JFrog Security Self-Managed Releases

3.143.6

Released: April 28, 2026

New Features and Enhancements

Xray

• Announcing a new Xray Overview UI Page: a single-pane-of-glass view of your organization's security scanning coverage, secrets detection adoption, supply chain protection, and policy enforcement.
• Added Base Image Detection, enabling separation and filtering of base image vs. application vulnerabilities and SBOM components.
• Added Audit Events for SBOM impact analysis, license and copyright edits, and custom license creation flows.
• Enhanced Xray authentication and permission checks by adopting updated JFrog Access client APIs and principal-based authorization.
• Added an API to retrieve Xray license information.
• Moved the Export Scan Data option in Scan Results out of the options menu for improved accessibility.
• Optimized vulnerability matching performance by increasing parallelization relative to the Xray Update Center.
• Added support for SBOM exports to return in the REST API body response by specifying "output_format": "raw" in the Request Body.
• Enabled Optimized Impact Analysis by default for instances migrated to SBOM.
• Added Impact Search enhancements: improved autocomplete with better suggestion filtering, intuitive keyboard navigation, and support for unquoted values.
• Violation Report improvements: centralized CVSS display in the CVE details panel, refined visibility rules for CVSS information, and updated layout for clearer context.
• Added Publisher Date, Fix Date, Exploited Status, and JFrog Research severity justification fields to vulnerability report exports (CSV and API).
• Added a severity source field to the Get Vulnerabilities Report API.
• Added distinct status messages for blocked, scanned, and unscanned artifacts.
• Improved query performance for violations.
• Improved formatting of Xray security email notifications.
• Upgraded RabbitMQ to version 4.0 and improved metrics collection.
• Extracted the post-scan flow from the Impact Analysis worker into a dedicated PostScan worker, improving scan throughput under load.
• Optimized Docker image indexing with single-pass layer extraction and pruning of irrelevant installed files.
• Optimized Policy Enforcer runtime performance.
• Optimized bulk delete operations for SBOM data.

JFrog Advanced Security

• Secrets ignore rules now support Ant-style file path patterns (e.g., /*.jar/), allowing users to suppress violations across multiple files or directories without creating individual rules.
• Added support for ignoring secrets using file path patterns with Ant-based or RE2 pattern matching.
• Exposures scanning is now supported for AppTrust, providing exposure findings alongside existing vulnerability data.
• Improved Advanced Security scan performance for large repositories.
• Added Transitive Contextual Analysis indicators to vulnerability reports, including the overview, table, and export files.

Curation

• Announcing Block Downloads from Cached Remote Repositories, enabling Curation policies to enforce restrictions on packages even when already stored in the Artifactory cache.
• Announcing On-Demand Curation, enabling Curation policies to be applied to packages from remote repositories not covered by the JFrog Public Catalog, with immediate enforcement for uncataloged, private, and ecosystem-specific components.
• NVIDIA NIM models are now supported in Catalog and Curation policies.
• Preview Dashboard: Added a preview dashboard for non-entitled JFrog Curation users, providing a snapshot of the security posture of remote OSS packages.
• Expanded Compliant Version Selection support to include Conda, NuGet, and RubyGems ecosystems.
• With Compliant Version Selection enabled, JFrog Curation now dynamically evaluates packages not found in the Catalog. Packages are allowed by default unless a blocking policy exists, in which case they are blocked and automatically replaced with a compliant alternative.
• Enhanced the Overview dashboard to surface security coverage gaps and provide actionable insights for improving protection.
• Introduced new REST APIs to get and create a Waiver Request.
• Added support for waiver requests in the API and UI, enabling developers to request waivers from policy owners for specific blocked packages.
• The Curation Audit now includes additional filters: Reason, Requester Email (search), Origin, and Condition Name.
• You can now search for a package without specifying a version, enabling visibility across all available versions.

Catalog

• Introduced bulk assignment of packages to labels to support waivers across all current and future package versions.
• Increased the maximum number of labels that can be assigned to a single package to 500.
• Introduced a new public API that returns the currently active Catalog version.

