Overview

This page presents release notes for JFrog Xray describing the main fixes and enhancements made to each version as it is released. 

If you need release notes for earlier versions of Xray, please refer to the Release Notes in the Xray 2.x User Guide.

Download 

Click to download the latest Xray version .

Previous Versions

Previous versions of JFrog Xray are available for download in the  Previous Releases  page.

Installation and Upgrade

For installation instructions please refer to Installing Xray.

To upgrade to this release from your current installation please refer to Upgrading Xray.

Xray 3.54

Xray 3.54.5

Released: Aug 4, 2022

Highlights
Scans List

The Scans List page combines Xray scan details into a single screen and enables you to view details for repositories, builds, release bundles, and packages. For each of these items, you can drill down further to view the Policy Violations, software components, and security issues. For more information, see Xray Scans List. 

Resolved Issues

Resolved Vulnerabilities

This release contains Fixed Security Vulnerabilities.  

Xray 3.52

Xray 3.52.4

Released: July 10, 2022

Resolved Issues

Xray 3.51

Xray 3.51.3

Released: June 22, 2022

Resolved Issues

1. ( XRAY-11489) Improved PHP composer detection. 

Xray 3.51.0

Released: June 9, 2022

Feature Enhancements

Enhanced the Issue Events REST API

Implemented a new V2 of the Get Issue Events REST API with the ability to get vulnerability details. 

The Get Issue Events V1 REST API is deprecated. 

Resolved Issues

Xray 3.50

This section includes all of the Xray version 3.50 releases.

Xray 3.50.3

Released: June 2, 2022

Features and Enhancements

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.9.15.

Resolved Issues

This release contains a resolved security issue, for more information see  Fixed Security Vulnerabilities . 

Xray 3.49

Released: May 18, 2022

Feature Enhancements 

New On-Demand Scan REST API 

Introduced a new REST API that will enable you to delete on-demand scanning results using the JFrog CLI. For more information, see Delete On-Demand Scan Results

Operational Risk Reports 

You can now generate Operational Risk reports as one of the Xray report types. In addition, you can also view Operational Risk violations in the Violations report type. For more information. see Xray Reports.

This feature is available with Artifactory version 7.40.x and above. 

Resolved Issues

This release contains a resolved security issue, for more information see  Fixed Security Vulnerabilities . 

Xray 3.48

This section includes all of the Xray version 3.48 releases.

Xray 3.48.2

Released: May 08, 2022

Resolved Issues

This release contains a resolved security issue, for more information see Fixed Security Vulnerabilities.

Xray 3.47

This section includes all of the Xray version 3.47 releases.

Xray 3.47.3

Released: April 20, 2022

Resolved Issues

Xray 3.46

Released: April 7, 2022

Highlights

Operational Risk

Xray can now provide information about the operational risk of using open source software components. These include the risk of using outdated versions or inactive open source software components in your projects. In the current version of this release, we will provide operational risk information for Maven and npm packages. More package types will be added in future releases. For more information, see Components Operational Risk. 

Resolved Issues

Xray 3.45

This section includes all of the Xray version 3.45 releases.

Xray 3.45.2

Released: March 31, 2022

Resolved Issues

1. Fixed an issue whereby, in some cases, Scan Build had a slow performance. 

Xray 3.45.1

Released: March 21, 2022

Feature Enhancements

Jira Integration OAuth2 Scope Support 

Added support for the new  OAuth2 scope rollout by Atlassian. OAuth2 apps that are already connected can be upgraded and reconfigured in the Atlassian developer dashboard with the new scope permissions, as described in Creating a Jira Connection Profile.

Enhanced the Export Component Details REST API 

Added a new option for the output_format field in the Export Component Details API. The new option is named json_full which returns a JSON file.

Resolved Issues

Xray 3.44

This section includes all of the Xray version 3.44 releases.

Xray 3.44.3

Released: March 17, 2022

Resolved Issues

1. Fixed an issue whereby, due to a breaking change in npm registry, Xray failed to perform an npm audit. 

Xray 3.44.2

Released: March 13, 2022

Resolved Issues

1. Fixed an issue whereby, in some cases, a user with Read Permissions was unable to view artifact data in the Xray tab's tree view when the artifact's name contained some specific special characters.

Xray 3.44.1

Released: March 6, 2022

Highlights

Components Physical Path

Xray now displays the physical path (location) of a vulnerable component in an artifact. This information is displayed in the impact path graph within the CVE, export formats of Xray scans, and in the Violations and Vulnerabilities reports. 

This feature is also supported through REST API; Build Summary and Artifact Summary.

Exclude Violations with No Available Fixed Version

Introducing a new capability in Xray Policies, where you can set a policy rule to not generate violations for security issues that do not contain a fixed version. This new capability will help you improve your security workflow in enabling you to exclude violations at the Policy level by not failing builds for issues that do not contain a fixed version. Whenever a fixed version is available, the violation will be generated. For more information, see Triggering Violations Using Policy Rules.

This feature is also supported through the Create Policy REST API. 

Resolved Issues

Xray 3.43

This section includes all of the Xray version 3.43 releases.

Xray 3.43.4

Released: March 18, 2022

Resolved Issues

1. Fixed an issue whereby, due to a breaking change in npm registry, Xray failed to perform an npm audit. 

Xray 3.43.1

Released: February 21, 2022

Resolved Issues

Xray 3.42

This section includes all of the Xray version 3.42 releases.

Xray 3.42.3

Released: February 13, 2022

Feature Enhancements

CVE Enrichment REST API Support

The JFrog Security CVE Research and Enrichment feature is now supported in the following REST APIs:

• List Ignored Violations
• Scan Build V2
• Build Summary
• Artifact Summary
• Get Violations

The following parameters were added:

• JFrog Research Severity
• Summary markdown text
• Detailed description markdown text
• JFrog Research Severity Breakdown (list of reasons)
• Remediation (list of mitigation options)

Resolved Issues

This release contains a resolved security issue, for more information see  Fixed Security Vulnerabilities . 

