Using the latest JFrog products?
JFrog Platform User Guide

Skip to end of metadata
Go to start of metadata


This page presents release notes for JFrog Xray describing the main fixes and enhancements made to each version as it is released.


Click to download the latest Xray.


For installation instructions please refer to Installing Xray

Xray 2.16.0

Released: August 2, 2020

Feature Enhancements

Go Version Upgrade

The Go version with Xray has been upgraded to version 1.14.6, solving some security vulnerabilities described in CVE-2020-15586.

Impact Analysis Improvements

Introduced performance improvements and memory footprint reduction to Impact Analysis.

Add Builds to Indexing Configuration API

A new Add Builds to Indexing Configuration API has been added to Xray REST API that enables you to add new builds by only providing the new build names to the list of builds selected for indexing.

Resolved Issues

  1. Fixed an issue whereby, the RPM docker images were stuck in the indexing stage on specific RPM packages.
  2. Improvement in RabbitMQ clustering logic.

Xray 2.15.0 

Released: July 19, 2020

Resolved Issues

  1. Fixed an issue whereby, Xray was not sending E-mail notifications to watch recipients when violations were found. 
  2. Fixed an issue whereby, the IU-Extreme-1.1.1 license URL was incorrect.
  3. Fixed an issue whereby, Xray misclassified Maven artifacts. Xray now provides a migration process to reindex existing misclassified maven artifacts.
  4. Fixed an issue whereby, Alert worker was consuming an excessive amount of memory.

Xray 2.14.0

Released: June 28, 2020

Resolved Issues

  1. Enhanced the indexing process performance. 
  2. Fixed an issue whereby, in High Availability, when an Xray node was attempting to start, it would hang on Initializing DB Tables. 
  3. Fixed an issue whereby, the scan-build failed when there were no policies, watches, and builds configured. The error message was changed to be clearer and indicative.
  4. Fixed an issue whereby, the Azure DevOps Artifactory Xray scan extension was returning the Xray scan result fail_build as true at all times. The error message was changed to be clearer and indicative.

Xray 2.13.0

Released: June 14, 2020

Resolved Issues

  1. Fixed an issue, whereby the CVE was not displayed in the Components tab in the Xray Data tab in the UI.
  2. Fixed an issue, whereby a false positive was declared for RPM packages due to incorrect RPM distribution comparisons.
  3. Fixed an issue, whereby Xray failed to process empty manifest.json files preventing the .wh components to be deleted.
  4. Fixed an issue, whereby the Update Builds Indexing Configuration REST API command was missing response messages.

Xray 2.12.0 

Released: May 10, 2020

Resolved issues

  1. Fixed an issue whereby, some Python packages were not indexed properly in Xray.
  2. Fixed an issue whereby, an invalid memory address or nil pointer error was issued when indexing GO packages in Xray. 
  3. Fixed an issue whereby, in a number of cases, the Docker pull did not work properly when a Docker remote repository was configured with the Block Download Block Unscanned Artifacts setting. 
  4. Fixed an issue whereby, Xray stopped functioning when indexing RPM files due to high memory consumption causing an out of memory issue.
  5. Fixed an issue whereby, Artifact summary Rest API returned an issues response for components that did not contain a ComponentID.
  6. Fixed an issue whereby, a security violation was generated for a .wh file component. 
  7. Fixed an issue whereby, when exporting data in Xray, the displayed results were inconsistent in the different file formats, JSON, PDF, and CSV where the CVE was not displayed in the PDF and CSV files. 
  8. Fixed an issue whereby, under certain rare circumstances, Artifactory would disconnect from Xray during a periodic license check.
  9. Fixed an issue whereby fetching all watches from the database overloaded the MongoDB.
  10. Fixed an issue whereby, a Bzip2 error message was thrown, and Xray stopped scanning the entire package. 
  11. Fixed an issue whereby, under certain circumstances, an empty license was added when indexing NuGet packages.
  12. Fixed an issue whereby, a component persist did not work due to character limit constraints.  
  13. Fixed an issue whereby a connection deadlock occurred when the number of workers were larger than the number of connections.

Xray 2.12.1

Released: May 24, 2020

Feature Enhancement

Improved performance of artifact deletion. 

Xray 2.11.0

Released: 2 December 2019

Feature Enhancements

Exporting and Importing Xray Settings

You can export Xray user-defined configurations to be imported to other Xray instances using a set of dedicated REST APIs. This is mainly useful when duplicating settings across multiple environments (Dev, Testing, Staging, and Production) or when moving to a single Xray to Artifactory instance ratio. The following settings include policies, watches, Ignore Rules, custom licenses, custom issues, webhooks, mail server, proxy configurations, and indexed resource settings. For more information, see the Exporting and Importing Configuration Settings section.

Improved Ignore Violations Functionality 

From Xray 2.11.0, the Ignore Violations on a Watch functionality, that was previously limited, has been enhanced to perform a full set of Ignore violations-related actions. Violations created prior to this version could not be retrieved. This enhancement applies to ignored violations set from this version and above. In the UI, you can now search for Ignored violations on a watch, view the security or license violation information for an ignored rule view, restore ignored violations, delete an ignore rule and restore its previously associated violations. Further more, you can retrieve a list of all ignored violations using the Get Ignored Violations.

Added Support Bundle REST APIs

From this version, you can easily create support bundles in the Xray REST API. 

Issues Resolved

  1. Setting all builds to be scanned using the “indexAllBuilds” system property, will result in all builds being available and can be selected in the “Select Builds” list in the Watch configuration.
  2. Xray indexing process supports special characters. 
  3. Mapping Maven packages LGPL licenses was improved. 
  4. Impact analysis deletes bad licenses in the MongoDB after running a JXray update. 
  5. A repository called "Builds" in Artifactory is processed correctly by Xray. 
  6. You can delete custom license types in the "Manage License' page in Xray. 
  7. Filtering in the Watch page for violations using the "created" filter returns the correct response. 
  8. Alpine components and vulnerabilities are matched according to branches.  
  9. Scan builds do not stop due to alert queue overloads. 
  10. Scan results are identical when uploading the same image with different tags.
  11. Xray blocks directory listing.
  12. Improved performance when retrieving a large number of violations on a watch via the UI.
  13. Xray successfully connects to Postgres even if the Postgres DB names contain special characters.

Xray 2.11.3

Released: 30 December, 2019

Issues Resolved

  1. Fixed an issue whereby under certain circumstances, Xray failed to scan large builds. Applies to Xray versions 2.11.0 and above. 
  2. Fixed an issue whereby under certain circumstances, executing the Exporting Component Details request through the REST API failed. 
  3. Browser caching for HTTP responses is now disabled in alignment with JFrog security best practices. 
  4. Scanning Docker images will not get stuck when encountering Conda packages.
  5. Support Bundles Ready status is now correctly displayed in the Release Bundles page in the UI.
  6. Fixed an issue whereby under certain circumstances, Xray failed to index 7zip files.

Xray 2.11.4

Released: February 17, 2020

Issues Resolved

  1. Fixed an issue, whereby a number of DB queries caused insufficient performance.
  2. Fixed an issue, whereby restarting Xray was prolonged due to loading of licenses to the database.
  3. Fixed an issue, whereby Xray failed to index Docker images with an invalid tar.gz format.
  4. Fixed an issue, whereby Xray failed to index Docker images that contained specific Python whiteout format.
  5. Fixed an issue, whereby searching components by CVE did not function properly.
  6. Fixed an issue, whereby all manifest.json files were processed as Docker manifest files causing indexing to fail.
  7. Fixed an issue, whereby when deploying to Non-Docker repositories, Xray failed to index builds containing the following characters: a-z,A-Z,0-9]*  in manifest.json file names.

Xray 2.11.5

Released: March 31, 2020

Feature Enhancements

Force Full Reindex of Existing Components Rest API

The new Force Reindex Rest API command allows you to easily reindex artifacts that were indexed in the past. This is useful if you would like to rescan artifacts containing package types that were not supported in the past but now are, for example, Go, Python package in Docker or Alpine OS packages. 

Resolved Issues

  1. Fixed an issue when running NPM audits with Xray, the vulnerabilities were added by Xray with unavailable links to VulDB as sources. 
  2. Fixed an issue whereby, we reduced the load on PostgreSQL DB during scanning. 
  3. Fixed an issue whereby triggering Support Bundles inconsistently failed in Xray HA.
  4. Fixed an issue whereby scanning of Docker images for potential infected JavaScript files heavily impacted MongoDB. 
  5. Improved the performance of loading watches and policies page in the WebUI. 
  6. Fixed an issue whereby Support Bundles returned request.logs excluding Xray logs. 
  7. Improved performance when running the Update Watch REST API v.2 command with thousands of watches in an HA environment. 
  8. Improved performance when running the Get Violations REST API command to retrieve a list for a specific watch from a database containing millions of violations. 
  9. Improved Debian package vulnerability detection based on the Distribution property that the user needs to provide when deploying Debian packages to a local repository in Artifactory.
  10. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that previously deleted in Artifactory. Repositories and builds are now automatically deleted when saving the Watch.
  11. Fixed an issue whereby policies did not take into consideration aliases.
  12. Fixed an issue whereby Xray Server suffered from a memory leak during NPM audit.