Source Code (Frogbot)

• Added include-pattern fields to centralized repository scan configuration in the Xray UI.
• Added Snippet Detection toggles to centralized repository scan configuration in the Xray UI.
• Improved performance of the Frogbot V3 fix-version endpoint.

Resolved Issues

3.137.15

Released: February 3, 2026

Highlights

Catalog

JFrog Catalog now includes Public Labels, predefined labels created by the JFrog Security Research team to help classify and identify important package groups. Public labels are read-only and are applied automatically by JFrog, allowing for filtering and evaluation across the Catalog.

A new public label, MCP Servers, identifies packages originating from MCP (Model Context Protocol) servers, based on JFrog’s curated research.

Xray

The SBOM tab now supports the essential use case of viewing and updating OSS license information for components within the SBOM. You can open any component in the SBOM tree, review its detected licenses, and add, remove, or correct license entries directly from the UI. This enables accurate license attribution and improves compliance reporting for scanned artifacts. For more information, see How to view and modify licenses in the SBOM tab.

Feature Enhancements

JFrog Advanced Security

• JFrog Advanced Security now includes Transitive Dependency Analysis, enabling deep contextual insight into vulnerabilities introduced through indirect (transitive) dependencies. For each CVE, users can now view:
  • The full call chain leading to the vulnerable function, including whether the call is direct or transitive.
  • A visual call graph illustrating the dependency path.
  • Highlighted evidence, such as functions, file paths, and line numbers, with one-click copy for easy sharing.
• Added support for exporting Secrets scan results in CycloneDX (CBOM) format.

Xray

• Added REST API support for creating Custom Licenses in Xray.
• The Impact Path view has been upgraded from the Bullseye layout to a more intuitive tree-based visualization, improving clarity and navigation.
• Xray now supports scanning multi-architecture images. The results are presented as a unified scan summary for the entire image, along with individual scans for each contained architecture.
• Full License Text Retrieval in Attribution and SBOM - Adds the full license text of generic licenses.
• A new REST API, Get Jira Integration Status, has been introduced to enable programmatic retrieval of the current health and operational status of an existing Jira integration.
• Added support for ingesting VEX (Contextual Analysis) information from external CycloneDX sources. Requires Advanced Security.
• Added a new REST API endpoint, /api/v1/sbomMigration/status, to retrieve the current SBOM migration status.
• Added support for a text output format for the License Attribution Report.
• Added component supplier information to SPDX reports in accordance with the NTIA 2021 SBOM guidelines.
• Added Impact Search capability for searching vulnerability identifiers or package identifiers across the entire Xray database.
• A new REST API, Get Jira Integration Status, has been introduced to enable programmatic retrieval of the current health and operational status of an existing Jira integration.

Curation

• Added support for additional Maven repositories:

  • GridGain External
  • MuleSoft Releases
  • Sonatype Forge
  • Confluent
  • Cloudera Public

• The issue related to the selection of the NPM “latest” tag has been resolved. When the version referenced by the latest tag does not represent the most recent compliant release (for example, when newer versions exist but are not tagged as latest), the inspection process now continues to evaluate all available versions. It automatically removes any non-compliant versions from the metadata.

• Loading custom certificates into ${JF_PRODUCT_HOME}/var/etc/security/keys/trusted is now supported for secure communication with Catalog Central when a proxy server is configured.

• Introduced bulk assignment of packages to labels to support waivers across all current and future package versions.

• Increased the maximum number of labels that can be assigned to a single package to 500.

• Introduced a new public API that returns the currently active Catalog version.

• Added support for the Pub ecosystem in Catalog and Curation policies.

• Added support for PHP Composer in Catalog and Curation policies.

• Added support for Debian and Ubuntu in Catalog and Curation policies.

• Added support for waiver requests in the API and UI, enabling developers to request waivers from policy owners for specific blocked packages, in addition to the existing CLI flow.