Xray 3.41

This section includes all of the Xray version 3.41 releases.

Xray 3.41.4

Released: January 26, 2022

Highlights

Xray Data Retention

Improve Xray performance and data usage by selecting which artifacts are important to scan and how long to retain their Xray data. To learn more, see Indexing Xray Resources.

Feature Enhancements

Added Export and Import of XRAY Configuration to the Xray APIs

• Export API: 
  
  • Added the ability to export ticketing (jira) integrations using 'ticketing_integrations' property.
  • Added the ability to export all configurations using 'export_all' property.
• Import API:
  
  • Added the ability to import configurations asynchronously using 'async' property.

To learn more, see IMPORT & EXPORT.

Resolved Issues

This release contains resolved security issues, for more information see Fixed Security Vulnerabilities . 

Xray 3.40

This section includes all of the Xray version 3.40 releases.

Xray 3.40.4

Released: January 18, 2022

Resolved Issues

1. Fixed an issue, whereby an internal AQL from Xray to Artifactory can cause a significant load on the Artifactory database. The AQL is triggered when Xray scans a build.

Xray 3.40.3

Released: January 13, 2022

Highlights

Generate Software Bills of Materials (SBOM) Report

Xray now can generate an SBOM report in both SPDX and CycloneDX standard formats. This will help DevSecOps teams to identify the software components in use, their dependencies, and associated license risks if any. To learn more, see Xray SBOM Report.

Feature Enhancements

On-Demand Binary Scan Docker Support

Xray's On-Demand Binary Scan using the JFrog CLI now supports scanning Docker images. You can run an ad-hoc scan of a Docker image without uploading it to Artifactory first. 
This feature requires JFrog CLI version 2.11.0. 

On-Demand Binary Scans New UI

You can now view the On-Demand Binary scans that run using the JFrog CLI as part of the Xray UI in the JFrog Platform. This enables you to view and perform scan-related actions in Xray. For more information, see On-Demand Binary Scan. 

Resolved Issues

Xray 3.38

This section includes all of the Xray version 3.38 releases.

Xray 3.38.6

Released: January 18, 2022

Resolved Issues

1. Fixed an issue, whereby an internal AQL from Xray to Artifactory can cause a significant load on the Artifactory database. The AQL is triggered when Xray scans a build.

Xray 3.38.5

Released: December 28, 2021

Resolved Issues

Xray 3.38.2

Released: December 12, 2021

Resolved Issues

This release contains a resolved security issue, for more information see Fixed Security Vulnerabilities. 

Xray 3.37

This section includes all of the Xray version 3.37 releases.

Xray 3.37.2

Released: November 29, 2021

Resolved Issues

Xray 3.37.1

Released: November 24, 2021

Feature Enhancements

Jira Integration Dynamic Labels and Custom Fields

You can now use Xray-specific entities as dynamic labels and custom fields in your Jira issues. For more information, see Creating a Jira Configuration Profile

Scan Build REST API V2

Added  Scan Build REST API V2 . 

Resolved Issues

Xray 3.36

This section includes all of the Xray version 3.36 releases.

Xray 3.36.2

Released: November 15, 2021

Resolved Issues

Xray 3.35

Released: October 27, 2021 

Highlights

Scan Status

You can now get information on the scan status of resources in the Xray data tab of Packages, Builds, and Release Bundles in Artifactory.

Scan Now REST API 

Introducing a new Scan Now REST API that enables you to index resources on-demand, even those that were not marked for indexing.

Feature Enhancements

Jira Integration Enhancements

Enhanced the Jira Integration feature with the following:

• Updated JIRA ticket information with a new structure and additional fields.
• The option to eliminate duplicate Jira tickets is enabled by default now. Note that this does not change existing Jira profile configurations.
• Now selecting a Jira configuration profile automatically enables the feature in a Watch.

Resolved Issues

Xray 3.34

This section includes all of the Xray version 3.34 releases.

Xray 3.34.1

Released: October 14, 2021 

Highlights

New REST API for Scan Status

You can now check the scan status of Packages, Builds, and Release Bundles using the new Scan Status REST API.

Resolved Issues

Xray 3.33

This section includes all of the Xray version 3.33 releases.

Xray 3.33.5

Released: October 6, 2021 

Resolved Issues

1. Fixed an issue whereby, extra workers were being initiated for Xray which sometimes led to resource exhaustion.

Xray 3.33.4

Released: October 3, 2021 

Resolved Issues

Xray 3.33.3

Released: September 30, 2021 

Highlights

JFrog Security CVE Research and Enrichment

Xray's integration with Vdoo introduces JFrog security CVE research and enrichment, a new capability that provides additional CVE details by the J Frog security research team , which  comprises security experts that perform manual  research on CVEs and suggest a new  JFrog Severity Score  and a deep technical overview  that allows you to better understand the actual risk posed by the CVEs.

Xray Integration with Jira

Xray now can be integrated with Atlassian’s Jira Software enabling the automatic creation of Jira tickets based on Xray identified security threats and violations. To learn more, see Xray Jira Integration.

Resolved Issues

Xray 3.32

This section includes all of the Xray version 3.32 releases.

Xray 3.32.2

Released: September 1, 2021 

Resolved Issues

1. Fixed an issue whereby, in some cases, existing values were overwritten when updating system parameters using the Configurations REST API. 

Xray 3.32.1

Released: August 31, 2021 

Feature Enhancements

Grace Period REST API Support

Added a new parameter to support the Grace Period feature in the Create Policy REST API. 

Ignore Rules REST API Enhancement

You can now sort the Get Ignore Rules REST API by projects. 

