Xray 3.87.5

Xray Release Information

JFrog Xray

Released: January 8, 2024


New Security Policy for Specific Packages

You can create a security Policy rule for specific packages and package versions. This allows you to issue violations and perform actions if the specified packages are detected by Xray. For more information, see Trigger Violations Using Xray Policy Rules.Trigger Violations Using Xray Policy Rules

Support VMDK and OVA Indexing

Added support for Xray scanning of ".vmdk" VMWare Disk Image files (incl. when inside ".ova" archives)

  • monolithicSparse

  • streamOptimized

The supported partition table formats are:

  • MBR

  • GPT

The supported filesystems are:

  • XFS

  • EXT4

OCI Repository Support

With the support of OCI repositories in Artifactory version 7.75.3, this Xray version supports scans of OCI and Docker images deployed to an OCI repository including SCA, Contextual Analysis, and Exposures scans as supported in a Docker repository.

Additional Technologies Support in Xray

  • Added support for scanning XZ compressed files that were not part of a TAR archive

  • Added support for scanning of ISO image files

  • Added support for scanning of CPIO (SVR4) archive files

  • Added support for listing dependencies from OpenSUSE package metadata files (ex. ".packages.initrd")

Feature Enhancements

Jira Integration Ticket Mapping Enhancement

You now can map tickets to relevant Profiles based on the violation impact path. For more information, see Xray Jira Integration.Xray Jira Integration

Contextual Analysis in Reports

Contextual Analysis scan findings are now available in Xray's Vulnerabilities and Violations Reports.

License Coverage Enhancement

Xray's out-of-the-box license coverage expanded from 400 licenses to ~1800 licenses.

SBOM Report Enhancement

You now have the option to choose whether or not to include/exclude VEX data in CycloneDX format.

Resolved Issues




Fixed an issue whereby, when working with Projects, Project roles with permissions to create an Ignore Rule on the Project level were unable to delete the Ignore Rule.


Fixed an issue whereby, in some cases, a deleted Ignore Rule was still displayed in the UI.


Fixed an issue whereby, when applying Index Now on a Docker repository resulted in the scanning of all artifacts including ones that have already been scanned.


Fixed an issue whereby, support of special characters in build version caused a 500 error when accessing the build version.


Improved the operation of JFrog Advanced Security when operating under the Kubernetes runAsNonRoot policy by enabling UID setting in the system.yaml configuration file.Xray System YAML

Use the following new parameter:


uid: “1035”

Default Value: 1035


Fixed an issue whereby, applying an Ignore Rule for selected Watches was not working properly, as it did not apply on all the selected Watches.


Fixed an issue whereby, it was not possible to select a Watch in the Ignore Rule conditions for violations generated in an on-demand scan.