Resolved Issues

3.137.17

Released: February 6, 2026

Resolved Issues

3.137.18

Released: February 10, 2026

Resolved Issues

3.137.20

Released: February 15, 2026

Resolved Issues

3.137.21

Released: February 19, 2026

Resolved Issues

3.137.22

Released: February 23, 2026

Resolved Issues

3.137.23

Released: February 25, 2026

Resolved Issues

3.137.24

Relaesed: March 17, 2026

Feature Enhancements

Catalog

Updated JFrog Router version to 7.205.4.

Resolved Issues

3.137.26

Released: March 19, 2026

Resolved Issues

3.137.27

Released: March 24, 2026

Resolved Issues

3.137.28

Released: April 19, 2026

3.137.29

Released: April 23, 2026

3.137.30

Released: April 27, 2026

3.131.15

Released: November 9, 2025

Highlights

Curation

Conda Support

Curation now supports Conda packages.

VS Code Support

You can now curate VS Code remote repositories created through the AI Editor Extensions — apply policies, conditions, and governance controls to manage VS Code packages with the same flexibility as any other package type. For more information, see How to Curate VS Code Remote Repositories.

*Requires an Ultimate or Unified Security Bundle.

Compliant Version Selection

Curation now returns the highest policy-compliant package version instead of blocking requests, minimizing development disruptions. Supported for PyPI and NPM. For more information, see Compliant Version Selection.

Advanced Security

Rules for ML Model Types

You can now define package-version rules for ML model types to block and/or notify risky formats and enforce approved versions.

Xray

Jira Integration

Xray now offers REST APIs for seamless Jira integration using Basic Authentication. For more information, see JIRA INTEGRATION.

Scanning Multi-architecture Images

Xray now supports scanning multi-architecture images. The results are presented as a unified scan summary for the entire image, along with individual scans for each contained architecture.

Xray CVSS v4.0 Scoring Support

Xray now supports CVSS v4.0 scoring in addition to CVSS v3 and v2. CVSS v4.0 introduces a more detailed, flexible, and accurate framework that allows security professionals to perform more precise risk assessments by better incorporating exploitability, the evolving threat landscape, and the unique context of their environments. This enhancement ensures that Xray’s vulnerability scoring remains up-to-date and aligned with the latest industry standards, providing a more comprehensive view of vulnerability severity and risk impact.

Xray Helm Chart Scanning Support

Xray now supports scanning Helm charts to identify vulnerabilities and license compliance issues within the chart’s packaged dependencies.

Create Custom License REST API

Added REST API support for creating Custom Licenses in Xray.

Catalog

Valkey Support

Added installation and upgrade support for JFrog Valkey, an open-source in-memory data store used in JFrog Catalog deployments. Supported across Docker Compose, RPM/Debian, Linux Archive, Helm, and OpenShift installations. For more information, see Install Valkey.

Feature Enhancements

Xray

• Added support for ant-style patterns in the specific package policy.

• Xray now supports CPE (Common Platform Enumeration) matching during SBOM ingestion for generic components.

• Added support for Apache 2.0 NOTICE information in SBOM exports (SPDX and CycloneDX).

• Xray now supports ingesting SBOMs in SPDX format, expanding compatibility with industry-standard Software Bill of Materials specifications.

• Added Support for Exporting SBOM in SPDX Format version 2.3.

• Added support for a new macro JFrog Research Severity in Native Jira Integration. It uses severity from JFrog Research when available, falls back to CVE data, or applies your default value if neither is found.

• License Attribution report is now supported in the UI as well - can be triggered from the resource export dialog.

• Automatic License Conclusion (license resolution) now shows concluded licenses as a different column in PDF, and as “concluded” property in SDPX and CycloneDX.

• Added support in Xray to detect cpp components based on text patterns embedded in compiled binaries.

• Enhanced Violations Reporting with Scheduling, Sharing, and Dashboards.

  We've introduced a powerful new experience for generating Violations Reports. Users can now:

  • Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects
  • Schedule reports to run daily, weekly, or monthly.
  • Share reports directly with teammates via email.
  • Interactive dashboards that highlight policy violations per type, severity and applicability, along with a top 10 CVEs violations widget.
  • Detailed table.

