Released April 16, 2018
Xray High Availability
JFrog Xray 2.0 introduces a highly available active-active cluster architecture, ensuring continuous security and governance to your software packages.
Improved Performance and Resilience
You can now scale your Xray environment with as many nodes as you need. This enhances Xray’s performance by delegating all workload across available cluster nodes, through a load balancer.
In case one or more nodes is unavailable or down for upgrade, the load is shared between the remaining nodes, ensuring optimal resilience and uptime.
Xray seamlessly and instantly synchronizes all data, configuration, cached objects and scheduled job changes across all cluster nodes.
Xray’s self-monitoring mechanism, which provides you with system availability issues, has now been enhanced to let you know which node is affected.
In addition, Xray will provide cluster health information in a new page called “High Availability”, showing health information of every node and every microservice.
Easy HA Setup
Xray allows you to easily install a full HA cluster in minutes, or upgrade your existing Xray environment.
Watch Violations View
In addition to viewing your policy violations in the component details view, the Xray UI has been enhanced with a new violations view that displays all defined violations in the context of a specific watch.
Automatic Xray Upgrade
Xray can now be upgraded automatically with a “use defaults” parameter, eliminating any manual script inputs. This parameter uses a default configuration for new installations and an existing configuration for upgrades.
Component Search by CVE
Xray now allows you to search for the components in your organization which are impacted by a specific security vulnerability CVE id.
Released April 23, 2018
- Fixed an issue in which when viewing certain Watch Violations, the name of the component that triggered the violation was not displayed
- Fixed an issue that prevented setting up Xray HA on cloud-native environments such as Kubernetes
- Fixed an issue that prevented upgrading some Docker installation from Xray 1.x to Xray 2.x
Released May 6, 2018
- Fixed multiple issues related to builds containing Docker Images
Released March 28, 2018
Improved Integration with Artifactory
JFrog Xray 1.12 jointly released with JFrog Artifactory 5.10, presents significant changes in how these two complementary applications are integrated to improve usability and stability.
Upgrade Xray first
For this joint release of JFrog Artifactory 5.10 and JFrog Xray 1.12, we strongly recommend first upgrading your Xray installation to version 1.12 and only then upgrading Artifactory.
Previously, an artifact's scan status was stored in Artifactory by annotating the artifact with a set of properties such as indexing status, last update, top vulnerability severity and block status. From this version, these properties will be removed. Artifactory will fetch an artifact's scan status on demand when it is selected in the tree browser.
This is a breaking change which restricts compatibility of Artifactory and Xray versions as described in the following table:
Since both Artifactory and Xray are upgraded, the new integration is fully functional as designed.
In this combination, the integration will not work since the new version of Artifactory will query Xray for scan status, however, the old version of Xray does not have the required REST API endpoints.
This combination is supported. Artifactory will continue to display each artifact's scan status, however, it will use previous mechanism that uses properties.
If neither Artifactory nor Xray are upgraded, the integration will work using the previous mechanism that displayed scan status as a set of properties on the artifact.
Improved Download Blocking
From this release, download blocking has been removed from Artifactory and is, instead, configured in Xray as "Block Download" action on a Watch. This creates a more intuitive and consistent workflow giving you full control over all actions on an Artifact that has a violation in one place.
Better Build Control
Previously, all builds in Artifactory were indexed by Xray potentially causing visual clutter as less important builds such as snapshots would get indexed. From this version, Xray lets you select which builds to index, letting you focus your analyses on more significant build processes.
Reapply Indexing to Your Builds
During the upgrade process to Xray 1.12, the indexing is cleared from all of the builds. To reapply indexing, you need to explicitly apply indexing to the builds of your choice.
Component-Driven Workflow: Watch Violations
Previously, Xray brought vulnerabilities to your attention in the form of Alerts. But since alerts may aggregate several issues, each of which may affect multiple artifacts and builds, they made it difficult to understand all the issues affecting a particular component. Continuing Xray's evolution to a component-driven workflow, this version introduces Watch Violations.
Watch violations are displayed directly on the Component Details panel making it easy to identify all the security, license and custom issues affecting the component.
Support for Additional Package Types
From this version, Xray supports indexing and scanning Gradle, Ivy and SBT packages.
