Released: December 11, 2018
- Resolved an issue whereby scanning failed on the nil pointer exception when the range bound was missing.
- Resolved an issue whereby generating license metrics caused the server to crash on the nil pointer exception.
- Resolved an issue whereby impact analysis failed due to Postgres deadlock when trying to use Prepare statements.
- Resolved an issue whereby the build indexing process entered an endless loop causing the same layer file to be repeatedly regenerated on the disk.
Released: October 10, 2018
Watches have undergone significant changes to improve usability and effectiveness in detecting violations.
Multiple resources per watch: You can now add multiple resources to a watch and include any number of repositories or builds while specifying a separate set of filters to apply for each resource. When scanning an artifact, Xray processes each resource and its filters before going on to the next one. If an artifact passes through all filters, Xray will then process the policies defined for the Watch to determine what, if any, action should be taken.
Artifact path filter: You now specify a relative expression to filter artifacts according to their path within a repository. This is in addition to the "Name" filter (formerly known as the "Regex" filter) which filters artifacts based on their name.
Watches REST API: This release introduces V2 of the REST API. Currently, only the endpoints related to Watches have been updated to accommodate the significant changes to Watches in this release. Note that the REST API is backward compatible and will continue to support V1 endpoints, including those related to Watches for older versions of Xray.
Xray now supports indexing and scanning of Alpine OS packages including recursive analysis, component graph integration and providing detailed metadata information.
The UI of the Locations tab in the Component Details panel has been improved to give a clearer indication of where the artifacts of a scanned component can be found.
Red Hat 6 on GCP not supported
There is a known issue in this release in which Xray cannot be installed on a Red Hat 6 machine on Google Cloud Platform (GCP) due to a missing OS dependency in RHEL 6.
- Fixed an issue that allowed creation of policies with an invalid
- Fixed an issue in which the CentOS installer displayed an incorrect version number following installation.
- Fixed an issue in which the UI displayed an incorrect message when an offline DB sync was aborted.
- Fixed an issue in which a 500 Internal Server Error was erroneously returned by the Get Component By Name REST API endpoint when a component was not found instead of a 404 Not Found error.
- Fixed an issue in which a Violation due to an unknown license would sometimes be generated, even though the corresponding Watch would allow unknown licenses.
- Fixed an issue in which a group's permissions would not be applied to its users if the group name contained a space character.
- Fixed an issue in which a Policy could not be assigned to a Watch using the Create Policy REST API endpoint.
- Fixed an issue in which a Policy could not be assigned to a new Watch created using the Create Watch REST API endpoint.
- Fixed an issue in which when the connected Artifactory instance contained multiple Docker images with the same checksum, but different tags, and one of the tags was deleted, it would still show up in Xray with an invalid location.
- Fixed an issue in which indexing Docker images would not fail after encountering EOF errors in the indexing process.
- Fixed an issue in which the MongoDB database name was ignored even if it was provided in the connection string.
- Fixed an issue in which when scanning a component certain open source licenses would be erroneously detected as different ones. For example LGPL 2.1 license would sometimes be detected as LGPL 3.0, CDDI would sometimes be detected as CDDL-1.0 etc.
- Fixed an issue in which the number of indexed artifacts that Xray reported was sometimes larger than the total number of artifacts hosted in the repository.
- Fixed an issue in which Xray would not recognize Docker image tags that included a dash ("-") character.
- Fixed an issue in which when using Artifactory as the authentication provider, Xray would fail to authenticate users if they were included in Groups that had multiple spaces in their names.
- Fixed an issue in which a Watch on Docker images containing a Property filter would trigger violations on images even if they did not contain the specified property.
- Fixed an issue in which the Get Licenses Report Components REST API endpoint would report the same watch multiple times for a component.
- Fixed an issue in which disabling SSL/TLS in the Mail Server configuration using the UI would not work unless
mailNoSsl:truewas also configured in Xray's configuration file.
- Fixed an issue in which default credentials of RabbitMQ, PostgreSQL and MongoDB would be displayed in Xray's configuration file in plaintext. These credentials are now encrypted.
- Fixed an issue where usernames can now contain a hyphen.
Released: October 15, 2018
Fixed an issue in which Xray would report Critical vulnerabilities as Major.
- Fixed an issue in which the impact analysis queue would get flooded with messages about empty ZIP files in components.
- Fixed an issue in which PostgreSQL queries would not terminate even after running for hours
- Fixed an issue in which the Notify Email action for policies did not work, even if a mail server was properly configured.
- Fixed an issue in which Build resources added to a Watch would be duplicated in the Watches display.