Xray 2.11.7

Released: 12 April, 2020

Issue Resolved
  • Improved the performance of the JFrog Xray mechanism for deleting artifacts.

Xray 2.11.8

Released: 16 April, 2020

Before Upgrading to 2.11.8

The following known issue was found:

  • Indexing of Docker artifacts with updated OS packages failed.

A fix for this issue is available in 2.11.9 and we, therefore, we recommend upgrading directly to 2.11.9.

Resolved Issue
  • Improved performance when customers had multiple different components containing the same checksum.

Xray 2.11.9

Released: 26 April, 2020

Resolved Issues

  1. Impact Analysis performance improvements.
  2. Fixed an issue whereby Docker artifact indexing with updated OS packages failed. This issue can happen whenever there is an OS package (Debian/RPM/Alpine) in one Docker layer that is updated or removed in another Docker layer.

Xray 2.10.0 

Released: 3 October, 2019

Deprecation Notice

From Xray 3.0, the following features will be deprecated or replaced:

  • 3rd party integrations will be deprecated including Black Duck, White Source, and Aqua. JFrog does not guarantee the integrations will be functional following the upgrade. Since February 2019, JFrog included RBS VulnDB as part of its out-of-the-box solution that replaces the need for 3rd party integrations.
  • Artifactory Xray Ratio has been changed: You can no longer connect JFrog Xray to multiple JFrog Artifactory instances. A 1:1 ratio between the Xray to Artifactory is now required.
  • MongoDB Deprecated: The MongoDB database has been replaced with PostgreSQL. Data migration will be applied as part of the upgrade process.

Features Under Construction - Coming Soon!

The following features will not be available in the Xray 3.0 release:

  • Xray Reports: We are currently developing new advanced reporting capabilities and the existing Reports will not be available in the next major Xray release. You can export the relevant data using alternative methods that currently exist today.
  • Xray LogsWe are currently developing a new representation for JFrog logs in the UI. JFrog logs will still accessible via the REST API. Xray logs unlike Artifactory will not be available in the UI in the next major Xray release but will be added soon.
  • Xray Components View: We have revised the way components are displayed in the UI and the Components page will be replaced with an alternative search soon.

Before Upgrading to Xray 2.10

The following known issue were found:

  1. Large binary files caused out of memory during indexing.
  2. High memory usage for the Indexer microservice at the end of the artifact indexing process

A fix for these issues is available in version 2.10.7 and we therefore recommend upgrading directly to 2.10.7.


Go Package Support in Xray

Xray now supports indexing and scanning of Go Registries, Go Modules and Go packages including recursive analysis, component graph integration and providing detailed metadata information. 

PHP Composer Support in Xray

Xray now supports indexing and scanning of PHP Packages including recursive analysis, component graph integration and providing detailed metadata information. 

Feature Enhancements

Email Notifications Now Triggered to More Users

The email notification capabilities in Xray has been expanded to include users who deploy components and Watch recipients about just discovered vulnerabilities.

Getting Component List per Watch API

The new Get Component List per Watch API command allows you to retrieve a list of components (artifacts and packages) associated with the watch. The Get command will return the Checksum, Path, Repository name, Artifact/Package Name and Version. 

Expanded License Identification Capabilities 

You can now manually assign aliases to a license name in the Manage Licenses page in the UI to provide Xray with more flexibility when identifying a license type in cases where a license was misspelled or inaccurately added. The aliases will be scanned from version 2.10.0. If you add an alias to an existing license, the components that were already scanned will not identify the alias, and therefore requires you to reindex the relevant artifacts or repository.

Issues Resolved

  1. Improved the way Event States are managed in Xray.   
  2. NuGet package names are not case sensitive.
  3. Extracting 7zip files in CGo is supported.
  4. The display of security issues in the exported data is now aligned with the display in UI. 
  5. Xray associates vulnerabilities to specific package types within a WAR file and not only to npm packages. 

Xray 2.10.1 

Released: 7 October, 2019

Before Upgrading to Xray 2.10.1

The following known issue was found:

  1. Large binary files caused out of memory during indexing.

A fix for these issues is available in version 2.10.7 and we therefore recommend upgrading directly to 2.10.7.

Issues Resolved

1. Artifactory now sends indexing events for Go packages following the upgrade to Xray 2.10.0.
2. Enhanced license logic matching for Golang binary dependencies.

Xray 2.10.4

Released: 24 October, 2019

Before Upgrading to Xray 2.10.4

The following known issue was found:

  1. Docker Indexing failed after performing changes to layers.

A fix for these issues is available in version 2.10.7 and we therefore recommend upgrading directly to 2.10.7.

Issues Resolved

  1. Fixed an issue whereby Large binary files caused out of memory during indexing.

Xray 2.10.5

Released: 28th October, 2019

Before Upgrading to Xray 2.10.5

The following known issue was found:

  1. High memory usage for the Indexer microservice at the end of the artifact indexing process.

A fix for these issues is available in version 2.10.7 and we therefore recommend upgrading directly to 2.10.7.

Issues Resolved

  1. Fixed an issue whereby Docker Indexing failed after performing changes to layers.

Xray 2.10.7

Released November 7, 2019

Issues Resolved

  1. Fixed an issue where there was a high memory usage for the Indexer microservice at the end of the artifact indexing process.
  2. Improved the Xray update policy REST API for large environments.
  3. Improved Xray’s license refresh mechanism with Artifactory.
Page Contents

Xray 2.9.0

Released: September 2, 2019

Feature Enhancements

Securing MongoDB with TLS Support on Xray

You can add an additional layer of encryption to Xray by configuring TLS support in MongoDB

Improved RabbitMQ Clustering for HA

Xray supports full RabbitMQ clustering allowing new nodes to connect to any active node in the cluster removing the limitation of only connecting to an active Master node and is enabled during adding HA Nodes installation process.

Enhanced Python Support
  • Expanded Python Package Type Support in Docker: As part of our effort to support the Python community, Xray now also scans the Python .py file extension in Docker images in addition to the existing Python packages extensions: .whl, .egg, tar.gz, .tgz.
  • Scanning Entire Python Builds: You can now scan an entire Python build following the JFrog CLI 1.28.0 release that supported creating build info for Python builds
Increased Queue Worker Ranges in the UI  

The Queue Workers ranges in the UI have been increased to provide flexibility when configuring your system queues in large systems.

Issues Resolved

  1. Security mapping correctly maps medium and minor issues.
  2. Creating or using a webhook will not display the password in the response.
  3. When running the automatic npm audit fix command, the Xray audit fix failed due to a format issue. Now, the npm audit fix runs successfully. 
  4. Xray SaaS user can now view the License Management section.
  5. Passwords containing special characters are supported in the xray_config.yaml file.
  6. Changing the Xray port during the Docker installation is supported. 
  7. The filters.json file is not returned to the default settings upon Xray restart. 
  8. RabbitMQ is now masterless and the user can remove inactive nodes during the HA installation process. 
  9. The DB sync progress bar shows synchronization progress correctly. 

Xray 2.8.0

Released: April 8, 2019

Feature Enhancements

Securing PostgreSQL and RabbitMQ with TLS Support on Xray

You can add an additional layer of encryption to Xray by configuring TLS support in RabbitMQ or PostgreSQL

Added Ubuntu 16.04 and 18.04 Support for Non-Docker Installs

Xray can run on top of Ubuntu 16.04 and 18.04 for non-Docker installs. 

Issues Resolved

  1. Fixed an issue whereby RPM false positives were generated when running an epoch comparison between Red Hat to non-Red Hat distributions. 

  2. Fixed an issue whereby Docker indexing failed when containing corrupted files.

  3. Fixed an issue whereby encryption failed if the connection string contained special characters. 

  4. Fixed an issue whereby pulling certain Docker images caused the Indexer to throw ("Slice out of bounds") errors.

  5. Fixed an issue whereby setting the authenticator provider during Xray onboarding would not take applied.

  6. Fixed an issue whereby self-signed certificates could not be added to the Xray Docker and Non-docker installation.

  7. Fixed an issue whereby Xray reported the existence of multiple incorrect licenses due to mismatched npm 3.0.4 component.

  8. Fixed an issue whereby the X-Forwarded-For header was enabled in the Xray request log causing the requests to appear as if they were all sent from the load balancer IP address.

  9. Fixed an issue whereby handling RMQ/PSQL connections when running Xray on Docker was improved to ensure errorless startup.

  10. Fixed an issue whereby the call home function didn't work for standalone installations.

  11. Fixed an issue whereby the 'AMQP Cleartext Authentication security' vulnerability was found in Xray.

  12. Fixed an issue whereby the Authentication provider could not be moved to another Artifactory if Access was unavailable.