Released April 2, 2018
This patch fixes these issues that were discovered in version 1.12:
- Fixed an issue in which the “Block Download” action did not work when creating a watch on a remote repository when Artifactory versions lower than 5.10.
- Fixed an issue in which deleting a custom issue did not impact the “Block Download” action when using Artifactory versions lower than 5.10.
- Added the ability to automatically index all builds by Xray via a configuration parameter.
Released February 18, 2018
Enhanced Snyk Integration
The Snyk integration has expanded in JFrog Xray to provide scanning for vulnerabilities in open source dependencies across all major programming languages. Snyk support includes six additional package types to the already supported npm packages. Xray also provides two levels of Snyk integrations: Snyk Basic and Snyk Premium.
Assign OSS Licences to Components
This release provides these advanced OSS licenses functionalities:
- Assign custom licenses to your components.
- View the source of the originated license - custom, JFrog, or a local file.
- View if the license was assigned directly to the component or propagated to parent components and is part of their license list.
Xray now displays all impact analysis and artifact scanning failures in the new Failure Messages page, in the Admin module. This page provides administrators a single place where they can easily identify the exact step in the scanning and impact analysis Xray process in which it failed, allowing them to fix the issue and retry the step.
Released January 2, 2018
Project Grafeas defines an open, unified metadata exchange format and API that will create a uniform and consistent way to produce and consume metadata from software components. By fully supporting the Grafeas API, Xray acts as a portal to Grafeas providing your software supply chain with an unprecedented abundance of metadata that can be easily be put to use in automated auditing and governance processes. This release of Xray exposes a set of Grafeas endpoints that are fully integrated into the Xray REST API.
Externalization of Databases
Xray works with a number of third party services, such as various databases, which were previously pre-installed with the other Xray microservices. From Xray 1.10, you have more control over your resource allocation and you can direct Xray to use an external RabbitMQ, MongoDB or PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.
Improved Database Sync
Database synchronization has been significantly improved resulting in a smoother workflow, data compression and boosted performance. The enhanced compression and performance promote stability and robustness to transient network issues. Depending on your hardware, network and other factors, this may improve performance by up to 70%.
Expanded IDE Integration
In addition to UI improvements, the JFrog IntelliJ IDEA plugin has been updated to support scanning of Gradle and npm package formats in addition to the existing Maven package format.
- Improved performance of Alerts page.
- Fixed an issue whereby Ignore Rules were not fetched when their associated Watch was deleted.
- Fixed an issue whereby the Event microservice crashed due to a missing checksum returned from a property search made for a build's items.
- Fixed an issue whereby deployed Docker Images with same SHA256 value got stuck in the analysis retry queue.
- Fixed an issue whereby the Xray API 'Update User' command does not update the user, and returns a 404 error.
Released January 4, 2018
This release includes UI display issue fixes in the Integrations and Permissions pages.
Released December 3, 2017
Authentication Through External Providers (LDAP, SAML, Crowd etc.)
User management in Xray has been greatly simplified by adding the ability to authenticate users through your corporate LDAP/Crowd or SAML provider. All you need to do is define one of the connected Artifactory instances as an "Authentication Provider". This lets you import the LDAP/Crowd, SAML and internal Artifactory users and groups from the specified Artifactory instance to Xray, and then assign them permissions as needed.
This version introduces a flexible permissions model that gives an administrator fine-grained control over how users and groups access the different features of Xray. "Resources" define the scope of a permission and specify the repositories and builds in the connected Artifactory instance to which the permission applies. You can then specify users and groups, internally defined in Xray or imported from a connected "authentication provider" as described above, and grant them privileges for the selected resources.
Improved performance of indexing and analysis for large-scale environments.
Improved database processes which significantly improve performance of certain recursive queries
Fixed an issue in which Xray would not delete files that were moved to the RabbitMQ failure queue.
Fixed several issues connected to identifying the OS layer and its installed packages in Docker images.
Fixed an issue that would cause RabbitMQ to drain available RAM on large scale environments by loading a large number of messages.
