Released: 15 January, 2025
New Features
Evidence Service
JFrog's new Evidence service generates an audit trail that documents all the security, quality, and operational steps taken to produce a production-ready software release. It enriches artifacts, packages, builds, and Release Bundles with signed attestation metadata (based on the in-toto Attestation Framework) that can be tracked and verified easily for governance and compliance. The Evidence service enables you to seamlessly consolidate information from all the tools and platforms used in software development into a trusted single source of truth. It also integrates seamlessly with Release Lifecycle Management, providing a graphical interface for viewing the evidence generated at each stage of your SDLC.
Artifactory creates signed evidence automatically when Release Bundles are promoted and distributed. When used in conjunction with JFrog Xray, additional evidence is created in the form of SBOMs and vulnerability reports.
In addition, Enterprise+ users can attach externally-produced evidence to artifacts, packages, builds, and Release Bundles using the JFrog CLI.
For more information, see Evidence Management.
Artifactory Federation Service
To meet the growing needs of customers, JFrog has moved the Federated repositories feature into a standalone, multi-tenant service to ensure the timely synchronization of huge volumes of artifact metadata between customer sites. The new standalone service offers the following benefits:
Scalability: The Federation service is designed from the ground up to grow as the needs of our customers grow.
Automatic Federation recovery: The Federation service features an improved auto-healing mechanism that can identify synchronization problems between members due to an exhausted queue (a queue that has exceeded the maximum number of attempts to send metadata events to other members), reset the failed events, and retry synchronization. This capability is particularly useful in the event a Full Sync operation is interrupted by a restart of one of the Artifactory instances that host a Federation member. For more information, see Federation Recovery and Auto-Healing.
Improved monitoring using the Federation dashboard: The new Federation dashboard enables you to:
Understand the health status of all your repository Federations at a glance. The dashboard makes it particularly easy to see how many repositories are in error or delayed. For more information, see View the Status of All Repository Federations.
Drill down into a selected Federation to see the state of each member at a glance. For more information, see View the Status of a Selected Repository Federation.
Give selected repositories priority to system resources to help ensure all their metadata events are synchronized with other Federation members. For more information, see Prioritize Federated Repository.
Using the Federation Comparison Tool on Federated Repositories
Users who have the Artifactory Federation Service installed can use the Federation Comparison Tool to compare the state of a Federated repository with one or more remote members to detect missing artifacts in those remote members. This enables you to simulate the results of a Full Sync operation before you perform it. The Federation Comparison tool is invoked using a new query parameter in the Federated Repository Full Sync REST API. For more information, see Use the Federation Comparison Tool.
Cleanup Policies: Release Bundle v2
JFrog Cleanup Policies for Release Bundle v2 enable Platform and Project Administrators to define and customize policies based on specific criteria for removing unused Release Bundles across their JFrog platform. This provides optimal system performance. Administrators can customize a repeatable cleanup process that aligns with their organization's requirements by setting specific criteria and rules. For more information, refer to Cleanup Policies.
Helm Enforce Layout
Helm Enforce Layout is designed to maintain the integrity and organization of Helm charts within your repositories. It consists of two key functionalities that promote structure and reduce errors during deployments:
Preventing duplicate chart paths: Prevents the deployment of charts with the same name and version to different paths within the same repository, by ensuring that only a single instance of a chart is indexed. This maintains the integrity and accessibility of Helm charts, ensuring that users can easily identify and deploy the desired version without confusion.
Enforcing chart names and versions: Ensures that the chart name and version specified in the packaged file name match the values in Chart.yaml and adhere to Semantic Versioning (SemVer) standards adopted by the Helm official specification. Enforcing these rules promotes uniformity, allowing teams to adopt clear naming conventions that foster better collaboration and understanding of changes across different versions.
For more information on Helm Enforce Layout, click here.
Note
Helm Enforce Layout is forward-compatible only, it will not work on repositories created prior to Artifactory 7.104.2. This means that even if you upgrade to Artifactory 7.104.2, any repositories created prior to the upgrade are not compatible with this feature. Enforcement is set only upon repository creation.
Feature Enhancements
Updating multiple repositories using a batch request
It is now possible to update the configuration of multiple repositories using a single batch request. The request can contain a mixture of package types (for example, Docker and Maven) and repository types (for example, local and remote). For more information, see Update Multiple Repositories.