Released: October 25, 2018
- Fixed an issue whereby the Violations email displayed a broken link to the component.
Released November 8, 2018
Fixed an issue that prevented creation of the impact analysis graph for complex components.
Fixed an issue in which Xray would ignore a scheduling parameter for maintenance cleanup jobs.
Fixed an issue that caused Xray to hang when presenting component details.
Released: August 20, 2018
Native HTTPS Support
Xray now supports configuring SSL on your web server in the Admin module in the HTTP Settings screen. By default, the HTTP port is set in the config.yaml file and all that is left is to specify the path that leads to your SSL key and SSL Certificate.
Automatic Component License Report
The Component License Report in Xray helps you stay compliant and avoid legal violations due to problematic components that may exist in your builds or artifacts. Based on the metadata generated in Xray, you can generate a license report for every build or artifact that will list all of the OSS licenses used directly or indirectly.
Xray Support Zone
As part of the JFrog SLA based support, you can now generate an information bundle in the Admin module in the Support Zone screen. When opening a support ticket, you can attach the information bundle to expedite handling of your issue.
Public APIs for Policies
JFrog Xray exposes its policies to any external source with access to its REST APIs. Through a set of simple REST API call, you can create, delete, view and assign policies to watches.
7z Indexing Support
7z compression has been added to the list of compression technologies that Artifactory already supports including Tar (Bz2, Gz, Z, infl, Xp3, xz), Zip, rpm, deb, and 7zip.
- Fixed an issue whereby temp files could not be found and deleted causing Persist to fail.
- Fixed an issue whereby huge RabbitMQ messages caused a queue overload after indexer which has been resolved by introducing file compression.
- Fixed an issue whereby Persist gets "connection reset by peer" errors from RabbitMQ and does not reconnect.
- Fixed an issue whereby multi-folder Docker images did not trigger violations and send alerts to CIs while leaving the build set as normal.
- Fixed an issue whereby failed messages in the ImpactAnalysis queue weren't displayed in the UI and could not be retried.
- Fixed an issue whereby running the watch filter by property did not filter Docker Images.
- Fixed an issue whereby database sync stopped when the trial license expired.
- Fixed an issue whereby a filter containing a specific build name was not triggered.
Released August 28, 2018
- Fixed an issue in which the Watches REST API endpoint would not work.
- Fixed an issue introduced in Xray 2.3 in which Xray would not run when Artifactory and Xray were activated with a trial license.
- Fixed an issue in which Impact Analysis would sometimes fail when trying to update a license for a component that had been indexed but was now missing.
Released September 2, 2018
- Fixed an issue whereby restarting Xray resulted in loss of user login permissions when using Crowd for Auth provider in Artifactory.
- Fixed an issue whereby after performing an upgrade, the admin user has no permissions.
Released September 26, 2018
Released July 2, 2018
Xray introduces a new Policy entity that enforces security and license compliance behaviors, which were previously part of a Watch. In previous versions, a watch included the target resources, such as repositories and builds, being scanned as well as the security and licence violation criteria and actions to take. From this version, these are separated for enhanced manageability and maintenance.
Policies now enable you to create a set of rules, in which each rule defines a license/security criteria, with a corresponding set of automatic actions according to your needs.
Watches now only define the scope of the resources you want to watch. You can define a policy once and assign it to as many watches as you like.
Separating the behavior you want to enforce from the context you want to enforce it on provides you with the following values:
- Efficiency. Reduce work and save time by configuring your policies once and assigning them to multiple watches.
- Flexibility. Configure multiple behaviours with additional functionality such as priority of your security rules.
- Separate Concerns. Delegate permissions to different teams in your organization. Everything related to resources and filters is in the watch, and everything related to security and license compliance is in policies.
- Xray can now classify OSS licenses, as known license types, from license files.
- Added the ability to manually invoke a scan on existing content so that new watches that were just defined can be applied immediately without having to wait for a scan-triggering event to happen.
- The General Configuration settings have been enhanced to provide more control over different parameters of Xray.
- Easily navigate from the Xray Components module directly to any component in Artifactory.
- Alerts are now fully deprecated.
- Added a REST API endpoints that get and update a list of repositories and builds that are or are not indexed for scanning.
- Added a REST API endpoint that provides a list of violations based on a set of search criteria.
Released July 8, 2018
- Fixed an issue where some indexing of Docker images inside a build did not work and threw an error.
Released July 16, 2018
- Fixed an issue in which when an Xray installation had an Artifactory instance set as its authentication provider, and it was upgraded from version 1.11.0 to version 2.2.1, the Xray Admin user ended up with no permissions.