Released July 13, 2017
Xray's current work flow is event-driven creating alerts with stateless information; a snapshot of builds and components at an instant in time. In this release, we are adding support for a new and more intuitive workflow which is content-driven in that issues are displayed based on the components you are interested in. This has a huge impact on how you navigate your way to the most relevant content. The high-level flow can be summarized as:
Search for components → Drill down → Examine issues
Enhanced Search: Xray now provides enhanced search allowing you to search for specific components through a set of search filters such as package type, issue severity, version and more.
Rich component display: From the search results, you can select the component that interests you and view a rich display that provides details of all versions of the selected component
Examine issues: Selecting any issue from the components display provides detailed information on the issue as well as a list of all the artifacts and builds on which it has an impact.
Recommendations for Remediation
In addition to providing a comprehensive list of versions in which a vulnerability exists for an infected component, the rich component display in the content-driven workflow also indicates in which version a vulnerability has been fixed (if available) and recommends upgrading to that version
JFrog IntelliJ IDEA Plugin
With the JFrog IntelliJ IDEA Plugin, you can scan your Maven project dependencies using Xray and view vulnerabilities during development time directly from within the IntelliJ IDE. IDE integration support will continue to expand to additional industry-standard IDEs, and to additional package formats.
JFrog Xray expands its CI/CD integration capabilities by adding support for TeamCity, enabling you to scan builds, generate reports and even fail build jobs if they use components with known vulnerabilities. This is an effective way to prevent builds with vulnerabilities from entering production systems.
Enhanced Vulnerability Data
Processing of raw vulnerability data has been greatly enhanced based on improved algorithms and heuristics to correlate and match data from different sources to the right component and version. This new data model provides greater and more accurate details about vulnerabilities such as infected version ranges, fix versions and more. It also allows better identification of infected components. In the case of Maven components, the vulnerability data has been completely replaced and undergoes manual curation before being loaded into the database resulting in better coverage with fewer false-positives.
Note that you need to perform a database sync (whether you are working in online or offline mode) to work with the enhanced vulnerability data.
Improved Scanning Performance
Performance of scanning new builds and artifacts has been dramatically improved to orders of magnitude. Since this is the most common process that Xray performs the improvement results in Xray being more responsive on the whole. In particular, the performance and accuracy of Docker images analysis has been greatly improved.
Support for Docker Images in Builds
Docker images encased in builds are now scanned and indexed just like any other build dependency.
- Fixed an issue in which Xray listed a component as having an "Unknown" license, even though specific known licenses were identified.
- Fixed an issue in which npm dependencies with vulnerabilities were downloaded even when their hosting repository in Artifactory was set to block downloads.
Released July 17, 2017
- Fixed an issue which may have caused a slow database migration when upgrading Xray to a new version.
Released July 31, 2017
Fixed an issue with Xray's analysis process causing component license data to be saved multiple times, potentially consuming high amounts of memory and disk space.
Fixed an issue where license issues in alerts did not have an impact path.
SaaS users will now receive email notifications with a default mail server configuration.
Released August 3, 2017
Issues and their status, contained within Docker images in a build, are now properly propagated.
Released August 22, 2017
- Xray now gives you the option of selecting a custom location for your Xray data and PostgreSQL directories during an installation or upgrade process.
- Xray has undergone system-wide performance improvements which can be seen in several screens including Components, Issues in component details, Alerts, Security Reports and more.
- When viewing component details, you can filter the issues displayed by their Summary field.
- The Reports module has undergone several improvements in UI display and performance
Fixed an issue in which the All Alerts tab in the Alerts screen would appear empty even when alerts were present.
Released August 24, 2017
Fixed an issue where some filter selections in the Component Search did not return all applicable results.
- Fixed an issue with the “Cancel” button in the Artifactory instance details page.
- Fixed an issue where data migration was not running properly when upgrading to Xray 1.8.3 resulting in many errors in the log file.
Released September 25, 2017
This release brings significant OSS licenses functionalities for improved license coverage, including the ability to parse license from files, license content analysis and GitHub license matching.
- Xray will now support parsing OSS license information from all popular license file conventions, such as "*.pom" and "license.txt" metadata files.
- An additional layer of matching logic will now be used to help classify even more OSS licenses that may have been slightly modified, by analyzing the license content and comparing it to known license types.