Resolved Issues

Xray 3.31

This section includes all of the Xray version 3.31 releases.

Xray 3.31.2

Released: September 1, 2021 

Resolved Issues

1. Fixed an issue whereby, in some cases, the Watch Violations page was taking a while to load due to the new filters of the latest build or Release Bundle version.

Xray 3.31.1

Released: August 23, 2021 

Highlights

Set a Grace Period before Failing Build

You can now set a grace period in a Policy for build failure, allowing you to stop a build from failing if violations exist, for the period of time you set. For more information, see Creating Xray Policies and Rules.

New Filter in Watches

Filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you. For more information, see Configuring Xray Watches.

Filter Ignore Rules

Use an array of different filtering options to narrow down the list of Ignore Rules by the filter criteria you select. For more information, see Ignore Rules.

Xray Reports Clone

Create a clone of an existing report in Xray Reports to reuse a report and its defined settings saving you the time of recreating reports that you use often. This feature requires Artifactory 7.23.x and above.

Hot Upgrade

You can now upgrade an Xray High Availability (HA) installation from version 3.31.0 to a higher version without turning off all the secondary nodes. You can complete an Xray HA upgrade with zero downtime. 

Feature Enhancements

Enhanced Xray Dependency Scanning and On-Demand Binary Scanning

Xray Dependencies and Xray On-Demand Binary  scanning now include the option to ignore violations. In the JSON report of each scan, an Ignore Rule URL (URL to Xray in the JFrog Platform) is included in the results, enabling you to create ignore rules for violations in the report, as described in Ignore Rules. 

Resolved Issues

Xray 3.30

This section includes all of the Xray version 3.30 releases.

Xray 3.30.2

Released: August 18, 2021

Resolved Issues

Xray 3.30.1

Released: August 15, 2021 

Highlights

Release Bundle Details REST API

Added a new Release Bundle Details REST API that returns license and security violations found in a Release Bundle. 

Resolved Issues

Xray 3.29

Xray 3.29.2

Released: August 11, 2021

Resolved Issues

Xray 3.29.0

Released: July 21, 2021 

Highlights

Dependencies Scan 

The Xray Dependencies Scan feature enables you to scan your source code dependencies to find security vulnerabilities and licenses violations, with the ability to scan against your Xray policies. The dependencies scan is available using the JFrog CLI. With a simple command-line tool, you can scan a source code directory on your local file system, providing a fast and early scan during development.

On-Demand Binary Scan

Xray now provides on-demand binary scanning to address your needs using the JFrog CLI for fast results. Now, you can point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory. 

Feature Enhancements 

Additional REST API Projects Support

To further support Projects in Xray, the following additions were made in the Xray REST APIs:

• Added ability to scan builds in a Project using the Scan Builds REST API . 
• Added Project scope support when exporting/importing Watches, Policies and Ignore Rules using the Import/Export REST API. 

Resolved Issues

Xray 3.27

This section includes all of the Xray version 3.27 releases.

Xray 3.27.4

Released: July 13, 2021 

Resolved Issues

Xray 3.27.3

Released: July 12, 2021 

Feature Enhancements

Health Check Readiness New Configurations

The Health Check Readiness feature can now be configured with the following new configuration parameters in the Xray system YAML.

• shared.probes.readiness.samplers.database.enabled
• shared.probes.readiness.samplers.rabbitmq.enabled
• shared.probes.readiness.samplers.centraldb.enabled (Cloud only)
• shared.probes.readiness.samplers.indexerDataFolderDiskUsage.enabled
• shared.probes.readiness.samplers.indexerDataFolderDiskUsage.threshold 

Xray 3.27.2

Released: June 30, 2021 

Highlights

New Security Manager Role in Projects

A Security Manager can perform security-related project actions such as Manage Xray Data, Manage Reports, Manage Watches and Policies, and Ignore Global Violations. 

Generate Xray Reports on a Project Scope

You can now generate Global Xray Reports for selected Projects for all report types in Xray. 

Apply Global Watches on Projects 

You can now apply Global Watches on specific Projects enabling you to set rules and policies in the selected Projects. 

Feature Enhancements

Added DB Sync Metrics

To monitor the DB Sync status, new DB Sync metrics were added to the Open Metrics REST API and Log. 

Resolved Issues

Xray 3.26

This section includes all of the Xray version 3.26 releases.

Xray 3.26.1

Released: June 10, 2021

Highlights

Xray's Garbage Collector (GC) feature enables you to avoid race conditions between delete/create events sent by Artifactory mainly when moving Artifacts and promoting images. This feature is active by default and is configurable in the Xray System YAML deleteMode (‘gc’/‘eager’) parameter. 
You can manage the Garbage Collector through a set of REST APIs, such as getting the GC status or forcing GC to run. For more information, see Garbage Collector (GC) REST APIs.

Resolved Issues

Xray 3.25

This section includes all of the Xray version 3.25 releases.

Xray 3.25.1

Released: May 27, 2021

Feature Enhancements

Watches and Reports REST APIs Enhancements for Projects

Added support for Projects when creating a report or Watch for the Build resource in the Watches V2 REST APIs and Reports REST APIs.  

Resolved Issues

Xray 3.24

This section includes all of the Xray version 3.24 releases.

Xray 3.24.2

Released: May 2, 2021

Highlights

Distroless Scanning

Xray now can scan Google Distroless Images that only contain your application and its runtime dependencies.

Red Hat Vulnerability Scanner Certification

JFrog Xray is now certified with the Red Hat Vulnerability Scanner Certification. The certification recognizes Xray as a trusted Red Hat security partner, enabling Xray to deliver consistent and more accurate processing of Red Hat products and packages and reporting of vulnerabilities, minimizing false positives and other discrepancies.

