Xray 3.8.0

Xray Release Information

Products
JFrog Xray
Content Type
Release Notes
ft:sourceType
Paligo

Released: August 13, 2020

Highlights
Vulnerabilities Report

You can now create and generate a Vulnerabilities Report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. Narrow down what data you would like to see by setting a specific scope and advanced filters to display the exact data you want to analyze. A new reports page now is part of the JFrog platform where you can create, generate, and perform various actions on reports with the capability to export to PDF, JSON, and CSV file formats for further analysis. The Vulnerabilities report is also supported by REPORTS REST APIs.Xray Reports

This report type is the first of the Xray Reports feature that was introduced in this release. Other report types are planned for future releases that will provide you with further capabilities.Xray Reports

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.Introduction to Users and GroupsGet Component List Per WatchFind Component by CVE

Multiple License Permissive Approach

The new Multiple License Permissive Approach enables you to have more flexibility in the policy level and to configure a more permissive approach that allows components that have at least one of the licenses as permitted to go through without triggering a violation even if some licenses are not allowed.Assign an Automatic Action to an Xray Policy Rule

Dedicated Features that Require Artifactory

The Vulnerabilities Report, the Manage Reports User Role, and the Multiple License Permissive Approach features all require Artifactory version 7.7.0 and above on the Cloud, and version 7.7.3 and above On-Prem.

System Metrics Information API and log

Xray has been enhanced to support open metrics. The new Metrics API has been added and returns metrics in the Open Metrics format. The new metric-related log file xray-{microservice}-metrics.log was added to the file system.Metrics

RabbitMQ Upgrade

RabbitMQ has been upgraded to version 3.8.x.

Feature Enhancements
Go Version Upgrade

The Go version with Xray has been upgraded to version 1.14.6, solving some security vulnerabilities described in CVE-2020-15586.

PostgreSQL Version Support

Xray is now certified to run with PostgreSQL versions 11.x, and 12.x.

Resolved Issues
  1. Fixed an issue whereby, the IU-Extreme-1.1.1 license URL was incorrect.

  2. Fixed an issue whereby, after DB Sync failure, the DB Sync was reading the same faulty bundle and not downloading fixed bundles.

  3. Fixed an issue whereby, Debian OS packages were named by "Source" instead of "Package".

  4. Fixed an issue whereby, the Get Component List Per Watch API required Admin permissions only, preventing non-admin users from calling this REST API. A new Manage Reports user role was added to enable you to use this API.

  5. Fixed an issue whereby, the Find Component by CVE API did not return results for users with read permissions. A new Manage Reports user role was added to enable you to use this API.

  6. Fixed an issue whereby, Xray was not sending E-mail notifications to watch recipients when violations were found.

  7. Fixed an issue whereby, Alert worker was consuming an excessive amount of memory.

  8. Fixed an issue whereby, the RPM docker images were stuck in the indexing stage in an infinite loop.

  9. Improvement in RabbitMQ clustering logic.