• Enhanced Vulnerabilities Reporting with Scheduling, Sharing, and Dashboards

  We've introduced a powerful new experience for generating Vulnerabilities Reports. Users can now:

  • Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects.
  • Schedule reports to run daily, weekly, or monthly.
  • Share reports directly with teammates via email.
  • View insights through a new aggregated dashboard with severity, applicability, and top 10 vulnerabilities widgets.
  • Filter results based on vulnerability applicability, severity, or component.
  • Explore full vulnerability details with remediation guidance and contextual analysis.
  • Export an overview PDF.

Catalog

Introduced License Correction Request, you can open a request in the Catalog UI for packages with unknown or misidentified licenses. The JFrog team reviews and updates the license based on their findings.

Source Code

You can now integrate Frogbot with your GitHub repositories using the JFrog GitHub App. This integration simplifies setup by automatically configuring Frogbot with GitHub Actions, adding the required secrets, and opening a workflow pull request in each selected repository. Once enabled, Frogbot continuously scans commits and pull requests for security issues, adds comments with findings, and can even open fix pull requests for vulnerable dependencies. This integration is supported for repositories under GitHub Organizations.

Resolved Issues

3.131.18

Released: November 11 , 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.19

Released: November 18, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.20

Released: November 17, 2025

3.131.22

Released: December 1, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.23

Released: December 3, 2025

3.131.24

Released: December 7, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.25

Released: December 8, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.26

Released: December 15, 2025

3.131.27

Released: December 16, 2025

3.131.28

Released: December 22, 2025 ​ This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.29

Released: December 28, 2025 ​ This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.30

Released: December 28, 2025

3.131.31

Released: December 1, 2025

3.131.32

Released: January 13, 2026

3.131.33

Released: January 20, 2026

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.35

Released: January 27, 2026

Resolved Issues

3.131.38

Released: February 3, 2026

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.39

Released: February 5, 2026

Resolved Issues

3.131.40

Released: February 19, 2026

Resolved Issues

3.131.41

Released: February 25, 2026

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.131.42

Released: April 19, 2026

3.124.11

Released: July 29 , 2025

Highlights

Xray

Legal

• License Attribution Report: Added support for including copyright information and full license text in legal exports via a new API.

• License Conclusion: Added support for automatically resolving multi-license cases in legal license exports and SBOM reports based on license category and priority.

  REST API Support:

  • Get Licenses
  • Set License Priority

Installation

JFrog has added support for RabbitMQ Quorum Queues, available as an optional parameter in system.yaml, because RabbitMQ has deprecated Classic Queue mirroring in version 4.x. Consequently, JFrog will also deprecate Classic Queue support and transition to Quorum Queues. It is recommended to enable Quorum Queues in Xray, as JFrog plans to fully transition to RabbitMQ 4.x and discontinue Classic Queue support in upcoming versions.

Feature Enhancements

Xray

A new configuration option has been introduced to enable Xray indexing when creating new repositories automatically. To index all new repositories by default, set the following flag in Xray system YAML: server.enableXrayOnNewRepos=true

Jira Integration

• Introduced new filters that enable users to categorize policy violations based on their associated Jira tickets. This improvement allows for more efficient management and resolution of violations.
• The search functionality within the Policy Violations UI has been enhanced to allow users to search for violations using Jira Ticket IDs. This makes it easier to find relevant details related to specific violations quickly.
• Xray now supports a Skip Proxy option, enabling users to bypass global proxy settings when integrating with Jira.

Package Support

Xray now supports pub packages ( Dart and Flutter).

PostgreSQL Support

Upgraded bundled PostgreSQL to 16.8 in native, archive, and Docker Compose installers.

Upgraded bundled PostgreSQL to 16.6 in Helm installers.

Catalog

Catalog now supports Conda packages.

Introducing the Labels Center in Catalog; a unified view to manage all labels used in your organization. For more information, see Configure and Manage Labels.

Source Code

New REST APIs are available for managing and retrieving source code scan data, including endpoints to list repositories, branches, commits, and detailed scan results. These APIs enable precise visibility and filtering of scanned Git data across your projects.