Feature Enhancements

Impact Analysis Performance Improvements

Improved the Impact Analysis performance significantly reducing the database server CPU and I/O levels.

Red Hat Packages Enhancements

Improved Red Hat packages scanning to support CPE matching to enhance Red Hat vulnerabilities detection. Xray also supports Red Hat Modules for better scanning of Red Hat OS packages.

Go Version Upgrade

The Go version with Xray has been upgraded to version 1.16.1, solving some security vulnerabilities described in  CVE-2021-27918.

PostgreSQL Version Bundling

Xray bundling with PostgreSQL has been updated to use a newer PostgreSQL version 13.x

Resolved Issues

Xray 3.23

Released: April 22, 2021

Feature Enhancement

REST API Related Performance Improvement

Improved the performance when running the Scan Build API.

Resolved Issue

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

Xray 3.22

This section includes all of the Xray version 3.22 releases.

Xray 3.22.1

Released: April 7, 2021

Feature Enhancements

Limit Storage Space Used by Indexer

You can now limit the storage space used by the Indexer microservice during concurrent downloads and extraction of artifacts. This will ensure that the used storage will not exceed the default 80% of allowed disk usage. 
To enable this, set the  server.enableVirtualStorageManager parameter to true in the Xray System YAML  file.

Resolved Issues

Xray 3.21

This section includes all of the Xray version 3.21 releases.

Xray 3.21.2

Released: March 31, 2021

Highlights

Xray in Projects

^{CLOUD: E nterprise | Enterprise+    SELF-HOSTED:  Enterprise | Enterprise+}

Use Xray capabilities in the scope of JFrog Projects. JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. Offload and delegate Xray tasks to the different personas in your organization, such as assigning Xray security management capabilities to Project Admins on the scope of their specific projects. For more information, see Projects.

Xray CVSS v3 Scoring Support

Xray now supports CVSS v3 scoring in addition to the CVSS v2 scoring. This will ensure that Xray's scoring of vulnerabilities is up-to-date and provide the latest universally standard severity ratings of vulnerabilities. For more information, see CVSS Scoring in Xray. 

Xray Conan and C/C++ Support

Xray can now scan Conan packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build. For more information, see Conan and C/C++ Support in Xray.

Feature Enhancements

Xray UI Changes

The Xray UI in the JFrog Platform has changed to create a better division of Xray tasks reflecting the different tasks by persona. Management and creation of Watches and Policies have been moved to the Administration module, as these are tasks usually performed by the administrators or users with special privileges. The Watch Violations and Reports are in the Application module. 

Resolved Issues

Xray 3.18

Xray 3.18.2

Released: March 22, 2021

Resolved Issues

1. Fixed an issue whereby, in some cases, Xray failed when validating permissions without resources.

Xray 3.18.1

Released: March 8, 2021

Resolved Issues

1. Fixed an issue whereby, in some cases, Xray crashed when the DB sync contained a vulnerability with a large size of information.

Xray 3.18.0

Released: March 2, 2021

Feature Enhancements

PostgreSQL Version Support

PostgreSQL 13 is certified to be used with Xray 3.x and above.

Resolved Issues

Xray 3.17

This section includes all of the Xray version 3.17 releases.

Xray 3.17.4

Released: February 17, 2021

Resolved Issues

Xray 3.17.2

Released: February 4, 2021

HIghlights

REST API Open Metrics 

Added metrics related to Xray DB sync time, and total number of scanned artifacts and components. For more information, see Open Metrics.

Feature Enhancements

Go Version Upgrade

Upgraded Go version to 1.15.7 to fix security vulnerabilities.

Impact Path Data in Reports

You can now view the Impact Path data in the Due Diligence Report in the Get Due Diligence Report Content REST API and JSON and CSV outputs.

Scan Build REST API Permissions

The Scan Build REST API no longer requires Admin permissions, only Manage Xray Metadata permissions.

Resolved Issues

Xray 3.16

Released: January 21, 2021

Highlights

New REST API to Restore Ignored Violations 

Introduced a new Restore Ignored Violations REST API, which allows you to restore violations that were ignored due to defined Ignore Rules.

Feature Enhancements

Impact Path Data in Reports

You can now view the Impact Path data for Vulnerabilities and Violations reports in JSON and CSV outputs.

Time-based Ignore Rule Filter for REST API

Filter and sort the Ignore Rules by expiration date using the Get Ignore Rules, such as time-based rules that will expire before or after a specific date. You can also sort Ignore Rules by expiration date.

View Ignored Violations in the Violations Report

You can view ignored violations data in the Violation Report including the Ignore Rule ID that can be used in REST APIs.

Resolved Issues

Xray 3.15

This section includes all of the Xray version 3.15 releases.

Xray 3.15.3

Released: January 7, 2021

Feature Enhancements

Xray Violations and Vulnerabilities reports now include additional information regarding the severity received from the Red Hat OS advisory board. This information will be included in the CSV and JSON export formats of the reports.

Resolved Issues

Xray 3.15.1

Released: December 30, 2020

Feature Enhancements 

Sizing Improvement 

Improved the performance of the Xray Data tab in the UI.

Resolved Issues

Xray 3.14

This section includes all of the Xray version 3.14 releases.

Xray 3.14.3

Released: December 29, 2020

Resolved Issue

1. Fixed an issue, whereby the Xray database disk space significantly increased after upgrading to Xray version 3.x.

Xray 3.14.1

Released: December 22, 2020

Feature Enhancements

PostgreSQL Driver Upgrade

Upgraded PostgreSQL driver to the latest version.

Resolved Issues

Xray 3.13

Xray 3.13.3

Released: 17 December 2020

Resolved Issues

The resolved issues now contain the associated JIRA number to help you keep track of your issues that were fixed in the release.