  13. Fixed an issue whereby an incorrect message was generated when indexing failed due to corrupted blobs.

Known Issues

Ubuntu 18.04 Support

There is a known issue in this release in which Xray cannot be installed on Ubuntu 18.04

Xray 2.8.2

Released: May 13, 2019

Before Upgrading to Xray 2.8.2

The following known issues were found:

  1. An NPM Audit request failed.
  2. A memory leak was detected in root files during DB migration.
  3. Root file migration failed when a package was not found.
  4. Root file migration failed due to timeout issues.

A fix for these issues are available in version 2.8.6 and we therefore recommend upgrading to 2.8.6.

Feature Enhancements

Searching for Root Components

From Xray 2.8.2, the Xray component search is set by default to only display the high-level root components list in the search results based on the artifacts that were deployed to Artifactory. You can choose to view the entire hierarchy by disabling this field. 

Issues Resolved 

  1. Fixed an issue where the author and notes were left not displayed even though they were added in the Watch Ignore Rule. 
  2. Fixed an issue whereby the Support Bundle page displayed an incorrect Status summary. 
  3. Fixed an issue whereby support bundles were not downloaded from all the HA Xray nodes.
  4. Fixed an issue whereby during Xray startup, analysis failed to start due to a PostgreSQL deadlock. 
  5. Fixed an issue whereby possible connection leaks to RabbitMQ were encountered. 
  6. Fixed an issue whereby the Xray admin password could not be changed if the Authentication provider was configured. 

Xray 2.8.3

Released: May 15, 2019

Before Upgrading to Xray 2.8.3

The following known issue was found:

  1. A memory leak was detected in root files during DB migration.
  2. Root file migration failed when a package was not found.
  3. Root file migration failed due to timeout issues.

A fix for these issues are available in version 2.8.6 and we therefore recommend upgrading to 2.8.6.

Issues Resolved 

  1. Fixed an issue that applies to Xray 2.8.2, whereby an NPM Audit request failed.

Xray 2.8.4

Released: May 16, 2019

Before Upgrading to Xray 2.8.4

The following known issue was found:

  1. Root file migration failed when a package was not found.
  2. Root file migration failed due to timeout issues.

A fix for these issues are available in version 2.8.6 and we therefore recommend upgrading to 2.8.6.

Issues Resolved 
  1. Fixed an issue whereby a memory leak was detected in root files during DB migration.

Xray 2.8.5

Released: May 16, 2019

Before Upgrading to Xray 2.8.5

The following known issue was found:

  1. Root file migration failed due to timeout issues.

A fix for these issues are available in version 2.8.6 and we therefore recommend upgrading to 2.8.6.

Issues Resolved 
  1. Fixed an issue whereby root file migration failed when a package was not found.

Xray 2.8.6

Released: May 17, 2019

Issues Resolved 
  1. Fixed an issue whereby the root file migration failed due to timeout issues.

Xray 2.8.7

Released: June 3, 2019

Issues Resolved
  1. Fixed an issue whereby high RAM usage was experienced on Xray when scanning builds with many dependencies.

Xray 2.8.8

Released: June 24, 2019

Feature Enhancements

Xray Supports Displaying the Fixed Version in the IDE Plugin 

Remediation information can now be viewed directly in your IDE plugin in addition to viewing panels displaying vulnerability information about the components and their dependencies. 

Improved Xray Classification of Maven Artifacts

Xray searches and classifies artifacts located in the Maven root as Maven artifacts in addition to searching the POM and JAR files in the folder. 

Multiple Licenses are Added to Xray Known Licenses 

Xray now recognizes multiple licenses grouped using the 'And' operator in the local file resource.  

Improved MIT License Detection

Xray adds improved MIT license detection by searching for the 'expression' variable in the NuGet package. 

Xray Supports Externalized PostgreSQL Connection Pools 

Xray externalizes the 'max connection' and 'max idle connection' PosgreSQL connection pools. 

Issues Resolved

  1. Fixed an issue whereby Xray scanned and tagged the org.aist:configurations component for Maven packages with an unknown license. 
  2. Fixed an issue whereby Xray scanned all json files as license files in npm packages.
  3. Fixed an issue whereby database updates were skipped as they did not progress during database sync. 
  4. Fixed an issue whereby users using native installers could connect to the MongoDB without credentials. 
  5. Fixed an issue whereby Xray did not detect a number of Python .whl file as components. 
  6. Fixed an issue where Xray triggered a false notification during monitoring, alerting that specific services were down in Kubernetes. 
  7. Fixed an issue in which Xray could not index certain JAR files. 
  8. Fixed an issue whereby missing Docker layers were skipped by Xray resulting in corrupted scan results. 
  9. Fixed an issue whereby Xray could not connect to an external user if the username contained the '@' symbol. 
  10. Fixed an issue whereby DB sync get stuck while calculating on SaaS. 
  11. Fixed an issue whereby running queries in PSQL failed when collecting data for the support bundle. 
  12. Fixed an image whereby Xray continued to generate a violation for an Alpine image that was fixed. 

Xray 2.8.9

Released: June 30, 2019

Feature Enhancements

Added SSL Certificate CER File Support 

With this release, new installations do not hard code "password" for MongoDB. Instead, the installer uses a random string to set the Xray password, which is then encrypted by the Xray master.key. The password is stored under the /root folder as a text file, MongoDB_Admin_pass.txt. Depending on how Xray was installed, it might be in the local user's home directory:  ~/MongoDB_Admin_pass.txt

Issues Resolved

  1. Fixed an issue with the cache synchronisation via RabbitMQ which caused issues with HA mode.

Xray 2.7.0

Released: February 12, 2019

Feature Enhancements

Added SSL Certificate CER File Support 

From Xray 2.7, we have expanded SSL Certificate File support to include CER files in addition to the existing support for CRT, CRT and PEM files. CER files are used to store X.509 certificates. Normally used for SSL certification to verify and identify web servers security. A CER file can be in binary (ASN.1 DER) or encoded with Base-64 with a header and footer included (PEM) and is recognized by Windows.

Customized Scripts for Disabling "Guest" login in the RabbitMQ Management Console

The Xray Installation process includes installing the RabbitMQ Management Console with the 'Guest' user enabled by default. From Xray 2.7, you can run a script to disable the RabbitMQ 'Guest' in Docker and Linux. 

RabbitMQ 3.7 Support

From Xray 2.7, RabbitMQ was upgraded from version 3.6 to 3.7.

New API Commands

Issues Resolved

  1. Fixed an issue whereby Xray did not parse builds containing a slash "/" in the build name. 
  2. Fixed an issue whereby when upgrading from Xray 2.1, the Watch "Minimum" severities were reset to "All Severities".
  3. Fixed an issue whereby if the "Admin" user was removed from the Artifactory Authentication Provider Xray users permissions could not be loaded. 
  4. Fixed an issue whereby invalid regex files were saved and Xray then proceeded to throw an error when validating it. From Xray 2.7, invalid regex files are rejected during the save process.  
  5. Fixed an issue when Xray scanned RPM OS packages in certain scenarios. 
  6. Fixed an issue whereby when running the Component Search by Severity did not return any components. 
  7. Fixed an issue resulting in improved message logs when DB sync fails. 
  8. Fixed an issue whereby Xray will archive support bundles as zip files instead of tar.gz files.
  9. Fixed an issue whereby setting Watches to search 'All repositories' failed. 

  10. Fixed an issue whereby a watch failed when selecting "Applying on existing content" with a custom date range.

  11. Fixed an issue whereby Xray failed to upgrade if the existing Xray installation was installed under the "/data" folder. 

  12. Fixed an issue whereby a number of violations still appeared even though the "ignore permanently" option was set. 

  13. Fixed an issue whereby navigating to the Admin Tab failed if violations were in the process of being loaded to the Xray home page. 

  14. Fixed the issue whereby running the Scan Build REST command returned an incorrect path for files with several entries sharing the same checksum. 

Xray 2.7.3

Released: March 5, 2019

Issue Resolved

  1. Fixed an issue whereby builds crashed and Xray scanning failed when repository scanning was not enabled on Artifactory.

Xray 2.7.4

Released: March 13, 2019

Issue Resolved

  1. Fixed an issue with the database sync automatic updates.
  2. Improved the search performance when filtering components by minimum severity.

Xray 2.7.6

Released: April 2, 2019

Issues Resolved

  1. Fixed an issue whereby the Xray proxy password was displayed in the Xray UI.

Xray 2.6.0

Released: December 31, 2018


Deprecation Notice - Snyk Integration

From this version, the built-in integration with Snyk is deprecated. Since the Xray Global Database Server has been enhanced to include the vast majority of vulnerabilities provided by the basic Snyk integration with the same or a better level of detail, this should have minimal to no impact on Xray vulnerability scans. 

Scanning External Dependencies

This version extends the scanning capabilities of Xray to external (transitive) dependencies. This means that for supported package formats, when build components are scanned, any dependencies hosted on external sources (i.e. not physically included in the build artifact) will also be scanned by Xray. This means that any watches and policies defined for the build will be applied to both the internal build artifacts and the external dependencies and will trigger violations accordingly.

