Released April 24, 2017
- Fixed an issue with file paths that sometimes led to the wrong location.
- Fixed an issue with the component license migration.
Released January 18, 2017
JFrog Xray takes an active role in your CI/CD pipeline and can indicate that a build job should fail if the build or any of its dependencies has vulnerabilities. Your CI server (currently, Jenkins CI is supported) can now send a request to Xray to scan a build that was uploaded to Artifactory. In accordance with the Watches you define, Xray scans the build, and if vulnerabilities that trigger an alert are found, Xray can now respond to the inquiring CI server that the build job should fail.
- Fail build jobs according to Watch specifications if build artifacts or their dependencies contain vulnerabilities.
- Changes in the UI for Watches replacing "Notifications" with "Actions", and the addition of the Fail Build Job action to support CI/CD integration.
- "All Builds" has been added as a new target type for Watches, so you can specify that all builds uploaded to Artifactory are scanned by Xray, not only the specific builds you configure in the Watch.
Released January 25, 2017
- An issue that was causing artifact indexing to fail has been fixed.
Released February 12, 2017
Preventing Brute Force Attacks
Xray has been equipped with a login protocol to prevent brute force attacks. When Xray encounters multiple failed login attempts by the same user, it steadily increases the time interval that the user must wait before attempting to log in again. After a specific number of failed login attempts, the user is locked out of their account. At that point, login can only be reset by an Xray administrator. The administrator has full control over the number of failed login attempts that lock the user out.
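The following is an added illustration of the escalating-delay, admin-reset login protection described above; it is constructed for this page and is not JFrog Xray's code. The threshold, the doubling delay schedule and the injectable clock are assumptions.

```python
import time
from dataclasses import dataclass

# Escalating back-off plus lockout, as described in the release notes.
# Threshold, delay schedule and clock source are constructed assumptions.

@dataclass
class LoginState:
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # earliest time another attempt is accepted
    locked: bool = False     # set after max_failures; only admin_reset clears it

class LoginGuard:
    def __init__(self, max_failures=5, base_delay=2.0, clock=time.monotonic):
        self.max_failures = max_failures  # administrator-tunable lockout threshold
        self.base_delay = base_delay
        self.clock = clock                # injectable for deterministic tests
        self.users = {}

    def delay_for(self, failures):
        """Wait time after the n-th consecutive failure: 2s, 4s, 8s, ..."""
        return self.base_delay * (2 ** (failures - 1))

    def attempt(self, user, password_ok):
        """Returns 'ok', 'locked', 'too_early' or 'rejected'."""
        st = self.users.setdefault(user, LoginState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.not_before:
            # Inside the back-off window: refuse without checking the password.
            return "too_early"
        if password_ok:
            self.users[user] = LoginState()  # success clears the failure history
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return "locked"
        st.not_before = now + self.delay_for(st.failures)
        return "rejected"

    def admin_reset(self, user):
        """Administrator-only unlock; a user cannot clear their own lockout."""
        self.users[user] = LoginState()
```

Attempts made inside the back-off window are refused before the password is checked, so rapid retries neither succeed nor advance the counter.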
An Xray administrator may now view the Xray system log file in the Admin module, with the ability to filter log messages from the different services behind Xray.
- A bug preventing Xray from reaching the global database server when a proxy server is configured was fixed.
- Performance when synchronizing the global database to Xray has been greatly improved. The overall process time is dramatically reduced, both for a first-time synchronization, and for periodic updates.
- A mechanism has been added to prevent brute force attacks on Xray by locking out users with multiple failed login attempts.
- A bug that prevented upgrade when the upgrade archive was extracted in the same folder as the previous version, has been fixed.
- The impact path of an artifact is now displayed as a full path including the Artifactory instance and the repository in which the impacted artifact is hosted.
- The Xray log can now be viewed by an administrator in the Admin module System Logs page.
Released March 7, 2017
- Xray's analysis process performance has been greatly improved.
- Performance when generating a security report has been greatly improved, especially for Xray instances that have indexed thousands of artifacts.
- Alerts can now be sorted by severity, and when viewing the details for a selected alert, the tab title also displays its severity.
- A bug in which some impacted artifacts were omitted from the security report has been fixed.
- A bug in which offline database sync was failing due to components not being found has been fixed.
- The scanning process performance has been greatly improved.
- When viewing a component's details page, vulnerabilities and licenses of its child components are also displayed.
Released March 14, 2017
- An issue causing proxy server functionality to fail has been fixed.
Released March 22, 2017
- Improved performance of both the indexing and scanning processes.
- Improved performance of security report generation.
Released January 4, 2017
Dependency Graph APIs
JFrog Xray exposes its dependency graphs to any external source with access to its REST APIs. Through a simple REST API call, you can now receive the full dependency graph of any component or build as a JSON object, or compare the dependency graphs of any two components or builds to get a clear indication of the differences between them and easily home in on new dependencies that may have introduced issues and vulnerabilities.
Editing System Watches
System watches are created when a repository in Artifactory has been configured to block downloads. To provide more flexibility and finer control over when alerts should be generated, system watches can now be edited by Xray admin users.
Handling components with unknown licenses is a matter of your organization's policy. Xray now allows you to specify if these components should trigger alerts or not.
- Dependency Graph APIs allowing you to get the graph of any artifact or build, and compare any two artifacts or builds.
- System watches can now be edited by Admin users.
- Allowed and Banned License filters now allow you to specify "Unknown" so you can decide if components with unknown licenses should trigger alerts or not.
- When indexing Docker images, Xray now also indexes Debian and RPM packages in the image OS layer.
- The onboarding wizard UI has been improved for usability and to allow indexing selected repositories on the spot.
- The Security Report display has been improved.
Released January 9, 2017
- Fixed an issue that caused a database connection leak.
- Fixed handling of gzip files with invalid headers.
Released January 10, 2017
- Fixed an issue that prevented microservices from writing entries to system logs.
Released December 20, 2016
JFrog Xray adds a new report that shows you which vulnerabilities have the most far-reaching consequences in your code, which components in your code base have the most reported vulnerabilities, and the most recently detected vulnerabilities and infected components.
Black Duck Integration
JFrog Xray has integrated with Black Duck Software as a new external vulnerability provider. Black Duck automates the process of securing and managing open source software by helping you comply with open source license requirements and providing security alerts about vulnerabilities discovered in open source components.
Released December 4, 2016
The onboarding experience has been improved in several ways including a wizard that guides you through the first essential steps of configuring Xray.
The Integrations UI has been modified to be more flexible and efficiently accommodate any number of integrations with external issue and vulnerability providers.
Artifact and Build Summary REST API
The Artifact and Build Summary REST API endpoints provide general information about an artifact or build, as well as an aggregated list of issues and OSS licenses associated with it.
- Onboarding improvements including an Onboarding wizard
- Flexible UI for integrations
- Artifact Summary and Build Summary REST APIs
Released November 6, 2016
Generate a report that shows the distribution of open source licenses used by artifacts indexed by Xray, as well as their compliance with the "Allowed Licenses" and "Banned Licenses" filters defined in all Watches in the system.
Xray now monitors a variety of system parameters and reports on their status to let you easily diagnose problems.
You can now create filters on watches based on the minimum severity of issues associated with indexed artifacts.
- License reports for distribution of OSS licenses and compliance with watches defined.
- Self-monitoring system status
- Checksum calculation has been optimized by running it asynchronously.
- Issue filters based on minimum severity of an issue associated with an artifact.
Released September 22, 2016
Support for Older Versions of Artifactory
JFrog Xray now supports all versions of JFrog Artifactory from v4.0 and above.
Synchronization with the Global Database Server
Previously, Xray would synchronize with the global database server automatically at set time intervals. To give you more control over usage of your system resources, you can now manually invoke initial synchronization and update with the global database server, and pause/resume synchronization if necessary.
Support for Non-Docker Installation
In addition to Docker, JFrog Xray is now available for installation in a variety of flavors including Ubuntu, CentOS, Red Hat, and Debian.
Support Download Blocking
JFrog Xray will annotate artifacts that have been identified with an issue in any connected instance of JFrog Artifactory so that the Artifactory administrator may block download of that artifact.
Integration with Aqua
If you have an account with Aqua, this integration lets you enable their feed as a source for alerts using your Aqua API key.
OSS License Policy
You may now implement an OSS license policy by defining a filter for watches based on a whitelist or blacklist of OSS licenses. Any component in the system that does not pass through the filter you define will generate an alert.
- Support for older versions of Artifactory - v4.0 and above
- Visibility and control over resource usage when synchronizing with the global database server
- Support for Linux installations
- Support download blocking
- Support for manually invoking and operating synchronization with the global database server
- Integration with Aqua
- OSS license policies
- Connect to Artifactory via an HTTP proxy.
August 1, 2016
JFrog is proud to announce the first official release, JFrog Xray 1.0. This version presents dramatic changes based on feedback received from customers using the previous "Preview" version released several weeks ago.
The entire onboarding process to get started with Xray is done within Xray. This includes adding Artifactory instances, specifying repositories for indexing, triggering indexing and getting status on the indexing process.
Watches and alerts now aggregate all types of analysis performed. You simply define the context you are interested in for a Watch (repository, build or all artifacts), and view aggregated information on issues detected and artifacts impacted in the resulting alert.
Focusing on the most relevant issues and alerts
You can now choose to ignore alerts or issues that have been resolved or are not interesting to you either for a specific alert instance or permanently.
While JFrog Xray comes preconfigured with a database of issues and affected software artifacts, it is also open to integration with additional vulnerability providers. This version comes with the ability to add Whitesource, a simple but powerful open source security and license management solution.
Manually Invoking a Scan
A new Watch will only apply to new artifacts or issues that arise after it has been created. This version adds the ability to run an analysis manually and apply a new Watch to existing artifacts and issues.
- Easy onboarding
- Unified analysis with Watches.
- Focusing on important issues using "ignore" rules.
- Integration with Whitesource.
- Manually invoking a scan.
- View all alerts or only those based on watches you defined.
- Support for an HTTP proxy to communicate with external networks.
August 11, 2016
This is a minor update that fixes an issue with indexing and adds a limitation on the storage Xray consumes.
- Fixed an issue that caused the indexing process to be terminated in certain cases.
- Xray now limits the storage it utilizes when downloading artifacts for indexing.
July 3, 2016
JFrog is proud to release JFrog Xray!
JFrog Xray performs universal artifact analysis, recursively scanning all layers of your binary packages to provide radical transparency and unparalleled insight into your software architecture. JFrog Xray works with most package formats and is fully integrated with JFrog Artifactory.
The Home screen is your dashboard, where you can monitor the Artifactory instances Xray is connected to, component graphs, and alerts.
Watches monitor artifacts for issues, and trigger alerts if any are found. A Scanning watch monitors a named build or repository in Artifactory and triggers an alert if any dependency with issues is found. An Impact Analysis watch listens to all providers streaming information to Xray and performs an impact analysis on all components in its database for any issues reported.
Alerts provide details about any issue found with any component, showing the full infection path through the component hierarchy.
View component relationships in your repositories to understand how one component affects others.
Automate component analysis through the rich Xray REST API.