Xray 3.13.0

Released: December 8, 2020

Feature Enhancements

Ignore Rules Enhancements

Time-based Ignore Rule

Time-based ignore rule enables you to set an expiration date for an Ignore Rule in which the violation will be ignored until the Ignore Rule expires. Once that period expires, the Ignore Rule will be deleted automatically, and if the violation occurs again it will not be ignored moving forward. For more information, see Ignore Rules. This feature is also supported through REST API, as described in IGNORE RULES REST API.

Ignored Violations Stored in the DB

All ignored violations are now stored in the DB which enables you to view all ignored violations on the artifact, build, and Release Bundle level.

UI Enhancements

The UI now provides more information about an ignored violation in the different screens, including in the violations list for an artifact, build, and Release Bundle.

Export Components Details API Enhancement

Added the include_ignored_violations parameter to Export Component Details RST API. This will return the ignore rule ID per matched policy. 

Resolved Issues

Xray 3.12

Released: November 29, 2020

Feature Enhancements

Improved Indexer Functionality 

Enhanced the indexer functionality with improved classification of artifacts and identification of complex cases, such as identifying inner components within other components.

This enhancement resolves the following issues: XRAY-5380, XRAY-6032, XRAY-6023, XRAY-5601, XRAY-5200, XRAY-5022, XRAY-4551, XRAY-4540, XRAY-4505, XRAY-4081, XRAY-2167, XRAY-5355, XRAY-5448, XRAY-5786, XRAY-5694, XRAY-5534, XRAY-3716, XRAY-6583, XRAY-6441, XRAY-5449.

Build Scanning Improvement

Improved the build scanning process by having Xray only download artifacts from Artifactory that are part of the build in which Xray can scan them to save resources and time.

Resolved Issues

Xray 3.11

Xray 3.11.2

Released: November 11, 2020

Resolved Issues

Xray 3.11.1

Released: November 9, 2020

Resolved Issues

1. Fixed an issue, whereby Xray Docker Compose was pointing to an incorrect Docker Registry.

Xray 3.11.0

Released: November 8, 2020

Highlights

Violations Report

Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope.  Violations information includes information such as type of violation, impacted artifacts, and severity. 

Feature Enhancements

Ignore Rules 

Enhanced the Ignore Rules feature functionalities, including the ability to set granularity on a defined Ignore Rule. All of the Ignore Rule functionalities are supported via the REST API.

To enable these enhancements, it requires Artifactory version 7.10.5 (available) or above.

To learn more, see Ignore Rules .

New Connection Parameters in the Xray system YAML

Added support for the following two new parameters in the Xray system YAML:

• maxLifetimeSecs: The number of seconds to allow a connection to be alive before a connection is recycled and another connection is established in its place.
• maxIdleSecs: The number of seconds a connection may be in idle mode before it is closed.

Resolved Issues

Xray 3.10

This section includes all of the Xray version 3.10 releases.

Xray 3.10.3

Released: October 22, 2020

Highlights

Alpine Package Support in Xray

Xray now scans and indexes your Alpine Repositories and Alpine Packages,  including recursive analysis, component graph integration, and providing detailed metadata information. 

Feature Enhancements

Python Package File Format Support

Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats.

Support PHP files in *.tar Archives

Xray now supports PHP files inside *.tar archives.

New Metadata REST API 

Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server.

Resolved Issues

Xray 3.9 

This section includes all of the Xray version 3.9 releases.

Xray 3.9.1

Released: October 4, 2020

Highlights

Due Diligence Licenses Report

Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. 

DB Sync Improvements 

Improved initial vulnerabilities database synchronization by 92%. The total time is down to less than one hour with minimum Xray system requirements.

Resolved Issues

1. Fixed an issue whereby, in some cases, Docker layers descendants were not displayed in the UI.
2. Fixed an issue whereby, if violations were found, Webhooks was not triggered if the Fail Build option was enabled.
3. Improved the Xray request log format to be aligned with the JFrog Platform standards. If you have automation that is based on the old format, make sure to update it accordingly.
4. Improved performance in Xray when responding to requests coming from Xray IDE plugins.
5. Improved the database connection pool configuration by reducing the default number of idle connections  to the database to a lower value of 5. The system YAML parameter names have been changed to support this enhancement, however, the old parameter names are supported for backward compatibility. For more information, see Xray System YAML.

Xray 3.8

Xray 3.8.8

Released: September 26, 2020

Resolved Issues

1. Fixed an issue, whereby in some cases the migration from Xray 2.x to 3.8.4-3.8.6 may fail.
2. Fixed an issue, whereby PostgreSQL binary was missing and caused the migration to Xray 3.x to fail.

Xray 3.8.7

Released: September 25, 2020

Resolved Issues

1. Fixed an issue, whereby in some cases the migration from Xray 2.x to 3.8.4-3.8.6 may fail.

Xray 3.8.6

Released: September 16, 2020

Resolved Issues

1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to Xray 3.x failed.

Xray 3.8.5

Released: September 10, 2020

Resolved Issues

1. Fixed an issue whereby, when migrating from Xray 2.x to Xray 3.x, the impact path records were being duplicated.
2. Fixed an issue whereby, installing Xray was failing on running wrapper scripts (RPM flavor) in AWS instances due to a PostgreSQL dependency.
3. Fixed an issue whereby, after upgrading to 3.8.x a full DB Sync was triggered, even when it was not needed.

Xray 3.8.3

Released: September 8, 2020

Feature Enhancements

License Detection Improvements

Improved license detection performance and success rate to reduce CPU utilization.