- Fixed an issue in which an Artifactory instance set as the authentication provider would fail to successfully authenticate against Xray following an upgrade from version 1.11.0 and below to version 2.0.0 and above.
- Fixed an issue that prevented connection between Artifactory and Xray when Xray's base URL was specified with a trailing slash.
- Fixed an issue that prevented using a capital letter in Artifactory ID of an Artifactory instance set as the authentication provider for Xray
Released July 17, 2018
- Fixed an issue where some indexing of Docker images inside a build did not work and threw an error.
Released July 22, 2018
- Fixed an issue when using a CI integration (such as Jenkins), in some cases Xray responses would be very large and caused the CI to get stuck.
Released May 17, 2018
Announcing the new Enterprise+ Platform, that provides a complete solution for covering all the steps involved in creating a secure, trustworthy, and traceable software release in a multi-site development environment.
The solution works in conjunction with source version control, continuous integration, and deployment tools.
The JFrog Enterprise+ platform bundle includes:
- JFrog Artifactory: all features available with an Enterprise license as well as Access Federation and the ability to work with Artifactory Edge.
- JFrog Distribution: an on-premise, centralized platform that lets you provision software release distribution.
- JFrog Xray: universal analysis of binary software components at any stage of the application lifecycle providing unprecedented visibility into issues lurking in components anywhere in your organization.
JFrog Mission Control: all features available in Mission Control with the addition of:
the ability to add instances of Jenkins-CI, JFrog Distribution and JFrog Artifactory Edge as services in the system and monitor them
Insight and analytics on build processes through as set of metrics on the end to end build process
Ruby Gems and Python Wheels Support
- Recursive analysis and full component graph integration
- Component metadata, including versions, licenses and checksums
- Manually curated security vulnerabilities
In addition to SAML/LDAP authentication capabilities, enabled once you select an authentication provider, from version 2.1 Xray is also integrated with OAuth. This allows you to delegate authentication requests to external providers and let users login to Xray using their accounts with those providers, according to the OAuth configuration in the authentication provider.
Watch Violation Search
You can now filter the watch violations using the new search mechanism, according to text, created date, type, severity and CVE ID.
From Xray 2.1, SSO support has been added and allows you to log in to all your JFrog applications using a single set of user credentials that are stored in the Authentication Provider Artifactory instance. When SSO is applied, the user logs in to the JFrog product using a set of predefined credentials and is granted access across the board to the JFrog products. SSO eliminates the need to re-enter the credentials every time a product is accessed.
- The watch and component violations grid now include the exact infected component version and the impacted artifact name and version.
- The components in the violations impact analysis view are now clickable and will lead to the relevant component details.
- The watch violations sorting now works as expected
Released June 13, 2018
- Fixed an issue that prevented an offline sync of the database from completing successfully. From this version onwards, offline synchronization of the database requires JFrog CLI version 1.16.2 or higher.
Released April 16, 2018
Xray High Availability
JFrog Xray 2.0 introduces a highly available active-active cluster architecture, ensuring continuous security and governance to your software packages.
Improved Performance and Resilience
You can now scale your Xray environment with as many nodes as you need. This enhances Xray’s performance by delegating all workload across available cluster nodes, through a load balancer.
In case one or more nodes is unavailable or down for upgrade, the load is shared between the remaining nodes, ensuring optimal resilience and uptime.
Xray seamlessly and instantly synchronizes all data, configuration, cached objects and scheduled job changes across all cluster nodes.
Xray’s self-monitoring mechanism, which provides you with system availability issues, has now been enhanced to let you know which node is affected.
In addition, Xray will provide cluster health information in a new page called “High Availability”, showing health information of every node and every microservice.
Easy HA Setup
Xray allows you to easily install a full HA cluster in minutes, or upgrade your existing Xray environment.
Watch Violations View
In addition to viewing your policy violations in the component details view, the Xray UI has been enhanced with a new violations view that displays all defined violations in the context of a specific watch.
Automatic Xray Upgrade
Xray can now be upgraded automatically with a “use defaults” parameter, eliminating any manual script inputs. This parameter uses a default configuration for new installations and an existing configuration for upgrades.
Component Search by CVE
Xray now allows you to search for the components in your organization which are impacted by a specific security vulnerability CVE id.
Released April 23, 2018
- Fixed an issue in which when viewing certain Watch Violations, the name of the component that triggered the violation was not displayed
- Fixed an issue that prevented setting up Xray HA on cloud-native environments such as Kubernetes
- Fixed an issue that prevented upgrading some Docker installation from Xray 1.x to Xray 2.x
Released May 6, 2018
- Fixed multiple issues related to builds containing Docker Images
Released March 28, 2018
Improved Integration with Artifactory
JFrog Xray 1.12 jointly released with JFrog Artifactory 5.10, presents significant changes in how these two complementary applications are integrated to improve usability and stability.