Managing Open Source Licenses and Custom Licenses

JFrog Xray introduces the Manage Licenses module that provides a comprehensive list of open source licenses available on the market and an indication of which licenses are used by each component scanned. Through this new module, you can define custom licenses and assign them to components in the same way you assign any other license.

Feature Enhancements

Exporting Component Details

This version extends Xray's export capabilities from the UI or through the Export Component Details REST API endpoint. For all supported package formats, you can now export full component details (as opposed to just exporting a license report) including violations, licenses and security issues.   

Vulnerability Severity in Component Details

When viewing component details, Xray now displays the top severity of vulnerabilities detected in any of its dependencies.

Xray 2.6.2

Released January 27, 2019

Issues Resolved

  1. Fixed an issue in which Xray would fail to scan Docker registries if the hosting Artifactory instance was configured as a ROOT application in its Tomcat.

  2. Fixed an issue in which Xray would fail to index a Docker registry if its name is included in the domain name of the hosting Artifactory instance .

  3. Fixed an issue in which exporting component details would fail if the component name included a forward slash ("/") character.

Xray 2.6.3

Released January 30, 2019

Issues Resolved

  1. Fixed an issue which caused Xray to crash if it ran a DB sync at the same time as a repository scan or impact analysis.
  2. Fixed an issue in which during a scan, Xray would fail to sort components with vulnerabilities that were presented in certain version formats.
  3. Fixed an issue in which Xray would issue many warnings when performing a DB sync for an environment that has no vulnerabilities.

Xray 2.5.0

Released: 26 November 2018


Hardened Security for Secrets

To harden security when providing encrypted data (secrets) such as connection strings to external databases, from this version, when running Xray in a Docker container on Kubernetes, you can provide secrets in a temporary file. Xray will load the parameters specified in the file at startup and then delete the file. 

Real-Time Indexing Status

To give a better indication of the scan-status of a component, a new "Pending Scan" status has been added to indicate that the component was added to Artifactory and indexed, but scanning by Xray has not been completed. 

Feature Enhancements

Ignoring All Issues for a Component

From this version, for root components, you can now choose to ignore all violations for a component

Improvements in How Severity is Reported

The way the severity of a vulnerability is handled has been enhanced in several ways:

Naming: Severity names now conform to the CVSS v2 standard and are reported as "Low", "Medium" or "High". 

Information Severity: Custom issues can now be assigned a severity of "Information".

Issues Resolved

  1. Fixed an issue in which Maven-like artifacts were displayed as generic components after being indexed by Xray.
  2. Fixed an issue in which newly created repositories would not appear as available resources when creating or editing Permissions.
  3. Fixed an issue in which Admin users were not able to edit user profiles.
  4. Fixed an issue in which there was no way to rest the internal Admin password if an authentication provider was set for Xray. Now you can reset the password using the Update User REST API endpoint.
  5. Fixed an issue in which CVSS v3 scores were not displayed in the Violation details popup.
  6. Fixed an issue in which Xray would continue trying to connect to the global vulnerability database, even though it was configured for offline synchronization of the database.
  7. Fixed an issue in which the Xray UI would not indicate that local user management is blocked when Xray uses a connected Artifactory service as an authentication provider.
  8. Fixed an issue in which you could not save an update to the configuration if Xray could not connect to a defined proxy or to the global database.
  9. Fixed an issue in which Xray would not open correctly when being accessed via the More Details in Xray link in the Xray tab for a component in Artifactory's Repository Browser.
  10. Fixed an issue in which Xray could not connect an Artifactory service through a proxy.
  11. Fixed an issue in which after adding multiple custom licenses to a component, the licenses could not be removed.
  12. Fixed an issue in which when indexing a Docker image with foreign layers, or an image with layers that are missing from Artifactory, Xray would not provide useful information in the log when indexing failed.
  13. Fixed an issue in which the Get Token REST API endpoint would produce a text string instead of a JSON object. 
  14. Fixed an issue in which certain log messages were listed as [INFO] when they should be listed as [ERROR].
  15. Fixed an issue in which a Name filter on a Watch would not work on Docker images
  16. Fixed an issue in which after setting a connected Artifactory services as an authentication provider, creating a new permission, and then severing the Xray-Artifactory connection, after installing another instance of Xray and connecting it to the Artifactory service, you could not create a new permission with the same name.

Xray 2.5.1

Released: December 11, 2018

Issues Resolved

  1. Resolved an issue whereby scanning failed on the nil pointer exception when the range bound was missing.
  2. Resolved an issue whereby generating license metrics caused the server to crash on the nil pointer exception.
  3. Resolved an issue whereby impact analysis failed due to Postgres deadlock when trying to use Prepare statements.
  4. Resolved an issue whereby the build indexing process entered an endless loop causing the same layer file to be repeatedly regenerated on the disk.

Xray 2.4.0

Released: October 10, 2018



Watches have undergone significant changes to improve usability and effectiveness in detecting violations.

Multiple resources per watch: You can now add multiple resources to a watch and include any number of repositories or builds while specifying a separate set of filters to apply for each resource. When scanning an artifact, Xray processes each resource and its filters before going on to the next one. If an artifact passes through all filters, Xray will then process the policies defined for the Watch to determine what, if any, action should be taken. 

Artifact path filter: You now specify a relative expression to filter artifacts according to their path within a repository. This is in addition to the "Name" filter (formerly known as the "Regex" filter) which filters artifacts based on their name.

Watches REST API: This release introduces V2 of the REST API. Currently, only the endpoints related to Watches have been updated to accommodate the significant changes to Watches in this release. Note that the REST API is backward compatible and will continue to support V1 endpoints, including those related to Watches for older versions of Xray.

Feature Enhancements

Alpine Packages

Xray now supports indexing and scanning of Alpine OS packages including recursive analysis, component graph integration and providing detailed metadata information.

Component Details

The UI of the Locations tab in the Component Details panel has been improved to give a clearer indication of where the artifacts of a scanned component can be found.

Known Issues

Red Hat 6 on GCP not supported

There is a known issue in this release in which Xray cannot be installed on a Red Hat 6 machine on Google Cloud Platform (GCP) due to a missing OS dependency in RHEL 6.

Issues Resolved

  1. Fixed an issue that allowed creation of policies with an invalid cvss_range parameter.
  2. Fixed an issue in which the CentOS installer displayed an incorrect version number following installation.
  3. Fixed an issue in which the UI displayed an incorrect message when an offline DB sync was aborted.
  4. Fixed an issue in which a 500 Internal Server Error was erroneously returned by the Get Component By Name REST API endpoint when a component was not found instead of a 404 Not Found error.
  5. Fixed an issue in which a Violation due to an unknown license would sometimes be generated, even though the corresponding Watch would allow unknown licenses.
  6. Fixed an issue in which a group's permissions would not be applied to its users if the group name contained a space character.
  7. Fixed an issue in which a Policy could not be assigned to a Watch using the Create Policy REST API endpoint. 
  8. Fixed an issue in which a Policy could not be assigned to a new Watch created using the Create Watch REST API endpoint.
  9. Fixed an issue that would sometimes cause a "Out of memory" error during indexing due to messages containing large volume of JavaScript files.
  10. Fixed an issue in which when the connected Artifactory instance contained multiple Docker images with the same checksum, but different tags, and one of the tags was deleted, it would still show up in Xray with an invalid location.
  11. Fixed an issue in which indexing Docker images would not fail after encountering EOF errors in the indexing process.
  12. Fixed an issue in which the MongoDB database name was ignored even if it was provided in the connection string.
  13. Fixed an issue in which when scanning a component certain open source licenses would be erroneously detected as different ones. For example LGPL 2.1 license would sometimes be detected as LGPL 3.0, CDDI would sometimes be detected as CDDL-1.0 etc.
  14. Fixed an issue in which the number of indexed artifacts that Xray reported was sometimes larger than the total number of artifacts hosted in the repository.
  15. Fixed an issue in which Xray would not recognize Docker image tags that included a dash ("-") character.
  16. Fixed an issue in which when using Artifactory as the authentication provider, Xray would fail to authenticate users if they were included in Groups that had multiple spaces in their names.
  17. Fixed an issue in which a Watch on Docker images containing a Property filter would trigger violations on images even if they did not contain the specified property.
  18. Fixed an issue in which the Get Licenses Report Components REST API endpoint would report the same watch multiple times for a component.
  19. Fixed an issue in which disabling SSL/TLS in the Mail Server configuration using the UI would not work unless mailNoSsl:true was also configured in Xray's configuration file.
  20. Fixed an issue in which default credentials of RabbitMQ, PostgreSQL and MongoDB would be displayed in Xray's configuration file in plaintext. These credentials are now encrypted.
  21. Fixed an issue where usernames can now contain a hyphen.