Resolved Issues

1. Fixed an issue, whereby, in some cases, viewing or exporting licenses of an artifact led to a PostgreSQL server malfunction.
2. Fixed an issue, whereby in some cases, PyPI package licenses inside a docker image were not detected.
3. Fixed an issue, whereby when scanning component with GPL-2.0 with a classpath exception license, Xray recognized it as GPL-2.0.
4. Fixed an issue, whereby in some cases RPM OS packages were indexed with the wrong epoch in docker images. For packages that were already indexed with the wrong epoch, you can reindex to fix this using the Force Reindex API.
5. Fixed an issue, whereby, when trying to drill down to an inner component in the impact path graph of a vulnerability or violation, a 500 error was issued. This issue affects only SaaS users with Xray version 3.8.2.
6. Fixed an issue, whereby, Xray could not be set up with Azure managed PostgreSQL. A property was added to the system.yaml in order to support connecting to externally managed databases where the actual database username may differ from the connection username. The new property is shared.database.actualUsername.

Xray 3.8.2

Released: August 23, 2020

Feature Enhancements

Add Builds to Indexing Configuration API

A new  Add Builds to Indexing Configuration  API has been added to Xray REST API that enables you to add new builds by only providing the new build names to the list of builds selected for indexing.

Archive Installer Improvements

Install as a service was modified to use systemd scripts for systemd supported machines.

PostgreSQL Version Bundling

Xray bundling with PostgreSQL has been updated to use a newer PostgreSQL version 12.x

Resolved Issues

1. Improved the performance of Impact Analysis processing.
2. Fixed an issue, whereby in some cases, Artifacts were not indexed and scanned properly if the database was not available for a period of time (e.g. database restart or failover).
3. Fixed an issue, whereby Release bundle repo mapping caused Xray scanning to not find the files.
4. Fixed an issue, whereby there was a discrepancy in the component ID of PHP composer between Artifactory and Xray. The mismatch was fixed to always match vendor/package name in lower case.
5. Fixed an issue, whereby a vulnerability, in the Xray web application prior to version 3.8.2, did not properly restrict access to the license pages, which could have allowed an unauthenticated user to obtain information regarding the server license.

Xray 3.8.0

Released: August 13, 2020

Highlights

Vulnerabilities Report

You can now create and generate a Vulnerabilities Report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. Narrow down what data you would like to see by setting a specific scope and advanced filters to display the exact data you want to analyze. A new reports page now is part of the JFrog platform where you can create, generate, and perform various actions on reports with the capability to export to PDF, JSON, and CSV file formats for further analysis. The Vulnerabilities report is also supported by REPORTS REST APIs.

This report type is the first of the Xray Reports feature that was introduced in this release. Other report types are planned for future releases that will provide you with further capabilities. 

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.

Multiple License Permissive Approach

The new Multiple License Permissive Approach  enables you to have more flexibility in the policy level and to configure a more permissive approach that allows components that have at least one of the licenses as permitted to go through without triggering a violation even if some licenses are not allowed. 

System Metrics Information API and log

Xray has been enhanced to support open metrics.  The new Metrics API has been added and returns metrics in the Open Metrics format . The new metric-related log file xray-{microservice}-metrics.log was added to the file system.

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.8.x.

Feature Enhancements

Go Version Upgrade

The Go version with Xray has been upgraded to version 1.14.6, solving some security vulnerabilities described in CVE-2020-15586.

PostgreSQL Version Support

Xray is now certified to run with PostgreSQL versions 11.x, and 12.x.

Resolved Issues

1. Fixed an issue whereby, the IU-Extreme-1.1.1 license URL was incorrect.
2. Fixed an issue whereby, after DB Sync failure, the DB Sync was reading the same faulty bundle and not downloading fixed bundles. 
3. Fixed an issue whereby, Debian OS packages were named by "Source" instead of "Package". 
4. Fixed an issue whereby, the Get Component List Per Watch API required Admin permissions only, preventing non-admin users from calling this REST API. A new Manage Reports user role was added to enable you to use this API.
5. Fixed an issue whereby, the  Find Component by CVE API did not return results for users with read permissions. A new Manage Reports user role was added to enable you to use this API.
6. Fixed an issue whereby, Xray was not sending E-mail notifications to watch recipients when violations were found. 
7. Fixed an issue whereby, Alert worker was consuming an excessive amount of memory.
8. Fixed an issue whereby, the RPM docker images were stuck in the indexing stage in an infinite loop.

9. Improvement in RabbitMQ clustering logic. 

Xray 3.6

Xray 3.6.2

Released: July 9, 2020

Resolved Issues

1. Fixed an issue whereby, when migrating from Xray 2.x to 3.x, an error occurred when the changed_file field value was too long in the user_components_docker_layer_changed_files table.
2. Fixed an issue whereby, when trying to upgrade Xray and the xrayConfig field in the configuration table contained the special character %, the upgrade failed. 

Xray 3.6.1

Released: July 6, 2020

This release includes all of the enhancements and resolved issues of the 3.6.0 Cloud release, including the resolved issue below. 

Resolved Issues

1. Fixed an issue whereby Xray was crashing upon starting DB sync with the proxy enabled. 

3.6.0

Released: June 28, 2020

Feature Enhancements

Schedule Background Tasks

Xray now provides a way to schedule the DB sync background task using the Update DB Sync Daily Update Time REST API. Xray chooses a random time on startup to get daily updates from XUC. This time can be configured through the API, and restart is not required.

Prioritization of Scan Events

Xray now prioritizes the scanning of new Artifacts/Builds/Release Bundles over events originating from a history scan or a full repository scan, and provides the capability to control the number of workers for new content versus history/full repository scan using the Configuring the Workers Count REST API. Requires Artifactory version 7.6 and above.

Resolved Issues

1. Fixed an issue whereby, an error was ignored in the code when fetching the bin manager ID, which caused a nil pointer error.
2. Fixed an issue whereby, the scan-build failed when there were no policies, watches, and builds configured, and an unclear message was issued. 
3. Fixed an issue whereby, in Xray REST APIs where the artifactory_id parameter (or within a path) was required in Xray 2.x, and it is no longer required in 3.x and will be ignored.