Upgrade Xray first
For this joint release of JFrog Artifactory 5.10 and JFrog Xray 1.12, we strongly recommend first upgrading your Xray installation to version 1.12 and only then upgrading Artifactory.
Previously, an artifact's scan status was stored in Artifactory by annotating the artifact with a set of properties such as indexing status, last update, top vulnerability severity and block status. From this version, these properties will be removed. Artifactory will fetch an artifact's scan status on demand when it is selected in the tree browser.
This is a breaking change which restricts compatibility of Artifactory and Xray versions as described in the following table:
Since both Artifactory and Xray are upgraded, the new integration is fully functional as designed.
In this combination, the integration will not work since the new version of Artifactory will query Xray for scan status, however, the old version of Xray does not have the required REST API endpoints.
This combination is supported. Artifactory will continue to display each artifact's scan status, however, it will use previous mechanism that uses properties.
If neither Artifactory nor Xray are upgraded, the integration will work using the previous mechanism that displayed scan status as a set of properties on the artifact.
Improved Download Blocking
From this release, download blocking has been removed from Artifactory and is, instead, configured in Xray as "Block Download" action on a Watch. This creates a more intuitive and consistent workflow giving you full control over all actions on an Artifact that has a violation in one place.
Better Build Control
Previously, all builds in Artifactory were indexed by Xray potentially causing visual clutter as less important builds such as snapshots would get indexed. From this version, Xray lets you select which builds to index, letting you focus your analyses on more significant build processes.
Reapply Indexing to Your Builds
During the upgrade process to Xray 1.12, the indexing is cleared from all of the builds. To reapply indexing, you need to explicitly apply indexing to the builds of your choice.
Component-Driven Workflow: Watch Violations
Previously, Xray brought vulnerabilities to your attention in the form of Alerts. But since alerts may aggregate several issues, each of which may affect multiple artifacts and builds, they made it difficult to understand all the issues affecting a particular component. Continuing Xray's evolution to a component-driven workflow, this version introduces Watch Violations.
Watch violations are displayed directly on the Component Details panel making it easy to identify all the security, license and custom issues affecting the component.
Support for Additional Package Types
From this version, Xray supports indexing and scanning Gradle, Ivy and SBT packages.
Released April 2, 2018
This patch fixes these issues that were discovered in version 1.12:
- Fixed an issue in which the “Block Download” action did not work when creating a watch on a remote repository when Artifactory versions lower than 5.10.
- Fixed an issue in which deleting a custom issue did not impact the “Block Download” action when using Artifactory versions lower than 5.10.
- Added the ability to automatically index all builds by Xray via a configuration parameter.
Released February 18, 2018
Assign OSS Licences to Components
This release provides these advanced OSS licenses functionalities:
- Assign custom licenses to your components.
- View the source of the originated license - custom, JFrog, or a local file.
- View if the license was assigned directly to the component or propagated to parent components and is part of their license list.
Xray now displays all impact analysis and artifact scanning failures in the new Failure Messages page, in the Admin module. This page provides administrators a single place where they can easily identify the exact step in the scanning and impact analysis Xray process in which it failed, allowing them to fix the issue and retry the step.
Released January 2, 2018
Project Grafeas defines an open, unified metadata exchange format and API that will create a uniform and consistent way to produce and consume metadata from software components. By fully supporting the Grafeas API, Xray acts as a portal to Grafeas providing your software supply chain with an unprecedented abundance of metadata that can be easily be put to use in automated auditing and governance processes. This release of Xray exposes a set of Grafeas endpoints that are fully integrated into the Xray REST API.
Externalization of Databases
Xray works with a number of third party services, such as various databases, which were previously pre-installed with the other Xray microservices. From Xray 1.10, you have more control over your resource allocation and you can direct Xray to use an external RabbitMQ, MongoDB or PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.
Improved Database Sync
Database synchronization has been significantly improved resulting in a smoother workflow, data compression and boosted performance. The enhanced compression and performance promote stability and robustness to transient network issues. Depending on your hardware, network and other factors, this may improve performance by up to 70%.
Expanded IDE Integration
In addition to UI improvements, the has been updated to support scanning of Gradle and npm package formats in addition to the existing Maven package format.
- Improved performance of Alerts page.
- Fixed an issue whereby Ignore Rules were not fetched when their associated Watch was deleted.
