Docker images for potentially infected JavaScript files heavily impacted the database.
  19. Fixed an issue whereby Support Bundles returned request logs that excluded the Xray logs.
  20. Improved the performance of the Update Watch REST API V2 when there are thousands of Watches in an HA environment.

Xray 3.2

Released: February 23, 2020

Resolved Issue

  1. Fixed an issue whereby Xray analysis failed due to an out-of-memory condition caused by duplicated user-component licenses.

Xray 3.2.3

Released: March 30, 2020

Resolved Issue

  1. Fixed an issue whereby Xray failed to connect to Artifactory when trying to assign an Xray trial license.

Xray 3.0

Released: January 12, 2020

Deprecated Features
Xray 3.0 deprecates several features. Learn More >
Also read about the features that are currently out of scope and will be available in a forthcoming release. Read More >

Breaking Changes
For the list of breaking changes in Xray, Learn More >

REST API Changes
For a list of REST API changes in Xray, click here >

Important: The JFrog Platform web UI is now accessed through port 8082 (for example, http://SERVER_HOSTNAME:8082/ui/). Xray can still be accessed directly for REST API calls and downloads through port 8081. Learn More >

Highlights

JFrog Platform

Announcing the new JFrog Platform, designed to give developers and administrators a seamless DevOps experience across all JFrog products. Its main features:

  • Universal package management covering all major packaging formats, build tools and CI servers.
  • Security and compliance fully integrated into the JFrog Platform.
  • Radically simplified administration, with all configuration in one place.
  • Complete trust in your pipeline all the way from code to production.
  • A seamless DevOps experience on-prem, in the cloud, hybrid or multi-cloud, as you choose.

JFrog Platform New Functionalities

System Architecture

Xray 3.0 is now part of the JFrog Platform Deployment (JPD), which defines a single logical unit shared by all JFrog products. The process of pairing Xray with a JPD has been simplified and now requires only the URL and a shared secret (the join key). Learn More >

Xray system.yaml
This release introduces a new system configuration file, system.yaml, which allows system configuration to be handled outside the application, before or after the installation process. Learn More >

Installation and Upgrade

Xray 3.0 comes with a new installer, which changes the installation and upgrade procedures. With the new installers, the file structure has changed and is now aligned with the other JFrog products. When upgrading to the JFrog Platform, Xray must be connected to a single Artifactory instance only. If you have a single Xray instance connected to multiple Artifactory instances, you must split it into multiple Xray instances before upgrading Artifactory and Xray. See details here

Additional enhancements:

  • The new Docker installer now supports setting the uid/gid of the Xray container and image.
  • The new system architecture includes the system.yaml configuration file, which provides the option of silent installation.

Unified Permission Model

This version unifies the permissions of all JFrog products, allowing easier permission management across products from one unified UI. The Unified Permission Model lets you create a single permission target that applies to all products installed in the JFrog Platform. Learn More >

Unified User Interface

This version introduces a new UI that is unified for the entire JFrog Platform, including all JFrog products. If you use Artifactory together with other JFrog products such as JFrog Xray, JFrog Distribution, JFrog Mission Control and JFrog Insights, you can now access them all from a single UI at one URL. Xray data is located within each resource page, so you can quickly review the status of your scanned resources: packages, builds, artifacts or Release Bundles. To find the changes in the Artifactory UI, Learn More >

Logging

All JFrog products now follow a standardized logging format and naming convention. Learn More >

Feature Enhancements

Removed the MongoDB Database

The MongoDB database used by Xray prior to the Unified Platform is no longer required (except during the data migration process). If you are upgrading to the new JFrog Platform, your data is migrated automatically to PostgreSQL as part of the upgrade.

Release Bundles Scan

In addition to scanning repositories and builds, Xray 3.0 on the Unified Platform can now scan Release Bundles for vulnerabilities and license compliance. You can protect your releases by defining policies and Watches on your Release Bundles; policy violations can block the distribution of a Release Bundle.

Configure Indexed Resources Using Patterns

You now have more flexibility when configuring Xray indexed resources by using Exclude or Include Patterns for Builds and Release Bundles.

Configure Watch Scope Using Patterns

You now have more flexibility when configuring the scope of a Watch: repositories, builds and Release Bundles can be selected by name or with Exclude/Include patterns.

Dedicated Security and Compliance Search Experience

Xray 3.0 introduces a new Security and Compliance Search, part of the new Global Search Experience in the JFrog Platform. You can now search for specific vulnerability and license compliance information by resource name, CVE number, license, severity level and scan date range.  Learn More >

Issues Resolved

  1. Xray now collects "branch" information for Alpine components and vulnerabilities.
  2. Xray now displays an ignored violation upon creation.
  3. Security improvements to the Xray-related Docker base images.
  4. Fixed an issue whereby, under certain circumstances, an exported Xray data file for a component could not be unzipped.

Xray 3.0.13

Released: February 17, 2020

Resolved Issues

  1. Fixed an issue whereby loading and displaying vulnerability and violation data took too long.
  2. Fixed an issue whereby assigning a custom issue to descendant components failed.
  3. Fixed an issue whereby Go packages were indexed incorrectly.
  4. Fixed an issue whereby aborting DB Sync did not remove old zip packages.
  5. Fixed an issue whereby, under certain circumstances, violations were not triggered when a package with vulnerabilities was detected.
  6. Fixed an issue whereby Xray incorrectly detected Debian package names.
Copyright © 2021 JFrog Ltd.