- Xray is now able to get license information from GitHub for components with a GitHub page.
The Xray installer now supports writing the installation / upgrades outputs to an installer log for better traceability.
The license tab will now show a "0" in the tab header when a license cannot be identified. Licenses that are identified as "unknown" will include a proper placeholder in the component details page.
- Better handling of multiple files associated with the same component id.
The Xray Docker installation does no longer require root privileges to run.
Released October 17, 2017
- Performance improvements in the analysis process and Memory Consumption Enhancements.
Released October 19, 2017
- Fixed an issue in which when Xray's indexing process would fail, under certain conditions, temporary files would not be removed which could eventually deplete available storage on the filesystem.
Released April 20, 2017
New Home Page: The Xray Home page has been completely redesigned to act as a dashboard that provides a wealth of useful information. At a glance, understand your general system health, get an overview of components and alerts, system scan status, database sync status and more.
Package Type filter for Component search: The Components page now includes a Package Type filter that lets you focus on specific package types making it easier for you to search for specific components.
- If an external integration is removed, Xray will now also remove any alerts related to that integration
- Custom issues are now aggregated together with security vulnerabilities when viewing Component details and in REST API responses.
- Fixed an issue with updating properties in Artifactory that are related to Xray's indexing status.
Released April 24, 2017
- Fixed an issue with file paths that sometimes led to the wrong location.
- Fixed an issue with migration for component license migration.
Released June 5, 2017
- Xray now adds a timestamp indication to build snapshots. This ensures that each snapshot will have a unique name, making it easier to work with snapshots.
- When updating to a new version requires migration of the database (which may take some time), Xray will now show how the upgrade is progressing and provide error information if the upgrade fails.
- Xray's logging facility has been improved so that you no longer have to restart Xray if you want to change the log level for any of it's services.
- Xray's search has been enhanced so that in addition to package type, you can now also filter searches by component type (artifacts or builds).
- Fixed an issue that prevented creation of custom issues due to an error in parsing the timestamp when it included the Z timezone indicator.
- Fixed an issue that prevented Xray from annotating artifacts in Artifactory whose name included certain special characters.
- Fixed an issue in which the Xray base URL in the config descriptor for a connected Artifactory instance would not be updated when the base URL was modified.
- Fixed an issue in which the status of some artifacts would not be modified even after they were scanned, and, as a result, their download was blocked when download blocking was enabled in Artifactory for unscanned artifacts.
Released June 6, 2017
- Fixed an issue introduced in version 1.7.2 which, under certain conditions, caused a database connection leak.
Released June 8, 2017
- Fixed an issue that prevented Xray from synchronizing its database and indexing artifacts due to too many idle connections to its PostgreSQL database.
Released June 25, 2017
Xray now supports setting the system log level for each of the microservices without having to restart the Xray server.
- Fixed an issue in which Docker images, whose full set of layers were already included in another indexed image, would not get indexed.
- Fixed an issue in which the Artifact Summary REST API endpoint did not provide license information if there were no Allowed or Banner License filters defined for a watch.
Released January 18, 2017
JFrog Xray takes an active role in your CI/CD pipeline to indicate you should fail build jobs if your build or any of its dependencies have vulnerabilities. Your CI server (currently, Jenkins CI is supported) can now send a request to Xray to scan a build that was uploaded to Artifactory. In accordance with Watches you may define, Xray will scan the build, and if vulnerabilities that trigger an alert are found, Xray can now respond to the inquiring CI server that the build job should fail.
- Fail build jobs according to Watch specifications if build artifacts or their dependencies contain vulnerabilities.
- Changes in the UI for Watches replacing "Notifications" with "Actions", and the addition of the Fail Build Job action to support CI/CD integration
- "All Builds" has been added a new target type for watches so you can specify that all builds uploaded to Artifactory are scanned by Xray, not only specific builds you configure into the Watch.
Released January 25, 2017
- An issue that was causing artifact indexing to fail has been fixed.
Released February 12, 2017
Preventing Brute Force Attacks
Xray has been equipped with a login protocol to prevent brute force attacks. When Xray encounters multiple login attempts by the same user, Xray steadily increases the time interval that the user must wait before attempting login again. After a specific number of failed login attempts, the user will be locked out of his account. At that point, login can only be reset by an Xray administrator. The administrator has full control over the number of failed login attempts to lock the user out.