- Fixed an issue whereby the Event microservice crashed due to a missing checksum returned from a property search made for a build's items.
- Fixed an issue whereby deployed Docker Images with same SHA256 value got stuck in the analysis retry queue.
- Fixed an issue whereby the Xray API 'Update User' command does not update the user, and returns a 404 error.
Released January 4, 2018
This release includes UI display issue fixes in the Integrations and Permissions pages.
Released December 3, 2017
Authentication Through External Providers (LDAP, SAML, Crowd etc.)
User management in Xray has been greatly simplified by adding the ability to authenticate users through your corporate LDAP/Crowd or SAML provider. All you need to do is define one of the connected Artifactory instances as an "Authentication Provider". This lets you import the LDAP/Crowd, SAML and internal Artifactory users and groups from the specified Artifactory instance to Xray, and then assign them permissions as needed.
This version introduces a flexible permissions model that gives an administrator fine-grained control over how users and groups access the different features of Xray. "Resources" define the scope of a permission and specify the repositories and builds in the connected Artifactory instance to which the permission applies. You can then specify users and groups, internally defined in Xray or imported from a connected "authentication provider" as described above, and grant them privileges for the selected resources.
Improved performance of indexing and analysis for large-scale environments.
Improved database processes which significantly improve performance of certain recursive queries
Fixed an issue in which Xray would not delete files that were moved to the RabbitMQ failure queue.
Fixed several issues connected to identifying the OS layer and its installed packages in Docker images.
Fixed an issue that would cause RabbitMQ to drain available RAM on large scale environments by loading a large number of messages.
Released July 13, 2017
Xray's current work flow is event-driven creating alerts with stateless information; a snapshot of builds and components at an instant in time. In this release, we are adding support for a new and more intuitive workflow which is content-driven in that issues are displayed based on the components you are interested in. This has a huge impact on how you navigate your way to the most relevant content. The high-level flow can be summarized as:
Search for components → Drill down → Examine issues
Enhanced Search: Xray now provides enhanced search allowing you to search for specific components through a set of search filters such as package type, issue severity, version and more.
Rich component display: From the search results, you can select the component that interests you and view a rich display that provides details of all versions of the selected component
Examine issues: Selecting any issue from the components display provides detailed information on the issue as well as a list of all the artifacts and builds on which it has an impact.
Recommendations for Remediation
In addition to providing a comprehensive list of versions in which a vulnerability exists for an infected component, the rich component display in the content-driven workflow also indicates in which version a vulnerability has been fixed (if available) and recommends upgrading to that version
JFrog IntelliJ IDEA Plugin
With the JFrog IntelliJ IDEA Plugin, you can scan your Maven project dependencies using Xray and view vulnerabilities during development time directly from within the IntelliJ IDE. IDE integration support will continue to expand to additional industry-standard IDEs, and to additional package formats.
JFrog Xray expands its CI/CD integration capabilities by adding support for TeamCity, enabling you to scan builds, generate reports and even fail build jobs if they use components with known vulnerabilities. This is an effective way to prevent builds with vulnerabilities from entering production systems.
Enhanced Vulnerability Data
Processing of raw vulnerability data has been greatly enhanced based on improved algorithms and heuristics to correlate and match data from different sources to the right component and version. This new data model provides greater and more accurate details about vulnerabilities such as infected version ranges, fix versions and more. It also allows better identification of infected components. In the case of Maven components, the vulnerability data has been completely replaced and undergoes manual curation before being loaded into the database resulting in better coverage with fewer false-positives.
Note that you need to perform a database sync (whether you are working in online or offline mode) to work with the enhanced vulnerability data.
Improved Scanning Performance
Performance of scanning new builds and artifacts has been dramatically improved to orders of magnitude. Since this is the most common process that Xray performs the improvement results in Xray being more responsive on the whole. In particular, the performance and accuracy of Docker images analysis has been greatly improved.
Support for Docker Images in Builds
Docker images encased in builds are now scanned and indexed just like any other build dependency.
- Fixed an issue in which Xray listed a component as having an "Unknown" license, even though specific known licenses were identified.
- Fixed an issue in which npm dependencies with vulnerabilities were downloaded even when their hosting repository in Artifactory was set to block downloads.
Released July 17, 2017
- Fixed an issue which may have caused a slow database migration when upgrading Xray to a new version.
Released July 31, 2017
Fixed an issue with Xray's analysis process causing component license data to be saved multiple times, potentially consuming high amounts of memory and disk space.
Fixed an issue where license issues in alerts did not have an impact path.
SaaS users will now receive email notifications with a default mail server configuration.
Released August 3, 2017
Issues and their status, contained within Docker images in a build, are now properly propagated.
