Released: October 17, 2025
Highlights
Xray
Scanning Multi-architecture Images
Xray now supports scanning multi-architecture images (Docker manifest lists and OCI image indexes). Results are presented as a unified scan summary for the whole image, together with an individual scan result for each contained architecture.
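As an added illustration of what a multi-architecture scan has to do (this is example code written for this page, not Xray's implementation), the Python below enumerates the per-architecture manifests of an OCI image index, sets aside BuildKit attestation manifests (which carry no runnable platform and should not appear as an "architecture" in a summary), rejects media types it does not understand rather than silently scanning a partial image, and then merges per-architecture findings into one image-level summary that still records which architectures each finding came from. The image index, digests, component names and vulnerability identifiers are constructed placeholders.

```python
import json

# Constructed sample (hypothetical digests): an OCI image index as produced by a
# multi-platform build. The third entry is a BuildKit attestation manifest
# (platform unknown/unknown) that refers to the amd64 image; it is not a
# runnable image and must not be reported as a platform in a scan summary.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "a1" * 32, "size": 1024,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b2" * 32, "size": 1024,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c3" * 32, "size": 512,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:" + "a1" * 32}},
    ],
})

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
MANIFEST_TYPES = {
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
}


def platform_key(platform):
    """Render an OCI platform object as os/arch[/variant]."""
    parts = [platform.get("os", ""), platform.get("architecture", "")]
    if platform.get("variant"):
        parts.append(platform["variant"])
    return "/".join(parts)


def enumerate_platforms(index_json):
    """Return the per-architecture image manifests of an index, separating
    attestation manifests from scannable images. Unknown media types raise
    instead of producing a partial view of the image."""
    doc = json.loads(index_json)
    media_type = doc.get("mediaType", "")
    if media_type in MANIFEST_TYPES:
        return {"multi_arch": False, "images": [], "attestations": []}
    if media_type not in INDEX_TYPES:
        raise ValueError(f"unsupported manifest media type: {media_type!r}")
    images, attestations = [], []
    for entry in doc.get("manifests", []):
        if entry.get("mediaType") not in MANIFEST_TYPES:
            raise ValueError(f"unsupported entry media type: {entry.get('mediaType')!r}")
        annotations = entry.get("annotations", {})
        if annotations.get("vnd.docker.reference.type") == "attestation-manifest":
            attestations.append({"digest": entry["digest"],
                                 "refers_to": annotations.get("vnd.docker.reference.digest")})
            continue
        images.append({"platform": platform_key(entry.get("platform", {})),
                       "digest": entry["digest"]})
    return {"multi_arch": True, "images": images, "attestations": attestations}


def merge_findings(per_platform):
    """Build a unified summary from per-architecture results.

    per_platform maps a platform key to a list of (vulnerability_id, component)
    pairs. The result maps each distinct pair to the sorted list of platforms
    it was found in, so a finding present only in one architecture's layers
    still appears in the image-level summary, attributed to that architecture."""
    merged = {}
    for platform, findings in per_platform.items():
        for vuln_id, component in findings:
            merged.setdefault((vuln_id, component), set()).add(platform)
    return {key: sorted(platforms) for key, platforms in merged.items()}


if __name__ == "__main__":
    layout = enumerate_platforms(SAMPLE_INDEX)
    print("platforms:", [img["platform"] for img in layout["images"]])
    # Constructed per-architecture results with placeholder identifiers.
    per_platform = {
        "linux/amd64": [("VULN-EXAMPLE-1", "libfoo@1.0"), ("VULN-EXAMPLE-2", "libbar@2.1")],
        "linux/arm64/v8": [("VULN-EXAMPLE-1", "libfoo@1.0")],
    }
    for (vuln_id, component), platforms in merge_findings(per_platform).items():
        print(f"{vuln_id} in {component}: {', '.join(platforms)}")
```

The attestation-manifest check matters in practice: `docker buildx` emits those entries by default, and a scanner that treats every index entry as an image either fails on them or reports a bogus `unknown/unknown` architecture.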
Xray CVSS v4.0 Scoring Support
Xray now supports CVSS v4.0 scoring in addition to CVSS v3.x and v2. CVSS v4.0 (published by FIRST in November 2023) refines the Base metrics, replaces the v3.x Temporal group with Threat metrics that capture exploit maturity, adds Supplemental metrics, and labels each score by the metric groups that produced it (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE), so a vulnerability's base severity can be kept separate from the current threat landscape and from the deploying organization's environment. With this addition Xray's vulnerability scoring stays aligned with the current standard. Note that v4.0 and v3.x scores for the same vulnerability are not interchangeable; review policy rules that threshold on a CVSS score range before relying on v4.0 values.
Xray Helm Chart Scanning Support
Xray now supports scanning Helm charts to identify vulnerabilities and license compliance issues within the chart’s packaged dependencies.
Feature Enhancements
Xray
Xray now supports CPE (Common Platform Enumeration) matching during SBOM ingestion for generic components.
Added support for Apache 2.0 NOTICE information in SBOM exports (SPDX and CycloneDX).
Xray now supports ingesting SBOMs in SPDX format, expanding compatibility with industry-standard Software Bill of Materials specifications.
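The two SBOM items above (CPE matching for generic components, and SPDX ingestion) come together when an ingested SPDX document carries `cpe23Type` external references. The Python below, written as an added example for this page and not taken from Xray, reads a constructed SPDX 2.3 JSON document, extracts each package's CPE 2.3 locator, parses it while honouring backslash-escaped colons, and derives a component identifier in a hypothetical `vendor/product@version` form. A CPE whose vendor, product or version is empty, `*` (ANY) or `-` (NA) is rejected rather than turned into an empty component ID, which is exactly the failure mode a CPE parser has to guard against. Package names, vendors and CPEs in the sample are constructed.

```python
import json

# Constructed SPDX 2.3 JSON document (hypothetical package names, vendors and
# CPEs). Package 2 has an escaped colon inside its product name; package 3
# carries only a purl and no CPE; package 4 carries a CPE whose vendor and
# product fields are empty, the shape that must not become a component ID.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {"name": "libexample", "SPDXID": "SPDXRef-Package-libexample",
         "versionInfo": "1.2.3",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:example_vendor:libexample:1.2.3:*:*:*:*:*:*:*"}]},
        {"name": "colon-tool", "SPDXID": "SPDXRef-Package-colon-tool",
         "versionInfo": "2.0",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:example_vendor:colon\\:tool:2.0:*:*:*:*:*:*:*"}]},
        {"name": "no-cpe-pkg", "SPDXID": "SPDXRef-Package-no-cpe-pkg",
         "versionInfo": "0.9",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/no-cpe-pkg@0.9"}]},
        {"name": "broken-ref", "SPDXID": "SPDXRef-Package-broken-ref",
         "versionInfo": "3.1",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:::*:*:*:*:*:*:*:*"}]},
    ],
})

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
                  "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(locator):
    """Split on unescaped colons. A backslash escapes the next character, so
    'colon\\:tool' stays a single field; escapes are dropped from the output."""
    fields, current, i = [], [], 0
    while i < len(locator):
        ch = locator[i]
        if ch == "\\" and i + 1 < len(locator):
            current.append(locator[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_cpe23(locator):
    """Parse a CPE 2.3 formatted string into a dict of its 11 attributes."""
    fields = split_cpe23(locator)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {locator!r}")
    return dict(zip(CPE_ATTRIBUTES, fields[2:]))


def component_id_from_cpe(cpe):
    """Build a hypothetical vendor/product@version component ID. Returns None
    when any identifying field is empty, ANY ('*') or NA ('-'): an ID built
    from those would be empty or would match far more than one component."""
    vendor, product, version = cpe["vendor"], cpe["product"], cpe["version"]
    if any(value in ("", "*", "-") for value in (vendor, product, version)):
        return None
    return f"{vendor}/{product}@{version}"


def ingest_spdx(spdx_json):
    """Classify each package of an SPDX 2.x JSON document as matched (a usable
    component ID came from a cpe23Type reference), unmatched (no CPE reference)
    or rejected (a CPE reference is present but unusable)."""
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError(f"unsupported SPDX version: {doc.get('spdxVersion')!r}")
    matched, unmatched, rejected = [], [], []
    for pkg in doc.get("packages", []):
        locators = [ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                    if ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType") == "cpe23Type"]
        if not locators:
            unmatched.append(pkg["name"])
            continue
        for locator in locators:
            try:
                component_id = component_id_from_cpe(parse_cpe23(locator))
            except ValueError:
                component_id = None
            if component_id is None:
                rejected.append((pkg["name"], locator))
            else:
                matched.append((pkg["name"], component_id))
    return {"matched": matched, "unmatched": unmatched, "rejected": rejected}


if __name__ == "__main__":
    for bucket, entries in ingest_spdx(SAMPLE_SPDX).items():
        print(bucket, entries)
```

Packages that end up in `unmatched` or `rejected` are the ones to report back to the SBOM producer: with no usable CPE, no CPE-based vulnerability matching is possible for them, and silently dropping them would make the scan look cleaner than it is.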
Resolved Issues
Jira | Description |
|---|---|
XRAY-124561 | |
XRAY-119548 | Updated the violations widget title to display “Loading” while data is being retrieved, instead of showing a zero value. |
XRAY-123980 | Several licenses, including BSD-2-Clause-first-lines, BSD-2-Clause-Darwin, and LicenseRef-jfrog-w3c-03-bsd-license, were not available when creating an Xray License policy. |
XRAY-122761 | A warning message appeared when saving a Watch, indicating a failure to retrieve the binary manager. |
XRAY-118013 | A misleading log message appeared in Xray logs when a user viewed the scan data for a Debian package, despite the scan being successful. |
XRAY-87110 | Project admins received an incorrect "Currently only admins can run an SCA scan" message when viewing the Xray Data tab for non-indexed resources, despite having permissions to initiate scans elsewhere. |
XRAY-124184 | Fixed an issue that caused a specific on-demand Source Code Scan deletion to fail. |
XRAY-125467 | Indexing a specific zip file caused a runtime error (an invalid memory address or nil pointer dereference). |
XRAY-125238 | Watch violations were incorrectly triggered for packages with N/A CVSS scores when a policy's CVSS score rule range included the maximum score of 10. |
XRAY-124208 | Fixed memory leak during scans of zstd archives. |
XRAY-123758 | Unsupported Docker layer MIME types caused an irrecoverable indexing error. |
XRAY-126975 | Fixed an issue that occasionally caused Impact Analysis to fail on Self Hosted installations of Xray. |
XRAY-126787 | An incorrect status code was returned when exporting a license attribution report while the Catalog service was unavailable. |
XRAY-125880 | CVE duplications appeared in the Vulnerabilities tab in Xray scan results. |
XRAY-123429 | Fixed an issue where on-demand scan results in the Platform UI displayed a CVE as “not_applicable” instead of “not_covered”. |
XRAY-125126 | Fixed an issue affecting third-party components in the Applicability scanner. |
XRAY-127701 | The Attribution Report was failing for builds. |
XRAY-127446 | CPE parsing created empty Component IDs. |
XRAY-127028 | Fixed default component type classification and fixed component type classification for ML models. |
XRAY-127368 | Fixed a UI bug in the Report right pane that caused the pane to overflow when many licenses were selected. |
XRAY-127250 | Improved global permissions fetching, which could slow down loading of the Curation UI page. |
XRAY-126104 | Comparing build versions in the UI failed with a 'Mandatory fields are missing' error when the build name contained a forward slash ('/'). |