Xray 3.11

Released: November 8, 2020

Highlights

Violations Report

Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope. Violations information includes information such as type of violation, impacted artifacts, and severity. 

Feature Enhancements

Ignore Rules 

Enhanced the Ignore Rules feature functionalities, including the ability to set granularity on a defined Ignore Rule. All of the Ignore Rule functionalities are supported via the REST API.

To enable these enhancements, it requires Artifactory version 7.10.5 (available) or above.

To learn more, see Ignore Rules.

New Connection Parameters in the Xray system YAML

Added support for the following two new parameters in the Xray system YAML:

• maxLifetimeSecs: The number of seconds to allow a connection to be alive before a connection is recycled and another connection is established in its place.
• maxIdleSecs: The number of seconds a connection may be in idle mode before it is closed.

Resolved Issues

Xray 3.11.1

Released: November 9, 2020

Resolved Issues

1. Fixed an issue, whereby Xray Docker Compose was pointing to an incorrect Docker Registry.

Xray 3.11.2

Released: November 11, 2020

Resolved Issues

Xray 3.10

This section includes all of the Xray version 3.10 releases.

Xray 3.10.3

Released: October 22, 2020

Highlights

Alpine Package Support in Xray

Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. 

Feature Enhancements

Python Package File Format Support

Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats.

Support PHP files in *.tar Archives

Xray now supports PHP files inside *.tar archives.

New Metadata REST API 

Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server.

Resolved Issues

Xray 3.9 

This section includes all of the Xray version 3.9 releases.

Xray 3.9.1

Released: October 4, 2020

Highlights

Due Diligence Licenses Report

Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. 

DB Sync Improvements 

Improved initial vulnerabilities database synchronization by 92%. The total time is down to less than one hour with minimum Xray system requirements.

Resolved Issues

1. Fixed an issue whereby, in some cases, Docker layers descendants were not displayed in the UI.
2. Fixed an issue whereby, if violations were found, Webhooks was not triggered if the Fail Build option was enabled.
3. Improved the Xray request log format to be aligned with the JFrog Platform standards. If you have automation that is based on the old format, make sure to update it accordingly.
4. Improved performance in Xray when responding to requests coming from Xray IDE plugins.
5. Improved the database connection pool configuration by reducing the default number of idle connections to the database to a lower value of 5. The system YAML parameter names have been changed to support this enhancement, however, the old parameter names are supported for backward compatibility. For more information, see Xray System YAML.

Xray 3.8

Released: August 13, 2020

Highlights

Vulnerabilities Report

You can now create and generate a Vulnerabilities report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. Narrow down what data you would like to see by setting a specific scope and advanced filters to display the exact data you want to analyze. A new reports page now is part of the JFrog platform where you can create, generate, and perform various actions on reports with the capability to export to PDF, JSON, and CSV file formats for further analysis. The Vulnerabilities report is also supported by REST API.

This report type is the first of the Reports feature that was introduced in this release. Other report types are planned for future releases that will provide you with further capabilities. 

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.

Multiple License Permissive Approach

The new Multiple License Permissive Approach enables you to have more flexibility in the policy level and to configure a more permissive approach that allows components that have at least one of the licenses as permitted to go through without triggering a violation even if some licenses are not allowed. 

System Metrics Information API and log

Xray has been enhanced to support open metrics. The new Metrics API has been added and returns metrics in the Open Metrics format. The new metric-related log file xray-{microservice}-metrics.log was added to the file system.

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.8.x.

Feature Enhancements

Go Version Upgrade

The Go version with Xray has been upgraded to version 1.14.6, solving some security vulnerabilities described in CVE-2020-15586.

PostgreSQL Version Support

Xray is now certified to run with PostgreSQL versions 11.x, and 12.x.

Resolved Issues

1. Fixed an issue whereby, the IU-Extreme-1.1.1 license URL was incorrect.
2. Fixed an issue whereby, after DB Sync failure, the DB Sync was reading the same faulty bundle and not downloading fixed bundles. 
3. Fixed an issue whereby, Debian OS packages were named by "Source" instead of "Package". 
4. Fixed an issue whereby, the Get Component List Per Watch API required Admin permissions only, preventing non-admin users from calling this REST API. A new Manage Reports user role was added to enable you to use this API.
5. Fixed an issue whereby, the Find Component by CVE API did not return results for users with read permissions. A new Manage Reports user role was added to enable you to use this API.
6. Fixed an issue whereby, Xray was not sending E-mail notifications to watch recipients when violations were found. 
7. Fixed an issue whereby, Alert worker was consuming an excessive amount of memory.
8. Fixed an issue whereby, the RPM docker images were stuck in the indexing stage in an infinite loop.

