Released: October 12, 2022
JFrog Advanced Security (Cloud-only)
Announcing JFrog Advanced Security Pack! The new security pack can be purchased with Cloud Enterprise X and Enterprise+ subscriptions, and contains the following features:
Vulnerability Contextual Analysis: An industry first; scan containers and packages to prioritize whether OSS vulnerabilities are actually exploitable.
Exposed Secrets: Detect any secrets left exposed in any containers stored in Artifactory to stop accidental leaks of internal tokens or credentials.
Insecure use of libraries and services: Detect whether common OSS libraries and services are used and configured securely so that containerized applications can be easily hardened by default.
Infrastructure-as-Code (IAC): Scan IaC files stored in Artifactory for early detection of cloud and infrastructure misconfigurations. Xray scans Terraform states for AWS, Azure, and GCP cloud services.
OCI Image Support
Xray now supports scans of OCI images deployed to an Artifactory Docker repository.
Conda Packages Support
Xray can now scan Conda packages that contain Python packages and their dependencies for security vulnerabilities, license compliance, and operational risk.
Additional information about the Conda scan feature:
Conda is an open-source, language-independent package, dependency, and environment manager. It is commonly used for applications that must run on a variety of platforms without the risk of package conflicts.
While Conda is language-independent, Xray's support for Conda is designed primarily to scan the Python packages bundled within Conda packages. Note that the UI will display zero security vulnerabilities for unsupported package types inside a Conda package. An updated list of supported package types can be found here.
On-Demand Scanning Enhancement
When the JFrog CLI tool executes an on-demand scan, it first downloads the Xray executable from the Xray server. Until this release, no native M1 version of this executable was available: an on-demand scan on an M1 machine had to use the Intel x64 version of the executable, which required Rosetta 2 emulation. With this release, a native M1 version is available and Rosetta 2 is no longer needed.
Expand Support to Additional General Archive Types/Formats
Added support in Xray for additional compression and general archive formats and extensions (.rar, .tbz2, .tar.bz2, .tar.lzma, .tlz, .tar.xz, .txz).
Fixed an issue whereby, in some cases, the Xray issue ID was displayed instead of a CVE number.
Fixed an issue whereby Maven components were sometimes matched to an incorrect version.
Fixed an issue whereby a 500 error was returned in the Scans List Build tab when a build name contained spaces.
Fixed an issue whereby duplicate violations were displayed on the Violations page.
Fixed an issue whereby the create vulnerability Ignore Rule dialog did not clearly indicate the character limit when input exceeded 252 characters.
Fixed an issue whereby, the config parameters for the
Added support for sending requests to Xray via basic auth with an access token as the password.
Fixed an issue whereby,
This release contains Fixed Security Vulnerabilities.