Released: July 29, 2025
Highlights
Xray
Legal
License Attribution Report: Added support for including copyright information and full license text in legal exports via a new API.
License Conclusion: Added support for automatically resolving multi-license cases in legal license exports and SBOM reports based on license category and priority.
REST API Support:
Installation
JFrog has added support for RabbitMQ Quorum Queues, available as an optional parameter in `system.yaml`, because RabbitMQ has deprecated Classic Queue mirroring in version 4.x. Consequently, JFrog will also deprecate Classic Queue support and transition to Quorum Queues. It is recommended to enable Quorum Queues in Xray, as JFrog plans to fully transition to RabbitMQ 4.x and discontinue Classic Queue support in upcoming versions.
Feature Enhancements
Xray
A new configuration option has been introduced to automatically enable Xray indexing when new repositories are created. To index all new repositories by default, set the following flag in the Xray system YAML: `server.enableXrayOnNewRepos=true`
Jira Integration
Introduced new filters that enable users to categorize policy violations based on their associated Jira tickets. This improvement allows for more efficient management and resolution of violations.
The search functionality within the Policy Violations UI has been enhanced to allow users to search for violations using Jira Ticket IDs. This makes it easier to find relevant details related to specific violations quickly.
Xray now supports a Skip Proxy option, enabling users to bypass global proxy settings when integrating with Jira.
Package Support
Xray now supports pub packages (Dart and Flutter).
PostgreSQL Support
Upgraded bundled PostgreSQL to 16.8 in native, archive, and Docker Compose installers.
Upgraded bundled PostgreSQL to 16.6 in Helm installers.
Catalog
Catalog now supports Conda packages.
Introducing the Labels Center in Catalog, a unified view to manage all labels used in your organization. For more information, see Configure and Manage Labels.
Source Code
New REST APIs are available for managing and retrieving source code scan data, including endpoints to list repositories, branches, commits, and detailed scan results. These APIs enable precise visibility and filtering of scanned Git data across your projects.
The results of on-demand scans run using the CLI `jf audit --secrets` command are now displayed in the Scans List table.
You can now export Git repository scan data directly from the user interface via Platform > Xray > Scans List.
Advanced Security
You can now create and generate an Exposures Report that gives you a visual representation of which components in your code and binaries are actively invoked and potentially exploitable. This helps you focus on real-world security risks rather than theoretical vulnerabilities. Use advanced filters and scoped views to customize the report to your specific needs and environments. The Exposures Report is also supported via the new REPORTS REST APIs:
Curation
Curation now supports Google Maven repositories.
Enhancements to JFrog Curation Audit Capability:
Improved package search functionality for easier navigation and discovery.
Clearer distinctions between blocked, allowed, and dry-run packages.
Introduced a new PASSED package type for items that successfully passed curation without specific policy inspection, giving the user a full view of the Curation process.
Resolved Issues
Jira | Description |
|---|---|
XRAY-104468 | Xray returned a 500 error from the |
XRAY-115251 | Fixed an issue where a misleading error message, “Cannot read properties of undefined (reading 'forEach')”, was displayed when creating a new watch on the Watches page. |
XRAY-116057 | Updating the scan status of an artifact failed. |
XRAY-119739 | The Xray search did not work properly in some cases. |
XRAY-118268 | Fixed an issue affecting search, sorting, and pagination in the source code scans list. |
XRAY-116062 | Fixed an issue when license aliases were not saved in the UI. |
XRAY-115121 | Improved vulnerability matching accuracy for Red Hat components by factoring in branch information into the vulnerable ranges. |
XRAY-114426 | Fixed an issue where templates were incorrectly appended to the component suffix in the “Descendants” tab of the scan results. |
XRAY-109338 | Fixed an issue regarding the version identification of Go package versions |
XRAY-115368 | A Project admin could not scan an existing Release Bundle from the UI. |
XRAY-74193 | Xray did not detect licenses referenced with a symlink in a package. |
XRAY-116135 | Fixed an issue that prevented automatic scanning of Secrets in RBv2 Docker builds. |
XRAY-110288 | Release Bundle not visible in Xray Scan Lists tab. |
XRAY-116601 | When scanning Azure Linux images, components were misidentified, which led to false positives. |
XRAY-114127 | Mismatch in counts on the Reports page due to pagination issues |
XRAY-114124 | CVE and CVSS columns on the Reports page were not populated for Vulnerability Reports. |
XRAY-24708 | An incorrect number of vulnerabilities was sent to the Metadata Server. |
XRAY-101346 | Fixed missing applicability details in violation results returned by the Scan Build V2 API. |