Xray 3.5

Xray 3.5.2

Released: June 21, 2020

Feature Enhancements

Artifactory Connection Management

Improved the process of Xray's active connections to Artifactory. To reduce the load in Artifcatory and improve performance, all  HTTP client connections have a limited number of concurrent connections to Artifactory.

Repository Scan Improvement 

The process of repository indexing was enhanced. Indexing requests of Artifacts that were initiated from an index repository request are no longer persisted in the Artifactory database. This improvement reduces the network and database load in Artifactory.

Resolved Issues

1. Fixed an issue, whereby the CVE was not displayed in the PDF reports.
2. Fixed an issue, whereby a false positive was declared for RPM packages due to incorrect RPM distribution comparisons.
3. Fixed an issue, whereby Xray failed to process empty  manifest.json  files preventing the .wh  components to be deleted.
4. Fixed an issue, whereby the  Update Builds Indexing Configuration REST API command was missing response messages.
5. Fixed an issue, whereby when an invalid or expired license was detected by Xray, an error was displayed at the debug level instead of the error log level.
6. Fixed an issue, whereby when loading a watch, ignore rules were being loaded slowly.
7. Fixed an issue, whereby when migrating from Xray 2.x to 3.x, client SSL configurations were not migrated properly. 
8. Fixed an issue, whereby in a High Availability cluster, an error occurred when reloading the config cache.

Xray 3.4

Released: May 17, 2020

Highlights

Externalization of the PosgreSQL Database

From Xray 3.4, you have more control over your resource allocation and you can direct Xray to use an external PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.

Resolved Issues

1. Improved performance and time of the initial DB sync with Xray Update Center (XUC). 
2. Fixed an issue whereby, in a number of cases, the Docker pull did not work properly when a Docker remote repository was configured with the Block Download Block Unscanned Artifacts setting. 
3. Fixed an issue whereby, the Impact Analysis process did not work properly due to a stack overflow error. 
4. Fixed an issue whereby, Impact Analysis stopped functioning due to an out of memory issue caused by multiple infected artifacts.
5. Fixed an issue whereby, Xray stopped functioning when indexing RPM files due to high memory consumption causing an out of memory issue. 
6. Fixed an issue whereby, a connection deadlock occurred when the number of workers was larger than the number of connections. 
7. Fixed an issue whereby, applying a watch for a history scan triggered scans on all watches.
8. Fixed an issue whereby, under certain rare circumstances, Artifactory would disconnect from Xray during a periodic license check.
9. Fixed an issue whereby, when exporting data in Xray, the displayed results were inconsistent in the different file formats, JSON, PDF, and CSV where the CVE was not displayed in the PDF and CSV files.
10. Fixed an issue whereby, after migrating from Xray 2.0 to Xray 3.0, stored messages were not passed correctly during migration, and retrying the messages in Xray 3.0 did not work properly. 
11. Fixed an issue whereby, a component persist did not work due to character limit constraints. 
12. Fixed an issue whereby, an invalid memory address or nil pointer error was issued when indexing GO packages  in Xray.
13. Fixed an issue whereby, the Artifact Summary Rest API returned an issues response for components that did not contain a ComponentID.
14. Fixed an issue whereby fetching all watches from the database overloaded the database.
15. Fixed an issue whereby, upon installation, the initial Xray URL was defined incorrectly with /xray path.
16. Fixed an issue whereby, under certain circumstances, an empty license was added when indexing NuGet packages. 
17. Fixed an issue whereby, a number of Python packages were not indexed properly in Xray.

Xray 3.3

Released: April 22, 2020

Feature Enhancements

Force Full Reindex of Existing Components Rest API

The new  Force Reindex Rest API command allows you to easily reindex artifacts that were indexed in the past. This is useful if you would like to rescan artifacts containing package types that were not supported in the past but now are, for example, Go, Python package in Docker or Alpine OS packages. 

Added Manual Linux Archive Installation

You can now install Xray using a Linux Archive installer in addition to the existing options giving more control over how to set up your environment. For more information, see Manual Linux Archive Installation.

Added Dedicated Policy REST API V.2 Commands

Xray now supports Policy commands REST API V.1 and V.2 . The V.2 commands support blocking Release Bundles and allowing you now to notify Watch recipients and File deployers.

Resolved Issues

1. Fixed an issue whereby, all partnership integrations that were deprecated in previous Xray versions (Xray 1.x and 2.x), were displayed in the Integrations page in the UI. From version 3.3, the deprecated integrations are automatically removed when upgrading to Xray 3.x including all the vulnerabilities in the database related to the deprecated integrations. 
2. Fixed an issue whereby, the CVE IDs were missing from the JSON Security report. 
3. Fixed an issue whereby, when sorting component vulnerabilities in the Security tab by Severity, all the vulnerabilities were tagged with the "High" severity. 
4. Fixed an issue whereby after upgrading to Xray version 3.2.0, Xray did not start due to database migration issues. 
5. Fixed an issue whereby the graph located under the Xray Data | Descendants or Ancestors tab did not display for Debian packages.
6.  Fixed an issue whereby, impact analysis for Gems packages was not functioning. 
7.  Fixed an issue whereby when running the Get Policy REST API command, regardless of whether the minimum severity was defined as Low, Medium or High, all the severities were retrieved.
8. Fixed an issue whereby, the DB sync did not perform impact analysis on NuGet packages. 
9. Fixed an issue whereby, configuring a Watch with a Mime type filter did not function for .gz and .7z file types. 
10. Fixed an issue whereby, custom issues could not be assigned to Debian packages in the UI.
11. Improved the performance of loading watches and policies page in the WebUI. 
12. Improved performance when running the Get Violations REST API command to retrieve a list for a specific watch from a database containing millions of violations. 
13. Improved Debian package vulnerability detection based on the Distribution property that the user needs to provide when deploying Debian packages to a local repository in Artifactory.
14. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that previously deleted in Artifactory. Repositories and builds are now automatically deleted when saving the Watch.
15. Fixed an issue whereby Xray Server suffered from a memory leak during NPM audit.
16. Fixed an issue when running NPM audits with Xray, the vulnerabilities were added by Xray with unavailable links to VulDB as sources. 
17. Fixed an issue whereby, we reduced the load on PostgreSQL DB during scanning. 
18. Fixed an issue whereby scanning of Docker images for potentially infected JavaScript files heavily impacted the DB. 
19. Fixed an issue whereby Support Bundles returned request.logs excluding Xray logs. 
20. Improved performance when running the Update Watch REST API v.2 command with thousands of watches in an HA environment. 
21. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that previously deleted in Artifactory. Repositories and builds are now automatically deleted when saving the Watch.