Xray 2.4.1

Released: October 15, 2018

Issues Resolved

  1. Fixed an issue in which Xray would report Critical vulnerabilities as Major.

  2. Fixed an issue in which the impact analysis queue would get flooded with messages about empty ZIP files in components.
  3. Fixed an issue in which PostgreSQL queries would not terminate even after running for hours
  4. Fixed an issue in which the Notify Email action for policies did not work, even if a mail server was properly configured.
  5. Fixed an issue in which Build resources added to a Watch would be duplicated in the Watches display.

Xray 2.4.2

Released: October 25, 2018

  1. Fixed an issue whereby the Violations email displayed a broken link to the component.

Xray 2.4.6

Released November 8, 2018

Issues Resolved

  1. Fixed an issue that prevented creation of the impact analysis graph for complex components.

  2. Fixed an issue in which Xray would ignore a scheduling parameter for maintenance cleanup jobs.

  3. Fixed an issue that caused Xray to hang when presenting component details.

Xray 2.3.0

Released: August 20, 2018


Native HTTPS Support

Xray now supports configuring SSL on your web server in the Admin module in the HTTP Settings screen. By default, the HTTP port is set in the config.yaml file and all that is left is to specify the path that leads to your SSL key and SSL Certificate.

Automatic Component License Report

The Component License Report in Xray helps you stay compliant and avoid legal violations due to problematic components that may exist in your builds or artifacts. Based on the metadata generated in Xray, you can generate a license report for every build or artifact that will list all of the OSS licenses used directly or indirectly.

Xray Support Zone

As part of the JFrog SLA based support, you can now generate an information bundle in the Admin module in the Support Zone screen. When opening a support ticket, you can attach the information bundle to expedite handling of your issue. 

Public APIs for Policies

JFrog Xray exposes its policies to any external source with access to its REST APIs. Through a set of simple REST API call, you can create, delete, view and assign policies to watches

7z Indexing Support

7z compression has been added to the list of compression technologies that Artifactory already supports including Tar (Bz2, Gz, Z, infl, Xp3, xz), Zip, rpm, deb, and 7zip.

Issues Resolved

  1. Fixed an issue whereby temp files could not be found and deleted causing Persist to fail.
  2. Fixed an issue whereby huge RabbitMQ messages caused a queue overload after indexer which has been resolved by introducing file compression.
  3. Fixed an issue whereby Persist gets "connection reset by peer" errors from RabbitMQ and does not reconnect.
  4. Fixed an issue whereby multi-folder Docker images did not trigger violations and send alerts to CIs while leaving the build set as normal.
  5. Fixed an issue whereby failed messages in the ImpactAnalysis queue weren't displayed in the UI and could not be retried.
  6. Fixed an issue whereby running the watch filter by property did not filter Docker Images.
  7. Fixed an issue whereby database sync stopped when the trial license expired.
  8. Fixed an issue whereby a filter containing a specific build name was not triggered.


Xray 2.3.1

Released August 28, 2018 

Issues Resolved

  1. Fixed an issue in which the Watches REST API endpoint would not work.
  2. Fixed an issue introduced in Xray 2.3 in which Xray would not run when Artifactory and Xray were activated with a trial license.
  3. Fixed an issue in which Impact Analysis would sometimes fail when trying to update a license for a component that had been indexed but was now missing.

Xray 2.3.2

Released September 2, 2018 

Issues Resolved

  1. Fixed an issue whereby restarting Xray resulted in loss of user login permissions when using Crowd for Auth provider in Artifactory.
  2. Fixed an issue whereby after performing an upgrade, the admin user has no permissions.

Xray 2.3.3

Released September 26, 2018 

 Issue Resolved 

  1. Reduced memory consumption during JavaScript indexing process.

Xray 2.2.0

Released July 2, 2018



Xray introduces a new Policy entity that enforces security and license compliance behaviors, which were previously part of a Watch. In previous versions, a watch included the target resources, such as repositories and builds, being scanned as well as the security and licence violation criteria and actions to take. From this version, these are separated for enhanced manageability and maintenance.

Policies now enable you to create a set of rules, in which each rule defines a license/security criteria, with a corresponding set of automatic actions according to your needs. 

Watches now only define the scope of the resources you want to watch. You can define a policy once and assign it to as many watches as you like.

Separating the behavior you want to enforce from the context you want to enforce it on provides you with the following values:

  • Efficiency. Reduce work and save time by configuring your policies once and assigning them to multiple watches.
  • Flexibility. Configure multiple behaviours with additional functionality such as priority of your security rules.
  • Separate  Concerns. Delegate permissions to different teams in your organization. Everything related to resources and filters is in the watch, and everything related to security and license compliance is in policies.

Feature Enhancements

  1. Xray can now classify OSS licenses, as known license types, from license files. 
  2. Added the ability to manually invoke a scan on existing content so that new watches that were just defined can be applied immediately without having to wait for a scan-triggering event to happen.
  3. The General Configuration settings have been enhanced to provide more control over different parameters of Xray.
  4. Easily navigate from the Xray Components module directly to any component in Artifactory.
  5. Alerts are now fully deprecated.
  6. Added a REST API endpoints that get and update a list of repositories and builds that are or are not indexed for scanning.  
  7. Added a REST API endpoint that provides a list of violations based on a set of search criteria.

Xray 2.2.1

Released July 8, 2018

Issues Resolved

  1. Fixed an issue where some indexing of Docker images inside a build did not work and threw an error.

Xray 2.2.2

Released July 16, 2018

Issues Resolved

  1. Fixed an issue in which when an Xray installation had an Artifactory instance set as its authentication provider, and it was upgraded from version 1.11.0 to version 2.2.1, the Xray Admin user ended up with no permissions.
  2. Fixed an issue in which an Artifactory instance set as the authentication provider would fail to successfully authenticate against Xray following an upgrade from version 1.11.0 and below to version 2.0.0 and above.
  3. Fixed an issue that prevented connection between Artifactory and Xray when Xray's base URL was specified with a trailing slash.
  4. Fixed an issue that prevented using a capital letter in Artifactory ID of an Artifactory instance set as the authentication provider for Xray

Xray 2.2.3

Released July 17, 2018

Issues Resolved

  1. Fixed an issue where some indexing of Docker images inside a build did not work and threw an error.

Xray 2.2.4

Released July 22, 2018

Issues Resolved

  1. Fixed an issue when using a CI integration (such as Jenkins), in some cases Xray responses would be very large and caused the CI to get stuck.

Xray 2.1.0

Released May 17, 2018


JFrog Enterprise+

Announcing the new Enterprise+ Platform, that provides a complete solution for covering all the steps involved in creating a secure, trustworthy, and traceable software release in a multi-site development environment.

The solution works in conjunction with source version control, continuous integration, and deployment tools.

The JFrog Enterprise+ platform bundle includes:

  • JFrog Artifactory: all features available with an Enterprise license as well as Access Federation and the ability to work with Artifactory Edge.
  • JFrog Distribution: an on-premise, centralized platform that lets you provision software release distribution.
  • JFrog Xray: universal analysis of binary software components at any stage of the application lifecycle providing unprecedented visibility into issues lurking in components anywhere in your organization.
  • JFrog Mission Control: all features available in Mission Control with the addition of: 

    • the ability to add instances of Jenkins-CI, JFrog Distribution and JFrog Artifactory Edge as services in the system and monitor them

    • Insight and analytics on build processes through as set of metrics on the end to end build process

Ruby Gems and Python Wheels Support

From this version, Xray supports indexing and scanning of Ruby Gems and Python Wheels packages. This support includes:

  • Recursive analysis and full component graph integration
  • Component metadata, including versions, licenses and checksums 
  • Manually curated security vulnerabilities
OAuth Integration

In addition to SAML/LDAP authentication capabilities, enabled once you select an authentication provider, from version 2.1 Xray is also integrated with OAuth. This allows you to delegate authentication requests to external providers and let users login to Xray using their accounts with those providers, according to the OAuth configuration in the authentication provider.

Watch Violation Search

You can now filter the watch violations using the new search mechanism, according to text, created date, type, severity and CVE ID.

SSO Support

From Xray 2.1, SSO support has been added and allows you to log in to all your JFrog applications using a single set of user credentials that are stored in the Authentication Provider Artifactory instance. When SSO is applied, the user logs in to the JFrog product using a set of predefined credentials and is granted access across the board to the JFrog products. SSO eliminates the need to re-enter the credentials every time a product is accessed.

UX Improvements
  1. The watch and component violations grid now include the exact infected component version and the impacted artifact name and version.
  2. The components in the violations impact analysis view are now clickable and will lead to the relevant component details.

Issues Resolved

  1. The watch violations sorting now works as expected

Xray 2.1.2

Released June 13, 2018

Issues Resolved

  1. Fixed an issue that prevented an offline sync of the database from completing successfully. From this version onwards, offline synchronization of the database requires JFrog CLI version 1.16.2 or higher.

Xray 2.0.0

Released April 16, 2018


Xray High Availability

JFrog Xray 2.0 introduces a highly available active-active cluster architecture, ensuring continuous security and governance to your software packages.

Improved Performance and Resilience

You can now scale your Xray environment with as many nodes as you need. This enhances Xray’s performance by delegating all workload across available cluster nodes, through a load balancer.