The results of on-demand scans run using the CLI jf audit --secrets command are now displayed in the Scans List table.

You can now export Git repository scan data directly from the user interface via Platform >Xray >Scans List.

Advanced Security

You can now create and generate an Exposures Report that gives you a visual representation of which components in your code and binaries are actively invoked and potentially exploitable. This helps you focus on real-world security risks rather than theoretical vulnerabilities. Use advanced filters and scoped views to customize the report to your specific needs and environments. The Exposures Report is also supported via the new REPORTS REST APIs:

• Generate Exposures Report
• Get Exposures Report Content

Curation

• Curation now supports Google Maven repositories.

• Enhancements to JFrog Curation Audit Capability:

  • Improved package search functionality for easier navigation and discovery.
  • Clearer distinctions between blocked, allowed, and dry-run packages.
  • Introduced a new PASSED package type for items that successfully passed curation without specific policy inspection, providing the user a full view of the Curation process.

Resolved Issues

3.124.13

Released: August 04, 2025

3.124.14

Released: August 07, 2025

3.124.15

Released: August 11, 2025

3.124.18

Released: August 17, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.19

Released: August 17, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.20

Released: August 19, 2025

3.124.21

Released: September 3, 2025

3.124.23

Released: September 17, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.24

Released: September 18, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.25

Released: September 21, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.26

Released: September 21, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.27

Released: September 26, 2025

3.124.28

Released: October 8, 2025

3.124.31

Released: October 20, 2025

3.124.32

Released: October 29, 2025

3.124.33

Released: November 09, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.34

Released: November 16, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.36

Released: January 4, 2026

3.124.37

Released: January 13, 2026

3.124.38

Released: January 20, 2026

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.124.39

Released: February 4, 2026

3.124.40

Released: February 25, 2026

Resolved Issues

3.124.41

Released: March 11, 2026

Resolved Issues:

3.124.42

Released: April 19, 2026

3.118.8

Released: April 28, 2025

Features Enhancements

Xray

• Added support for SBOM component properties in compliance with the German SBOM Regulation (BSI TR-03183) and the Indian SBOM Regulation (CERT-IN SBOM Guidelines).

• Xray now supports scanning podspec.json (extension of Cocoapods).

• Upgraded bundled PostgreSQL to 16.8 in native, archive, and Docker Compose installers.

• Upgraded bundled PostgreSQL to 16.6 in Helm installers.

• The Export Component Details v2 REST API now supports passing an array of objects instead of a single JSON. This allows you to generate SBOM reports for multiple artifacts at a time and the aggregated reports will be returned in a “multiple_components_report.zip” file.

• Enhanced the Xray-Jira integration by adding the Jira Status Retrieval feature. Xray users can now view the status of related Jira tickets without leaving the Xray platform.

  Note: This feature will be enabled by default for all integration types, except for OAuth2 authentication with Jira Cloud. OAuth2 Jira Cloud users will need to follow the additional steps outlined in the Enabling for OAuth2 on Jira Cloud section to activate the feature.

• Added support for Full License Text content in Legal reports.

• Added an option to exclude specific file names from a scan when they exist in the resource (artifact/build/release bundle).

• Added support for installing multiple Xray applications in a single namespace.

• Added a new capability to Xray policies, allowing a grace period for violations before blocking downloads.

Curation

• You can now export audit data in CSV format directly from the UI in Curation > Audit.

• You can now export audit data in CSV format through the Approved/blocked-audit REST API.

• Users can now connect repositories by package type to Curation, gaining a comprehensive overview of all curatable ecosystems in their Artifactory. Easily manage connections, view status updates for each package type, and define automatic connections for future repositories. Stay informed with notifications for any disconnections, ensuring seamless management and oversight.

• Create tickets or notifications from the system if there is a blocking action in the audit using Webhooks events. Whenever a curation process encounters a blocked package, an event is triggered and sent to the designated webhook. The event includes comprehensive details about the blocked package, such as:

  • Package Information: Identifying details of the package that was requested.
  • Requester Details: Information on the user or entity that requested the package.
  • Policy Violation: A description of the specific policy violation that resulted in the blocking of the package.