Viewing contents of Release Bundle v2 versions by package type
The window for viewing the contents of a Release Bundle v2 version has been redesigned to organize the contents according to package type. You can drill down from a package type to individual packages and from there, click a link to see the individual artifacts. For more information, see View the Contents of a Release Bundle (v2).
Promoting Release Bundle v2 versions to virtual repositories
You can now promote a Release Bundle v2 version to a virtual repository, provided it contains at least one local repository assigned to the same environment as the virtual repository (or no environment at all). For more information about promotion, see Promote a Release Bundle (v2) to a Target Environment.
Virtual repositories can include repositories not assigned or shared to the same project
You can now edit a virtual repository configuration that contains local and remote repositories which are not assigned to, or shared with, the same project as the virtual repository. If such repositories are aggregated, a message appears in the UI. Click the button next to the message to display a list of these repositories. You can export this list to a CSV file. For more information, see Virtual Repositories and Projects.
Note
Users who can perform actions on the virtual repository (based on their assigned roles in the relevant project) are not automatically granted permissions to aggregated repositories not assigned or shared with the same project.
Improved Performance for the Fetching Process
Performance of the fetching process has been improved, based on the count of manifests relative to the Max Unique Tags configuration.
Improvements in Obtaining AQL Results
The Search AQL API was improved such that AQL results are complete and not missing properties. A notification is now provided informing the client when the AQL limit has been reached. For information, see Artifactory Query Language (AQL) REST API.
Support for Ansible Packages in Cleanup and Archive
Frog ML models are now supported in Cleanup and Archive.
Ansible packages are now supported in Cleanup and Archive.
Supported Worker Features
Support for Scheduled Workers
JFrog now supports creating scheduled workers to trigger at predefined times or intervals, which you can define using Cron expressions. For more information, see Create a Scheduled Worker.
Before Build Info Saveevent is now supported.Before Download Requestevent is now supported.
Enabling SSO Disables Basic Authentication By Default
Enabling single sign-on authentication now disables internal password authentication by default. For more information, see Disable Basic Authentication Method.
Resolved Issues
JIRA Issue | Component | Severity | Description |
|---|---|---|---|
Packages | Medium | Fixed an issue whereby it was not possible to download and install a Go nested module from a private GitLab using a Go remote repository, and when trying to do this it resulted in a 404 error. | |
Packages | Medium | Fixed an issue whereby webhooks were not being triggered by the npm deprecate command. | |
Packages | Medium | Fixed an issue where reindexing did not happen automatically after distributing a Release Bundle for Cocoapods. | |
RTDEV-52453 | Federated Repositories | Medium | Fixed an issue whereby a binary task was sometimes not created for a federated repository. |
RTDEV-51529 | Federated Repositories | Medium | Fixed an issue during pull replications that caused changes to property values to be added to existing property values on the target instead of overriding the existing values. |
RTDEV-51525 | User Interface | Medium | Fixed an issue whereby the trash can could not be disabled through the User Interface with a Pro license. |
RTDEV-51363 | General | Medium | Fixed an issue whereby Apache Tomat version 10.1 that was bundled in Artifactory 7.98.7 contained an issue whereby when sending HEAD requests where the resource size was unknown, the server returned a content-length=0 header instead of omitting the header. |
RTDEV-50220 | Packages | Medium | Fixed an issue whereby a Debian virtual repository was generating a packages metadata file in gz format when requested for a plain text file. |
RTDEV-49674 | Storage | High | Fixed an issue whereby when Artifactory was configured with Cloudfront (AWS CDN), and a file larger than 50 GB was requested, the client received a 400 error. |
RTDEV-49456 | Repositories | Low | Fixed an issue whereby when trying to create a remote Gradle repository with the "Quick Repository Creation" option, the remote repository that was created was a Maven repository instead of Gradle. |
RTDEV-48039 | General | Medium | Fixed an issue whereby the Permission Target and Groups did not appear under the Effective Permissions tab of a remote cache repository. |
JA-15155 | General | Medium | Fixed an issue where certain global roles could not be edited or were grayed out. |
JA-15134 | Authentication Providers | High | Fixed an issue whereby Oauth user was not able to login to Artifactory. |
JA-15109 | User Interface | High | Fixed an issue where the Manage Intergrations (Administration | General Management | Manage Integrations) page was unavailable in the UI for hybrid deployments with Edge license. |
JA-14805 | Database | Low | Fixed an issue whereby duplicate resources existed during import and migration. |
JA-14796 | Projects | Medium | Fixed an issue whereby deleting a project caused the read-only access of the shared repository to be reset for other projects as well. |