Released: April 28, 2025
Features and Enhancements
JFrog Xray
Added support for SBOM component properties in compliance with the German SBOM Regulation (BSI TR-03183) and the Indian SBOM Regulation (CERT-IN SBOM Guidelines).
Xray now supports scanning podspec.json files (the CocoaPods package descriptor format).
Upgraded bundled PostgreSQL to 16.8 in native, archive, and Docker Compose installers.
Upgraded bundled PostgreSQL to 16.6 in Helm installers.
The Export Component Details v2 REST API now accepts an array of objects instead of a single JSON object. This allows you to generate SBOM reports for multiple artifacts in one request; the aggregated reports are returned in a “multiple_components_report.zip” file.
Enhanced the Xray-Jira integration by adding the Jira Status Retrieval feature. Xray users can now view the status of related Jira tickets without leaving the Xray platform.
Note: This feature will be enabled by default for all integration types, except for OAuth2 authentication with Jira Cloud. OAuth2 Jira Cloud users will need to follow the additional steps outlined in the Enabling for OAuth2 on Jira Cloud section to activate the feature.
Added support for Full License Text content in Legal reports.
Added an option to exclude specific file names from a scan when they exist in the resource (artifact/build/release bundle).
Added support for installing multiple Xray applications in a single namespace.
Added a new capability to Xray policies, allowing a grace period for violations before blocking downloads.
JFrog Curation
You can now export audit data in CSV format directly from the UI in Curation > Audit.
You can now export audit data in CSV format through the Approved/blocked-audit REST API.
Users can now connect repositories by package type to Curation, gaining a comprehensive overview of all curatable ecosystems in their Artifactory. Easily manage connections, view status updates for each package type, and define automatic connections for future repositories. Stay informed with notifications for any disconnections, ensuring seamless management and oversight.
Use webhook events to create tickets or notifications whenever the audit records a blocking action. Whenever a curation process encounters a blocked package, an event is triggered and sent to the designated webhook. The event includes comprehensive details about the blocked package, such as:
Package Information: Identifying details of the package that was requested.
Requester Details: Information on the user or entity that requested the package.
Policy Violation: A description of the specific policy violation that resulted in the blocking of the package.
EPSS (Exploit Prediction Scoring System) is a statistical probability of exploiting a CVE, enabling security teams to prioritize remediation efforts. The custom CVSS condition now supports a new relaxed condition: If the EPSS score is below a specified threshold, the policy will not block the corresponding CVE.
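To make the semantics of the relaxed condition concrete, the following added example (not JFrog code) models a custom CVSS condition with an optional EPSS threshold and evaluates it over a few constructed CVEs with placeholder identifiers. It shows that the relaxation only narrows the set of blocked CVEs: a CVE outside the CVSS range is never blocked regardless of its EPSS score, and a CVE inside the range is let through only when its EPSS score falls below the configured threshold. The class and field names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float  # CVSS base score, 0.0 to 10.0
    epss: float  # EPSS score: estimated probability of exploitation, 0.0 to 1.0


@dataclass(frozen=True)
class CvssCondition:
    """Custom CVSS condition: block a CVE whose score lies in [min_cvss, max_cvss].

    epss_relax_below models the relaxed condition from the release notes: a CVE
    whose EPSS score is below this threshold is not blocked even when its CVSS
    score is in range. None leaves the condition unrelaxed. (Hypothetical model,
    not the product's configuration schema.)
    """
    min_cvss: float
    max_cvss: float = 10.0
    epss_relax_below: Optional[float] = None

    def decide(self, cve: Cve) -> tuple[str, str]:
        """Return (decision, reason) for one CVE."""
        if not (self.min_cvss <= cve.cvss <= self.max_cvss):
            return "allow", "cvss_out_of_range"
        if self.epss_relax_below is not None and cve.epss < self.epss_relax_below:
            return "allow", "epss_below_threshold"
        return "block", "cvss_in_range"


def evaluate_package(condition: CvssCondition, cves: list[Cve]) -> dict:
    """Aggregate per-CVE decisions: a package is blocked if any CVE is blocked.

    The result also lists the CVEs that were let through only because of the
    EPSS relaxation, so the decision can be audited later.
    """
    decisions = {c.cve_id: condition.decide(c) for c in cves}
    blocking = sorted(k for k, (d, _) in decisions.items() if d == "block")
    relaxed = sorted(k for k, (_, r) in decisions.items() if r == "epss_below_threshold")
    return {"blocked": bool(blocking), "blocking_cves": blocking, "relaxed_cves": relaxed}


# Constructed sample data with placeholder CVE ids (not real vulnerabilities).
SAMPLE_CVES = [
    Cve("CVE-0000-00001", cvss=9.8, epss=0.92),  # critical, high exploitation probability
    Cve("CVE-0000-00002", cvss=7.5, epss=0.01),  # high CVSS, negligible EPSS
    Cve("CVE-0000-00003", cvss=4.3, epss=0.65),  # below the CVSS range entirely
]

STRICT = CvssCondition(min_cvss=7.0)
RELAXED = CvssCondition(min_cvss=7.0, epss_relax_below=0.10)

if __name__ == "__main__":
    for label, cond in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label, evaluate_package(cond, SAMPLE_CVES))
```

Run stand-alone, the strict condition blocks the package on two CVEs, while the relaxed one blocks it on the first CVE only and records the second as relaxed; the third CVE is allowed under both because the EPSS threshold never widens the CVSS range.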
Use webhook events to create tickets or notifications in external systems that track the creation of Waiver Requests and their related documentation. Two new webhook events were introduced: Waiver Request creation and Waiver Request update. For more information, see Webhooks.
You can now create, read, update, and delete curation policies and conditions using the REST API.
Curation now supports Rust repositories.
Added a new webhook that enables security teams to understand if there were any changes in the configuration of Curation policies, including changes in the policy condition. This will not detect changes in label/package applications.
JFrog Catalog
Catalog now supports Google Maven repositories.
JFrog CLI
You may now use the Waiver feature for Curation through the JFrog CLI command jf curation-audit. The Curation Waiver feature allows you to exclude specific packages or versions from policy restrictions.
A Violations column was added to the Git Repositories tab under Scans List. This means that you may now see the violation count for each Git commit.
Advanced Security
With the new Custom Scanner, you can now define search patterns to detect sensitive information in your artifacts and source code, scanning both binary and text files.
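The following added example (not JFrog's scanner implementation) shows the core of a pattern-based sensitive-data scan of the kind described above: the search patterns are compiled as byte regexes so a text config file and a native binary are handled the same way, hits are reported by file and byte offset, and the matched value is masked before it reaches a report. The rule names, skip list, size limit and the sample files it builds are all constructed for this illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed search patterns (hypothetical rule names). Bytes regexes run
# unchanged over text and binary content; tune them for your environment.
PATTERNS = {
    "aws_access_key_id": rb"AKIA[0-9A-Z]{16}",
    "pem_private_key": rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    "password_assignment": rb"(?i)password\s*[=:]\s*[\"']?([^\s\"']{8,})",
}

# Constructed exclusions: image formats rarely carry credentials, and very
# large files are skipped here rather than read into memory at once.
SKIP_SUFFIXES = (".png", ".jpg", ".gif", ".woff")
MAX_FILE_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    offset: int   # byte offset of the match within the file
    preview: str  # matched value with the middle masked; never the raw secret


def redact(raw: bytes) -> str:
    """Keep a few leading/trailing characters so a reviewer can recognise the hit."""
    text = raw.decode("latin-1")  # 1:1 byte mapping, safe for binary data
    if len(text) <= 8:
        return "*" * len(text)
    return text[:4] + "*" * (len(text) - 8) + text[-4:]


def scan_bytes(path: str, data: bytes, rules=None) -> list[Finding]:
    """Run every rule over the raw bytes of one file and collect findings."""
    compiled = {name: re.compile(pat) for name, pat in (rules or PATTERNS).items()}
    findings = []
    for name, rx in compiled.items():
        for m in rx.finditer(data):
            findings.append(Finding(path, name, m.start(), redact(m.group(0))))
    return findings


def scan_tree(root: str, rules=None) -> list[Finding]:
    """Walk a directory and scan every regular file, text or binary alike."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(SKIP_SUFFIXES) or os.path.getsize(path) > MAX_FILE_BYTES:
                continue
            with open(path, "rb") as fh:
                findings.extend(scan_bytes(path, fh.read(), rules))
    return sorted(findings, key=lambda f: (f.path, f.offset))


def build_sample_tree() -> str:
    """Constructed fixture: a text config, a binary with an embedded fake key,
    and an image that the suffix filter skips. The key is not a real credential."""
    root = tempfile.mkdtemp(prefix="custom-scan-")
    with open(os.path.join(root, "app.properties"), "w") as fh:
        fh.write("db.user=svc\ndb.password=Sup3rS3cretValue\n")
    fake_key = b"AKIAABCDEFGHIJKLMNOP"
    blob = b"\x7fELF" + bytes(range(256)) + fake_key + bytes(range(256))
    with open(os.path.join(root, "libnative.so"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(fake_key)  # present, but skipped by suffix
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}: {f.rule} at byte {f.offset} -> {f.preview}")
```

Reporting a masked preview rather than the raw match matters in practice: scan results are often forwarded to ticketing or chat systems, and a finding that reproduces the secret in full simply relocates the exposure.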
Resolved Issues
Jira | Description |
---|---|
XRAY-109054 | When trying to access the Xray Data tab of an unindexed (hidden) artifact, the following error is displayed: |
XRAY-97064 | License Due Diligence report for artifacts with many child components returned empty impact paths. |
XRAY-95570 | Unable to view Xray scan data for builds with special characters in their names. |
XRAY-98492 | Improved performance of the block download functionality linked to JFrog Xray Policies. |
XRAY-98659 | A “DB Error” was issued when performing a |
XRAY-95081 | Vulnerabilities were incorrectly reported for a resource with a .digit(s) suffix that had been removed by a whiteout in a Docker image. |
XRAY-92685 | Xray failed to display build overview data correctly for builds with a "+" symbol in their name. |
XRAY-95242 | Artifacts were not indexed due to database corruption of child files that lacked a corresponding root file. |
XRAY-96292 | The scan status of .exe files was stuck. |
XRAY-104815 | Fixed an issue where "block" and "approve" Curation package audit events were missing from the CSV export, despite being visible in the audit UI. |
XRAY-99663 | Some components were missing from the SBOM table when performing the SBOM import. |
XRAY-102173 | An issue in scanning 7zip files prevented opening files using the ARM64 LZMA2:18 BCJ SPARC method. |
XRAY-85823 | The response of API call |
XRAY-101943 | An SPDX report did not generate results for Release Bundles. |
XRAY-95742 | Xray Webhooks erroneously added violations in the scan callbacks from Policies that did not contain a specific webhook rule. |
XRAY-97722 | Fixed the search bar in the Git Repositories tab under Scans Lists. |
XRAY-105520 | In some cases, SBOM did not detect |
XRAY-106871 | Fixed a |
XRAY-96953 | Fixed an issue where running out of space during a Docker image scan ( |
XRAY-105498 | Fixed errors in CycloneDX export of CycloneDX Ingest. |
XRAY-106119 | Fixed an issue with Xray scans timing out |
XRAY-92999 | When using Builds > By pattern in the Watch resources, the Watch did not issue violations for all the builds when one of the builds did not meet the pattern in the Watch. |
XRAY-97920 | Deploy notifications for builds did not work properly when using Projects. |
XRAY-96950 | When generating a report the report included deleted artifact scan data. |
XRAY-102815 | Fixed a UI issue where Exposure violations could not be viewed correctly on the Watch Violations page. |
XRAY-101269 | Resolved a UI issue in Scans List > Git Repositories where duplicated data caused infinite scrolling. |
XRAY-108412 | Emails for Repository Scans contained a broken link to the Violations tab in Scans List. This issue impacts users who have edited the default Binary Manager ID (Artifactory ID). Older emails with broken links remain unchanged, but all future emails will have the correct links. |
XRAY-106713 | Xray failed to index archive files that contained unsupported VMDK files. |
XRAY-100153 | False positive vulnerabilities occurred for case-sensitive Python package names inside a Docker image during a whiteout. |
XRAY-103965 | Fixed inconsistencies in the vulnerability count in build scanning. |
XRAY-105826 | Support for CVE details was added to the build overview for non-JFrog Advanced Security users. |
XRAY-102624 | Fixed an issue in RabbitMQ logs. |
XRAY-87916 | When running an Xray scan, the scan status remains stuck at Pending due to an incorrect violations response that returns a Pending status, even though the scan itself has been completed successfully. |
XRAY-107400 | Fixed an edge case in license resolution. |
XRAY-44023 | An Ignore Rule for a violation based on a specific version of a Release Bundle V2 affected all versions of the Release Bundle. |
XRAY-105705 | Resolved a UI issue where the Git Repository tab under Xray Scans List could not be viewed. |
XRAY-106871 | Resolved a |
XRAY-105653 | Resolved an issue with the Enriched by JFrog filter for CVEs and SAST under Scans List. |
XRAY-88801 | Resolved multiple UX issues in the scan result filters under Scans List. |
XRAY-105866 | The watch filter and offset properties did not affect the "List Ignored Violations" API results. |
XRAY-107926 | Xray indexing failed when a remote Maven repository had cached the lead artifact but not the pom (even if it existed in the remote repository). |
XRAY-84604 | The default retention policy configured in the Xray |
XRAY-109690 | The indexer failed when an OS image (VMDK/IMG) did not contain a supported partition/filesystem. |
XRAY-110588 | The |
XRAY-108976 | Imported SBOM scans failed to recognize certain licenses. |
XRAY-99827 | Users without relevant permissions could still view release bundles and their resources. |
XRAY-88886 | Adding builds for indexing via API within the Project scope behaved incorrectly. |
XRAY-27772 | Fixed an inconsistency with case sensitivity in search functionality on the Ignore Rules page. |
XRAY-89513 | While upgrading Xray, the license alias created for built-in licenses was not carried forward after the upgrade. |