JFrog Xray 1.x User Guide
Released: December 11, 2018
Released: October 10, 2018
Watches have undergone significant changes to improve usability and effectiveness in detecting violations.
Multiple resources per watch: You can now add multiple resources to a watch and include any number of repositories or builds while specifying a separate set of filters to apply for each resource. When scanning an artifact, Xray processes each resource and its filters before going on to the next one. If an artifact passes through all filters, Xray will then process the policies defined for the Watch to determine what, if any, action should be taken.
Artifact path filter: You now specify a relative expression to filter artifacts according to their path within a repository. This is in addition to the "Name" filter (formerly known as the "Regex" filter) which filters artifacts based on their name.
Watches REST API: This release introduces V2 of the REST API. Currently, only the endpoints related to Watches have been updated to accommodate the significant changes to Watches in this release. Note that the REST API is backward compatible and will continue to support V1 endpoints, including those related to Watches for older versions of Xray.
Xray now supports indexing and scanning of Alpine OS packages including recursive analysis, component graph integration and providing detailed metadata information.
The UI of the Locations tab in the Component Details panel has been improved to give a clearer indication of where the artifacts of a scanned component can be found.
Red Hat 6 on GCP not supported
There is a known issue in this release in which Xray cannot be installed on a Red Hat 6 machine on Google Cloud Platform (GCP) due to a missing OS dependency in RHEL 6.
mailNoSsl:true was also configured in Xray's configuration file.
Released: October 15, 2018
Fixed an issue in which Xray would report Critical vulnerabilities as Major.
Released: October 25, 2018
Released November 8, 2018
Fixed an issue that prevented creation of the impact analysis graph for complex components.
Fixed an issue in which Xray would ignore a scheduling parameter for maintenance cleanup jobs.
Fixed an issue that caused Xray to hang when presenting component details.
Released: August 20, 2018
Xray now supports configuring SSL on your web server in the Admin module in the HTTP Settings screen. By default, the HTTP port is set in the config.yaml file and all that is left is to specify the path that leads to your SSL key and SSL Certificate.
The Component License Report in Xray helps you stay compliant and avoid legal violations due to problematic components that may exist in your builds or artifacts. Based on the metadata generated in Xray, you can generate a license report for every build or artifact that will list all of the OSS licenses used directly or indirectly.
As part of the JFrog SLA based support, you can now generate an information bundle in the Admin module in the Support Zone screen. When opening a support ticket, you can attach the information bundle to expedite handling of your issue.
JFrog Xray exposes its policies to any external source with access to its REST APIs. Through a set of simple REST API calls, you can create, delete, view and assign policies to watches.
7z compression has been added to the list of compression technologies that Artifactory already supports including Tar (Bz2, Gz, Z, infl, Xp3, xz), Zip, rpm, deb, and 7zip.
Released August 28, 2018
Released September 2, 2018
Released September 26, 2018
Released July 2, 2018
Xray introduces a new Policy entity that enforces security and license compliance behaviors, which were previously part of a Watch. In previous versions, a watch included the target resources, such as repositories and builds, being scanned as well as the security and license violation criteria and actions to take. From this version, these are separated for enhanced manageability and maintenance.
Policies now enable you to create a set of rules, in which each rule defines a license/security criteria, with a corresponding set of automatic actions according to your needs.
Watches now only define the scope of the resources you want to watch. You can define a policy once and assign it to as many watches as you like.
Separating the behavior you want to enforce from the context you want to enforce it on provides you with the following values:
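As an added illustration (not Xray's own code) of the Watch/Policy split described in this release and of the per-resource filters introduced in the October 2018 Watches rework above: a watch only defines scope (resources, each with its own "Name" and "Artifact path" filters), policies hold the rules and actions, and one policy is reused by two watches. Resource, PolicyRule, Policy, Watch, evaluate() and the sample artifacts are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative model of the Watch / Policy split, not Xray's own code.
# Resource, PolicyRule, Policy, Watch and evaluate() are names assumed for this example.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Artifact:
    repo: str
    path: str                 # path relative to the repository root
    name: str
    severity: Optional[str]   # top vulnerability severity, None when clean
    licenses: list

@dataclass
class Resource:
    """One repository in a Watch, carrying its own pair of filters."""
    repo: str
    name_filter: Optional[str] = None   # regex on the artifact name ("Name" filter)
    path_filter: Optional[str] = None   # regex on the relative path ("Artifact path" filter)

    def matches(self, a: Artifact) -> bool:
        if a.repo != self.repo:
            return False
        if self.name_filter and not re.search(self.name_filter, a.name):
            return False
        if self.path_filter and not re.search(self.path_filter, a.path):
            return False
        return True

@dataclass
class PolicyRule:
    """A security/license criterion plus the automatic actions it triggers."""
    name: str
    actions: list
    min_severity: Optional[str] = None
    banned_licenses: frozenset = frozenset()

    def violated_by(self, a: Artifact) -> bool:
        too_severe = bool(self.min_severity and a.severity
                          and SEVERITY_RANK[a.severity] >= SEVERITY_RANK[self.min_severity])
        return too_severe or bool(self.banned_licenses & set(a.licenses))

@dataclass
class Policy:
    name: str
    rules: list

@dataclass
class Watch:
    name: str
    resources: list   # scope only: which repositories (with filters) are watched
    policies: list    # behavior is delegated to reusable policies

def evaluate(watch: Watch, a: Artifact):
    """Return (in_scope, actions). Each resource is checked with its own filters;
    policies are processed only for artifacts that pass some resource's filters."""
    if not any(r.matches(a) for r in watch.resources):
        return False, []
    actions = []
    for policy in watch.policies:
        for rule in policy.rules:
            if rule.violated_by(a):
                actions.extend(x for x in rule.actions if x not in actions)
    return True, actions

def demo():
    # Constructed sample data: one policy reused by two watches with different scopes.
    security = Policy("security", [
        PolicyRule("high-or-above", ["Fail build", "Block download"], min_severity="High"),
        PolicyRule("copyleft", ["Notify"], banned_licenses=frozenset({"GPL-3.0"})),
    ])
    releases = Watch("releases", [Resource("libs-release", path_filter=r"^org/acme/")], [security])
    snapshots = Watch("snapshots", [Resource("libs-snapshot", name_filter=r"\.jar$")], [security])
    app = Artifact("libs-release", "org/acme/app/1.0/app-1.0.jar", "app-1.0.jar", "Critical", ["GPL-3.0"])
    other = Artifact("libs-release", "com/other/x/1.0/x-1.0.jar", "x-1.0.jar", "Critical", [])
    clean = Artifact("libs-release", "org/acme/lib/2.0/lib-2.0.jar", "lib-2.0.jar", "Low", ["Apache-2.0"])
    return {
        "app@releases": evaluate(releases, app),        # in scope, both rules violated
        "app@snapshots": evaluate(snapshots, app),      # wrong repository: out of scope
        "other@releases": evaluate(releases, other),    # path filter not matched
        "clean@releases": evaluate(releases, clean),    # in scope, no violation
    }
```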
Released July 8, 2018
Released July 16, 2018
Released July 17, 2018
Released July 22, 2018
Released May 17, 2018
Announcing the new Enterprise+ Platform, that provides a complete solution for covering all the steps involved in creating a secure, trustworthy, and traceable software release in a multi-site development environment.
The solution works in conjunction with source version control, continuous integration, and deployment tools.
The JFrog Enterprise+ platform bundle includes:
JFrog Mission Control: all features available in Mission Control with the addition of:
the ability to add instances of Jenkins-CI, JFrog Distribution and JFrog Artifactory Edge as services in the system and monitor them
Insight and analytics on build processes through a set of metrics on the end-to-end build process
In addition to SAML/LDAP authentication capabilities, enabled once you select an authentication provider, from version 2.1 Xray is also integrated with OAuth. This allows you to delegate authentication requests to external providers and let users login to Xray using their accounts with those providers, according to the OAuth configuration in the authentication provider.
You can now filter the watch violations using the new search mechanism, according to text, created date, type, severity and CVE ID.
From Xray 2.1, SSO support has been added and allows you to log in to all your JFrog applications using a single set of user credentials that are stored in the Authentication Provider Artifactory instance. When SSO is applied, the user logs in to the JFrog product using a set of predefined credentials and is granted access across the board to the JFrog products. SSO eliminates the need to re-enter the credentials every time a product is accessed.
Released June 13, 2018
Released April 16, 2018
JFrog Xray 2.0 introduces a highly available active-active cluster architecture, ensuring continuous security and governance to your software packages.
You can now scale your Xray environment with as many nodes as you need. This enhances Xray’s performance by delegating all workload across available cluster nodes, through a load balancer.
In case one or more nodes is unavailable or down for upgrade, the load is shared between the remaining nodes, ensuring optimal resilience and uptime.
Xray seamlessly and instantly synchronizes all data, configuration, cached objects and scheduled job changes across all cluster nodes.
Xray’s self-monitoring mechanism, which provides you with system availability issues, has now been enhanced to let you know which node is affected.
In addition, Xray will provide cluster health information in a new page called “High Availability”, showing health information of every node and every microservice.
Xray allows you to easily install a full HA cluster in minutes, or upgrade your existing Xray environment.
In addition to viewing your policy violations in the component details view, the Xray UI has been enhanced with a new violations view that displays all defined violations in the context of a specific watch.
Xray can now be upgraded automatically with a “use defaults” parameter, eliminating any manual script inputs. This parameter uses a default configuration for new installations and an existing configuration for upgrades.
Xray now allows you to search for the components in your organization which are impacted by a specific security vulnerability CVE ID.
Released April 23, 2018
Released May 6, 2018
Released March 28, 2018
JFrog Xray 1.12 jointly released with JFrog Artifactory 5.10, presents significant changes in how these two complementary applications are integrated to improve usability and stability.
Upgrade Xray first
For this joint release of JFrog Artifactory 5.10 and JFrog Xray 1.12, we strongly recommend first upgrading your Xray installation to version 1.12 and only then upgrading Artifactory.
Previously, an artifact's scan status was stored in Artifactory by annotating the artifact with a set of properties such as indexing status, last update, top vulnerability severity and block status. From this version, these properties will be removed. Artifactory will fetch an artifact's scan status on demand when it is selected in the tree browser.
This is a breaking change which restricts compatibility of Artifactory and Xray versions as described in the following table:
Artifactory 5.10 with Xray 1.12: Since both Artifactory and Xray are upgraded, the new integration is fully functional as designed.
Artifactory 5.10 with Xray earlier than 1.12: In this combination, the integration will not work since the new version of Artifactory will query Xray for scan status; however, the old version of Xray does not have the required REST API endpoints.
Artifactory earlier than 5.10 with Xray 1.12: This combination is supported. Artifactory will continue to display each artifact's scan status; however, it will use the previous mechanism that uses properties.
Artifactory earlier than 5.10 with Xray earlier than 1.12: If neither Artifactory nor Xray are upgraded, the integration will work using the previous mechanism that displayed scan status as a set of properties on the artifact.
From this release, download blocking has been removed from Artifactory and is, instead, configured in Xray as "Block Download" action on a Watch. This creates a more intuitive and consistent workflow giving you full control over all actions on an Artifact that has a violation in one place.
Previously, all builds in Artifactory were indexed by Xray potentially causing visual clutter as less important builds such as snapshots would get indexed. From this version, Xray lets you select which builds to index, letting you focus your analyses on more significant build processes.
Reapply Indexing to Your Builds
During the upgrade process to Xray 1.12, the indexing is cleared from all of the builds. To reapply indexing, you need to explicitly apply indexing to the builds of your choice.
Previously, Xray brought vulnerabilities to your attention in the form of Alerts. But since alerts may aggregate several issues, each of which may affect multiple artifacts and builds, they made it difficult to understand all the issues affecting a particular component. Continuing Xray's evolution to a component-driven workflow, this version introduces Watch Violations.
Watch violations are displayed directly on the Component Details panel making it easy to identify all the security, license and custom issues affecting the component.
From this version, Xray supports indexing and scanning Gradle, Ivy and SBT packages.
Released April 2, 2018
This patch fixes these issues that were discovered in version 1.12:
Released February 18, 2018
This release provides these advanced OSS licenses functionalities:
Xray now displays all impact analysis and artifact scanning failures in the new Failure Messages page, in the Admin module. This page provides administrators a single place where they can easily identify the exact step in the scanning and impact analysis Xray process in which it failed, allowing them to fix the issue and retry the step.
Released January 2, 2018
Project Grafeas defines an open, unified metadata exchange format and API that will create a uniform and consistent way to produce and consume metadata from software components. By fully supporting the Grafeas API, Xray acts as a portal to Grafeas providing your software supply chain with an unprecedented abundance of metadata that can be easily be put to use in automated auditing and governance processes. This release of Xray exposes a set of Grafeas endpoints that are fully integrated into the Xray REST API.
Xray works with a number of third party services, such as various databases, which were previously pre-installed with the other Xray microservices. From Xray 1.10, you have more control over your resource allocation and you can direct Xray to use an external RabbitMQ, MongoDB or PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.
Database synchronization has been significantly improved resulting in a smoother workflow, data compression and boosted performance. The enhanced compression and performance promote stability and robustness to transient network issues. Depending on your hardware, network and other factors, this may improve performance by up to 70%.
In addition to UI improvements, the has been updated to support scanning of Gradle and npm package formats in addition to the existing Maven package format.
Released January 4, 2018
This release includes UI display issue fixes in the Integrations and Permissions pages.
Released December 3, 2017
User management in Xray has been greatly simplified by adding the ability to authenticate users through your corporate LDAP/Crowd or SAML provider. All you need to do is define one of the connected Artifactory instances as an "Authentication Provider". This lets you import the LDAP/Crowd, SAML and internal Artifactory users and groups from the specified Artifactory instance to Xray, and then assign them permissions as needed.
This version introduces a flexible permissions model that gives an administrator fine-grained control over how users and groups access the different features of Xray. "Resources" define the scope of a permission and specify the repositories and builds in the connected Artifactory instance to which the permission applies. You can then specify users and groups, internally defined in Xray or imported from a connected "authentication provider" as described above, and grant them privileges for the selected resources.
Improved performance of indexing and analysis for large-scale environments.
Improved database processes which significantly improve performance of certain recursive queries.
Fixed an issue in which Xray would not delete files that were moved to the RabbitMQ failure queue.
Fixed several issues connected to identifying the OS layer and its installed packages in Docker images.
Fixed an issue that would cause RabbitMQ to drain available RAM on large scale environments by loading a large number of messages.
Released July 13, 2017
Xray's current workflow is event-driven, creating alerts with stateless information: a snapshot of builds and components at an instant in time. In this release, we are adding support for a new and more intuitive workflow which is content-driven, in that issues are displayed based on the components you are interested in. This has a huge impact on how you navigate your way to the most relevant content. The high-level flow can be summarized as:
Search for components → Drill down → Examine issues
Enhanced Search: Xray now provides enhanced search allowing you to search for specific components through a set of search filters such as package type, issue severity, version and more.
Rich component display: From the search results, you can select the component that interests you and view a rich display that provides details of all versions of the selected component.
Examine issues: Selecting any issue from the components display provides detailed information on the issue as well as a list of all the artifacts and builds on which it has an impact.
In addition to providing a comprehensive list of versions in which a vulnerability exists for an infected component, the rich component display in the content-driven workflow also indicates in which version a vulnerability has been fixed (if available) and recommends upgrading to that version.
With the JFrog IntelliJ IDEA Plugin, you can scan your Maven project dependencies using Xray and view vulnerabilities during development time directly from within the IntelliJ IDE. IDE integration support will continue to expand to additional industry-standard IDEs, and to additional package formats.
JFrog Xray expands its CI/CD integration capabilities by adding support for TeamCity, enabling you to scan builds, generate reports and even fail build jobs if they use components with known vulnerabilities. This is an effective way to prevent builds with vulnerabilities from entering production systems.
Processing of raw vulnerability data has been greatly enhanced based on improved algorithms and heuristics to correlate and match data from different sources to the right component and version. This new data model provides greater and more accurate details about vulnerabilities such as infected version ranges, fix versions and more. It also allows better identification of infected components. In the case of Maven components, the vulnerability data has been completely replaced and undergoes manual curation before being loaded into the database resulting in better coverage with fewer false-positives.
Note that you need to perform a database sync (whether you are working in online or offline mode) to work with the enhanced vulnerability data.
Performance of scanning new builds and artifacts has been dramatically improved, by orders of magnitude. Since this is the most common process that Xray performs, the improvement results in Xray being more responsive on the whole. In particular, the performance and accuracy of Docker image analysis has been greatly improved.
Docker images encased in builds are now scanned and indexed just like any other build dependency.
Released July 17, 2017
Released July 31, 2017
Fixed an issue with Xray's analysis process causing component license data to be saved multiple times, potentially consuming high amounts of memory and disk space.
Fixed an issue where license issues in alerts did not have an impact path.
SaaS users will now receive email notifications with a default mail server configuration.
Released August 3, 2017
Issues and their status, contained within Docker images in a build, are now properly propagated.
Released August 22, 2017
Fixed an issue in which the All Alerts tab in the Alerts screen would appear empty even when alerts were present.
Released August 24, 2017
Fixed an issue where some filter selections in the Component Search did not return all applicable results.
Released September 25, 2017
This release brings significant OSS licenses functionalities for improved license coverage, including the ability to parse license from files, license content analysis and GitHub license matching.
The Xray installer now supports writing the installation / upgrades outputs to an installer log for better traceability.
The license tab will now show a "0" in the tab header when a license cannot be identified. Licenses that are identified as "unknown" will include a proper placeholder in the component details page.
The Xray Docker installation no longer requires root privileges to run.
Released October 17, 2017
Released October 19, 2017
Released April 20, 2017
New Home Page: The Xray Home page has been completely redesigned to act as a dashboard that provides a wealth of useful information. At a glance, understand your general system health, get an overview of components and alerts, system scan status, database sync status and more.
Package Type filter for Component search: The Components page now includes a Package Type filter that lets you focus on specific package types making it easier for you to search for specific components.
Released April 24, 2017
Released June 5, 2017
Released June 6, 2017
Released June 8, 2017
Released June 25, 2017
Xray now supports setting the system log level for each of the microservices without having to restart the Xray server.
Released January 18, 2017
JFrog Xray takes an active role in your CI/CD pipeline to indicate you should fail build jobs if your build or any of its dependencies have vulnerabilities. Your CI server (currently, Jenkins CI is supported) can now send a request to Xray to scan a build that was uploaded to Artifactory. In accordance with Watches you may define, Xray will scan the build, and if vulnerabilities that trigger an alert are found, Xray can now respond to the inquiring CI server that the build job should fail.
Released January 25, 2017
Released February 12, 2017
Xray has been equipped with a login protocol to prevent brute force attacks. When Xray encounters multiple login attempts by the same user, Xray steadily increases the time interval that the user must wait before attempting login again. After a specific number of failed login attempts, the user will be locked out of his account. At that point, login can only be reset by an Xray administrator. The administrator has full control over the number of failed login attempts to lock the user out.
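An added example (not Xray's implementation) of the mechanism this note describes: a per-user wait interval that grows with each failed login, a lockout after a configurable number of failures, and a reset that only an administrator can perform. LoginThrottle, max_failures, base_delay, the doubling interval and the scenario in simulate() are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Illustrative model of the login protection described above (not Xray's code).
    Each failed attempt lengthens the wait before the next one is accepted; after
    max_failures the user is locked out until an administrator resets the account."""
    max_failures: int = 5        # admin-configurable lockout threshold (assumed name)
    base_delay: float = 1.0      # wait in seconds after the first failure (assumed value)
    failures: dict = field(default_factory=dict)   # user -> (failure count, next allowed time)
    locked: set = field(default_factory=set)

    def _delay_for(self, count: int) -> float:
        # Steadily increasing interval; doubling per failure is an assumption of this model
        return self.base_delay * (2 ** (count - 1))

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'wait' (still inside the back-off interval), 'bad' or 'locked'."""
        if user in self.locked:
            return "locked"
        count, next_allowed = self.failures.get(user, (0, 0.0))
        if now < next_allowed:
            return "wait"        # refused without evaluating the password
        if password_ok:
            self.failures.pop(user, None)   # success clears the failure history
            return "ok"
        count += 1
        if count >= self.max_failures:
            self.locked.add(user)
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = (count, now + self._delay_for(count))
        return "bad"

    def admin_unlock(self, user: str) -> None:
        """Only an administrator can reset a locked-out account."""
        self.locked.discard(user)
        self.failures.pop(user, None)

def simulate() -> list:
    """Constructed scenario: three failures at threshold 3, then an administrator reset."""
    t = LoginThrottle(max_failures=3, base_delay=1.0)
    out = [
        t.attempt("alice", False, now=0.0),   # bad: next attempt allowed at t=1
        t.attempt("alice", True, now=0.5),    # wait: correct password, but too early
        t.attempt("alice", False, now=1.0),   # bad: interval doubles, next allowed at t=3
        t.attempt("alice", False, now=3.0),   # third failure -> locked out
        t.attempt("alice", True, now=60.0),   # locked: still refused
    ]
    t.admin_unlock("alice")
    out.append(t.attempt("alice", True, now=61.0))   # ok after the administrator reset
    return out
```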
An Xray administrator may now view the Xray system log file in the Admin module, with the ability to filter log messages from the different services behind Xray.
Released March 7, 2017
Released March 14, 2017
Released March 22, 2017
Released January 4, 2017
JFrog Xray exposes its dependency graphs to any external source with access to its REST APIs. Through a simple REST API call, you can now receive the full dependency graph of any component or build as a JSON object, or compare the dependency graphs of any two components or builds to get a clear indication of the differences between them and easily hone in on new dependencies that may have introduced issues and vulnerabilities.
System watches are created when a repository in Artifactory has been configured to block downloads. To provide more flexibility and finer control over when alerts should be generated, system watches can now be edited by Xray admin users.
Handling components with unknown licenses is a matter of your organization's policy. Xray now allows you to specify if these components should trigger alerts or not.
Released January 9, 2017
Released January 10, 2017
Released December 20, 2016
JFrog Xray adds a new report that shows you which vulnerabilities have the most far reaching consequences in your code, and which components in your code base have the most reported vulnerabilities, as well as recent vulnerabilities and infected components that were detected.
JFrog Xray has integrated with Black Duck Software as a new external vulnerability provider. Black Duck automates the process of securing and managing open source software by helping you comply with open source license requirements and providing security alerts about vulnerabilities discovered in open source components.
Released December 4, 2016
The onboarding experience has been improved in several ways including a wizard that guides you through the first essential steps of configuring Xray.
The Integrations UI has been modified to be more flexible and efficiently accommodate any number of integrations with external issue and vulnerability providers.
The Artifact and Build Summary REST API endpoints provide general information about an artifact or build as well as an aggregated list of issues and OSS licenses associated with them.
Released November 6, 2016
Generate a report that shows the distribution of open source licenses used by artifacts indexed by Xray, as well as their compliance with the "Allowed Licenses" and "Banned Licenses" filters defined in all watches in the system.
Xray now monitors a variety of system parameters and reports on their status to let you easily diagnose problems.
You can now create filters on watches based on the minimum severity of issues associated with indexed artifacts.
Released September 22, 2016
JFrog Xray now supports all versions of JFrog Artifactory from v4.0 and above.
Previously, Xray would synchronize with the global database server automatically at set time intervals. To give you more control over usage of your system resources, you can now manually invoke initial synchronization and update with the global database server, and pause/resume synchronization if necessary.
In addition to Docker, JFrog Xray is now available for installation in a variety of flavors including Ubuntu, CentOS, Red Hat, and Debian.
JFrog Xray will annotate artifacts that have been identified with an issue in any connected instance of JFrog Artifactory so that the Artifactory administrator may block download of that artifact.
If you have an account with Aqua, this integration lets you enable their feed as a source for alerts using your Aqua API key.
You may now implement an OSS license policy by defining a filter for watches based on a whitelist or blacklist of OSS licenses. Any component in the system that does not pass through the filter you define will generate an alert.
August 1, 2016
JFrog is proud to announce the first official release, JFrog Xray 1.0. This version presents dramatic changes based on feedback received from customers using the previous "Preview" version released several weeks ago.
The entire onboarding process to get started with Xray is done within Xray. This includes adding Artifactory instances, specifying repositories for indexing, triggering indexing and getting status on the indexing process.
Watches and alerts now aggregate all types of analysis performed. You simply define the context you are interested in for a Watch (repository, build or all artifacts), and view aggregated information on issues detected and artifacts impacted in the resulting alert.
You can now choose to ignore alerts or issues that have been resolved or are not interesting to you either for a specific alert instance or permanently.
While JFrog Xray comes preconfigured with a database of issues and affected software artifacts, it is also open to integration with additional vulnerability providers. This version comes with the ability to add Whitesource, a simple but powerful open source security and license management solution.
A new Watch will only apply to new artifacts or issues that arise after it has been created. This version adds the ability to run an analysis manually and apply a new Watch to existing artifacts and issues.
August 11, 2016
This is a minor update that fixes an issue with indexing and adds a limitation on the storage Xray consumes.
July 3, 2016
JFrog is proud to release JFrog Xray!
JFrog Xray performs universal artifact analysis, recursively scanning all layers of your binary packages to provide radical transparency and unparalleled insight into your software architecture. JFrog Xray works with most package formats and is fully integrated with JFrog Artifactory.
The Home screen is your dashboard where you can monitor the Artifactory instances Xray is connected to, component graphs and alerts.
Watches monitor artifacts for issues, and trigger alerts if any are found. A Scanning watch monitors a named build or repository in Artifactory and triggers an alert if any dependency with issues is found. An Impact Analysis watch listens to all providers streaming information to Xray and performs an impact analysis on all components in its database for any issues reported.
Alerts provide details about any issue found with any component, showing the full infection path through the component hierarchy.
View component relationships in your repositories to understand how one component affects others.
Automate component analysis through the rich Xray REST API.