Released: November 9, 2025
Highlights
Curation
Conda Support
Curation now supports Conda packages.
VS Code Support
You can now curate VS Code remote repositories created through the AI Editor Extensions — apply policies, conditions, and governance controls to manage VS Code packages with the same flexibility as any other package type. For more information, see How to Curate VS Code Remote Repositories.
*Requires an Ultimate or Unified Security Bundle.
Compliant Version Selection
Curation now returns the highest policy-compliant package version instead of blocking requests, minimizing development disruptions. Supported for PyPI and NPM. For more information, see Compliant Version Selection.
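As an added illustration of the selection behaviour described above (example code written for this page, not Curation's own implementation, and not its algorithm), the function below takes a requested version, the catalogue of available versions with their scan findings, and a policy predicate, and returns the highest compliant version rather than refusing the request. The package name, versions, scores and licenses are constructed sample data; the "highest compliant version overall, pre-releases excluded unless asked for" rule is this example's assumption.

```python
from typing import Callable, Dict, Optional, Tuple

Finding = Dict[str, object]
Policy = Callable[[Finding], bool]

# Constructed sample catalogue for a hypothetical package; the CVSS scores and
# licenses are invented for illustration, not real scan data.
AVAILABLE_VERSIONS: Dict[str, Finding] = {
    "1.0.0": {"max_cvss": 0.0, "license": "MIT"},
    "1.2.0": {"max_cvss": 5.3, "license": "MIT"},
    "1.3.0": {"max_cvss": 9.8, "license": "MIT"},             # critical CVE
    "2.0.0": {"max_cvss": 0.0, "license": "GPL-3.0-only"},    # disallowed license
    "2.1.0-beta.1": {"max_cvss": 0.0, "license": "MIT"},      # pre-release
}

VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(version: str) -> VersionKey:
    """Sort key for versions such as 1.2.3 or 1.2.3-beta.1.

    Numeric components compare numerically; a release (no suffix) sorts
    above a pre-release carrying the same numbers.
    """
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return (numbers, 0 if prerelease else 1, prerelease)


def is_prerelease(version: str) -> bool:
    return "-" in version


def example_policy(finding: Finding) -> bool:
    """Compliant when no CVE reaches High severity and the license is on the allow list."""
    allowed = {"MIT", "Apache-2.0", "BSD-3-Clause"}
    return float(finding["max_cvss"]) < 7.0 and finding["license"] in allowed


def select_compliant_version(
    requested: str,
    available: Dict[str, Finding],
    policy: Policy,
    allow_prerelease: bool = False,
) -> Optional[str]:
    """Return the requested version if compliant, else the highest compliant one.

    None means no version satisfies the policy, i.e. the request would be blocked.
    """
    if requested in available and policy(available[requested]):
        return requested
    candidates = [
        version for version, finding in available.items()
        if policy(finding) and (allow_prerelease or not is_prerelease(version))
    ]
    if not candidates:
        return None
    return max(candidates, key=parse_version)


if __name__ == "__main__":
    print(select_compliant_version("1.3.0", AVAILABLE_VERSIONS, example_policy))
```

Requesting 1.3.0 against this catalogue resolves to 1.2.0: the critical CVE makes 1.3.0 non-compliant, 2.0.0 fails the license check, and the 2.1.0 pre-release is skipped by default.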
Advanced Security
Rules for ML Model Types
You can now define package-version rules for ML model types to block or notify on risky formats and to enforce approved versions.
Xray
Jira Integration
Xray now offers REST APIs for seamless Jira integration using Basic Authentication. For more information, see JIRA INTEGRATION.
Scanning Multi-architecture Images
Xray now supports scanning multi-architecture images. The results are presented as a unified scan summary for the entire image, along with individual scans for each contained architecture.
Xray CVSS v4.0 Scoring Support
Xray now supports CVSS v4.0 scoring in addition to CVSS v3 and v2. CVSS v4.0 introduces a more detailed, flexible, and accurate framework that allows security professionals to perform more precise risk assessments by better incorporating exploitability, the evolving threat landscape, and the unique context of their environments. This enhancement ensures that Xray’s vulnerability scoring remains up-to-date and aligned with the latest industry standards, providing a more comprehensive view of vulnerability severity and risk impact.
Xray Helm Chart Scanning Support
Xray now supports scanning Helm charts to identify vulnerabilities and license compliance issues within the chart’s packaged dependencies.
Create Custom License REST API
Added REST API support for creating Custom Licenses in Xray.
Catalog
Valkey Support
Added installation and upgrade support for JFrog Valkey, an open-source in-memory data store used in JFrog Catalog deployments. Supported across Docker Compose, RPM/Debian, Linux Archive, Helm, and OpenShift installations. For more information, see Install Valkey.
Feature Enhancements
Xray
Added support for Ant-style patterns in the specific package policy.
Xray now supports CPE (Common Platform Enumeration) matching during SBOM ingestion for generic components.
Added support for Apache 2.0 NOTICE information in SBOM exports (SPDX and CycloneDX).
Xray now supports ingesting SBOMs in SPDX format, expanding compatibility with industry-standard Software Bill of Materials specifications.
Added support for exporting SBOMs in SPDX format version 2.3.
Added support for a new macro JFrog Research Severity in Native Jira Integration. It uses severity from JFrog Research when available, falls back to CVE data, or applies your default value if neither is found.
The License Attribution report is now also supported in the UI; it can be triggered from the resource export dialog.
Automatic License Conclusion (license resolution) now shows concluded licenses in a separate column in PDF exports, and as a "concluded" property in SPDX and CycloneDX exports.
Added support in Xray for detecting C++ components based on text patterns embedded in compiled binaries.
Enhanced Violations Reporting with Scheduling, Sharing, and Dashboards
We've introduced a powerful new experience for generating Violations Reports. Users can now:
Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects.
Schedule reports to run daily, weekly, or monthly.
Share reports directly with teammates via email.
View interactive dashboards that highlight policy violations by type, severity, and applicability, along with a top 10 CVE violations widget.
Review results in a detailed table.
Enhanced Vulnerabilities Reporting with Scheduling, Sharing, and Dashboards
We've introduced a powerful new experience for generating Vulnerabilities Reports. Users can now:
Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects.
Schedule reports to run daily, weekly, or monthly.
Share reports directly with teammates via email.
View insights through a new aggregated dashboard with severity, applicability, and top 10 vulnerabilities widgets.
Filter results based on vulnerability applicability, severity, or component.
Explore full vulnerability details with remediation guidance and contextual analysis.
Export an overview PDF.
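The CPE matching enhancement listed above says nothing about how CPE names are parsed, so here is an added, self-contained example (written for this page; it is not Xray's code and does not claim to be its matching logic) of the two steps an SBOM ingester has to get right: parsing a CPE 2.3 formatted string while honouring backslash escapes, and refusing to derive a component id from a CPE whose vendor or product is a wildcard or empty. The matching function is a deliberately simplified form of CPE name matching (ANY matches anything, otherwise case-insensitive equality); the CPE strings in the comments and test are constructed samples.

```python
import re
from typing import Dict, List, Optional

# The 11 attributes of a CPE 2.3 formatted string, in order, after the
# "cpe:2.3" prefix.
CPE_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
ANY, NA = "*", "-"


def split_unescaped(text: str, sep: str = ":") -> List[str]:
    """Split on `sep` while leaving backslash-escaped characters (e.g. '\\:') intact."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def unescape(value: str) -> str:
    """Turn CPE escapes such as '\\:' or '\\$' back into the literal character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cpe(cpe: str) -> Dict[str, str]:
    """Parse a CPE 2.3 formatted string into an attribute dict; raise on malformed input."""
    fields = split_unescaped(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    attrs = {name: unescape(value) for name, value in zip(CPE_ATTRIBUTES, fields[2:])}
    # Every attribute must be present: an empty field is malformed, not ANY.
    empty = [name for name, value in attrs.items() if value == ""]
    if empty:
        raise ValueError(f"empty CPE attribute(s) {empty} in {cpe!r}")
    return attrs


def component_id(attrs: Dict[str, str]) -> Optional[str]:
    """Derive a vendor:product:version id, or None when the CPE names no concrete component."""
    vendor, product, version = attrs["vendor"], attrs["product"], attrs["version"]
    if vendor in (ANY, NA) or product in (ANY, NA):
        return None  # a wildcard vendor or product cannot identify a component
    if version in (ANY, NA):
        version = "unknown"
    return f"{vendor}:{product}:{version}"


def cpe_matches(target: Dict[str, str], pattern: Dict[str, str]) -> bool:
    """Simplified CPE name matching: ANY in the pattern matches anything, else exact."""
    for name in CPE_ATTRIBUTES:
        want, have = pattern[name], target[name]
        if want == ANY:
            continue
        if want.lower() != have.lower():
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a component CPE and an advisory pattern with a wildcard version.
    component = parse_cpe("cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*")
    advisory = parse_cpe("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*")
    print(component_id(component), cpe_matches(component, advisory))
```

The empty-attribute check is the point of the exercise: a naive `split(":")` would accept `cpe:2.3:a::openssl:...` and produce an id with no vendor, which then matches nothing and silently drops the component from reporting.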
Catalog
Introduced the License Correction Request: you can open a request in the Catalog UI for packages with unknown or misidentified licenses. The JFrog team reviews the request and updates the license based on its findings.
Source Code
You can now integrate Frogbot with your GitHub repositories using the JFrog GitHub App. This integration simplifies setup by automatically configuring Frogbot with GitHub Actions, adding the required secrets, and opening a workflow pull request in each selected repository. Once enabled, Frogbot continuously scans commits and pull requests for security issues, adds comments with findings, and can even open fix pull requests for vulnerable dependencies. This integration is supported for repositories under GitHub Organizations.
Resolved Issues
Jira | Description |
|---|---|
XRAY-119896 | Resolved a |
XRAY-115356 | Fixed mismatch between detected license in Xray vs Policy license selector - in license “ |
XRAY-116447 | The Any Repo option was incorrectly disabled for users without admin permissions, even if they had all the required permissions to add repositories to a watch. |
XRAY-118970 | The fix version was not displayed for some packages in on-demand scanning. |
XRAY-117101 | Fixed an issue with the dropdown in the Xray tab in Artifactory. Users can now switch the violations table view between active and ignored issues. |
XRAY-116057 | Failed to update the Scan Status of the artifact. |
XRAY-115121 | Improved vulnerability matching accuracy for RedHat components by factoring in branch information into the vulnerable range. |
XRAY-113702 | Updated the logic for the Artifactory |
XRAY-114175 | Added TLS support for Advanced Security when running in router mode. |
XRAY-122439 | Fixed an issue where scans of RBv2 did not generate exposure violations. |
XRAY-122439 | Fixed an issue where fix versions were not displayed for some packages during on-demand scanning. |
XRAY-124017 | Fixed an issue in Xray webhooks where high memory usage occurred in the policy enforcer when a single CVE impacted multiple artifacts. |
XRAY-123347 | Compressed files with uppercase extensions, such as .TGZ and .TAR.GZ, were not scanned. |
XRAY-122770 | Scanning a build would hang indefinitely if the build name contained the string "build-info". |
XRAY-104468 | Xray returned a 500 error from the |
XRAY-123540 | Fixed an issue that caused the Policy Violations Report to break due to missing data. |
XRAY-123764 | Fixed an issue where |
XRAY-122808 | Fixed missing fields in |
XRAY-115361 | Fixed an issue where not all violations were ignored when a Block Download grace period rule was assigned. |
XRAY-124820 | Incorrect published dates on V2 Reports. |
XRAY-120511 | Re-scanning an artifact in one remote repository incorrectly triggered a scan on a different remote repository. |
XRAY-119885 | Xray's policy rule evaluation did not stop after the first rule match. |
XRAY-122389 | The Xray Create Policy REST API allowed creating rules with incompatible criteria. |
XRAY-124246 | Fixed an issue where exposure violations were incorrectly ignored when creating an “Ignore CVE” rule scoped to all components and artifacts. |
XRAY-124561 | |
XRAY-119548 | Updated the violations widget title to display “Loading” while data is being retrieved, instead of showing a zero value. |
XRAY-123980 | Several licenses, including BSD-2-Clause-first-lines, BSD-2-Clause-Darwin, and LicenseRef-jfrog-w3c-03-bsd-license, were not available when creating an Xray License policy. |
XRAY-122761 | A warning message appeared when saving a Watch, indicating a failure to retrieve the binary manager. |
XRAY-118013 | A misleading log message appeared in Xray logs when a user viewed the scan data for a Debian package, despite the scan being successful. |
XRAY-87110 | Project admins received an incorrect "Currently only admins can run an SCA scan" message when viewing the Xray Data tab for non-indexed resources, despite having permissions to initiate scans elsewhere. |
XRAY-124184 | Fixed an issue that caused a specific on-demand Source Code Scan deletion to fail. |
XRAY-125467 | Indexing a specific zip file may cause a runtime error, such as an invalid memory address or a nil pointer dereference. |
XRAY-125238 | Watch violations were incorrectly triggered for packages with N/A CVSS scores when a policy's CVSS score rule range included the maximum score of 10. |
XRAY-124208 | Fixed memory leak during scans of zstd archives. |
XRAY-123758 | Unsupported Docker layer MIME types caused an irrecoverable indexing error. |
XRAY-126975 | Fixed an issue that occasionally caused Impact Analysis to fail on Self Hosted installations of Xray. |
XRAY-126787 | An incorrect status code was returned when exporting the license attribution report while the Catalog service was unavailable. |
XRAY-125880 | CVE duplications appeared in the Vulnerabilities tab in Xray scan results. |
XRAY-123429 | Fixed an issue where on-demand scan results in the Platform UI displayed a CVE as “not_applicable” instead of “not_covered”. |
XRAY-125885 | Fixed an issue where empty package names caused an error. |
XRAY-125126 | Fixed an issue affecting third-party components in the Applicability scanner. |
XRAY-127701 | The Attribution Report was failing for builds. |
XRAY-127446 | CPE parsing created empty Component IDs. |
XRAY-127028 | Fixed default component type classification and fixed component type classification for ML models. |
XRAY-127368 | Fixed a UI bug in the Report right pane that caused overflow when too many licenses were selected. |
XRAY-127250 | Improved global permissions fetching, which had been causing slowness when loading the Curation UI page. |
XRAY-126104 | Comparing build versions in the UI failed with a 'Mandatory fields are missing' error when the build name contained a forward slash ('/'). |
XRAY-125318 | The Impact Path was not displayed for packages with Unknown Licenses. |
XRAY-128360 | Incorrect Helm Charts files in the scanned filesystem were causing the SCA scan to freeze. |
XRAY-128113 | In some cases, Xray failed to save Multi-arch image scans to the database. |
XRAY-127669 | The Package Type column in Vulnerability Reports was empty. |
XRAY-125318 | “Unknown” license violations did not display any impact paths. |
XRAY-116071 | Resolved an issue where offline DBSync showed the wrong migration instructions during the synchronization process. |
XRAY-127940 | Xray scans were hanging when scanning JAR executables. |
XRAY-127287 | Force-reindexing was sending the wrong repository for the artifact. |
XRAY-127051 | Custom licenses could not be fully removed in the old Xray view. |
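Two of the resolved issues above, XRAY-125238 (violations triggered for packages with N/A CVSS scores when a rule's range reached 10) and XRAY-119885 (evaluation not stopping at the first matching rule), describe behaviour a policy engine has to get right, so here is an added example of how a defensive evaluator treats them. This is illustrative code written for this page, not Xray's policy enforcer; the rule and finding types, the sample policy, and the CVE ids (placeholders of the form CVE-0000-000N) are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CvssRangeRule:
    """A policy rule that fires when a finding's CVSS score lies within [min_score, max_score]."""
    name: str
    min_score: float
    max_score: float
    action: str  # e.g. "block_download" or "notify"


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_score: Optional[float]  # None models an advisory with no score (shown as N/A)


def rule_matches(rule: CvssRangeRule, finding: Finding) -> bool:
    # N/A is the absence of a score, not a score of 0 or 10: it never falls
    # inside a numeric range, even the full 0.0-10.0 range.
    if finding.cvss_score is None:
        return False
    return rule.min_score <= finding.cvss_score <= rule.max_score


def first_matching_rule(rules: List[CvssRangeRule], finding: Finding) -> Optional[CvssRangeRule]:
    """Rules are checked in priority order; evaluation stops at the first match."""
    for rule in rules:
        if rule_matches(rule, finding):
            return rule
    return None


def evaluate_watch(rules: List[CvssRangeRule], findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return one (cve, rule name, action) violation per finding that matches a rule."""
    violations: List[Tuple[str, str, str]] = []
    for finding in findings:
        rule = first_matching_rule(rules, finding)
        if rule is not None:
            violations.append((finding.cve, rule.name, rule.action))
    return violations


# Constructed sample policy (highest priority first) and findings; the CVE ids
# are placeholders, not real advisories.
SAMPLE_RULES = [
    CvssRangeRule("critical", 9.0, 10.0, "block_download"),
    CvssRangeRule("high", 7.0, 10.0, "notify"),
    CvssRangeRule("any-score", 0.0, 10.0, "notify"),
]
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8),
    Finding("CVE-0000-0002", 7.5),
    Finding("CVE-0000-0003", None),  # N/A score: must produce no violation
    Finding("CVE-0000-0004", 3.1),
]


if __name__ == "__main__":
    for violation in evaluate_watch(SAMPLE_RULES, SAMPLE_FINDINGS):
        print(*violation)
```

With this data the 9.8 finding yields only the "critical" violation even though the "high" and "any-score" ranges also contain 9.8, and the N/A finding yields none despite the catch-all 0.0-10.0 rule.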