Released August 22, 2017
- Xray now gives you the option of selecting a custom location for your Xray data and PostgreSQL directories during an installation or upgrade process.
- Xray has undergone system-wide performance improvements which can be seen in several screens including Components, Issues in component details, Alerts, Security Reports and more.
- When viewing component details, you can filter the issues displayed by their Summary field.
- The Reports module has undergone several improvements in UI display and performance
Fixed an issue in which the All Alerts tab in the Alerts screen would appear empty even when alerts were present.
Released August 24, 2017
Fixed an issue where some filter selections in the Component Search did not return all applicable results.
- Fixed an issue with the “Cancel” button in the Artifactory instance details page.
- Fixed an issue where data migration was not running properly when upgrading to Xray 1.8.3 resulting in many errors in the log file.
Released September 25, 2017
This release brings significant OSS licenses functionalities for improved license coverage, including the ability to parse license from files, license content analysis and GitHub license matching.
- Xray will now support parsing OSS license information from all popular license file conventions, such as "*.pom" and "license.txt" metadata files.
- An additional layer of matching logic will now be used to help classify even more OSS licenses that may have been slightly modified, by analyzing the license content and comparing it to known license types.
- Xray is now able to get license information from GitHub for components with a GitHub page.
The Xray installer now supports writing the installation / upgrades outputs to an installer log for better traceability.
The license tab will now show a "0" in the tab header when a license cannot be identified. Licenses that are identified as "unknown" will include a proper placeholder in the component details page.
- Better handling of multiple files associated with the same component id.
The Xray Docker installation does no longer require root privileges to run.
Released October 17, 2017
- Performance improvements in the analysis process and Memory Consumption Enhancements.
Released October 19, 2017
- Fixed an issue in which when Xray's indexing process would fail, under certain conditions, temporary files would not be removed which could eventually deplete available storage on the filesystem.
Released April 20, 2017
New Home Page: The Xray Home page has been completely redesigned to act as a dashboard that provides a wealth of useful information. At a glance, understand your general system health, get an overview of components and alerts, system scan status, database sync status and more.
Package Type filter for Component search: The Components page now includes a Package Type filter that lets you focus on specific package types making it easier for you to search for specific components.
- If an external integration is removed, Xray will now also remove any alerts related to that integration
- Custom issues are now aggregated together with security vulnerabilities when viewing Component details and in REST API responses.
- Fixed an issue with updating properties in Artifactory that are related to Xray's indexing status.
Released April 24, 2017
- Fixed an issue with file paths that sometimes led to the wrong location.
- Fixed an issue with migration for component license migration.
Released June 5, 2017
- Xray now adds a timestamp indication to build snapshots. This ensures that each snapshot will have a unique name, making it easier to work with snapshots.
- When updating to a new version requires migration of the database (which may take some time), Xray will now show how the upgrade is progressing and provide error information if the upgrade fails.
- Xray's logging facility has been improved so that you no longer have to restart Xray if you want to change the log level for any of it's services.
- Xray's search has been enhanced so that in addition to package type, you can now also filter searches by component type (artifacts or builds).
- Fixed an issue that prevented creation of custom issues due to an error in parsing the timestamp when it included the Z timezone indicator.
- Fixed an issue that prevented Xray from annotating artifacts in Artifactory whose name included certain special characters.
- Fixed an issue in which the Xray base URL in the config descriptor for a connected Artifactory instance would not be updated when the base URL was modified.
- Fixed an issue in which the status of some artifacts would not be modified even after they were scanned, and, as a result, their download was blocked when download blocking was enabled in Artifactory for unscanned artifacts.
Released June 6, 2017
- Fixed an issue introduced in version 1.7.2 which, under certain conditions, caused a database connection leak.
Released June 8, 2017
- Fixed an issue that prevented Xray from synchronizing its database and indexing artifacts due to too many idle connections to its PostgreSQL database.
Released June 25, 2017
Xray now supports setting the system log level for each of the microservices without having to restart the Xray server.
- Fixed an issue in which Docker images, whose full set of layers were already included in another indexed image, would not get indexed.
- Fixed an issue in which the Artifact Summary REST API endpoint did not provide license information if there were no Allowed or Banner License filters defined for a watch.
Released January 18, 2017
JFrog Xray takes an active role in your CI/CD pipeline to indicate you should fail build jobs if your build or any of its dependencies have vulnerabilities. Your CI server (currently, Jenkins CI is supported) can now send a request to Xray to scan a build that was uploaded to Artifactory. In accordance with Watches you may define, Xray will scan the build, and if vulnerabilities that trigger an alert are found, Xray can now respond to the inquiring CI server that the build job should fail.