In case one or more nodes is unavailable or down for upgrade, the load is shared between the remaining nodes, ensuring optimal resilience and uptime.

Automatic Synchronization

Xray seamlessly and instantly synchronizes all data, configuration, cached objects and scheduled job changes across all cluster nodes.

Enhanced Monitoring

Xray’s self-monitoring mechanism, which provides you with system availability issues, has now been enhanced to let you know which node is affected.
In addition, Xray will provide cluster health information in a new page called “High Availability”, showing health information of every node and every microservice.

Easy HA Setup

Xray allows you to easily install a full HA cluster in minutes, or upgrade your existing Xray environment.

Feature Enhancements

Watch Violations View

In addition to viewing your policy violations in the component details view, the Xray UI has been enhanced with a new violations view that displays all defined violations in the context of a specific watch.

Automatic Xray Upgrade

Xray can now be upgraded automatically with a “use defaults” parameter, eliminating any manual script inputs. This parameter uses a default configuration for new installations and an existing configuration for upgrades.

Component Search by CVE

Xray now allows you to search for the components in your organization which are impacted by a specific security vulnerability CVE id. 

Xray 2.0.1

Released April 23, 2018

Issues Resolved

  1. Fixed an issue in which when viewing certain Watch Violations, the name of the component that triggered the violation was not displayed
  2. Fixed an issue that prevented setting up Xray HA on cloud-native environments such as Kubernetes
  3. Fixed an issue that prevented upgrading some Docker installation from Xray 1.x to Xray 2.x  

Xray 2.0.2

Released May 6, 2018

Issues Resolved

  1. Fixed multiple issues related to builds containing Docker Images  

Xray 1.12

Released March 28, 2018 


Improved Integration with Artifactory

JFrog Xray 1.12 jointly released with JFrog Artifactory 5.10, presents significant changes in how these two complementary applications are integrated to improve usability and stability.

Upgrade Xray first

 For this joint release of JFrog Artifactory 5.10 and JFrog Xray 1.12, we strongly recommend first upgrading your Xray installation to version 1.12 and only then upgrading Artifactory.

Scan Status

Previously, an artifact's scan status was stored in Artifactory by annotating the artifact with a set of properties such as indexing status, last update, top vulnerability severity and block status. From this version, these properties will be removed. Artifactory will fetch an artifact's scan status on demand when it is selected in the tree browser.

This is a breaking change which restricts compatibility of Artifactory and Xray versions as described in the following table:

Xray Version




Since both Artifactory and Xray are upgraded, the new integration is fully functional as designed.


In this combination, the integration will not work since the new version of Artifactory will query Xray for scan status, however, the old version of Xray does not have the required REST API endpoints.



This combination is supported. Artifactory will continue to display each artifact's scan status, however, it will use previous mechanism that uses properties.


If neither Artifactory nor Xray are upgraded, the integration will work using the previous mechanism that displayed scan status as a set of properties on the artifact.

Improved Download Blocking

From this release, download blocking has been removed from Artifactory and is, instead, configured in Xray as "Block Download" action on a Watch. This creates a more intuitive and consistent workflow giving you full control over all actions on an Artifact that has a violation in one place.

Better Build Control

Previously, all builds in Artifactory were indexed by Xray potentially causing visual clutter as less important builds such as snapshots would get indexed. From this version, Xray lets you select which builds to index, letting you focus your analyses on more significant build processes.

Reapply Indexing to Your Builds

During the upgrade process to Xray 1.12, the indexing is cleared from all of the builds. To reapply indexing, you need to explicitly apply indexing to the builds of your choice.

Component-Driven Workflow: Watch Violations

Previously, Xray brought vulnerabilities to your attention in the form of Alerts. But since alerts may aggregate several issues, each of which may affect multiple artifacts and builds, they made it difficult to understand all the issues affecting a particular component. Continuing Xray's evolution to a component-driven workflow, this version introduces Watch Violations.

Watch violations are displayed directly on the Component Details panel making it easy to identify all the security, license and custom issues affecting the component.

Support for Additional Package Types

From this version, Xray supports indexing and scanning Gradle, Ivy and SBT packages.

Xray 1.12.1

Released April 2, 2018

Issues Resolved

This patch fixes these issues that were discovered in version 1.12:

  1. Fixed an issue in which the “Block Download” action did not work when creating a watch on a remote repository when Artifactory versions lower than 5.10.
  2. Fixed an issue in which deleting a custom issue did not impact the “Block Download” action when using Artifactory versions lower than 5.10.
  3. Added the ability to automatically index all builds by Xray via a configuration parameter.

Xray 1.11

Released February 18, 2018 


Assign OSS Licences to Components

This release provides these advanced OSS licenses functionalities:

  • Assign custom licenses to your components.
  • View the source of the originated license - custom, JFrog, or a local file.
  • View if the license was assigned directly to the component or propagated to parent components and is part of their license list.
Failure Messages

Xray now displays all impact analysis and artifact scanning failures in the new Failure Messages page, in the Admin module. This page provides administrators a single place where they can easily identify the exact step in the scanning and impact analysis Xray process in which it failed, allowing them to fix the issue and retry the step.

Xray 1.10

Released January 2, 2018


Grafeas API

Project Grafeas defines an open, unified metadata exchange format and API that will create a uniform and consistent way to produce and consume metadata from software components. By fully supporting the Grafeas API, Xray acts as a portal to Grafeas providing your software supply chain with an unprecedented abundance of metadata that can be easily be put to use in automated auditing and governance processes. This release of Xray exposes a set of Grafeas endpoints that are fully integrated into the Xray REST API.

Externalization of Databases

Xray works with a number of third party services, such as various databases, which were previously pre-installed with the other Xray microservices. From Xray 1.10, you have more control over your resource allocation and you can direct Xray to use an external RabbitMQ, MongoDB or PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.

Improved Database Sync

Database synchronization has been significantly improved resulting in a smoother workflow, data compression and boosted performance. The enhanced compression and performance promote stability and robustness to transient network issues. Depending on your hardware, network and other factors, this may improve performance by up to 70%.

Expanded IDE Integration

In addition to UI improvements, the  has been updated to support scanning of Gradle and npm package formats in addition to the existing Maven package format. 

Issues Resolved

  1. Improved performance of Alerts page.
  2. Fixed an issue whereby Ignore Rules were not fetched when their associated Watch was deleted.
  3. Fixed an issue whereby the Event microservice crashed due to a missing checksum returned from a property search made for a build's items.
  4. Fixed an issue whereby deployed Docker Images with same SHA256 value got stuck in the analysis retry queue.
  5. Fixed an issue whereby the Xray API 'Update User' command does not update the user, and returns a 404 error.

Xray 1.10.1

Released January 4, 2018

This release includes UI display issue fixes in the Integrations and Permissions pages.

Xray 1.9

Released December 3, 2017


Authentication Through External Providers (LDAP, SAML, Crowd etc.)

User management in Xray has been greatly simplified by adding the ability to authenticate users through your corporate LDAP/Crowd or SAML provider. All you need to do is define one of the connected Artifactory instances as an "Authentication Provider". This lets you import the LDAP/Crowd, SAML and internal Artifactory users and groups from the specified Artifactory instance to Xray, and then assign them permissions as needed.

Permission Management 

This version introduces a flexible permissions model that gives an administrator fine-grained control over how users and groups access the different features of Xray.  "Resources" define the scope of a permission and specify the repositories and builds in the connected Artifactory instance to which the permission applies. You can then specify users and groups, internally defined in Xray or imported from a connected "authentication provider" as described above, and grant them privileges for the selected resources.

Feature Enhancements

  1. Improved performance of indexing and analysis for large-scale environments.

  2. Improved indexing and analysis process for Javascript files.

  3. Improved database processes which significantly improve performance of certain recursive queries

Issues Resolved

  1. Fixed an issue in which Xray would not delete files that were moved to the RabbitMQ failure queue.

  2. Fixed several issues connected to identifying the OS layer and its installed packages in Docker images.

  3. Fixed an issue that would cause RabbitMQ to drain available RAM on large scale environments by loading a large number of messages.

Xray 1.8

Released July 13, 2017


Content-Driven Workflow

Xray's current work flow is event-driven creating alerts with stateless information; a snapshot of builds and components at an instant in time. In this release, we are adding support for a new and more intuitive workflow which is content-driven in that issues are displayed based on the components you are interested in. This has a huge impact on how you navigate your way to the most relevant content. The high-level flow can be summarized as:

Search for components → Drill down → Examine issues

Enhanced Search: Xray now provides enhanced search allowing you to search for specific components through a set of search filters such as package type, issue severity, version and more.

Rich component display: From the search results, you can select the component that interests you and view a rich display that provides details of all versions of the selected component

Examine issues: Selecting any issue from the components display provides detailed information on the issue as well as a list of all the artifacts and builds on which it has an impact.