9. Improvement in RabbitMQ clustering logic. 

Xray 3.8.2

Released: August 23, 2020

Feature Enhancements

Add Builds to Indexing Configuration API

A new Add Builds to Indexing Configuration API has been added to Xray REST API that enables you to add new builds by only providing the new build names to the list of builds selected for indexing.

Archive Installer Improvements

Install as a service was modified to use systemd scripts for systemd supported machines.

PostgreSQL Version Bundling

Xray bundling with PostgreSQL has been updated to use a newer PostgreSQL version 12.x

Resolved Issues

1. Improved the performance of Impact Analysis processing.
2. Fixed an issue, whereby in some cases, Artifacts were not indexed and scanned properly if the database was not available for a period of time (e.g. database restart or failover).
3. Fixed an issue, whereby Release bundle repo mapping caused Xray scanning to not find the files.
4. Fixed an issue, whereby there was a discrepancy in the component ID of PHP composer between Artifactory and Xray. The mismatch was fixed to always match vendor/package name in lower case.
5. Fixed an issue, whereby a vulnerability, in the Xray web application prior to version 3.8.2, did not properly restrict access to the license pages, which could have allowed an unauthenticated user to obtain information regarding the server license.

Xray 3.8.3

Released: September 8, 2020

Feature Enhancements

License Detection Improvements

Improved license detection performance and success rate to reduce CPU utilization.

Resolved Issues

1. Fixed an issue, whereby, in some cases, viewing or exporting licenses of an artifact led to a PostgreSQL server malfunction.
2. Fixed an issue, whereby in some cases, PyPI package licenses inside a docker image were not detected.
3. Fixed an issue, whereby when scanning component with GPL-2.0 with a classpath exception license, Xray recognized it as GPL-2.0.
4. Fixed an issue, whereby in some cases RPM OS packages were indexed with the wrong epoch in docker images. For packages that were already indexed with the wrong epoch, you can reindex to fix this using the Force Reindex API.
5. Fixed an issue, whereby, when trying to drill down to an inner component in the impact path graph of a vulnerability or violation, a 500 error was issued. This issue affects only SaaS users with Xray version 3.8.2.
6. Fixed an issue, whereby, Xray could not be set up with Azure managed PostgreSQL. A property was added to the system.yaml in order to support connecting to externally managed databases where the actual database username may differ from the connection username. The new property is shared.database.actualUsername.

Xray 3.8.5

Released: September 10, 2020

Resolved Issues

1. Fixed an issue whereby, when migrating from Xray 2.x to Xray 3.x, the impact path records were being duplicated.
2. Fixed an issue whereby, installing Xray was failing on running wrapper scripts (RPM flavor) in AWS instances due to a PostgreSQL dependency.
3. Fixed an issue whereby, after upgrading to 3.8.x a full DB Sync was triggered, even when it was not needed.

Xray 3.8.6

Released: September 16, 2020

Resolved Issues

1. Fixed an issue whereby, in some cases, the migration from Xray 2.x to Xray 3.x failed.

Xray 3.8.7

Released: September 25, 2020

Resolved Issues

1. Fixed an issue, whereby in some cases the migration from Xray 2.x to 3.8.4-3.8.6 may fail.

Xray 3.8.8

Released: September 26, 2020

Resolved Issues

1. Fixed an issue, whereby in some cases the migration from Xray 2.x to 3.8.4-3.8.6 may fail.
2. Fixed an issue, whereby PostgreSQL binary was missing and caused the migration to Xray 3.x to fail.

Xray 3.6

Released: June 28, 2020

Feature Enhancements

Schedule Background Tasks

Xray now provides a way to schedule the DB sync background task using the Update DB Sync Daily Update Time REST API. Xray chooses a random time on startup to get daily updates from XUC. This time can be configured through the API, and restart is not required.