• You can now connect repositories by package type to Curation, gaining a comprehensive overview of all curatable ecosystems in your Artifactory. Easily manage connections, view status updates for each package type, and define automatic connections for future repositories. Stay informed with notifications for any disconnections, ensuring seamless management and oversight.

• EPSS (Exploit Prediction Scoring System) is a statistical probability of exploiting a CVE, enabling security teams to prioritize remediation efforts. The custom CVSS condition now supports a new relaxed condition: If the EPSS score is below a specified threshold, the policy will not block the corresponding CVE.

• Create tickets or notifications from the system to monitor the creation of Waiver Requests and related documentation in external systems using Webhooks events. Introduced two new Webhook events for Waiver Request creation and Waiver Request update. For more information, see Webhooks.

• You can now create, read, update, and delete curation policies and conditions using the REST APIs.

• Curation now supports Rust repositories.

• Added a new webhook that enables security teams to understand if there were any changes in the configuration of Curation policies, including changes in the policy condition. This will not detect changes in label/package applications.

Catalog

• Catalog now supports Google Maven repositories.

Source Code

• CLI

  • You may now use the Waiver feature for Curation, using the JFrog jf curation-audit CLI command. The Curation Waiver feature allows you to exclude specific packages or versions from policy restrictions.
  • A Violations column was added to the Git Repositories tab under Scans List. This means that you may now see the violation count for each Git commit.

• Frogbot

  • Frogbot scan results are now available directly in the JFrog platform's Scans List, under the Commits tab or associated Pull Request (PR). This centralized view provides clear visibility into security issues—including Secrets, SAST findings, and vulnerabilities—detected in your source code and dependencies, helping you triage and remediate risks faster during development.

Advanced Security

With the new Custom Scanner, you can now define search patterns to detect sensitive information in your artifacts and source code, scanning both binary and text files.

Resolved Issues

3.118.9

Released: April 29, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.11

Released: April 29, 2025

Resolved Issues

3.118.13

Released: May 8, 2025

Resolved Issues

3.118.14

Released: May 13, 2025

Resolved Issues

3.118.17

Released: May 19, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.20

Released: June 4, 2025

Resolved Issues

3.118.22

Released: June 19, 2025

Resolved Issues

3.118.23

Released: July 06, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.24

Released: July 17, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.25

Released: August 03, 2025

3.118.26

Released: August 05, 2025

3.118.27

Released: August 05, 2025

3.118.28

Released: August 11, 2025

3.118.30

Released: September 14, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.31

Released: September 26 , 2025

3.118.32

Released: August 19, 2025

3.118.36

Released: October 29, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.38

Released: November 10, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.40

Released: December 23, 2025

Resolved Issues:

3.118.41

Released: December 30, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.118.42

Released: January 13, 2026

Resolved Issues:

3.118.43

Released: April 16, 2026

Enhancements

Advanced Security

Optimized the Alpine Advanced Security scanner bundle size by streamlining gadget installations, expanding PyInstaller module exclusions, and removing non-runtime files post-build.

3.111.9

Released: January 30, 2025

Feature Enhancements

Xray

• Installing Xray is now supported on Amazon Linux 2023 (AL3).

• Xray now supports indexing raw disk images (.img) and SquashFS (.squashfs).

• JFrog Self-Hosted customers will see an information message under the scans list prompting an upgrade to DBSync v3. We strongly encourage users to migrate to DBSync v3 promptly to ensure seamless and timely updates. For details, see Migration Guide for Self-Hosted Customers: Upgrading from DBSync V1 to V3.

• Enhanced the clarity and readability of Jira Ticket Summary and Description fields created through the Xray-Jira integration.

• Introduced a new Builds Security Overview dashboard that provides a centralized and comprehensive view of build versions where you can analyze trends, identify the most vulnerable components, and mitigate security risks effectively. For more information, see Builds Security Overview.