Recommendations for Remediation

In addition to providing a comprehensive list of versions in which a vulnerability exists for an infected component, the rich component display in the content-driven workflow also indicates in which version a vulnerability has been fixed (if available) and recommends upgrading to that version

JFrog IntelliJ IDEA Plugin

With the JFrog IntelliJ IDEA Plugin, you can scan your Maven project dependencies using Xray and view vulnerabilities during development time directly from within the IntelliJ IDE. IDE integration support will continue to expand to additional industry-standard IDEs, and to additional package formats. 

TeamCity Integration

JFrog Xray expands its CI/CD integration capabilities by adding support for TeamCity, enabling you to scan builds, generate reports and even fail build jobs if they use components with known vulnerabilities. This is an effective way to prevent builds with vulnerabilities from entering production systems.

Enhanced Vulnerability Data

Processing of raw vulnerability data has been greatly enhanced based on improved algorithms and heuristics to correlate and match data from different sources to the right component and version. This new data model provides greater and more accurate details about vulnerabilities such as infected version ranges, fix versions and more. It also allows better identification of infected components. In the case of Maven components, the vulnerability data has been completely replaced and undergoes manual curation before being loaded into the database resulting in better coverage with fewer false-positives.

Note that you need to perform a database sync (whether you are working in online or offline mode) to work with the enhanced vulnerability data. 

Feature Enhancements

Improved Scanning Performance

Performance of scanning new builds and artifacts has been dramatically improved to orders of magnitude. Since this is the most common process that Xray performs the improvement results in Xray being more responsive on the whole. In particular, the performance and accuracy of Docker images analysis has been greatly improved.

Support for Docker Images in Builds

Docker images encased in builds are now scanned and indexed just like any other build dependency.

Issues Resolved

  1. Fixed an issue in which Xray listed a component as having an "Unknown" license, even though specific known licenses were identified.
  2. Fixed an issue in which npm dependencies with vulnerabilities were downloaded even when their hosting repository in Artifactory was set to block downloads.


Released July 17, 2017

Issues Resolved

  1. Fixed an issue which may have caused a slow database migration when upgrading Xray to a new version.

Xray 1.8.1

Released July 31, 2017

Issues Resolved

  1. Fixed an issue with Xray's analysis process causing component license data to be saved multiple times, potentially consuming high amounts of memory and disk space.

  2. Fixed an issue where license issues in alerts did not have an impact path.

  3. SaaS users will now receive email notifications with a default mail server configuration.

Xray 1.8.2

Released August 3, 2017

Issues Resolved

  1. Issues and their status, contained within Docker images in a build, are now properly propagated.

Xray 1.8.3

Released August 22, 2017

Feature Enhancements

  1. Xray now gives you the option of selecting a custom location for your Xray data and PostgreSQL directories during an installation or upgrade process.
  2. Xray has undergone system-wide performance improvements which can be seen in several screens including ComponentsIssues in component details, AlertsSecurity Reports and more.
  3. When viewing component details, you can filter the issues displayed by their Summary field.
  4. The Reports module has undergone several improvements in UI display and performance
Issue Resolved
  1. Fixed an issue in which the All Alerts tab in the Alerts screen would appear empty even when alerts were present.


Released August 24, 2017

Issues Resolved
  1. Fixed an issue where some filter selections in the Component Search did not return all applicable results.

  2. Fixed an issue with the “Cancel” button in the Artifactory instance details page.
  3. Fixed an issue where data migration was not running properly when upgrading to Xray 1.8.3 resulting in many errors in the log file.

Xray 1.8.4

Released September 25, 2017

This release brings significant OSS licenses functionalities for improved license coverage, including the ability to parse license from files, license content analysis and GitHub license matching.

Feature Enhancements
  1. Xray will now support parsing OSS license information from all popular license file conventions, such as "*.pom" and "license.txt" metadata files.
  2. An additional layer of matching logic will now be used to help classify even more OSS licenses that may have been slightly modified, by analyzing the license content and comparing it to known license types.
  3. Xray is now able to get license information from GitHub for components with a GitHub page.
  4. The Xray installer now supports writing the installation / upgrades outputs to an installer log for better traceability.

Issues Resolved
  1. The license tab will now show a "0" in the tab header when a license cannot be identified. Licenses that are identified as "unknown" will include a proper placeholder in the component details page.

  2. Better handling of multiple files associated with the same component id.
  3. The Xray Docker installation does no longer require root privileges to run.

Xray 1.8.5

Released October 17, 2017

Feature Enhancements
  1. Artifact Checksum Matching - Xray now provides more accurate results by doing a checksum match in addition to the already supported component id match. This is especially useful for files which do not have proper component id's attached to them, such as Javascript files.
  2. Performance improvements in the analysis process and Memory Consumption Enhancements.

Xray 1.8.6

Released October 19, 2017

Issues Resolved
  1. Fixed an issue in which when Xray's indexing process would fail, under certain conditions, temporary files would not be removed which could eventually deplete available storage on the filesystem.

Xray 1.7

Released April 20, 2017


New Home Page: The Xray Home page has been completely redesigned to act as a dashboard that provides a wealth of useful information. At a glance, understand your general system health, get an overview of components and alerts, system scan status, database sync status and more. 

Feature Enhancements

Package Type filter for Component search: The Components page now includes a Package Type filter that lets you focus on specific package types making it easier for you to search for specific components.

Issues Resolved
  1. If an external integration is removed, Xray will now also remove any alerts related to that integration
  2. Custom issues are now aggregated together with security vulnerabilities when viewing Component details and in REST API responses.
  3. Fixed an issue with updating properties in Artifactory that are related to Xray's indexing status.

Xray 1.7.1

Released April 24, 2017

Issues Resolved
  1. Fixed an issue with file paths that sometimes led to the wrong location.
  2. Fixed an issue with migration for component license migration.

Xray 1.7.2

Released June 5, 2017

Feature Enhancements
  1. Xray now adds a timestamp indication to build snapshots. This ensures that each snapshot will have a unique name, making it easier to work with snapshots.
  2. When updating to a new version requires migration of the database (which may take some time), Xray will now show how the upgrade is progressing and provide error information if the upgrade fails.
  3. Xray's logging facility has been improved so that you no longer have to restart Xray if you want to change the log level for any of it's services.
  4. Xray's search has been enhanced so that in addition to package type, you can now also filter searches by component type (artifacts or builds).
Issues Resolved
  1. Fixed an issue that prevented creation of custom issues due to an error in parsing the timestamp when it included the Z timezone indicator.
  2. Fixed an issue that prevented Xray from annotating artifacts in Artifactory whose name included certain special characters.
  3. Fixed an issue in which the Xray base URL in the config descriptor for a connected Artifactory instance would not be updated when the base URL was modified.
  4. Fixed an issue in which the status of some artifacts would not be modified even after they were scanned, and, as a result, their download was blocked when download blocking was enabled in Artifactory for unscanned artifacts.


Released June 6, 2017

Issues Resolved
  1. Fixed an issue introduced in version 1.7.2 which, under certain conditions, caused a database connection leak.


Released June 8, 2017

Issues Resolved
  1. Fixed an issue that prevented Xray from synchronizing its database and indexing artifacts due to too many idle connections to its PostgreSQL database.

Xray 1.7.3

Released June 25, 2017


Xray now supports setting the system log level for each of the microservices without having to restart the Xray server. 

Issues Resolved
  1. Fixed an issue in which Docker images, whose full set of layers were already included in another indexed image, would not get indexed.
  2. Fixed an issue in which the Artifact Summary REST API endpoint did not provide license information if there were no Allowed or Banner License filters defined for a watch.

Xray 1.6

Released January 18, 2017

CI/CD Integration

JFrog Xray takes an active role in your CI/CD pipeline to indicate you should fail build jobs if your build or any of its dependencies have vulnerabilities. Your CI server (currently, Jenkins CI is supported) can now send a request to Xray to scan a build that was uploaded to Artifactory. In accordance with Watches you may define, Xray will scan the build, and if vulnerabilities that trigger an alert are found, Xray can now respond to the inquiring CI server that the build job should fail.

Main Updates

  1. Fail build jobs according to Watch specifications if build artifacts or their dependencies contain vulnerabilities. 
  2. Changes in the UI for Watches replacing "Notifications" with "Actions", and the addition of the Fail Build Job action to support CI/CD integration 
  3. "All Builds" has been added a new target type for watches so you can specify that all builds uploaded to Artifactory are scanned by Xray, not only specific builds you configure into the Watch. 

Xray 1.6.1

Released January 25, 2017

Main Updates

  1. An issue that was causing artifact indexing to fail has been fixed.

Xray 1.6.2

Released February 12, 2017

Preventing Brute Force Attacks

Xray has been equipped with a login protocol to prevent brute force attacks. When Xray encounters multiple login attempts by the same user, Xray steadily increases the time interval that the user must wait before attempting login again. After a specific number of failed login attempts, the user will be locked out of his account. At that point, login can only be reset by an Xray administrator. The administrator has full control over the number of failed login attempts to lock the user out.

System Logs

An Xray administrator may now view the Xray system log file in the Admin module, with the ability to filter log messages from the different services behind Xray.