Prioritization of Scan Events

Xray now prioritizes the scanning of new Artifacts/Builds/Release Bundles over events originating from a history scan or a full repository scan, and provides the capability to control the number of workers for new content versus history/full repository scan using the Configuring the Workers Count REST API. Requires Artifactory version 7.6 and above.

Resolved Issues

1. Fixed an issue whereby, an error was ignored in the code when fetching the bin manager ID, which caused a nil pointer error.
2. Fixed an issue whereby, the scan-build failed when there were no policies, watches, and builds configured, and an unclear message was issued. 
3. Fixed an issue whereby, in Xray REST APIs where the artifactory_id parameter (or within a path) was required in Xray 2.x, and it is no longer required in 3.x and will be ignored.

Xray 3.6.1

Released: July 6, 2020

This release includes all of the enhancements and resolved issues of the 3.6.0 Cloud release, including the resolved issue below. 

Resolved Issues

1. Fixed an issue whereby Xray was crashing upon starting DB sync with the proxy enabled. 

Xray 3.6.2

Released: July 9, 2020

Resolved Issues

1. Fixed an issue whereby, when migrating from Xray 2.x to 3.x, an error occurred when the changed_file field value was too long in the user_components_docker_layer_changed_files table.
2. Fixed an issue whereby, when trying to upgrade Xray and the xrayConfig field in the configuration table contained the special character %, the upgrade failed. 

Xray 3.5.2

Released: June 21, 2020

Feature Enhancements

Artifactory Connection Management

Improved the process of Xray's active connections to Artifactory. To reduce the load in Artifcatory and improve performance, all HTTP client connections have a limited number of concurrent connections to Artifactory.

Repository Scan Improvement 

The process of repository indexing was enhanced. Indexing requests of Artifacts that were initiated from an index repository request are no longer persisted in the Artifactory database. This improvement reduces the network and database load in Artifactory.

Resolved Issues

1. Fixed an issue, whereby the CVE was not displayed in the PDF reports.
2. Fixed an issue, whereby a false positive was declared for RPM packages due to incorrect RPM distribution comparisons.
3. Fixed an issue, whereby Xray failed to process empty manifest.json files preventing the .wh components to be deleted.
4. Fixed an issue, whereby the Update Builds Indexing Configuration REST API command was missing response messages.
5. Fixed an issue, whereby when an invalid or expired license was detected by Xray, an error was displayed at the debug level instead of the error log level.
6. Fixed an issue, whereby when loading a watch, ignore rules were being loaded slowly.
7. Fixed an issue, whereby when migrating from Xray 2.x to 3.x, client SSL configurations were not migrated properly. 
8. Fixed an issue, whereby in a High Availability cluster, an error occurred when reloading the config cache.

Xray 3.4

Released: May 17, 2020

Highlights

Externalization of the PosgreSQL Database

From Xray 3.4, you have more control over your resource allocation and you can direct Xray to use an external PostgreSQL database in use in your organization. Keep in mind that if you direct Xray to use an external database, you have full control over the database, and also full responsibility to maintain and backup the database for Xray's use.

Resolved Issues

1. Improved performance and time of the initial DB sync with Xray Update Center (XUC). 
2. Fixed an issue whereby, in a number of cases, the Docker pull did not work properly when a Docker remote repository was configured with the Block Download Block Unscanned Artifacts setting. 
3. Fixed an issue whereby, the Impact Analysis process did not work properly due to a stack overflow error. 
4. Fixed an issue whereby, Impact Analysis stopped functioning due to an out of memory issue caused by multiple infected artifacts.
5. Fixed an issue whereby, Xray stopped functioning when indexing RPM files due to high memory consumption causing an out of memory issue. 
6. Fixed an issue whereby, a connection deadlock occurred when the number of workers was larger than the number of connections. 
7. Fixed an issue whereby, applying a watch for a history scan triggered scans on all watches.
8. Fixed an issue whereby, under certain rare circumstances, Artifactory would disconnect from Xray during a periodic license check.
9. Fixed an issue whereby, when exporting data in Xray, the displayed results were inconsistent in the different file formats, JSON, PDF, and CSV where the CVE was not displayed in the PDF and CSV files.
10. Fixed an issue whereby, after migrating from Xray 2.0 to Xray 3.0, stored messages were not passed correctly during migration, and retrying the messages in Xray 3.0 did not work properly. 
11. Fixed an issue whereby, a component persist did not work due to character limit constraints. 
12. Fixed an issue whereby, an invalid memory address or nil pointer error was issued when indexing GO packages in Xray.
13. Fixed an issue whereby, the Artifact Summary Rest API returned an issues response for components that did not contain a ComponentID.
14. Fixed an issue whereby fetching all watches from the database overloaded the database.
15. Fixed an issue whereby, upon installation, the initial Xray URL was defined incorrectly with /xray path.
16. Fixed an issue whereby, under certain circumstances, an empty license was added when indexing NuGet packages. 
17. Fixed an issue whereby, a number of Python packages were not indexed properly in Xray.