• Added support for 3 additional fields in CycloneDX vulnerabilities description:

  • Vulnerability Ratings: Include CVSS Score, CVE severity, Scoring method, and Vector
  • Vulnerability Description: A detailed description of the specific vulnerability
  • Vulnerability CWEs: A list of CWE (Common Weaknesses Enumerations) that fit this specific CVE

  These 3 added fields greatly enhance the detail level and completeness of our CycloneDX SBOM reports.

• You can now download the technician dashboard to view charts of metrics related to application performance. This REST API call will download a zip file with the dashboards as HTML files. Any admin user can access the REST API.

  REST API:GET api/v1/metrics/dashboard/download

• Added Repo Path to the generated Violation reports.

• Improved Operational Risk Policy by allowing the release age to be set in customized months instead of using a default range.

Advanced Security

• Secrets Detection is now supported for the following types of repositories:

  • RPM
  • Debian
  • Alpine
  • Go
  • RubyGems
  • Gradle

• Gradle repositories are now supported for Contextual Analysis.

• Enhanced the design of the Exposures details (right pane).

Curation

• You can now directly create a Curation Policy from a condition.
• Introduced a guided process to help new Curation users get started. It clearly outlines steps like enabling curation, connecting repositories, and setting policies, with visual cues to track progress
• Introduced a new Conditions Template that allows a Security Manager to create Curation Policies based on OpenSSF scorecard results. Conditions based on this template detect and block third-party packages whose scorecard scores (one or more) match the range you defined (including aggregated scores).
• Curation policies can now be applied to repositories for a specific package type, including current and future repositories of the same type.

Catalog

JFrog Catalog can now be installed using Helm and OpenShift. For more information, see Install JFrog Catalog with Helm and OpenShift.

Resolved Issues

3.111.12

Released: February 2, 2025

3.111.15

Released: February 26, 2025

3.111.18

Released: March 11, 2025

3.111.20

Released: March 11, 2025

3.111.23

Released: March 11, 2025

3.111.24

Released: April 10, 2025

3.111.25

Released: April 17, 2025

3.111.26

Released: May 15, 2025

3.111.28

Released: June 4, 2025

3.111.30

Released: August 3, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.111.31

Released: August 6, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

3.107.11

Released: November 25, 2024

Feature Enhancements

Xray

Xray Reports

Added Repo Path to the generated Violation reports.

Retention Period Enhancement

Improved the retention period of scans, which will be recalculated once the artifact is downloaded. The retention period will be remeasured from the beginning of the configured retention.

Indexing CycloneDX SBOM Files

Added Xray support for indexing CycloneDX SBOM files (*.cdx.json or *.cdx.xml in Generic or Docker repositories)

Advanced Security

NuGet Support in Secrets

Secrets scanning is now supported on NuGet repositories.

JFrog Curation

Use JFrog Catalog Labels as Waivers in a Policy

This feature enables the security team to specify multiple packages and versions that can be excluded from the Policy (i.e., not violating it) allowing them to enter the repository. Waivers are added as labels on a per-policy basis, using preset labels from the JFrog Catalog.

Resolved Issues

3.107.15

Released: December 1, 2024

3.107.18

Released: December 15, 2024

Highlights

Xray

JFrog Self-Hosted customers will see an information message under the scans list prompting an upgrade to DBSync v3. We strongly encourage users to migrate to DBSync v3 promptly to ensure seamless and timely updates. For details, see Migration Guide for Self-Hosted Customers: Upgrading from DBSync V1 to V3.

Resolved Issues

3.107.21

Released: January 2, 2025

3.107.23

Released: January 19, 2025

📘

Note

All users on Xray versions 3.107.7, 3.107.15, 3.107.18, 3.107.18, 3.107.21 and using the Xray block download policy, should upgrade to Xray version 3.107.23 to maintain optimal performance in Artifactory and Xray.

3.107.30

Released: March 6, 2025

3.107.32

Released: March 26, 2025

3.107.35

Released: April 20, 2025

3.107.36

Released: May 15, 2025

Xray 3.104

3.104.17

Released: October 6, 2024

3.104.19

Released: November 20, 2024

3.104.18

Released: October 15, 2024