Main Updates

  1. A bug preventing Xray from reaching the global database server when a proxy server is configured was fixed. 
  2. Performance when synchronizing the global database to Xray has been greatly improved. The overall process time is dramatically reduced, both for a first-time synchronization, and for periodic updates. 
  3. A mechanism has been added to prevent brute force attacks on Xray by locking out users with multiple failed login attempts. 
  4. A bug that prevented upgrade when the upgrade archive was extracted in the same folder as the previous version, has been fixed.
  5. The impact path of an artifact is now displayed as a full path including the Artifactory instance and the repository in which the impacted artifact is hosted.
  6. The Xray log can now be viewed by an administrator in the Admin module System Logs page. 

Xray 1.6.3

Released March 7, 2017

Main Updates

  1. Xray's analysis process performance has been greatly improved
  2. Performance when generating a security report has been greatly improved, especially for Xray instances that have indexed thousands of artifacts.
  3. Alerts can now be sorted by severity, and when viewing the details for a selected alert, the tab title also displays its severity.
  4. A bug in which some impacted artifacts were omitted from the security report has been fixed. 
  5. A bug in which offline database sync was failing due to components not being found has been fixed.
  6. The scanning process performance has been greatly improved
  7. When viewing a component's details page, vulnerabilities and licenses of it's child components are also displayed.

Xray 1.6.4

Released March 14, 2017

Main Updates

  1. An issue causing proxy server functionality to fail has been fixed.

Xray 1.6.5

Released March 22, 2017

Main Updates

  1.  Improve performance of both the indexing and scanning processes.
  2.  Improve performance of security report generation.

Xray 1.5

Released January 4, 2017

Dependency Graph APIs

JFrog Xray exposes its dependency graphs to any external source with access to its REST APIs. Through a simple REST API call, you can now receive the full dependency graph of any component or build as a JSON object, or compare the dependency graphs of any two components or builds to get a clear indication of the differences between them and easily hone in on new dependencies that may have introduced issues and vulnerabilities.

 Editing System Watches

System watches are created when a repository in Artifactory has been configured to block downloads. To provide more flexibility and finer control over when alerts should be generated, system watches can now be edited by Xray admin users.

 Unknown Licenses

Handling components with unknown licenses is a matter of your organization's policy. Xray now allows you to specify if these components should trigger alerts or not.

Main Updates

  1. Dependency Graph APIs allowing you to get the graph of any artifact or build, and compare any two artifacts or builds
  2. System watches can now be edited by Admin users. 
  3. Allowed and Banned License filters now allow you to specify "Unknown" so you can decide if components with unknown licenses should trigger alerts or not. 
  4. When indexing Docker images, Xray now also indexes Debian and RPM packages in the image OS layer.
  5. The onboarding wizard UI has been improved for usability and to allow indexing selected repositories on the spot. 
  6. The Security Report display has been improved. 

Xray 1.5.1

Released January 9, 2017 

Main Updates

  1. Fixed an issue that caused a database connection leak
  2. Fixed handling of gzip files with invalid headers

Xray 1.5.2

Released January 10, 2017 

Main Updates

  1. Fixed an issue that prevented microservices from writing entries to system logs

Xray 1.4

Released December 20, 2016

Security Reports

JFrog Xray adds a new report that shows you which vulnerabilities have the most far reaching consequences in your code, and which components in your code base have the most reported vulnerabilities, as well as recent vulnerabilities and infected components that were detected.

Black Duck Integration

JFrog Xray has integrated with Black Duck Software as a new external vulnerability provider. Black Duck automates the process of securing and managing open source software by helping you comply with open source license requirements and providing security alerts about vulnerabilities discovered in open source components.

Main Updates

  1. Security Report 
  2. Black Duck integration  

Xray 1.3

Released December 4, 2016

Improved Onboarding 

The onboarding experience has been improved in several ways including a wizard that guides you through the first essential steps of configuring Xray.


The Integrations UI has been modified to be more flexible and efficiently accommodate any number of integrations with external issue and vulnerability providers.

Artifact and Build Summary REST API

The Artifact and Build Summary REST API endpoints provides general information about an artifact or build as well as an aggregated list of issues and OSS licenses associated with them.

Main Updates

  1. Onboarding improvements including an Onboarding wizard 
  2. Flexible UI for integrations 
  3. Artifact Summary and Build Summary REST APIs 

Xray 1.2

Released November 6, 2016

License Reports

Generate a report that shows the distribution of open source licenses used by artifacts indexed by Xray, as well their compliance with "Allowed Licenses" and "Banned Licenses" filters defined in all watches in the system.

System Status

Xray now monitors a variety of system parameters and reports on their status to let you easily diagnose problems. 

Issue Filters

You can now create filters on watches based on the minimum severity of issues associated with indexed artifacts. 

Main Updates
  1. License reports for distribution of OSS licenses and compliance with watches defined. 
  2. Self-monitoring system status 
  3. Checksum calculation has been optimized by running it asynchronously.
  4. Issue filters based on minimum severity of an issue associated with an artifact. 

Xray 1.1

Released September 22, 2016

Support for Older Versions of Artifactory

JFrog Xray now supports all versions of JFrog Artifactory from v4.0 and above

Synchronization with the Global Database Server

Previously, Xray would synchronize with the global database server automatically at set time intervals. To give you more control over usage of your system resources, you can now manually invoke initial synchronization and update with the global database server, and pause/resume synchronization if necessary.

Support for Non-Docker Installation

In addition to Docker, JFrog Xray is now available for installation in a variety of flavors including Ubuntu, CentOS, Red Hat, and Debian.

Support Download Blocking

JFrog Xray will annotate artifacts that have been identified with an issue in any connected instance of JFrog Artifactory so that the Artifactory administrator may block download of that artifact.

Integration with Aqua

If you have an account with Aqua, this integration lets you enable their feed as a source for alerts using your Aqua API key.

OSS License Policy

You may now implement an OSS license policy by defining a filter for watches based on a whitelist or blacklist of OSS licenses. Any component in the system that does not pass through the filter you define will generate an alert.

Main Updates
  1. Support for older versions of Artifactory - v4.0 and above
  2. Visibility and control over resources with synchronizing with the global database server 
  3. Support for Linux installations 
  4. Support download blocking 
  5. Support for manually invoking and operating synchronization with the global database server 
  6. Integration with Aqua 
  7. OSS license policies 
  8. Connect to Artifactory via an HTTP proxy

Xray 1.0

August 1, 2016

JFrog is proud to the first official release JFrog Xray 1.0. This version presents dramatic changes based on feedback recieved from customers using the previous "Preview" version released several weeks ago. 

Easy Onboarding

The entire onboarding process to get started with Xray is done within Xray. This includes adding Artifactory instances, specifying repositories for indexing, triggering indexing and getting status on the indexing process.

Unified Analysis

Watches and alerts now aggregate all types of analysis performed. You simply define the context you are interested in for a Watch (repository, build or all artifacts), and view aggregated information on issues detected and artifacts impacted in the resulting alert. 

Focusing on the most relevant issues and alerts

You can now choose to ignore alerts or issues that have been resolved or are not interesting to you either for a specific alert instance or permanently.


While JFrog Xray comes preconfigured with a database of issues and affected software artifacts, it is also open to integration with additional vulnerability providers. This version comes with the ability to add Whitesource, a simple but powerful open source security and license management solution. 

Manually Invoking a Scan

A new Watch will only apply to new Artifacts or issues that arise after it has been created. This version adds the ability to run an analysis manually and apply a new Watch on existing artiafcts and issues.

Main Updates
  1. Easy onboarding
  2. Unified analysis with Watches
  3. Focusing on important issues using "ignore" rules
  4. Integration with Whitesource
  5. Manually invoking a scan
  6. View all alerts or only those based on watches you defined
  7. Support for an HTTP proxy to communicate with external networks.

Xray 1.0.2

August 11, 2016

This is  a minor update that fixes an issue with indexing and adds a limitation on the storage Xray consumes.

Main Updates
  1. Fixed an issue that caused the indexing process to be terminated in certain cases.
  2. Xray now limits the storage it utilizes when downloading artifacts for indexing.

Xray Preview

July 3, 2016

JFrog is proud to release JFrog Xray!

JFrog Xray performs universal artifact analysis, recursively scanning all layers of your binary packages to provide radical transparency and unparalleled insight into your software architecture. JFrog Xray works with most package formats and is fully integrated with JFrog Artifactory. 


The Home screen is your dashboard where you can monitor Artifactory instance Xray are connected to, component graphs and alerts.


Watches monitor artifacts for issues, and trigger alerts if any are found. A Scanning watch monitors a named build or repository in Artifactory and triggers an alert if any dependency with issues is found. An Impact Analysis watch listens to all providers streaming information to Xray and performs an impact analysis on all components in its database for any issues reported.


Alerts provide details about any issue found with any component, showing the full infection path through the component hierarchy.


View component relationships in your repositories to understand how one component affects others.


Automate component analysis through the rich Xray REST API.