Released: September 28, 2025
Highlights
Xray
Xray now offers REST APIs for seamless Jira integration using Basic Authentication. For more information, see Jira Integration.
Feature Enhancements
Xray
The License Attribution report is now also supported in the UI and can be triggered from the resource export dialog.
Automatic License Conclusion (license resolution) now shows concluded licenses in a separate column in PDF, and as a “concluded” property in SPDX and CycloneDX.
Added support in Xray to detect cpp components based on text patterns embedded in compiled binaries.
Enhanced Violations Reporting with Scheduling, Sharing, and Dashboards.
We've introduced a powerful new experience for generating Violations Reports. Users can now:
Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects.
Schedule reports to run daily, weekly, or monthly.
Share reports directly with teammates via email.
View interactive dashboards that highlight policy violations per type, severity, and applicability, along with a top 10 CVE violations widget.
View a detailed table.
Deprecation Notice
JFrog Security in Jira Plug-in
End of Support (EoS): 10 November 2025
End of Life (EoL): 10 December 2025
Impact
Existing users must migrate to the Native Jira Integration. After the EoL date, the plug-in will no longer be supported or compatible with future Xray versions.
Migration Path
Follow the JFrog documentation to configure the Native Jira Integration.
Validate the integration with a proof of concept (POC).
Migrate your ticketing process to the Native Jira Integration.
Decommission the plug-in from your environment once migration is complete.
For any assistance, contact JFrog Support.
Resolved Issues
Jira | Description |
|---|---|
XRAY-124561 | |
XRAY-119548 | Updated the violations widget title to display “Loading” while data is being retrieved, instead of showing a zero value. |
XRAY-123980 | Several licenses, including BSD-2-Clause-first-lines, BSD-2-Clause-Darwin, and LicenseRef-jfrog-w3c-03-bsd-license, were not available when creating an Xray License policy. |
XRAY-122761 | A warning message appeared when saving a Watch, indicating a failure to retrieve the binary manager. |
XRAY-118013 | A misleading log message appeared in Xray logs when a user viewed the scan data for a Debian package, despite the scan being successful. |
XRAY-87110 | Project admins received an incorrect "Currently only admins can run an SCA scan" message when viewing the Xray Data tab for non-indexed resources, despite having permissions to initiate scans elsewhere. |
XRAY-124184 | Fixed an issue that caused a specific on-demand Source Code Scan deletion to fail. |
XRAY-125467 | Indexing a specific zip file may cause a runtime error, such as an invalid memory address or a nil pointer dereference. |
XRAY-125238 | Watch violations were incorrectly triggered for packages with N/A CVSS scores when a policy's CVSS score rule range included the maximum score of 10. |
XRAY-124208 | Fixed memory leak during scans of zstd archives. |
XRAY-123758 | Unsupported Docker layer MIME types caused an irrecoverable indexing error. |
XRAY-126975 | Fixed an issue that occasionally caused Impact Analysis to fail on Self Hosted installations of Xray. |
XRAY-126787 | Incorrect status code error when exporting license attribution report without the Catalog service available. |
XRAY-125880 | CVE duplications appeared in the Vulnerabilities tab in Xray scan results. |
XRAY-123429 | Fixed an issue where on-demand scan results in the Platform UI displayed a CVE as “not_applicable” instead of “not_covered”. |