Xray 3.2

Xray 3.2.3

Released: March 30, 2020

Resolved Issue

1. Fixed an issue whereby Xray failed to connect to Artifactory when trying to assign an Xray trial license.

Xray 3.2.0

Released: February 23, 2020

Resolved Issue

1. Fixed an issue whereby Xray analysis failed due to an out of memory issue caused by duplications of user-component licences.

Xray 3.0

Released: January 12, 2020

Highlights

JFrog Platform

Announcing the new JFrog Platform, designed to provide developers and administrators with a seamless DevOps experience across all JFrog products, supporting the following main features:

• Universal package management  with all major packaging formats, build tools, and CI servers.
• Security and Compliance  that's fully integrated into the JFrog Platform, providing full trust of your pipeline from code to production.
• Radically simplified administration  with all configurations in one place.
• Complete trust in your pipeline all the way from code to production.
• Seamless DevOps experience  from on-prem, cloud, hybrid or multi-cloud of your choice.

JFrog Platform New Functionalities

System Architecture

Xray 3.0 is now part of the JFrog Platform Deployment (JPD) which defines a single logical unit shared by all JFrog products. Xray pairing process to JPD was simplified and now requires only URL and shared secret (Join key). Learn More >

Xray system.yaml

This release introduces a new system configuration file, allowing system configurations to be handled externally to the application, before/after the installation process.  Learn More >

Installation and Upgrade

Xray 3.0 comes with a new installer, which affects the installation and upgrade procedures. As part of the new installers, the file structure was changed and is now aligned with the other JFrog products. When upgrading to the JFrog Platform, Xray must be connected only to a single Artifactory instance. If you have a single Xray instance connected to multiple Artifactory instances, before upgrading Artifactory and Xray, you will need to split your Xray instance to multiple instances to support this requirement. See details here. 

Additional enhancements:

• The new Docker installer has been improved and now supports setting the uid/gid of the Xray container and image.
• The new system architecture includes a new system.yaml configuration which provides the option of silent installation.

Unified Permission Model

This version unifies all JFrog product permissions, allowing easier permission management across all products from one unified UI. The Unified Permission Model enables you to create a single permission target that applies to all products installed in the JFrog Platform. Since the products are unified within the Platform, you can now use a single permission target to control the permissions of all products. Learn More >

Unified User Interface

This version introduces a new UI that is unified for the entire JFrog Platform, including all JFrog products. If you are using Artifactory and other JFrog products such as JFrog Xray, JFrog Distribution, JFrog Mission Control and JFrog Insights, you will now be able to access them all from within a single UI with one URL address. Xray data is located within each of your resource pages allowing you to quickly review the status of for your scanned resources - Packages, Builds, Artifacts or Release Bundles. To find the changes in Artifactory UI. Learn More >

Logging

All JFrog products now follow a standardized logging format and naming convention. Learn More >

Feature Enhancements

Removed the MongoDB Database

The MongoDB database used by Xray prior to the Unified Platform, is no longer required (except during the data migration process). If you are upgrading to the new JFrog Platform, your data will automatically be migrated to PostgreSQL as part of the  upgrade process .

Release Bundles Scan

In addition to scanning repositories and builds, the Unified Platform now allows Xray 3.0 to scan Release Bundles for vulnerability and license compliance.   You can now protect your releases by defining policies and watches on your Release Bundles. Policy violations can block the distribution of a Release Bundle . 

Configure Indexed Resources Using Patterns

You now have more flexibility when configuring Xray indexed resources  by using Exclude or Include Patterns for Builds and Release Bundles.

Configure Watch Scope Using Patterns

You now have more flexibility when configuring the Watch resources scope of  repositories, builds and Release Bundles by name or using Exclude/Include patterns.

Dedicated Security and Compliance Search Experience

Xray 3.0 introduces a new Security and Compliance Search, part of the new  Global Search Experience in the JFrog Platform. You can now search for specific vulnerability and license compliance information by resource name, CVE number, license, severity level and scan date range.  Learn More >

Issues Resolved

1. Xray now collects "branch" information for Alpine components and vulnerabilities. 
2. Xray now displays the ignored violation upon creation.
3. Security improvements to Xray-related Docker base images.  
4. Fixed an issue whereby under certain circumstances, an exported Xray data file in a component could not be unzipped. 

Xray 3.0.13

Released: February 17, 2020

Resolved Issues

1.  Fixed an issue whereby loading and displaying vulnerability and violation data prolonged.
2.  Fixed an issue whereby assigning custom issue to descendent components failed.
3.  Fixed an issue whereby Go packages were indexed incorrectly.
4.  Fixed an issue whereby aborting the DB sync did not remove old zip packages. 
5.  Fixed an issue whereby under certain circumstances violations were not triggered when a package with vulnerabilities was detected. 
6.  Fixed an issue whereby Xray incorrectly detected Debian package names.