Xray 3.59.4

Xray Release Information

Products
JFrog Xray
Content Type
Release Notes
ft:sourceType
Paligo

Released: October 12, 2022

Highlights
JFrog Advanced Security (Cloud-only)

Announcing JFrog Advanced Security Pack! The new security pack can be purchased with Cloud Enterprise X and Enterprise+ subscriptions, and contains the following features:

  • Vulnerability Contextual Analysis: An industry first; scan containers and packages to prioritize whether OSS vulnerabilities are actually exploitable.Vulnerability Contextual Analysis

  • Exposed Secrets: Detect any secrets left exposed in any containers stored in Artifactory to stop accidental leaks of internal tokens or credentials.Exposures Scans

  • Insecure use of libraries and services: Detect whether common OSS libraries and services are used and configured securely so that containerized applications can be easily hardened by default.Exposures Scans

  • Infrastructure-as-Code (IAC): Scan IaC files stored in Artifactory for early detection of cloud and infrastructure misconfigurations. Xray scans Terraform states for AWS, Azure, and GCP cloud services.Exposures Scans

OCI Image Support

Xray now supports scans of OCI images deployed to an Artifactory Docker repository.

Conda Packages Support

Xray now can scan Conda packages that contain python packages and their dependencies for security vulnerabilities, license compliance and operational risk.

Additional information about the Conda scan feature:

Conda is a general-purpose package, dependency, and environment management open-source project that is language-independent. Conda is commonly used for applications that can run on a variety of platforms without the risk of package conflicts.

While Conda is language-independent, Xray's support for Conda is designed primarily to scan the Python packages that are bundled within the Conda packages. Note that the UI will display zero security vulnerabilities for packages within a Conda package that are not supported. An updated list of supported package types can be found here.JFrog Xray

Feature Enhancements
On-Demand Scanning Enhancement

When the JFrog CLI tool executes an on-demand scan, it first downloads the Xray executable from the Xray server. Until this release, a native M1 version of this executable was unavailable. For an on-demand scan on an M1 machine, the Intel X64 version of the executable had to be used, and required Rosseta2 emulation. With this release, a native M1 version is available and the need for Rosseta2 has been removed.Xray On-Demand Binary Scan

Expand Support to Additional General Archive Types/Formats

Added support in Xray for additional compression and general archive formats and extensions (.rar, .tbz2, tar.bz2, tar.lzma, .tlz, .tar.xz, .txz).

Resolved Issues

JIRA

Description

XRAY-12288

Fixed an issue whereby, in some cases, the Xray issue ID was displayed instead of a CVE number.

XRAY-12258

Fixed an issue whereby, sometimes Maven components were matched to an incorrect version.

XRAY-12216

Fixed an issue, whereby, a 500 error was issued in the Scans List Build tab when builds contained spaces in the build name.

XRAY-10984

Fixed an issue whereby, duplicate violations were displayed on the Violations page.

XRAY-12079

Fixed an issue whereby, the create vulnerability Ignore Rule dialog did not have a clear character limit when input was longer than 252 characters.

XRAY-10981

Fixed an issue whereby, the config parameters for the indexer-app where values of environment variables such as indexer.compress.RationLimit and indexer.compress.MaxEntities were not reflected in some environments.

XRAY-10980

Added support for sending requests to Xray via basic auth while the password is an Access token.

XRAY-9355

Fixed an issue whereby, manifest.json files in generic repositories were not indexed.

Resolved Vulnerabilities

This release contains Fixed Security Vulnerabilities.