- Fail build jobs according to Watch specifications if build artifacts or their dependencies contain vulnerabilities.
- Changes in the UI for Watches replacing "Notifications" with "Actions", and the addition of the Fail Build Job action to support CI/CD integration
- "All Builds" has been added a new target type for watches so you can specify that all builds uploaded to Artifactory are scanned by Xray, not only specific builds you configure into the Watch.
Released January 25, 2017
- An issue that was causing artifact indexing to fail has been fixed.
Released February 12, 2017
Preventing Brute Force Attacks
Xray has been equipped with a login protocol to prevent brute force attacks. When Xray encounters multiple login attempts by the same user, Xray steadily increases the time interval that the user must wait before attempting login again. After a specific number of failed login attempts, the user will be locked out of his account. At that point, login can only be reset by an Xray administrator. The administrator has full control over the number of failed login attempts to lock the user out.
An Xray administrator may now view the Xray system log file in the Admin module, with the ability to filter log messages from the different services behind Xray.
- A bug preventing Xray from reaching the global database server when a proxy server is configured was fixed.
- Performance when synchronizing the global database to Xray has been greatly improved. The overall process time is dramatically reduced, both for a first-time synchronization, and for periodic updates.
- A mechanism has been added to prevent brute force attacks on Xray by locking out users with multiple failed login attempts.
- A bug that prevented upgrade when the upgrade archive was extracted in the same folder as the previous version, has been fixed.
- The impact path of an artifact is now displayed as a full path including the Artifactory instance and the repository in which the impacted artifact is hosted.
- The Xray log can now be viewed by an administrator in the Admin module System Logs page.
Released March 7, 2017
- Xray's analysis process performance has been greatly improved
- Performance when generating a security report has been greatly improved, especially for Xray instances that have indexed thousands of artifacts.
- Alerts can now be sorted by severity, and when viewing the details for a selected alert, the tab title also displays its severity.
- A bug in which some impacted artifacts were omitted from the security report has been fixed.
- A bug in which offline database sync was failing due to components not being found has been fixed.
- The scanning process performance has been greatly improved
- When viewing a component's details page, vulnerabilities and licenses of it's child components are also displayed.
Released March 14, 2017
- An issue causing proxy server functionality to fail has been fixed.
Released March 22, 2017
- Improve performance of both the indexing and scanning processes.
- Improve performance of security report generation.
Released January 4, 2017
Dependency Graph APIs
JFrog Xray exposes its dependency graphs to any external source with access to its REST APIs. Through a simple REST API call, you can now receive the full dependency graph of any component or build as a JSON object, or compare the dependency graphs of any two components or builds to get a clear indication of the differences between them and easily hone in on new dependencies that may have introduced issues and vulnerabilities.
Editing System Watches
System watches are created when a repository in Artifactory has been configured to block downloads. To provide more flexibility and finer control over when alerts should be generated, system watches can now be edited by Xray admin users.
Handling components with unknown licenses is a matter of your organization's policy. Xray now allows you to specify if these components should trigger alerts or not.
- Dependency Graph APIs allowing you to get the graph of any artifact or build, and compare any two artifacts or builds.
- System watches can now be edited by Admin users.
- Allowed and Banned License filters now allow you to specify "Unknown" so you can decide if components with unknown licenses should trigger alerts or not.
- When indexing Docker images, Xray now also indexes Debian and RPM packages in the image OS layer.
- The onboarding wizard UI has been improved for usability and to allow indexing selected repositories on the spot.
- The Security Report display has been improved.
Released January 9, 2017
- Fixed an issue that caused a database connection leak
- Fixed handling of gzip files with invalid headers
Released January 10, 2017
- Fixed an issue that prevented microservices from writing entries to system logs
Released December 20, 2016
JFrog Xray adds a new report that shows you which vulnerabilities have the most far reaching consequences in your code, and which components in your code base have the most reported vulnerabilities, as well as recent vulnerabilities and infected components that were detected.
Black Duck Integration
JFrog Xray has integrated with Black Duck Software as a new external vulnerability provider. Black Duck automates the process of securing and managing open source software by helping you comply with open source license requirements and providing security alerts about vulnerabilities discovered in open source components.
Released December 4, 2016
The onboarding experience has been improved in several ways including a wizard that guides you through the first essential steps of configuring Xray.
The Integrations UI has been modified to be more flexible and efficiently accommodate any number of integrations with external issue and vulnerability providers.
Artifact and Build Summary REST API
The Artifact and Build Summary REST API endpoints provides general information about an artifact or build as well as an aggregated list of issues and OSS licenses associated with them.