An Xray administrator may now view the Xray system log file in the Admin module, with the ability to filter log messages from the different services behind Xray.
- A bug preventing Xray from reaching the global database server when a proxy server is configured was fixed.
- Performance when synchronizing the global database to Xray has been greatly improved. The overall process time is dramatically reduced, both for a first-time synchronization, and for periodic updates.
- A mechanism has been added to prevent brute force attacks on Xray by locking out users with multiple failed login attempts.
- A bug that prevented upgrade when the upgrade archive was extracted in the same folder as the previous version, has been fixed.
- The impact path of an artifact is now displayed as a full path including the Artifactory instance and the repository in which the impacted artifact is hosted.
- The Xray log can now be viewed by an administrator in the Admin module System Logs page.
Released March 7, 2017
- Xray's analysis process performance has been greatly improved
- Performance when generating a security report has been greatly improved, especially for Xray instances that have indexed thousands of artifacts.
- Alerts can now be sorted by severity, and when viewing the details for a selected alert, the tab title also displays its severity.
- A bug in which some impacted artifacts were omitted from the security report has been fixed.
- A bug in which offline database sync was failing due to components not being found has been fixed.
- The scanning process performance has been greatly improved
- When viewing a component's details page, vulnerabilities and licenses of it's child components are also displayed.
Released March 14, 2017
- An issue causing proxy server functionality to fail has been fixed.
Released March 22, 2017
- Improve performance of both the indexing and scanning processes.
- Improve performance of security report generation.
Released January 4, 2017
Dependency Graph APIs
JFrog Xray exposes its dependency graphs to any external source with access to its REST APIs. Through a simple REST API call, you can now receive the full dependency graph of any component or build as a JSON object, or compare the dependency graphs of any two components or builds to get a clear indication of the differences between them and easily hone in on new dependencies that may have introduced issues and vulnerabilities.
Editing System Watches
System watches are created when a repository in Artifactory has been configured to block downloads. To provide more flexibility and finer control over when alerts should be generated, system watches can now be edited by Xray admin users.
Handling components with unknown licenses is a matter of your organization's policy. Xray now allows you to specify if these components should trigger alerts or not.
- Dependency Graph APIs allowing you to get the graph of any artifact or build, and compare any two artifacts or builds.
- System watches can now be edited by Admin users.
- Allowed and Banned License filters now allow you to specify "Unknown" so you can decide if components with unknown licenses should trigger alerts or not.
- When indexing Docker images, Xray now also indexes Debian and RPM packages in the image OS layer.
- The onboarding wizard UI has been improved for usability and to allow indexing selected repositories on the spot.
- The Security Report display has been improved.
Released January 9, 2017
- Fixed an issue that caused a database connection leak
- Fixed handling of gzip files with invalid headers
Released January 10, 2017
- Fixed an issue that prevented microservices from writing entries to system logs
Released December 20, 2016
JFrog Xray adds a new report that shows you which vulnerabilities have the most far reaching consequences in your code, and which components in your code base have the most reported vulnerabilities, as well as recent vulnerabilities and infected components that were detected.
Black Duck Integration
JFrog Xray has integrated with Black Duck Software as a new external vulnerability provider. Black Duck automates the process of securing and managing open source software by helping you comply with open source license requirements and providing security alerts about vulnerabilities discovered in open source components.
Released December 4, 2016
The onboarding experience has been improved in several ways including a wizard that guides you through the first essential steps of configuring Xray.
The Integrations UI has been modified to be more flexible and efficiently accommodate any number of integrations with external issue and vulnerability providers.
Artifact and Build Summary REST API
The Artifact and Build Summary REST API endpoints provides general information about an artifact or build as well as an aggregated list of issues and OSS licenses associated with them.
- Onboarding improvements including an Onboarding wizard
- Flexible UI for integrations
- Artifact Summary and Build Summary REST APIs
Released November 6, 2016
Generate a report that shows the distribution of open source licenses used by artifacts indexed by Xray, as well their compliance with "Allowed Licenses" and "Banned Licenses" filters defined in all watches in the system.
