Here you'll find the previous releases of JFrog Security Products.

The release notes are displayed in chronological order, with the latest ones always displayed at the top.

JFrog supports each version for 18 months from its release date.

3.140.2

Released: February 22, 2026

Feature Enhancements

Xray

  • Added a structured field to Xray logs.
  • Updated the log message when downloading files from Artifactory.
  • Impact Search:
    • Enhanced Impact Search autocomplete with improved suggestion filtering and more intuitive keyboard navigation, preventing duplicate selections.
    • Added support for unquoted values in Impact Search queries for greater input flexibility.
  • Added support for returning SBOM exports in the REST API response body by specifying "output_format": "raw" in the request body.
  • Optimized bulk delete operations for SBOM data.
  • Enabled Optimized Impact Analysis by default for instances migrated to SBOM.
  • Violation Report:
    • Centralized CVSS display in the CVE details panel of the Violations Report for improved consistency.
    • Refined visibility rules for CVSS information across package types and viewing contexts.
    • Updated the layout to display CVSS information alongside related metadata and moved the watch name after the policy for clearer context.
  • Improved performance of the FrogBot V3 fix-version endpoint.
  • Performed internal unification of SBOM data enrichment across the APIs.
  • Refactored malicious package identification in the database to improve malicious search capabilities.
  • Upgraded RabbitMQ to version 4.0 in SaaS and improved metrics collection.

Curation

  • With Compliant Version Selection enabled, JFrog Curation now dynamically evaluates packages not found in the Catalog. Packages are allowed by default unless a blocking policy exists, in which case they are blocked and automatically replaced with a compliant alternative.

Resolved Issues

Jira ID   Description
XRAY-135447   Resolved an issue where the fixed_version field was missing from the Artifact Summary API response.
XRAY-135251   Resolved an issue that caused an incorrect error when adding a policy with the Enable Jira Ticket toggle enabled.
XRAY-135146   Resolved an out-of-memory (OOM) condition that could cause scans to fail.
XRAY-135049   Added an index to the SBOM migration table to improve status retrieval performance.
XRAY-135034   Resolved an issue in Exposure unit tests that could cause test failures due to a panic.
XRAY-134745   Resolved an issue that could cause vulnerability reports to appear empty in some cases.
XRAY-134721   Resolved a failure in Xray caused by a missing docker.config file.
XRAY-134637   Resolved flaky tests related to the Exposure mechanism.
XRAY-134561   Resolved an issue where a build would not appear as a watch resource.
XRAY-134550   Resolved a 404 error when opening Jira-linked violations for builds containing “/” in the name, caused by improper URL encoding.
XRAY-134548   Improved policy evaluation accuracy for newly introduced CVEs by refining fallback logic for artifacts awaiting re-scan.
XRAY-134524   Resolved an issue affecting impact path calculation for zipped components during scans.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.
XRAY-134402   Resolved an issue where project-scoped watches did not create violations for remote repositories.
XRAY-134400   Added additional logging to the new garbage collection procedure.
XRAY-134152   Resolved an issue that caused the Git repositories screen to fail to load in some cases.
XRAY-134023   Fixed a bug where Release Bundle v2 versions were scanned for CVE applicability even when Contextual Analysis was explicitly disabled for the RBv2 resource. Newly created RBv2 versions now correctly show "Not Scanned" status when CA is disabled.
XRAY-133701   Resolved an issue where the extended information for a vulnerability was not being processed.
XRAY-129018   Webhook URLs are now validated to prevent Server-Side Request Forgery (SSRF) attacks. URLs pointing to private/internal IP addresses and localhost are blocked. This validation is disabled by default on self-hosted deployments. Self-hosted customers who do not need to call private IP webhooks can enable it via system.yaml.
XRAY-128452   Resolved an issue that could cause “ghost” violations to appear.
XRAY-134664   Optimized Policy Enforcer runtime performance.
XRAY-134636   Reduced cardinality in data query logs.
XRAY-134607   Resolved an issue that could cause JAS installation to fail on Ubuntu 24.04 due to incompatibility with Python 3.12.
XRAY-133365   Added a structured field to Xray logs.
XRAY-135525   Resolved an inconsistency in the violation count displayed in the UI.
XRAY-134996   Resolved an issue that could cause violations from custom vulnerabilities to be missing.
XRAY-135677   Resolved an issue affecting build info retrieval via AQL.
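As an added illustration of the kind of check described for XRAY-129018 (example code written for this page, not Xray's implementation), the validator below rejects webhook URLs whose host is localhost, a literal private, loopback, link-local or otherwise non-public address, or a name that resolves to one. The resolver is injected so the sample runs offline against a constructed lookup table: validate_webhook_url, fake_resolve, FAKE_DNS and every hostname and address in it are assumptions of this example, not values from the release notes. The enforce flag mirrors the note that the check can be switched off, as it is by default on self-hosted deployments.

```python
import ipaddress
from typing import Callable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; names and addresses are hypothetical.
FAKE_DNS = {
    "hooks.example.com": ["1.2.3.4"],            # public address: allowed
    "intranet.corp.example": ["10.1.2.3"],       # RFC 1918 address: blocked
    "mixed.example": ["1.2.3.4", "::1"],         # one public, one loopback record: blocked
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in for a DNS lookup; raises OSError like socket.getaddrinfo would."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"name not found: {host}")


def _is_blocked(ip: IPAddress) -> bool:
    """True for any address that must never be a webhook target."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so 127.0.0.1 cannot hide behind v6 syntax.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url: str, resolve: Resolver = fake_resolve,
                         enforce: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). With enforce=False every URL is accepted,
    matching a deployment where the SSRF check is switched off."""
    if not enforce:
        return True, "validation disabled"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # already lower-cased and stripped of [] by urlsplit
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"no addresses for {host!r}"
    # Every resolved address must be public; a single blocked record fails the URL.
    for ip in addrs:
        if _is_blocked(ip):
            return False, f"{host!r} points to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://hooks.example.com/notify", "http://10.1.2.3/hook",
              "http://intranet.corp.example/", "http://[::ffff:127.0.0.1]/"):
        print(u, validate_webhook_url(u))
```

Validating only when the webhook is registered leaves a window in which the name can later be pointed at an internal address, so production code should repeat the resolution when the webhook fires and connect to the vetted address rather than re-resolving the name.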

3.140.3

Released: February 24, 2026

Jira ID   Description
XRAY-135049   Added an index to the SBOM migration table to improve status retrieval performance.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.

3.140.4

Released: March 5, 2026

Jira ID   Description
XRAY-136189   Resolved an issue where missing fields could cause Curation-on-Demand scans to fail.
XRAY-136172   Improved handling of JSONC files, such as tsconfig.json, in Secrets scans for Docker images, which could previously fail and result in a partial scan status.
XRAY-135768   Resolved an issue where an SBOM file encoding error could cause the entire scan to fail.
XRAY-136144   Updated JFrog Router to version 7.205.4.

3.140.5

Released: March 8, 2026

Jira ID   Description
XRAY-136144   Updated JFrog Router version to 7.205.4.
XRAY-135558   Resolved an issue where Exposures scans could crash on malformed or corrupted archive files (.tgz, .tar.gz, .deb), resulting in repeated scan failures and a partial scan status. The scanner now gracefully skips unextractable archives and continues the scan.
XRAY-133098   Resolved an issue that could cause incorrect rule retrieval when policies had identical names.
XRAY-132636   Resolved an issue where Exposures scans failed on OCI artifacts stored in Docker repositories, resulting in a partial scan status. Non-container artifacts pushed via tools like ORAS are now correctly identified and handled gracefully.

3.140.6

Released: March 9, 2026

Jira ID   Description
XRAY-136880   Resolved an issue affecting base image detection behavior for multi-architecture images.
XRAY-135539   Resolved an issue affecting Go support in Source Code Basic Remediation.
XRAY-135049   Added an index to the SBOM migration table to improve status retrieval performance.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.

3.139.2

Released: February 9, 2026

Resolved Issues

Jira ID   Description
XRAY-133701   Resolved an issue where the extended information for a vulnerability was not being processed.
XRAY-134721   Resolved a failure in Xray caused by a missing docker.config file.
XRAY-134517   Enabled Optimized Impact Analysis by default for SBOM-migrated instances.
XRAY-134666   Optimized bulk delete operations for SBOM data.
XRAY-134561   Resolved an issue where a build would not appear as a watch resource.
XRAY-134400   Added additional logging to the new garbage collection procedure.
XRAY-134292   Improved performance of the FrogBot V3 fix-version endpoint.
XRAY-134072   Performed internal unification of SBOM data enrichment across the APIs.
XRAY-133994   Resolved an issue where history scans did not update the scan status, causing blocks.
XRAY-133925   Resolved a bug where the WorkersCount API reported an incorrect number of workers used for SBOM Impact Analysis.
XRAY-133857   Resolved an issue affecting hash persistence for packages ingested through both binary and declarative ingestion flows.
XRAY-133798   Resolved an issue that caused duplicate violations for Alpine Docker builds.
XRAY-133583   Optimized license assignment during the scan process.
XRAY-133517   Resolved an issue where custom vulnerabilities were sometimes not shown in the artifact summary.
XRAY-133365   Added a structured field to Xray logs.
XRAY-133324   Resolved an issue where upgrading Xray could cause failed checks for HA RabbitMQ.
XRAY-132937   Added support for Debian and Ubuntu copyright information in the attribution report.
XRAY-132227   Added row highlighting for the selected row in a table.
XRAY-131795   Resolved an issue with split identifiers for “unknown” licenses that caused misuse of unknown licenses.
XRAY-131789   Resolved an issue where Xray policy violations were not displayed for builds when using a project-level watch scope, while the same violations appeared correctly when the watch was scoped to a specific build.
XRAY-131339   Resolved an issue where an undefined value in the component field of the SBOM table caused UI display issues.

3.139.4

Released: February 11, 2026

Resolved Issues

Jira ID   Description
XRAY-134727   Resolved a security vulnerability identified as CVE-2025-15467.
XRAY-134666   Optimized bulk delete operations for SBOM data.
XRAY-134664   Optimized Policy Enforcer runtime performance.
XRAY-134548   Resolved Policy Enforcer fallback behavior that could incorrectly generate CVE violations marked Not Applicable when an artifact was scanned before the CVE was introduced to the scanner’s vulnerability database.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.
XRAY-130107   Enhanced the secret detection engine filtering logic to reduce false positives caused by example local database configurations in installation scripts.

3.139.5

Released: February 12, 2026

Resolved Issues

Jira ID   Description
XRAY-135146   Resolved an out-of-memory (OOM) condition that could cause scanning to fail.

3.139.7

Released: February 12, 2026

Resolved Issues

Jira ID   Description
XRAY-135049   Added an index to the SBOM migration table to improve status retrieval performance.
XRAY-134666   Optimized bulk delete operations for SBOM data.
XRAY-134548   Improved policy evaluation accuracy for new CVEs by refining the fallback logic for artifacts awaiting a re-scan.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.
XRAY-131477   Refactored malicious package identification in the database to improve malicious search capabilities.
XRAY-131477Refactored malicious package identification in the database to improve malicious search capabilities.

3.139.8

Released: February 15, 2026

Resolved Issues

Jira ID   Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in cloud environments.
XRAY-134664   Optimized Policy Enforcer runtime performance.
XRAY-134664Optimized Policy Enforcer runtime performance.

3.139.9

Released: February 18, 2026

Resolved Issues

Jira ID   Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in Cloud environments.

3.139.10

Released: February 18, 2026

Resolved Issues

Jira ID   Description
XRAY-134745   Resolved an issue that could cause vulnerability reports to appear empty in some cases.

3.139.11

Released: February 19, 2026

Resolved Issues

Jira ID   Description
XRAY-135447   Resolved an issue where the fixed_version field was missing from the Artifact Summary API response.
XRAY-135677   Resolved an issue affecting build info retrieval via AQL.

3.138.0

Released: January 26, 2026

Feature Enhancements

Xray

  • Added support for Debian and Ubuntu copyright information in the Attribution Report.
  • Optimized license assignment during the scan process.
  • UX improvements to the Impact Search console behavior.

Advanced Security

Ignore rules now support Secrets-based filtering, allowing you to ignore specific Secrets findings so they won’t appear in future scans.

Curation

  • Introduced new REST APIs to get and create a Waiver Request.
  • The Open Waiver Request table now lists the most recently updated request at the top.

Resolved Issues

Jira ID   Description
XRAY-132724   Wrong CVE information in RPM component libxslt-1.1.32-6.1.
XRAY-131610   Inconsistencies between UI and REST API in Custom License Creation.
XRAY-127553   Resolved an issue that caused on-demand scans to occasionally not appear in the Platform UI.

3.138.2

Released: January 29, 2026

Resolved Issues

Jira ID   Description
XRAY-133423   Resolved a security vulnerability identified as CVE-2025-4517.

3.138.3

Released: February 4, 2026

Resolved Issues

Jira ID   Description
XRAY-134400   Added additional logging to the new garbage collection procedure.

3.138.6

Released: February 6, 2026

Resolved Issues

Jira ID   Description
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.

3.138.7

Released: February 10, 2026

Resolved Issues

Jira ID   Description
XRAY-134727   Resolved a security vulnerability identified as CVE-2025-15467.
XRAY-134664   Optimized Policy Enforcer runtime performance.
XRAY-134548   Resolved Policy Enforcer fallback behavior that could incorrectly generate CVE violations marked Not Applicable when an artifact was scanned before the CVE was introduced to the scanner’s vulnerability database.

3.138.10

Released: February 11, 2026

Resolved Issues

Jira ID   Description
XRAY-134664   Optimized Policy Enforcer runtime performance.
XRAY-130107   Enhanced the secret detection engine filtering logic to reduce false positives caused by example local database configurations in installation scripts.

3.138.12

Released: February 15, 2026

Resolved Issues

Jira ID   Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in cloud environments.
XRAY-134548   Improved policy evaluation accuracy for new CVEs by refining the fallback logic for artifacts awaiting a re-scan.

3.138.13

Released: March 8, 2026

Resolved Issues

Jira ID   Description
XRAY-135768   Resolved an issue where an SBOM file encoding error could cause the entire scan to fail.
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in Cloud environments.
XRAY-133098   Resolved an issue that could cause incorrect rule retrieval when policies had identical names.
XRAY-136172   Improved handling of JSONC files, such as tsconfig.json, in Secrets scans for Docker images, which could previously fail and result in a partial scan status.
XRAY-132636   Resolved an issue where Exposures scans failed on OCI artifacts stored in Docker repositories, resulting in a partial scan status. Non-container artifacts pushed via tools like ORAS are now correctly identified and handled gracefully.
XRAY-135558   Resolved an issue where Exposures scans could crash on malformed or corrupted archive files (.tgz, .tar.gz, .deb), resulting in repeated scan failures and a partial scan status. The scanner now gracefully skips unextractable archives and continues the scan.

3.137.2

Released: January 13, 2026

Feature Enhancements

Curation

  • Added support for the Pub ecosystem in Catalog and Curation policies.
  • Added support for PHP Composer in Catalog and Curation policies.
  • Added support for Debian and Ubuntu in Catalog and Curation policies.
  • Added support for waiver requests in the API and UI, enabling developers to request waivers from policy owners for specific blocked packages, in addition to the existing CLI flow.

Xray

  • Added Impact Search capability for searching vulnerability identifiers or package identifiers across the entire Xray database.
  • A new REST API, Get Jira Integration Status, has been introduced to enable programmatic retrieval of the current health and operational status of an existing Jira integration.

Resolved Issues

Jira ID   Description
XRAY-131885   Resolved an intermittent Indexer crash.
XRAY-131798   Resolved an issue preventing expected violations from being generated when re-scanning Release Bundles after removing ignore rules.
XRAY-131790   Resolved incorrect component IDs returned during fix-version checks for Debian distributions when using the new SBOM.
XRAY-131704   Resolved an issue where license violations from Git repository scans failed to load in the violation right pane.
XRAY-131644   Resolved an issue in Xray Reports that caused redirect errors during navigation.
XRAY-131573   Resolved an issue that caused errors due to incorrectly formatted requests in the Violations API.
XRAY-131012   Resolved an issue where, in some cases, external links to license information under the SBOM tab were broken.
XRAY-130525   Resolved an issue that caused false positives for specific RPM components.
XRAY-129037   Resolved an issue where packages with invalid or outdated license metadata were not updated during forced reindex operations.
XRAY-129030   Resolved an issue that caused sorting preferences to reset in the Report Results view.
XRAY-126114   Resolved an issue that caused failures when scanning a specific CRAN package.
XRAY-122439   Resolved an issue where fix versions were not displayed for some packages during on-demand scanning.
XRAY-130792   Resolved an issue with NPM “latest” tag handling where inspections could select a non-compliant version; the inspection process now evaluates all available versions and automatically excludes non-compliant releases from the metadata.

3.137.3

Released: January 13, 2026

Resolved Issues

Jira ID   Description
XRAY-132850   Resolved an issue in which some RabbitMQ queues failed to replicate consistently across all nodes in a high-availability environment when Quorum Queues were disabled.

3.137.4

Released: January 14, 2026

Catalog

  • Loading custom certificates into ${JF_PRODUCT_HOME}/var/etc/security/keys/trusted is now supported for secure communication with Catalog Central when a proxy server is configured.
  • Introduced bulk assignment of packages to labels to support waivers across all current and future package versions.
  • Increased the maximum number of labels that can be assigned to a single package to 500.
  • Introduced a new public API that returns the currently active Catalog version.

Resolved Issues

Jira ID   Description
XRAY-132829   Resolved tab click behavior issues, added package type auto-complete, and updated the column order and formatting in Impact Search.
XRAY-90900   Added catalog installation support for Ubuntu 24.04 and Debian 12.

3.137.5

Released: January 14, 2026

Resolved Issues

Jira ID   Description
XRAY-132657   Migrated the Descendants Tree to the new UI tree component.

3.137.10

Released: January 20, 2026

Resolved Issues

Jira ID   Description
XRAY-133583   Optimized license assignment during the scan process.
XRAY-132937   Added support for Debian and Ubuntu copyright information in the attribution report.

3.137.11

Released: January 21, 2026

Resolved Issues

Jira ID   Description
XRAY-133583   Optimized license assignment during the scan process.
XRAY-132937   Added support for Debian and Ubuntu copyright information in the attribution report.

3.137.12

Released: January 21, 2026

Resolved Issues

Jira ID   Description
XRAY-133583   Optimized license assignment during the scan process.
XRAY-132937   Added support for Debian and Ubuntu copyright information in the attribution report.

3.137.14

Released: January 27, 2026

Resolved Issues

Jira ID   Description
XRAY-133925   Resolved a bug where the WorkersCount API reported an incorrect number of workers used for SBOM Impact Analysis.

3.137.15

Released: January 29, 2026

Resolved Issues

Jira ID   Description
XRAY-133423   Resolved a security vulnerability identified as CVE-2025-4517.

3.137.16

Released: February 4, 2026

Resolved Issues

Jira ID   Description
XRAY-134400   Added additional logging to the new garbage collection procedure.

3.137.17

Released: February 6, 2026

Resolved Issues

Jira ID   Description
XRAY-134721   Resolved a failure in Xray caused by a missing docker.config file.
XRAY-134607   Resolved an issue affecting JAS installation on Ubuntu 24.04.
XRAY-134517   Enabled Optimized Impact Analysis by default for SBOM-migrated instances.
XRAY-134414   Resolved an issue causing a 500 response in one of the SBOM Search APIs.
XRAY-134152   Resolved an issue that caused the Git repositories screen to fail to load in some cases.

3.137.20

Released: February 15, 2026

Resolved Issues

Jira ID   Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in cloud environments.
XRAY-134548   Improved policy evaluation accuracy for new CVEs by refining the fallback logic for artifacts awaiting a re-scan.
XRAY-130107   Enhanced the secret detection engine filtering logic to reduce false positives caused by example local database configurations in installation

3.137.21

Released: February 19, 2026

Resolved Issues

Jira ID   Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in cloud environments.

3.137.22

Released: February 23, 2026

Resolved Issues

Jira ID   Description
XRAY-135801   Improved detection of Debian packages in ECHO Docker images.

3.136.0

Released: January 4, 2026

Feature Enhancements

Curation

The issue related to the selection of the NPM “latest” tag has been resolved. When the version referenced by the latest tag does not represent the most recent compliant release (for example, when newer versions exist but are not tagged as latest), the inspection process now continues to evaluate all available versions. It automatically removes any non-compliant versions from the metadata.

Xray

  • A new REST API, Get Jira Integration Status, has been introduced to enable programmatic retrieval of the current health and operational status of an existing Jira integration.
  • Added support for ingesting VEX (Contextual Analysis) information from external CycloneDX sources. Requires Advanced Security.
  • Added a new REST API endpoint, /api/v1/sbomMigration/status, to retrieve the current SBOM migration status.
  • Added support for a text output format for the License Attribution Report.
  • Added component supplier information to SPDX reports in accordance with the NTIA 2021 SBOM guidelines.

Resolved Issues

Jira ID   Description
XRAY-131885   Resolved an issue that intermittently caused the Indexer to crash.
XRAY-131434   Resolved an issue where dependency information did not appear in Build SBOM exports.
XRAY-131301   Resolved a security vulnerability identified as CVE-2025-47913.
XRAY-130635   Resolved an issue that caused errors when attempting to clone a report.
XRAY-129030   Resolved an issue that caused sorting preferences to reset in the Report Results view.
XRAY-127329   Resolved an issue in input parsing within the Reindex flow.
XRAY-127276   Resolved a security vulnerability identified as CVE-2025-59375.
XRAY-131616   Resolved an issue that caused errors during RabbitMQ4 installation.
XRAY-131562   Resolved an issue that prevented navigation away from the Vulnerabilities Report tab.
XRAY-131393   Resolved an issue where the completion log was printed before the analysis had finished.
XRAY-131798   Resolved an issue where re-scanning Release Bundles after deleting ignore rules did not create violations when expected.
XRAY-130339   Fixed an issue where navigating to the root (/) folder of GitLab servers under Git Repositories could result in a 500 server error.
XRAY-130154   Fixed an issue where on-demand secrets scans executed via the JFrog CLI could fail when custom secrets were matched.
XRAY-128937   Fixed an issue where opening the on-demand scans UI could result in a UI timeout.

3.136.1

Released: January 5, 2026

Resolved Issues

Jira ID   Description
XRAY-129037   Resolved an issue in which packages with invalid or outdated license metadata were not updated during forced reindex operations.

3.136.3

Released: January 13, 2026

Resolved Issues

Jira ID   Description
XRAY-132738   Resolved an error occurring during JF Docker Scan execution when OCI annotations were empty.

3.135.1

Released: December 15, 2025

Resolved Issues

Jira ID   Description
XRAY-127407   Include/exclude patterns in Vulnerability reports were not working properly.
XRAY-126114   Xray, in some cases, did not scan a specific CRAN package.
XRAY-129148   Fixed the curation email sending mechanism for SaaS customers using CNAME.
XRAY-114874   In the policy creation flow, all groups are now displayed when selecting a waiver decision owner from the group drop-down.

3.135.5

Released: December 24, 2026

Resolved Issues

Jira ID   Description
XRAY-131885   Resolved an intermittent Indexer crash.
XRAY-126114   Resolved an issue that caused failures when scanning a specific CRAN package.

3.134.1

Released: December 2, 2025

Highlights

Catalog

JFrog Catalog now includes Public Labels, predefined labels created by the JFrog Security Research team to help classify and identify important package groups. Public labels are read-only and are applied automatically by JFrog, allowing for filtering and evaluation across the Catalog.

A new public label, MCP Servers, identifies packages originating from MCP (Model Context Protocol) servers, based on JFrog’s curated research.

Xray

The SBOM tab now supports the essential use case of viewing and updating OSS license information for components within the SBOM. You can open any component in the SBOM tree, review its detected licenses, and add, remove, or correct license entries directly from the UI. This enables accurate license attribution and improves compliance reporting for scanned artifacts. For more information, see How to view and modify licenses in the SBOM tab.

Feature Enhancements

Xray

  • Xray now supports scanning multi-architecture images. The results are presented as a unified scan summary for the entire image, along with individual scans for each contained architecture.
  • Full license text retrieval in Attribution and SBOM: adds the full license text of generic licenses.

Resolved Issues

Jira ID   Description
XRAY-129037   Incorrect licensing in packages wasn’t fixed even with force-reindex.

3.133.0

Released: November 17, 2025

Feature Enhancements

Curation

  • Added support for additional Maven repositories:
  • The Curation Audit now includes additional filters for easier tracking and analysis: Reason, Requester Email (search), Origin, and Condition Name.
  • You can now search for a package without specifying a version, enabling visibility across all available versions.

Xray

The Impact Path view has been upgraded from the Bullseye layout to a more intuitive tree-based visualization, improving clarity and navigation.

JFrog Advanced Security

Added support for exporting Secrets scan results in CycloneDX (CBOM) format.

Resolved Issues

Jira ID   Description
XRAY-127727   The Violation Report filters displayed only the first 1,000 Watches. All relevant Watches are now shown correctly.
XRAY-127291   Added the Xray ID field to the detailed pane of CVE policy violations, providing clearer traceability and reference.
XRAY-124905   The license atlassian-end-user-license-agreement-3.0 was missing from the Xray license database.
XRAY-125088   Resolved an issue that caused inconsistencies in the displayed violation count.

3.133.3

Released: November 21, 2025

Feature Enhancements

JFrog Advanced Security

JFrog Advanced Security now includes Transitive Dependency Analysis, enabling deep contextual insight into vulnerabilities introduced through indirect (transitive) dependencies. For each CVE, users can now view:

  • The full call chain leading to the vulnerable function, including whether the call is direct or transitive.
  • A visual call graph illustrating the dependency path.
  • Highlighted evidence, such as functions, file paths, and line numbers, with one-click copy for easy sharing.

3.132.0

Released: November 2, 2025

Feature Enhancements

Added REST API support for creating Custom Licenses in Xray.

Resolved Issues

Jira ID   Description
XRAY-128360   Incorrect Helm Charts files in the scanned filesystem were causing the SCA scan to freeze.
XRAY-128113   In some cases, Xray failed to save Multi-arch image scans to the database.
XRAY-127669   The Package Type column in Vulnerability Reports was empty.
XRAY-125318   “Unknown” license violations did not display any impact paths.
XRAY-116071   Resolved an issue where offline DBSync showed the wrong migration instructions during the synchronization process.

3.131.0

Released: October 17, 2025

Highlights

Xray

Scanning Multi-architecture Images

Xray now supports scanning multi-architecture images. The results are presented as a unified scan summary for the entire image, along with individual scans for each contained architecture.

Xray CVSS v4.0 Scoring Support

Xray now supports CVSS v4.0 scoring in addition to CVSS v3 and v2. CVSS v4.0 introduces a more detailed, flexible, and accurate framework that allows security professionals to perform more precise risk assessments by better incorporating exploitability, the evolving threat landscape, and the unique context of their environments. This enhancement ensures that Xray’s vulnerability scoring remains up-to-date and aligned with the latest industry standards, providing a more comprehensive view of vulnerability severity and risk impact.

Xray Helm Chart Scanning Support

Xray now supports scanning Helm charts to identify vulnerabilities and license compliance issues within the chart’s packaged dependencies.

Feature Enhancements

Xray

  • Xray now supports CPE (Common Platform Enumeration) matching during SBOM ingestion for generic components.
  • Added support for Apache 2.0 NOTICE information in SBOM exports (SPDX and CycloneDX).
  • Xray now supports ingesting SBOMs in SPDX format, expanding compatibility with industry-standard Software Bill of Materials specifications.

Resolved Issues

Jira ID   Description
XRAY-124561   dockerIgnoreInstalledFiles feature flag did not work properly.
XRAY-119548   Updated the violations widget title to display “Loading” while data is being retrieved, instead of showing a zero value.
XRAY-123980   Several licenses, including BSD-2-Clause-first-lines, BSD-2-Clause-Darwin, and LicenseRef-jfrog-w3c-03-bsd-license, were not available when creating an Xray License policy.
XRAY-122761   A warning message appeared when saving a Watch, indicating a failure to retrieve the binary manager.
XRAY-118013   A misleading log message appeared in Xray logs when a user viewed the scan data for a Debian package, despite the scan being successful.
XRAY-87110   Project admins received an incorrect "Currently only admins can run an SCA scan" message when viewing the Xray Data tab for non-indexed resources, despite having permissions to initiate scans elsewhere.
XRAY-124184   Fixed an issue that caused a specific on-demand Source Code Scan deletion to fail.
XRAY-125467   Indexing a specific zip file could cause a runtime error, such as an invalid memory address or a nil pointer dereference.
XRAY-125238   Watch violations were incorrectly triggered for packages with N/A CVSS scores when a policy's CVSS score rule range included the maximum score of 10.
XRAY-124208   Fixed a memory leak during scans of zstd archives.
XRAY-123758   Unsupported Docker layer MIME types caused an irrecoverable indexing error.
XRAY-126975   Fixed an issue that occasionally caused Impact Analysis to fail on Self Hosted installations of Xray.
XRAY-126787   Incorrect status code error when exporting the license attribution report without the Catalog service available.
XRAY-125880   CVE duplications appeared in the Vulnerabilities tab in Xray scan results.
XRAY-123429   Fixed an issue where on-demand scan results in the Platform UI displayed a CVE as “not_applicable” instead of “not_covered”.
XRAY-125126   Fixed an issue affecting third-party components in the Applicability scanner.
XRAY-127701   The Attribution Report was failing for builds.
XRAY-127446   CPE parsing created empty Component IDs.
XRAY-127028   Fixed default component type classification and fixed component type classification for ML models.
XRAY-127368   Fixed a UI bug in the Report right pane that caused overflow when too many licenses were selected.
XRAY-127250   Improved global permissions fetching, which had caused potential slowness in Curation UI page loading.
XRAY-126104   Comparing build versions in the UI failed with a 'Mandatory fields are missing' error when the build name contained a forward slash ('/').

3.131.5

Released: October 26, 2025

Resolved Issues

Jira ID   Description
XRAY-125318   The Impact Path was not displayed for packages with Unknown Licences.

3.131.8

Released: October 30, 2025

Resolved Issues

Jira ID   Description
XRAY-127940   Xray scans were hanging when scanning JAR executables.
XRAY-127669   The Package Type column in Vulnerability Reports was empty.
XRAY-125318   “Unknown” license violations did not display any impact paths.
XRAY-126080   Fixed an issue where artifacts were downloaded from remote sources instead of using the remote cache.

3.131.40

Released: February 19, 2026

Resolved Issues

Jira          Description
XRAY-135140   Resolved a security vulnerability identified as CVE-2025-68121 in Cloud environments.
XRAY-134727   Resolved a security vulnerability identified as CVE-2025-15467.
XRAY-134548   Improved policy evaluation accuracy for newly introduced CVEs by refining the fallback logic for artifacts awaiting re-scan.
XRAY-130107   Enhanced the secret detection engine filtering logic to reduce false positives from example local database configurations in installation scripts.

3.130.5

Released: September 28, 2025

Highlights

Xray

Xray now offers REST APIs for seamless Jira integration using Basic Authentication. For more information, see Jira Integration.

Feature Enhancements

Xray

  • The License Attribution report is now also supported in the UI and can be triggered from the resource export dialog.

  • Automatic License Conclusion (license resolution) now shows concluded licenses in a separate column in PDF exports, and as a “concluded” property in SPDX and CycloneDX exports.

  • Added support in Xray for detecting C++ components based on text patterns embedded in compiled binaries.

  • Enhanced Violations Reporting with Scheduling, Sharing, and Dashboards.

    We've introduced a powerful new experience for generating Violations Reports. Users can now:

    • Use a step-by-step wizard to define the report scope across repositories, builds, release bundles, and projects.
    • Schedule reports to run daily, weekly, or monthly.
    • Share reports directly with teammates via email.
    • View interactive dashboards that highlight policy violations per type, severity, and applicability, along with a top 10 CVE violations widget.
    • View a detailed table of violations.

Deprecation Notice

JFrog Security in Jira Plug-in

End of Support (EoS): 10 November 2025
End of Life (EoL): 10 December 2025

Impact

Existing users must migrate to the Native Jira Integration. After the EoL date, the plug-in will no longer be supported or compatible with future Xray versions.

Migration Path

  • Follow the JFrog documentation to configure the Native Jira Integration.
  • Validate the integration with a proof of concept (POC).
  • Migrate your ticketing process to the Native Jira Integration.
  • Decommission the plug-in from your environment once migration is complete.
  • For any assistance, contact JFrog Support.

Resolved Issues

Jira          Description
XRAY-124561   The dockerIgnoreInstalledFiles feature flag did not work properly.
XRAY-119548   Updated the violations widget title to display “Loading” while data is being retrieved, instead of showing a zero value.
XRAY-123980   Several licenses, including BSD-2-Clause-first-lines, BSD-2-Clause-Darwin, and LicenseRef-jfrog-w3c-03-bsd-license, were not available when creating an Xray License policy.
XRAY-122761   A warning message appeared when saving a Watch, indicating a failure to retrieve the binary manager.
XRAY-118013   A misleading log message appeared in Xray logs when a user viewed the scan data for a Debian package, despite the scan being successful.
XRAY-87110    Project admins received an incorrect "Currently only admins can run an SCA scan" message when viewing the Xray Data tab for non-indexed resources, despite having permissions to initiate scans elsewhere.
XRAY-124184   Fixed an issue that caused a specific on-demand Source Code Scan deletion to fail.
XRAY-125467   Indexing a specific zip file may cause a runtime error, such as an invalid memory address or a nil pointer dereference.
XRAY-125238   Watch violations were incorrectly triggered for packages with N/A CVSS scores when a policy's CVSS score rule range included the maximum score of 10.
XRAY-124208   Fixed a memory leak during scans of zstd archives.
XRAY-123758   Unsupported Docker layer MIME types caused an irrecoverable indexing error.
XRAY-126975   Fixed an issue that occasionally caused Impact Analysis to fail on Self-Hosted installations of Xray.
XRAY-126787   An incorrect status code was returned when exporting the license attribution report without the Catalog service available.
XRAY-125880   Duplicate CVEs appeared in the Vulnerabilities tab in Xray scan results.
XRAY-123429   Fixed an issue where on-demand scan results in the Platform UI displayed a CVE as “not_applicable” instead of “not_covered”.

3.130.12

Released: October 16, 2025

Resolved Issues
Jira          Description
XRAY-125885   Fixed an issue where empty package names caused an error.

3.128.7

Released: September 4, 2025

Feature Enhancements

Catalog

Introduced the License Correction Request: you can open a request in the Catalog UI for packages with unknown or misidentified licenses. The JFrog team reviews the request and updates the license based on its findings.

Source Code

You can now integrate Frogbot with your GitHub repositories using the JFrog GitHub App. This integration simplifies setup by automatically configuring Frogbot with GitHub Actions, adding the required secrets, and opening a workflow pull request in each selected repository. Once enabled, Frogbot continuously scans commits and pull requests for security issues, adds comments with findings, and can even open fix pull requests for vulnerable dependencies. This integration is supported for repositories under GitHub Organizations.

Resolved Issues
Jira          Description
XRAY-120511   Re-scanning an artifact in one remote repository incorrectly triggered a scan on a different remote repository.
XRAY-119885   Xray's policy rule evaluation did not stop after the first rule match.
XRAY-122389   The Xray Create Policy REST API allowed creating rules with incompatible criteria.
XRAY-124246   Fixed an issue where exposure violations were incorrectly ignored when creating an “Ignore CVE” rule scoped to all components and artifacts.

3.127

Released: August 10, 2025

Feature Enhancements

Xray

Added Support for Exporting SBOM in SPDX Format version 2.3

Resolved Issues
Jira          Description
XRAY-124017   Fixed an issue in Xray webhooks where high memory usage occurred in the policy enforcer when a single CVE impacted multiple artifacts.
XRAY-123347   Compressed files with uppercase extensions, such as .TGZ and .TAR.GZ, were not scanned.
XRAY-122770   Scanning a build would hang indefinitely if the build name contained the string "build-info".
XRAY-104468   Xray returned a 500 error from the artifactBlockedStatus endpoint when a DNS resolution error occurred while connecting to the database.
XRAY-123540   Fixed an issue that caused the Policy Violations Report to break due to missing data.
XRAY-123764   Fixed an issue where jf docker scan would time out and fail for scans that took longer than 10 minutes to complete.
XRAY-122808   Fixed missing fields in jf docker scan JSON output when using --watches with an Operational Risk policy.

3.127.6

Released: August 17, 2025

Resolved Issues
Jira          Description
XRAY-124820   Incorrect published dates on V2 Reports.

3.127.5

Released: August 17, 2025

Resolved Issues
Jira          Description
XRAY-124820   Incorrect published dates on V2 Reports.

3.127.1

Released: August 12, 2025

Resolved Issues
Jira          Description
XRAY-115361   Fixed an issue where not all violations were ignored when a Block Download grace period rule was assigned.

3.126.5

Released: July , 2025

Resolved Issues
Jira          Description
XRAY-118970   The fix version was not displayed for some packages in on-demand scanning.
XRAY-117101   Fixed an issue with the dropdown in the Xray tab in Artifactory. Users can now switch the violations table view between active and ignored issues.
XRAY-116057   Failed to update the Scan Status of the artifact.
XRAY-115356   Fixed a mismatch between the license detected by Xray and the Policy license selector for the LicenseRef-jfrog-ms-dot-net-library-eula license.
XRAY-115121   Improved vulnerability matching accuracy for RedHat components by factoring branch information into the vulnerable range.
XRAY-113702   Updated the logic for the Artifactory artifactgeneral API (used in the Scans List page) to handle encoding correctly: all characters are now decoded except for /, which remains encoded, as required by the API when passing artifact or build names.
XRAY-116447   The Any Repo option was incorrectly disabled for users without admin permissions, even if they had all the required permissions to add repositories to a watch.
XRAY-114175   Added TLS support for Advanced Security when running in router mode.
XRAY-122439   Fixed an issue where scans of RBv2 did not generate exposure violations.
XRAY-122439   Fixed an issue where fix versions were not displayed for some packages during on-demand scanning.

3.126.7

Released: August 07, 2025

Resolved Issues
Jira          Description
XRAY-124017   Fixed an issue in Xray webhooks where high memory usage occurred in the policy enforcer when a single CVE impacted multiple artifacts.

3.125.2

Released: November 9, 2025

Highlights

Curation

Curation now supports Conda packages.

Advanced Security

You can now define package-version rules for ML model types to block and/or notify risky formats and enforce approved versions.

Feature Enhancements

Xray

  • Added support for ant-style patterns in the specific package policy.

  • Jira Integration - Added support for a new macro JFrog Research Severity in Native Jira Integration. It uses severity from JFrog Research when available, falls back to CVE data, or applies your default value if neither is found.

  • Enhanced Vulnerabilities Reporting with Scheduling, Sharing, and Dashboards.

    We've introduced a powerful new experience for generating Vulnerabilities Reports. Users can now:

    • Use a step-by-step wizard to define report scope across repositories, builds, release bundles, and projects.
    • Schedule reports to run daily, weekly, or monthly.
    • Share reports directly with teammates via email.
    • View insights through a new aggregated dashboard with severity, applicability, and top 10 vulnerabilities widgets.
    • Filter results based on vulnerability applicability, severity, or component.
    • Explore full vulnerability details with remediation guidance and contextual analysis.
    • Export an overview PDF.

Resolved Issues

Jira          Description
XRAY-119896   Resolved a jf bs scan command issue.
XRAY-115356   Fixed a mismatch between the license detected by Xray and the Policy license selector for the “LicenseRef-jfrog-ms-dot-net-library-eula” license.
XRAY-116447   The Any Repo option was incorrectly disabled for users without admin permissions, even if they had all the required permissions to add repositories to a watch.

3.124

Released: July 1, 2025

Highlights

Xray

Legal

Feature Enhancements

Xray

Jira Integration

  • Introduced new filters that enable users to categorize policy violations based on their associated Jira tickets. This improvement allows for more efficient management and resolution of violations.
  • The search functionality within the Policy Violations UI has been enhanced to allow users to search for violations using Jira Ticket IDs. This makes it easier to find relevant details related to specific violations quickly.

Catalog

Catalog now supports Conda packages.

Resolved Issues
Jira          Description
XRAY-115251   Fixed an issue where a misleading error message, “Cannot read properties of undefined (reading 'forEach')”, was displayed when creating a new watch on the Watches page.
XRAY-116057   Updating the scan status of an artifact failed.

3.124.41

Released: March 11, 2026

Resolved Issues

Jira          Description
XRAY-136172   Improved handling of JSONC files, such as tsconfig.json, in Secrets scans for Docker images, which could previously fail and result in a partial scan status.
XRAY-136144   Updated JFrog Router version to 7.205.4.
XRAY-135768   Resolved an issue where an SBOM file encoding error could cause the entire scan to fail.
XRAY-135558   Resolved an issue where Exposures scans could crash on malformed or corrupted archive files (.tgz, .tar.gz, .deb), resulting in repeated scan failures and a partial scan status. The scanner now gracefully skips unextractable archives and continues the scan.
XRAY-132636   Resolved an issue where Exposures scans failed on OCI artifacts stored in Docker repositories, resulting in a partial scan status. Non-container artifacts pushed via tools like ORAS are now correctly identified and handled gracefully.
XRAY-124208   Resolved a memory leak that could occur during scans of zstd archives.

3.123.3

Released: June 23, 2025

Feature Enhancements

Resolved Issues
Jira          Description
XRAY-119739   The Xray search did not work properly in some cases.
XRAY-118268   Fixed an issue affecting search, sorting, and pagination in the source code scans list.

3.123.2

Released: June , 2025

Feature Enhancements

Resolved Issues
Jira          Description
XRAY-116062   Fixed an issue where license aliases were not saved in the UI.
XRAY-115121   Improved vulnerability matching accuracy for Red Hat components by factoring branch information into the vulnerable ranges.
XRAY-114426   Fixed an issue where templates were incorrectly appended to the component suffix in the “Descendants” tab of the scan results.
XRAY-109338   Fixed an issue with the identification of Go package versions.
XRAY-115368   A Project admin could not scan an existing Release Bundle from the UI.
XRAY-74193    Xray did not detect licenses referenced with a symlink in a package.

3.122.0

Released: June 8, 2025

Feature Enhancements

Source Code

New REST APIs are available for managing and retrieving source code scan data, including endpoints to list repositories, branches, commits, and detailed scan results. These APIs enable precise visibility and filtering of scanned Git data across your projects.

JFrog Xray

Xray now supports pub packages (Dart and Flutter).

JFrog Catalog

Introducing the Labels Center in Catalog: a unified view to manage all labels used in your organization. For more information, see Configure and Manage Labels.

Resolved Issues
Jira          Description
XRAY-116135   Fixed an issue that prevented automatic scanning of Secrets in RBv2 Docker builds.
XRAY-110288   Release Bundle not visible in the Xray Scans List tab.
XRAY-116601   When scanning Azure Linux images, components were misidentified, which led to false positives.

3.121.7

Released: May 28, 2025

Feature Enhancements

JFrog Xray

  • Added SBOM ingest and enrichment support for CycloneDX version 1.6.
  • Added a new REST API that analyzes and compares vulnerability differences between two build versions. For more information, see Build Vulnerability Diff.

Source Code

  • The Git repository configuration now reflects the actual hierarchy in your Source Control Management (SCM) system. It also supports inheriting configuration settings across future repositories and folders, streamlining setup and ensuring consistency.
  • Git Repository Scans List table now reflects the actual hierarchy in your Source Control Management (SCM) system.

Resolved Issues

Jira          Description
XRAY-108647   Resources were deleted despite a successful response when updating a Watch via the REST API without including the build_repo: release-bundles-v2 parameter.
XRAY-94756    Non-admin users can now run the Force Reindex REST API.
XRAY-110652   Duplicate bom-ref identifiers in CycloneDX export.
XRAY-113448   Fixed an issue where NuGet packages were not being scanned during repository scans.
XRAY-113397   Fixed an issue where Contextual Analysis scans on remote generic repositories were incorrectly marked as failed instead of showing as unsupported.
XRAY-110869   Fixed a rare issue where Xray failed to start in certain custom setups, particularly when the kubeconfig file was misconfigured.
XRAY-116138   Resolved an issue where the Commits table did not display the latest scan results for a commit.

Xray 3.120.7

Released: May 12, 2025

Feature Enhancements

JFrog Xray

  • Added the malicious_package property in the response of the GET /api/v2/events/{id} REST API.
  • Added a new capability to Xray policies, allowing a grace period for promoting Release Bundles before blocking Release Bundle promotion.

Resolved Issues

Jira          Description
XRAY-110394   The Apply Watch REST API experienced significant delays when processing a large number of artifacts for indexing.
XRAY-111127   “deinstalled” Debian packages are now treated as deleted packages.
XRAY-114001   Fixed a bug that caused the CVE right pane to display an incorrect contextual analysis status.

Xray 3.119.3

Released: April 29, 2025

Feature Enhancements

JFrog Xray

  • Upgraded bundled PostgreSQL to 16.8 in native, archive, and Docker Compose installers.
  • Upgraded bundled PostgreSQL to 16.6 in Helm installers.

JFrog Source Code

  • The results of on-demand scans run using the CLI jf audit --secrets command are now displayed in the Scans List table.
  • You can now export Git repository scan data directly from the user interface via Platform > Xray > Scans List.

Advanced Security

You can now create and generate an Exposures Report that gives you a visual representation of which components in your code and binaries are actively invoked and potentially exploitable. This helps you focus on real-world security risks rather than theoretical vulnerabilities. Use advanced filters and scoped views to customize the report to your specific needs and environments. The Exposures Report is also supported via the new Reports REST APIs.

JFrog Curation

  • Curation now supports Google Maven repositories.

  • Enhancements to JFrog Curation Audit Capability:

    • Improved package search functionality for easier navigation and discovery.
    • Clearer distinctions between blocked, allowed, and dry-run packages.
    • Introduced a new PASSED package type for items that successfully passed curation without specific policy inspection, providing the user a full view of the Curation process.

Resolved Issues

Jira          Description
XRAY-114127   Mismatch in counts on the Reports page due to pagination issues.
XRAY-114124   CVE and CVSS columns on the Reports page were not populated for Vulnerability Reports.
XRAY-24708    An incorrect number of vulnerabilities was sent to the Metadata Server.
XRAY-101346   Fixed missing applicability details in violation results returned by the Scan Build V2 API.

Xray 3.118.3

Released: April 14, 2025

Feature Enhancements

JFrog Xray

Added a new capability to Xray policies, allowing a grace period for violations before blocking downloads.

JFrog Curation

  • Curation now supports Rust repositories.
  • Added a new webhook that enables security teams to understand if there were any changes in the configuration of Curation policies, including changes in the policy condition. This will not detect changes in label/package applications.

Advanced Security

Added Exposures Report capability to highlight real, exploitable risks in your software.

Source Code

Frogbot scan results are now available directly in the JFrog platform's Scans List, under the Commits tab or associated Pull Request (PR). This centralized view provides clear visibility into security issues—including Secrets, SAST findings, and vulnerabilities—detected in your source code and dependencies, helping you triage and remediate risks faster during development.

Resolved Issues
Jira          Description
XRAY-108976   Imported SBOM scans failed to recognize certain licenses.
XRAY-99827    Users without relevant permissions could still view release bundles and their resources.
XRAY-88886    Adding builds for indexing via API within the Project scope behaved incorrectly.
XRAY-27772    Fixed an inconsistency with case sensitivity in search functionality on the Ignore Rules page.
XRAY-89513    While upgrading Xray, the license alias created for built-in licenses was not carried forward after the upgrade.

Xray 3.117.5

Released: April 3, 2025

Feature Enhancements

JFrog Xray

  • Added an option to exclude specific file names from a scan when they exist in the resource (artifact/build/release bundle).
  • Added support for installing multiple Xray applications in a single namespace.

Resolved Issues

Jira          Description
XRAY-105866   The watch filter and offset properties did not affect the "List Ignored Violations" API results.
XRAY-107926   Xray indexing failed when a remote Maven repository had cached the lead artifact but not the pom (even if it existed in the remote repo).
XRAY-84604    The default retention policy configured in the Xray system.yaml file was not applied.
XRAY-109690   The indexer failed when an OS image (VMDK/IMG) did not contain a supported partition/filesystem.
XRAY-110588   The dial timeout (the timeout to open a connection) configuration was used for regular timeouts (total timeout for an outgoing request), causing failures when indexing large artifacts.

Xray 3.116.7

Released: March 26, 2025

Feature Enhancements

JFrog Curation

You can now create, read, update, and delete curation policies and conditions using the REST API.

Advanced Security

With the new Custom Scanner, you can now define search patterns to detect sensitive information in your artifacts and source code, scanning both binary and text files.

Resolved Issues
Jira          Description
XRAY-106713   Xray failed to index archive files that contained unsupported VMDK files.
XRAY-100153   False positive vulnerabilities occurred for case-sensitive Python package names inside a Docker image during a whiteout.
XRAY-103965   Fixed inconsistencies in the vulnerability count in build scanning.
XRAY-105826   Support for CVE details was added to the build overview for non-JFrog Advanced Security users.
XRAY-102624   Fixed an issue in RabbitMQ logs.
XRAY-87916    When running an Xray scan, the scan status remained stuck at Pending due to an incorrect violations response that returned a Pending status, even though the scan itself had completed successfully.
XRAY-107400   Fixed an edge case in license resolution.
XRAY-44023    An Ignore Rule for a violation based on a specific version of a Release Bundle V2 affected all versions of the Release Bundle.
XRAY-105705   Resolved a UI issue where the Git Repository tab under Xray Scans List could not be viewed.
XRAY-106871   Resolved a jf scan command issue.
XRAY-105653   Resolved an issue with the Enriched by JFrog filter for CVEs and SAST under Scans List.
XRAY-88801    Resolved multiple UX issues in the scan result filters under Scans List.

Xray 3.115.8

Released: March 17, 2025

Feature Enhancements

JFrog Xray

Added support for Full License Text content in Legal reports.

JFrog Curation

  • EPSS (Exploit Prediction Scoring System) is a statistical probability of exploiting a CVE, enabling security teams to prioritize remediation efforts. The custom CVSS condition now supports a new relaxed condition: If the EPSS score is below a specified threshold, the policy will not block the corresponding CVE.
  • Create tickets or notifications from the system to monitor the creation of Waiver Requests and related documentation in external systems using Webhooks events. Introduced two new Webhook events for Waiver Request creation and Waiver Request update. For more information, see Webhooks.

JFrog Catalog

Catalog now supports Google Maven repositories.

JFrog CLI

  • You may now use the Waiver feature for Curation, using the JFrog jf curation-audit CLI command. The Curation Waiver feature allows you to exclude specific packages or versions from policy restrictions.
  • A Violations column was added to the Git Repositories tab under Scans List. This means that you may now see the violation count for each Git commit.

Resolved Issues

Jira          Description
XRAY-106871   Fixed a jf scan command issue.
XRAY-96953    Fixed an issue where running out of space during a Docker image scan (jf docker scan) incorrectly displayed a successful scan with No Vulnerabilities Found.
XRAY-105498   Fixed errors in the CycloneDX export of a CycloneDX Ingest.
XRAY-106119   Fixed an issue with Xray scans timing out.
XRAY-92999    When using Builds > By pattern in the Watch resources, the Watch did not issue violations for all the builds when one of the builds did not meet the pattern in the Watch.
XRAY-97920    Deploy notifications for builds did not work properly when using Projects.
XRAY-96950    Generated reports included scan data of deleted artifacts.
XRAY-102815   Fixed a UI issue where Exposure violations could not be viewed correctly on the Watch Violations page.
XRAY-101269   Resolved a UI issue in Scans List > Git Repositories where duplicated data caused infinite scrolling.

Xray 3.115.9

Released: March 20, 2025

Resolved Issues

Jira          Description
XRAY-108412   Emails for Repository Scans contained a broken link to the Violations tab in Scans List. This issue impacts users who have edited the default Binary Manager ID (Artifactory ID). Older emails with broken links remain unchanged, but all future emails will have the correct links.

Xray 3.114.5

Released: February 26, 2025

Feature Enhancements

JFrog Curation

  • Create tickets or notifications from the system if there is a blocking action in the audit using Webhooks events. Whenever a curation process encounters a blocked package, an event is triggered and sent to the designated webhook. The event includes comprehensive details about the blocked package, such as:

    • Package Information: Identifying details of the package that was requested.
    • Requester Details: Information on the user or entity that requested the package.
    • Policy Violation: A description of the specific policy violation that resulted in the blocking of the package.
  • You can now connect repositories by package type to Curation, gaining a comprehensive overview of all curatable ecosystems in your Artifactory. Easily manage connections, view status updates for each package type, and define automatic connections for future repositories. Stay informed with notifications for any disconnections, ensuring seamless management and oversight.

Resolved Issues

Jira          Description
XRAY-98659    A “DB Error” was issued when performing a jf scan CLI command.
XRAY-95081    Vulnerabilities were incorrectly reported for a resource with a .digit(s) suffix in a Docker image that had been whited out.
XRAY-92685    Xray failed to display build overview data correctly for builds with a "+" symbol in their name.
XRAY-95242    Artifacts were not indexed due to database corruption of child files that lacked a corresponding root file.
XRAY-96292    The scan status of .exe files was stuck.
XRAY-104815   Fixed an issue where "block" and "approve" Curation package audit events were missing from the CSV export, despite being visible in the audit UI.
XRAY-99663    Some components were missing from the SBOM table when performing the SBOM import.
XRAY-102173   • An issue in scanning 7zip files prevented opening files using the ARM64 LZMA2:18 BCJ SPARC method.
              • When a 7zip compression file couldn’t be opened, Xray continued to process the next file.
XRAY-85823    The response of the API call POST xray/api/v1/violations/ignored returned an unexpected result.
XRAY-101943   An SPDX report did not generate results for Release Bundles.
XRAY-95742    Xray Webhooks erroneously added violations in the scan callbacks from Policies that did not contain a specific webhook rule.
XRAY-97722    Fixed the search bar in the Git Repositories tab under Scans List.
XRAY-105520   In some cases, SBOM did not detect npm packages.

Xray 3.114.6

Released: March 3, 2025

This patch fine-tunes a few things under the hood for better performance and a smoother experience.

Xray 3.112.3

Released: February 9, 2025

Feature Enhancements

JFrog Xray

  • Added support for SBOM component properties in compliance with the German SBOM Regulation (BSI TR-03183) and the Indian SBOM Regulation (CERT-IN SBOM Guidelines).

  • Xray now supports scanning podspec.json (a Cocoapods extension).

  • The Export Component Details v2 REST API now supports passing an array of objects instead of a single JSON. This allows you to generate SBOM reports for multiple artifacts at a time and the aggregated reports will be returned in a “multiple_components_report.zip” file.

  • Enhanced the Xray-Jira integration by adding the Jira Status Retrieval feature. Xray users can now view the status of related Jira tickets without leaving the Xray platform.

    Note: This feature will be enabled by default for all integration types, except for OAuth2 authentication with Jira Cloud. OAuth2 Jira Cloud users will need to follow the additional steps outlined in the Enabling for OAuth2 on Jira Cloud section to activate the feature.

JFrog Curation

  • You can now export audit data in CSV format directly from the UI in Curation > Audit.
  • You can now export audit data in CSV format through the Approved/blocked-audit REST API.
  • Users can now connect repositories by package type to Curation, gaining a comprehensive overview of all curatable ecosystems in their Artifactory. Easily manage connections, view status updates for each package type, and define automatic connections for future repositories. Stay informed with notifications for any disconnections, ensuring seamless management and oversight.

Resolved Issues

Jira          Description
XRAY-97064    The License Due Diligence report for artifacts with many child components returned empty impact paths.
XRAY-95570    Unable to view Xray scan data for builds with special characters in their names.
XRAY-98492    Improved performance of the block download functionality linked to JFrog Xray Policies.

Xray 3.111.6

Released: December 15, 2024

Feature Enhancements

JFrog Xray

  • Enhanced the clarity and readability of the Jira Ticket Summary and Description fields created through the Xray-Jira integration.
  • Introduced a new Builds Security Overview dashboard that provides a centralized and comprehensive view of build versions where you can analyze trends, identify the most vulnerable components, and mitigate security risks effectively. For more information, see Builds Security Overview.

JFrog Curation

Introduced a new Conditions Template that allows a Security Manager to create Curation Policies based on OpenSSF scorecard results. Conditions based on this template detect and block third-party packages whose scorecard scores (one or more) match the range you defined (including aggregated scores).

Resolved Issues
Jira          Description
XRAY-90837    The Build Summary REST API did not output the name and version of the Build and thus did not align with the Component Details displayed in the JFrog Platform.
XRAY-90229    In the Watch Violations screen, clicking on an Exposures violation of package type npm produced the error message ‘Error getting Exposure scan’. A 404 was issued due to an incorrect path in the npm package.
XRAY-92998    In the SPDX report, JFrog was falsely assigned as the Artifact Manufacturer.
XRAY-91040    When exporting a Vulnerabilities Report for an artifact from the Scans List page, the exported PDF was not sorted by severity order.
XRAY-88893    When running the command jf audit --watches=< > --fail=true, the fail_build field was missing from the response. This issue was reported in JFrog CLI version 2.64.0.
XRAY-91154    When running the command jf docker scan <image_path> --format json, the full_path field was missing in the response. This issue was reported in JFrog CLI version 2.64.0.
XRAY-95655    When the name of a build included the special character '/', navigating through the Build Versions in the Scans List page via breadcrumbs caused the UI to become unresponsive.
XRAY-95206    Xray could not display any versions of a build that contained the special character '/' in the build name after scanning.
XRAY-92685    Resolved an issue where Xray failed to display build overview data correctly for builds with a "+" symbol in their name.
XRAY-95132    Xray indexing failed for artifacts containing .pt extension files within zipped archives.
XRAY-94615    Fixed an issue when exporting CycloneDX reports for Release Bundles.
XRAY-93036    Indexing of artifacts with large license files took longer than expected.
XRAY-83997    It was not possible to view Xray data on remote repositories when both "Any Local" and "Any Remote" permissions were granted.

Xray 3.109.3

Released: December 16, 2024

Highlights

JFrog Catalog

JFrog Catalog can now be installed using Helm and OpenShift. For more information, see Install JFrog Catalog with Helm and OpenShift.

JFrog Advanced Security

Secrets Detection is now supported for the following types of repositories:

  • RPM
  • Debian
  • Alpine
  • Go
  • RubyGems
  • Gradle

Feature Enhancements

Xray Essentials

SBOM: Added support for Source Code URL in CycloneDX SBOM reports - in compliance with TR-03183 SBOM Guidelines.

JFrog Curation

  • You can now directly create a Curation Policy from a condition.
  • Introduced a guided process to help new Curation users get started. It clearly outlines steps such as enabling Curation, connecting repositories, and setting policies, with visual cues to track progress.

Resolved Issues

Jira        Description
XRAY-92483  The Xray Data tab for builds was loading infinitely.
XRAY-91762  The Exposures force-scanning option (Scan Now) for builds and RBV2 was removed, as it was not supported.
XRAY-92466  The Violations report column headers were misaligned due to new additional columns.
XRAY-89785  Increased the Specific CVE IDs Policy condition to include up to 10k CVEs in one Policy rule.

Xray 3.108.10

Released: December 9, 2024

Feature Enhancements

JFrog Advanced Security

  • Gradle repositories are now supported for Contextual Analysis and Secrets scans.
  • Enhanced the design of the Exposures details (right pane).

JFrog Curation

Curation policies can now be applied to repositories for a specific package type, including current and future repositories of the same type.

Xray Essentials

SBOM

Added support for 3 additional fields in the CycloneDX vulnerabilities description:

  • Vulnerability Ratings: Include CVSS Score, CVE severity, Scoring method, and Vector
  • Vulnerability Description: A detailed description of the specific vulnerability
  • Vulnerability CWEs: A list of CWEs (Common Weakness Enumeration entries) that fit this specific CVE

These 3 added fields greatly enhance the detail level and completeness of our CycloneDX SBOM reports.

Technician Dashboard

You can now download the technician dashboard to view charts of metrics related to application performance. This REST API call will download a zip file with the dashboards as HTML files. Any admin user can access the REST API.

REST API: GET api/v1/metrics/dashboard/download

Xray Reports

Added Repo Path to the generated Violation reports.

Operational Risk

Improved Operational Risk Policy by allowing the release age to be set in customized months instead of using a default range.

Supported Technologies

Xray now supports indexing raw disk images (.img) and SquashFS (.squashfs) files.

Resolved Issues
Jira        Description
XRAY-91233  The Scan Build REST API failed when the build contained a project key.
XRAY-90830  Report requests were stuck due to backend events.
XRAY-89975  Contextual Analysis results were missing in reports for remote repositories.
XRAY-88846  The JFrog CLI, in some cases, returned a “500 Internal Server Error” when running the “sbom-enrich” command.
XRAY-88805  The file path was sometimes missing for Exposures violations.
XRAY-88380  When generating a report using the REST API, input validation was missing for the provided name, resulting in the creation of a report with an invalid name.
XRAY-87616  Xray could not scan artifacts from build info if the build was published using the REST API without including the same values for the build.timestamp and the request body's started parameter.
XRAY-87395  The Export Details REST API call failed when the filename was longer than 255 bytes.
XRAY-86530  Fixed incorrect component referencing in CycloneDX: the “bom-ref” field was used instead of the “affects” field.
XRAY-84772  REST API Ignore Rules were not applied in Docker On-Demand Scans when the name contained a slash.
Note

All users on Xray versions 3.107.7, 3.107.15, 3.107.18, and 3.107.21 who use the Xray block download policy should upgrade to Xray version 3.107.23 to maintain optimal performance in Artifactory and Xray.

Xray 3.107.15

Cloud and Self-Hosted

Released: December 1, 2024

Resolved Issues
Jira        Description
XRAY-92962  The results in Violations & License Reports were partial.

Xray 3.107.7

Released: November 11, 2024

Highlights

JFrog Advanced Security Exposures Support

You can now scan builds and Release Bundles V2 for Exposures.

Use JFrog Catalog Labels as Waivers in a Policy

This feature enables the security team to specify multiple packages and versions that can be excluded from the Policy (i.e., not violating it) allowing them to enter the repository. Waivers are added as labels on a per-policy basis, using preset labels from the JFrog Catalog.

Resolved Issues
Jira        Description
XRAY-78247  Xray didn’t block the download of a folder via the REST API when the folder contained non-downloadable artifacts.
XRAY-76649  Improved secret management by storing secrets as environment variables rather than reading them from mounted secret files. This change improves security and compliance.
XRAY-85322  A notification was not sent for the Notify deployer policy action for existing scans.
XRAY-82897  In the report REST API, when the impacted_artifact parameter contained special characters or spaces, the API returned “Request payload is invalid as impacted artifact is invalid”.
XRAY-81898  The Export Details V2 REST API retrieved data only for the latest build version that was scanned.

Xray 3.107.9

Released: November 7, 2024

Resolved Issues
Jira        Description
XRAY-91233  The Scan Build REST API failed when the build contained a project key.
XRAY-90830  Report requests were stuck due to backend events.

Xray 3.106.4

Released: October 6, 2024

Feature Enhancements

NuGet Support in Secrets

Secrets scanning is now supported on NuGet repositories.

Retention Period Enhancement

Improved the retention period of scans to be recalculated once the artifact is downloaded. The retention period will be remeasured from the beginning of the configured retention.

Indexing CycloneDX SBOM Files

Added Xray support for indexing CycloneDX SBOM files (*.cdx.json or *.cdx.xml in Generic or Docker repositories).

Resolved Issues
Jira        Description
XRAY-80970  In the Scans List, the violation details right pane displayed two different severities for the violation.
XRAY-39533  When using include or exclude patterns in build resources for a Watch and selecting the Apply on Existing Content option, the Watch violations on the applied builds were consistently generated.
XRAY-81898  The Export Details v2 REST API generated details only for the latest build version that was scanned.
XRAY-80178  Scans of Composer artifacts failed due to a corrupted package.
XRAY-84554  JFrog Advanced scan failed when scanning a repository that contains over 65K artifacts.
XRAY-85577  In some cases, a repository scan status was stuck at 99%.

Xray 3.106.7

Released: October 15, 2024

Resolved Issues
Jira        Description
XRAY-87616  Xray could not scan artifacts from build info if the build was published using the REST API without including the same values for the build.timestamp and the request body's started parameter.

Xray 3.105.4

Released: September 26, 2024

Configuration Changes

Advanced Security

The port configuration for Advanced Security installations on a self-hosted environment without Helm has changed.

Use the following ports:

  • Between Xray and the k3s master VM: 6443, 10250
  • Between k3s VMs: refer to the k3s documentation
  • Between k3s VMs and Artifactory: 8082

Resolved Issues

Jira        Description
XRAY-75943  When creating an Ignore Rule via the UI with a Path filter set, the rule wasn’t created.
XRAY-82730  A warning message "No connection to Access" in Xray Monitoring was falsely displayed.
XRAY-75864  A discrepancy between the Contextual Analysis results in the JFrog Platform and the REST API.
XRAY-72663  A user with Xray permissions could not add a Webhook notification.
XRAY-85577  In some cases, a repository scan status was stuck at 99%.

Xray 3.104.8

Released: September 4, 2024

Highlights

JFrog Catalog Labels

Introducing JFrog Catalog Labels that provide an easy way to manage actions on multiple package versions. You can group package versions by labels to manage them better and apply block/allowed Curation Policies on that label.

JFrog Curation New Template: Security Policy for Blocking a List of Packages by Label

Create rules such as block or allow lists based on multiple package versions using JFrog Catalog Labels.

Resolved Issues
Jira        Description
XRAY-47352  Fixed a broken PURL when exporting CycloneDX and SPDX.
XRAY-71721  In the Watch Violations screen, violations were shown based on “Last Build” and not based on “All Builds”.
XRAY-78796  In some cases, the Force Reindex REST API didn't work properly.
XRAY-24493  Due to a permission issue, users in groups assigned the Policy Viewer role were able to see a delete button for Policies.

Xray 3.104.18

Cloud and Self-Hosted

Released: October 15, 2024

Resolved Issues
Jira        Description
XRAY-87616  Xray could not scan artifacts from build info if the build was published using the REST API without including the same values for the build.timestamp and the request body's started parameter.

Xray 3.104.17

Cloud and Self-Hosted

Released: October 6, 2024

Resolved Issues
Jira        Description
XRAY-85577  In some cases, a repository scan status was stuck at 99%.

Xray 3.104.15

Released: September 26, 2024

Resolved Issues

Jira        Description
XRAY-85577  In some cases, a repository scan status was stuck at 99%.
XRAY-85181  Fixed an issue that caused an infinite buffer in the server containers.
XRAY-84321  Fixed the following issues:
              • Data migration failed to get or parse repository and artifact data from Artifactory
              • Authentication issue when retrieving artifact data

Xray 3.104.11

Released: September 15, 2024

Resolved Issues
Jira        Description
XRAY-75864  Fixed a discrepancy between the Contextual Analysis results in the JFrog Platform and the REST API.

Xray 3.104.10

Released: September 12, 2024

Resolved Issues
Jira        Description
XRAY-83618  Indexing Release Bundle v1 resulted in panic messages.