- Onboarding improvements including an Onboarding wizard
- Flexible UI for integrations
- Artifact Summary and Build Summary REST APIs
Released November 6, 2016
Generate a report that shows the distribution of open source licenses used by artifacts indexed by Xray, as well their compliance with "Allowed Licenses" and "Banned Licenses" filters defined in all watches in the system.
Xray now monitors a variety of system parameters and reports on their status to let you easily diagnose problems.
You can now create filters on watches based on the minimum severity of issues associated with indexed artifacts.
- License reports for distribution of OSS licenses and compliance with watches defined.
- Self-monitoring system status
- Checksum calculation has been optimized by running it asynchronously.
- Issue filters based on minimum severity of an issue associated with an artifact.
Released September 22, 2016
Support for Older Versions of Artifactory
JFrog Xray now supports all versions of JFrog Artifactory from v4.0 and above
Synchronization with the Global Database Server
Previously, Xray would synchronize with the global database server automatically at set time intervals. To give you more control over usage of your system resources, you can now manually invoke initial synchronization and update with the global database server, and pause/resume synchronization if necessary.
Support for Non-Docker Installation
In addition to Docker, JFrog Xray is now available for installation in a variety of flavors including Ubuntu, CentOS, Red Hat, and Debian.
Support Download Blocking
JFrog Xray will annotate artifacts that have been identified with an issue in any connected instance of JFrog Artifactory so that the Artifactory administrator may block download of that artifact.
Integration with Aqua
If you have an account with Aqua, this integration lets you enable their feed as a source for alerts using your Aqua API key.
OSS License Policy
You may now implement an OSS license policy by defining a filter for watches based on a whitelist or blacklist of OSS licenses. Any component in the system that does not pass through the filter you define will generate an alert.
- Support for older versions of Artifactory - v4.0 and above
- Visibility and control over resources with synchronizing with the global database server
- Support for Linux installations
- Support download blocking
- Support for manually invoking and operating synchronization with the global database server
- Integration with Aqua
- OSS license policies
- Connect to Artifactory via an HTTP proxy.
August 1, 2016
JFrog is proud to the first official release JFrog Xray 1.0. This version presents dramatic changes based on feedback recieved from customers using the previous "Preview" version released several weeks ago.
The entire onboarding process to get started with Xray is done within Xray. This includes adding Artifactory instances, specifying repositories for indexing, triggering indexing and getting status on the indexing process.
Watches and alerts now aggregate all types of analysis performed. You simply define the context you are interested in for a Watch (repository, build or all artifacts), and view aggregated information on issues detected and artifacts impacted in the resulting alert.
Focusing on the most relevant issues and alerts
You can now choose to ignore alerts or issues that have been resolved or are not interesting to you either for a specific alert instance or permanently.
While JFrog Xray comes preconfigured with a database of issues and affected software artifacts, it is also open to integration with additional vulnerability providers. This version comes with the ability to add Whitesource, a simple but powerful open source security and license management solution.
Manually Invoking a Scan
A new Watch will only apply to new Artifacts or issues that arise after it has been created. This version adds the ability to run an analysis manually and apply a new Watch on existing artiafcts and issues.
- Easy onboarding
- Unified analysis with Watches.
- Focusing on important issues using "ignore" rules.
- Integration with Whitesource.
- Manually invoking a scan.
- View all alerts or only those based on watches you defined.
- Support for an HTTP proxy to communicate with external networks.
August 11, 2016
This is a minor update that fixes an issue with indexing and adds a limitation on the storage Xray consumes.
- Fixed an issue that caused the indexing process to be terminated in certain cases.
- Xray now limits the storage it utilizes when downloading artifacts for indexing.
July 3, 2016
JFrog is proud to release JFrog Xray!
JFrog Xray performs universal artifact analysis, recursively scanning all layers of your binary packages to provide radical transparency and unparalleled insight into your software architecture. JFrog Xray works with most package formats and is fully integrated with JFrog Artifactory.
The Home screen is your dashboard where you can monitor Artifactory instance Xray are connected to, component graphs and alerts.
Watches monitor artifacts for issues, and trigger alerts if any are found. A Scanning watch monitors a named build or repository in Artifactory and triggers an alert if any dependency with issues is found. An Impact Analysis watch listens to all providers streaming information to Xray and performs an impact analysis on all components in its database for any issues reported.
Alerts provide details about any issue found with any component, showing the full infection path through the component hierarchy.
View component relationships in your repositories to understand how one component affects others.
Automate component analysis through the rich Xray REST API.