Xray 3.3

Released: April 22, 2020

Feature Enhancements

Force Full Reindex of Existing Components Rest API

The new Force Reindex Rest API command allows you to easily reindex artifacts that were indexed in the past. This is useful if you would like to rescan artifacts containing package types that were not supported in the past but now are, for example, Go, Python package in Docker or Alpine OS packages. 

Added Manual Linux Archive Installation

You can now install Xray using a Linux Archive installer in addition to the existing options giving more control over how to set up your environment. For more information, see Manual Linux Archive Installation.

Added Dedicated Policy REST API V.2 Commands

Xray now supports Policy commands REST API V.1 and V.2. The V.2 commands support blocking Release Bundles and allowing you now to notify Watch recipients and File deployers.

Resolved Issues

1. Fixed an issue whereby, all partnership integrations that were deprecated in previous Xray versions (Xray 1.x and 2.x), were displayed in the Integrations page in the UI. From version 3.3, the deprecated integrations are automatically removed when upgrading to Xray 3.x including all the vulnerabilities in the database related to the deprecated integrations. 
2. Fixed an issue whereby, the CVE IDs were missing from the JSON Security report. 
3. Fixed an issue whereby, when sorting component vulnerabilities in the Security tab by Severity, all the vulnerabilities were tagged with the "High" severity. 
4. Fixed an issue whereby after upgrading to Xray version 3.2.0, Xray did not start due to database migration issues. 
5. Fixed an issue whereby the graph located under the Xray Data | Descendants or Ancestors tab did not display for Debian packages.
6.  Fixed an issue whereby, impact analysis for Gems packages was not functioning. 
7.  Fixed an issue whereby when running the Get Policy REST API command, regardless of whether the minimum severity was defined as Low, Medium or High, all the severities were retrieved.
8. Fixed an issue whereby, the DB sync did not perform impact analysis on NuGet packages. 
9. Fixed an issue whereby, configuring a Watch with a Mime type filter did not function for .gz and .7z file types. 
10. Fixed an issue whereby, custom issues could not be assigned to Debian packages in the UI.
11. Improved the performance of loading watches and policies page in the WebUI. 
12. Improved performance when running the Get Violations REST API command to retrieve a list for a specific watch from a database containing millions of violations. 
13. Improved Debian package vulnerability detection based on the Distribution property that the user needs to provide when deploying Debian packages to a local repository in Artifactory.
14. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that previously deleted in Artifactory. Repositories and builds are now automatically deleted when saving the Watch.
15. Fixed an issue whereby Xray Server suffered from a memory leak during NPM audit.
16. Fixed an issue when running NPM audits with Xray, the vulnerabilities were added by Xray with unavailable links to VulDB as sources. 
17. Fixed an issue whereby, we reduced the load on PostgreSQL DB during scanning. 
18. Fixed an issue whereby scanning of Docker images for potentially infected JavaScript files heavily impacted the DB. 
19. Fixed an issue whereby Support Bundles returned request.logs excluding Xray logs. 
20. Improved performance when running the Update Watch REST API v.2 command with thousands of watches in an HA environment. 
21. Fixed an issue whereby an error was generated when updating a watch that included repositories or builds that previously deleted in Artifactory. Repositories and builds are now automatically deleted when saving the Watch.

Xray 3.2

Released: February 23, 2020

Resolved Issue

1. Fixed an issue whereby Xray analysis failed due to an out of memory issue caused by duplications of user-component licences.

