Xray 3.111.9 Self-Hosted

Xray Release Information

Products: JFrog Xray
Content Type: Release Notes

Released: January 30, 2025

Feature Enhancements

JFrog Xray
  • Installing Xray is now supported on Amazon Linux 2023 (AL3).

  • Xray now supports indexing raw disk images (.img) and SquashFS (.squashfs).

  • JFrog Self-Hosted customers will see an information message under the scans list prompting an upgrade to DBSync v3. We strongly encourage users to migrate to DBSync v3 promptly to ensure seamless and timely updates. For details, see Migration Guide for Self-Hosted Customers: Upgrading from DBSync V1 to V3.

  • Enhanced the clarity and readability of Jira Ticket Summary and Description fields created through the Xray-Jira integration.

  • Introduced a new Builds Security Overview dashboard that provides a centralized and comprehensive view of build versions where you can analyze trends, identify the most vulnerable components, and mitigate security risks effectively. For more information, see Builds Security Overview.

  • Added support for 3 additional fields in CycloneDX vulnerabilities description:

    • Vulnerability Ratings: CVSS score, CVE severity, scoring method, and vector

    • Vulnerability Description: A detailed description of the specific vulnerability

    • Vulnerability CWEs: A list of CWE (Common Weakness Enumeration) entries that fit this specific CVE

    These 3 added fields greatly enhance the detail level and completeness of our CycloneDX SBOM reports.

  • You can now download the technician dashboard to view charts of metrics related to application performance. This REST API call will download a zip file with the dashboards as HTML files. Any admin user can access the REST API.

    REST API: GET api/v1/metrics/dashboard/download

  • Added Repo Path to the generated Violation reports.

  • Improved Operational Risk Policy by allowing the release age to be set in customized months instead of using a default range.

JFrog Advanced Security
  • Secrets Detection is now supported for the following types of repositories:

    • RPM

    • Debian

    • Alpine

    • Go

    • RubyGems

    • Gradle

  • Gradle repositories are now supported for Contextual Analysis.

  • Enhanced the design of the Exposures details (right pane).

JFrog Curation

  • You can now directly create a Curation Policy from a condition.

  • Introduced a guided process to help new Curation users get started. It clearly outlines steps like enabling curation, connecting repositories, and setting policies, with visual cues to track progress.

  • Introduced a new Conditions Template that allows a Security Manager to create Curation Policies based on OpenSSF scorecard results. Conditions based on this template detect and block third-party packages whose scorecard scores (one or more) match the range you defined (including aggregated scores).

  • Curation policies can now be applied to repositories for a specific package type, including current and future repositories of the same type.

JFrog Catalog

JFrog Catalog can now be installed using Helm and OpenShift. For more information, see Install JFrog Catalog with Helm and OpenShift.

Resolved Issues

Jira ID: Description

XRAY-101948: Fixed the Impact Path tab in the right pane of Watch Violations.

XRAY-90229: In the Watch Violations screen, when clicking on an Exposures violation of package type npm, an error message appeared: 'Error getting Exposure scan'. A 404 was issued due to an incorrect path in the npm package.

XRAY-92998: In the SPDX report, JFrog was falsely assigned as the Artifact Manufacturer.

XRAY-91040: When exporting a Vulnerabilities Report for an artifact from the Scans List page, the exported PDF was not sorted by severity.

XRAY-88893: When running the command jf audit --watches=< > --fail=true, the fail_build field was missing from the response. This issue was reported in JFrog CLI version 2.64.0.

XRAY-91154: When running the command jf docker scan <image_path> --format json, the full_path field was missing from the response. This issue was reported in JFrog CLI version 2.64.0.

XRAY-95655: When the name of a build included the special character '/', navigating through the Build Versions in the Scans List page via breadcrumbs caused the UI to become unresponsive.

XRAY-95206: After scanning, Xray could not display any versions of a build whose name contained the special character '/'.

XRAY-92685: Resolved an issue where Xray failed to display build overview data correctly for builds with a "+" symbol in their name.

XRAY-95132: Xray indexing failed for artifacts containing .pt extension files within zipped archives.

XRAY-94615: Fixed an issue when exporting CycloneDX reports for Release Bundles.

XRAY-93036: Indexing of artifacts with large license files took longer than expected.

XRAY-83997: It was not possible to view Xray data on remote repositories when both "Any Local" and "Any Remote" permissions were granted.

XRAY-92483: The Xray Data tab for builds loaded indefinitely.

XRAY-91762: The Exposures force-scanning ability (Scan Now) for builds and RBV2 was removed as it was not supported.

XRAY-92466: The Violation report column headers were misaligned due to new additional columns.

XRAY-89785: Increased the Specific CVE IDs Policy condition to include up to 10k CVEs in one Policy rule.

XRAY-91233: The Scan Build REST API failed when the build contained a project key.

XRAY-90830: Report requests were stuck due to backend events.

XRAY-89975: Contextual Analysis results were missing in reports for remote repositories.

XRAY-88846: In some cases, the JFrog CLI returned a "500 Internal Server Error" when running the "sbom-enrich" command.

XRAY-88805: The file path was sometimes missing for Exposures violations.

XRAY-88380: When generating a report using the REST API, input validation was missing for the provided name, resulting in the creation of a report with an invalid name.

XRAY-87616: Xray could not scan artifacts from build info if the build was published using the REST API without the same value in the build.timestamp parameter and the started parameter of the request body.

XRAY-87395: The Export Details REST API call failed when the filename was more than 255 bytes.

XRAY-86530: Fixed incorrect component referencing in CycloneDX: the "bom-ref" field was used instead of the "affects" field.

XRAY-84772: REST API Ignore Rules were not applied in Docker On-Demand Scans when the name contained a slash.

XRAY-98492: Improved performance of the block download functionality linked to JFrog Xray Policies.

XRAY-96635, XRAY-97117: Resolved inefficiency in UI status checks within the DBsync migration wizard.

XRAY-87325: Removed socat as a dependency from Xray. As a result, socat will no longer be packaged or shipped with Xray deployments.

XRAY-92962: The results in Violations & License Reports were partial.
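As an added example (not Xray's own code or output), the following Python reads a CycloneDX JSON SBOM, pulls the vulnerability ratings, description and CWEs described under Feature Enhancements, and checks that each vulnerability is linked to components through affects[].ref values that resolve to a component bom-ref, rather than through a bom-ref on the vulnerability itself (the referencing mistake fixed in XRAY-86530). The SBOM document and the CVE identifiers in it are constructed placeholders.

```python
# Added example: summarise the "vulnerabilities" array of a CycloneDX 1.4+
# JSON SBOM (ratings, description, CWEs) and check that each vulnerability is
# linked to components via affects[].ref values that resolve to a component
# bom-ref. The sample document is constructed here and is not Xray output.
import json

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "bom-ref": "pkg:npm/examplelib@1.2.3"},
    ],
    "vulnerabilities": [
        {   # well-formed entry, constructed; the CVE id is a placeholder
            "id": "CVE-0000-00001",
            "description": "Constructed description of a sample flaw.",
            "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv3",
                         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
            "cwes": [79, 20],
            "affects": [{"ref": "pkg:npm/examplelib@1.2.3"}],
        },
        {   # mis-referenced entry: component named only via bom-ref, no affects
            "id": "CVE-0000-00002",
            "bom-ref": "pkg:npm/examplelib@1.2.3",
            "ratings": [{"score": 3.1, "severity": "low", "method": "CVSSv3"}],
        },
    ],
})


def summarize(bom_json):
    """One dict per vulnerability. 'linked' is False when it names no component
    through affects[]; 'unresolved' lists affects refs matching no bom-ref."""
    bom = json.loads(bom_json)
    known = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    out = []
    for v in bom.get("vulnerabilities", []):
        refs = [a.get("ref") for a in v.get("affects", [])]
        out.append({
            "id": v.get("id"),
            "description": v.get("description", ""),
            "ratings": [(r.get("score"), r.get("severity"), r.get("method"),
                         r.get("vector")) for r in v.get("ratings", [])],
            "cwes": ["CWE-%d" % n for n in v.get("cwes", [])],
            "linked": bool(refs),
            "unresolved": [r for r in refs if r not in known],
        })
    return out
```

Run summarize(SAMPLE_BOM) to see the first entry fully resolved and the second flagged with linked set to False; an entry with unresolved refs points at an affects ref that matches no component.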