Xray now monitors a variety of system parameters and reports on their status to let you easily diagnose problems.
You can now create filters on watches based on the minimum severity of issues associated with indexed artifacts.
- License reports for distribution of OSS licenses and compliance with watches defined.
- Self-monitoring system status
- Checksum calculation has been optimized by running it asynchronously.
- Issue filters based on minimum severity of an issue associated with an artifact.
Released September 22, 2016
Support for Older Versions of Artifactory
JFrog Xray now supports all versions of JFrog Artifactory from v4.0 and above
Synchronization with the Global Database Server
Previously, Xray would synchronize with the global database server automatically at set time intervals. To give you more control over usage of your system resources, you can now manually invoke initial synchronization and update with the global database server, and pause/resume synchronization if necessary.
Support for Non-Docker Installation
In addition to Docker, JFrog Xray is now available for installation in a variety of flavors including Ubuntu, CentOS, Red Hat, and Debian.
Support Download Blocking
JFrog Xray will annotate artifacts that have been identified with an issue in any connected instance of JFrog Artifactory so that the Artifactory administrator may block download of that artifact.
Integration with Aqua
If you have an account with Aqua, this integration lets you enable their feed as a source for alerts using your Aqua API key.
OSS License Policy
You may now implement an OSS license policy by defining a filter for watches based on a whitelist or blacklist of OSS licenses. Any component in the system that does not pass through the filter you define will generate an alert.
- Support for older versions of Artifactory - v4.0 and above
- Visibility and control over resources with synchronizing with the global database server
- Support for Linux installations
- Support download blocking
- Support for manually invoking and operating synchronization with the global database server
- Integration with Aqua
- OSS license policies
- Connect to Artifactory via an HTTP proxy.
August 1, 2016
JFrog is proud to the first official release JFrog Xray 1.0. This version presents dramatic changes based on feedback recieved from customers using the previous "Preview" version released several weeks ago.
The entire onboarding process to get started with Xray is done within Xray. This includes adding Artifactory instances, specifying repositories for indexing, triggering indexing and getting status on the indexing process.
Watches and alerts now aggregate all types of analysis performed. You simply define the context you are interested in for a Watch (repository, build or all artifacts), and view aggregated information on issues detected and artifacts impacted in the resulting alert.
Focusing on the most relevant issues and alerts
You can now choose to ignore alerts or issues that have been resolved or are not interesting to you either for a specific alert instance or permanently.
While JFrog Xray comes preconfigured with a database of issues and affected software artifacts, it is also open to integration with additional vulnerability providers. This version comes with the ability to add Whitesource, a simple but powerful open source security and license management solution.
Manually Invoking a Scan
A new Watch will only apply to new Artifacts or issues that arise after it has been created. This version adds the ability to run an analysis manually and apply a new Watch on existing artiafcts and issues.
- Easy onboarding
- Unified analysis with Watches.
- Focusing on important issues using "ignore" rules.
- Integration with Whitesource.
- Manually invoking a scan.
- View all alerts or only those based on watches you defined.
- Support for an HTTP proxy to communicate with external networks.
August 11, 2016
This is a minor update that fixes an issue with indexing and adds a limitation on the storage Xray consumes.
- Fixed an issue that caused the indexing process to be terminated in certain cases.
- Xray now limits the storage it utilizes when downloading artifacts for indexing.
July 3, 2016
JFrog is proud to release JFrog Xray!
JFrog Xray performs universal artifact analysis, recursively scanning all layers of your binary packages to provide radical transparency and unparalleled insight into your software architecture. JFrog Xray works with most package formats and is fully integrated with JFrog Artifactory.
The Home screen is your dashboard where you can monitor Artifactory instance Xray are connected to, component graphs and alerts.
Watches monitor artifacts for issues, and trigger alerts if any are found. A Scanning watch monitors a named build or repository in Artifactory and triggers an alert if any dependency with issues is found. An Impact Analysis watch listens to all providers streaming information to Xray and performs an impact analysis on all components in its database for any issues reported.
Alerts provide details about any issue found with any component, showing the full infection path through the component hierarchy.
View component relationships in your repositories to understand how one component affects others.
Automate component analysis through the rich Xray REST API.