Xray 3.2.3

Released: March 30, 2020

Resolved Issue

1. Fixed an issue whereby Xray failed to connect to Artifactory when trying to assign an Xray trial license.

Xray 3.0

Released: January 12, 2020

Highlights

JFrog Platform

Announcing the new JFrog Platform, designed to provide developers and administrators with a seamless DevOps experience across all JFrog products, supporting the following main features:

• Universal package management with all major packaging formats, build tools, and CI servers.
• Security and Compliance that's fully integrated into the JFrog Platform, providing full trust of your pipeline from code to production.
• Radically simplified administration with all configurations in one place.
• Complete trust in your pipeline all the way from code to production.
• Seamless DevOps experience from on-prem, cloud, hybrid or multi-cloud of your choice.

JFrog Platform New Functionalities

System Architecture

Xray 3.0 is now part of the JFrog Platform Deployment (JPD) which defines a single logical unit shared by all JFrog products. Xray pairing process to JPD was simplified and now requires only URL and shared secret (Join key). Learn More >

Xray system.yaml

Installation and Upgrade

Xray 3.0 comes with a new installer, which affects the installation and upgrade procedures. As part of the new installers, the file structure was changed and is now aligned with the other JFrog products. When upgrading to the JFrog Platform, Xray must be connected only to a single Artifactory instance. If you have a single Xray instance connected to multiple Artifactory instances, before upgrading Artifactory and Xray, you will need to split your Xray instance to multiple instances to support this requirement. See details here. 

Additional enhancements:

• The new Docker installer has been improved and now supports setting the uid/gid of the Xray container and image.
• The new system architecture includes a new system.yaml configuration which provides the option of silent installation.

Unified Permission Model

This version unifies all JFrog product permissions, allowing easier permission management across all products from one unified UI. The Unified Permission Model enables you to create a single permission target that applies to all products installed in the JFrog Platform. Since the products are unified within the Platform, you can now use a single permission target to control the permissions of all products. Learn More >

Unified User Interface

This version introduces a new UI that is unified for the entire JFrog Platform, including all JFrog products. If you are using Artifactory and other JFrog products such as JFrog Xray, JFrog Distribution, JFrog Mission Control and JFrog Insights, you will now be able to access them all from within a single UI with one URL address. Xray data is located within each of your resource pages allowing you to quickly review the status of for your scanned resources - Packages, Builds, Artifacts or Release Bundles. To find the changes in Artifactory UI. Learn More >

Logging

All JFrog products now follow a standardized logging format and naming convention. Learn More >

Feature Enhancements

Removed the MongoDB Database

The MongoDB database used by Xray prior to the Unified Platform, is no longer required (except during the data migration process). If you are upgrading to the new JFrog Platform, your data will automatically be migrated to PostgreSQL as part of the upgrade process.

Release Bundles Scan

In addition to scanning repositories and builds, the Unified Platform now allows Xray 3.0 to scan Release Bundles for vulnerability and license compliance.  You can now protect your releases by defining policies and watches on your Release Bundles. Policy violations can block the distribution of a Release Bundle. 

Configure Indexed Resources Using Patterns

You now have more flexibility when configuring Xray indexed resources by using Exclude or Include Patterns for Builds and Release Bundles.

Configure Watch Scope Using Patterns

You now have more flexibility when configuring the Watch resources scope of repositories, builds and Release Bundles by name or using Exclude/Include patterns.

Dedicated Security and Compliance Search Experience

Xray 3.0 introduces a new Security and Compliance Search, part of the new Global Search Experience in the JFrog Platform. You can now search for specific vulnerability and license compliance information by resource name, CVE number, license, severity level and scan date range.  Learn More >

Issues Resolved

1. Xray now collects "branch" information for Alpine components and vulnerabilities. 
2. Xray now displays the ignored violation upon creation.
3. Security improvements to Xray-related Docker base images.  
4. Fixed an issue whereby under certain circumstances, an exported Xray data file in a component could not be unzipped. 

Xray 3.0.13

Released: February 17, 2020

Resolved Issues

1.  Fixed an issue whereby loading and displaying vulnerability and violation data prolonged.
2.  Fixed an issue whereby assigning custom issue to descendent components failed.
3.  Fixed an issue whereby Go packages were indexed incorrectly.
4.  Fixed an issue whereby aborting the DB sync did not remove old zip packages. 
5.  Fixed an issue whereby under certain circumstances violations were not triggered when a package with vulnerabilities was detected. 
6.  Fixed an issue whereby Xray incorrectly detected Debian package names.