Releases: mitre/vulcan

v2.3.7

11 May 02:06

Full Changelog: v2.3.6...v2.3.7

v2.3.6

08 May 04:03

What's Changed

Breaking Changes

  • Base image changed from ruby:3.4.9-slim (Debian) to registry.access.redhat.com/ubi9/ubi-minimal:9.7 (Red Hat UBI 9). Ruby is now compiled from source in the build stage, so Ruby security updates arrive through Vulcan image rebuilds rather than through upstream base-image tags. This aligns the container with Iron Bank / DISA compliance requirements. jemalloc is compiled from source and re-enabled via LD_PRELOAD.
  • PostgreSQL 18 in the Docker Compose files now mounts the database volume at /var/lib/postgresql (was /var/lib/postgresql/data). Existing deployments must migrate their data before upgrading: run docker compose down, then either (a) back up and restore the database, or (b) rename the volume contents to match the new layout. Running docker compose up with an old vulcan_dbdata volume on the new mount path finds no cluster at the location the server reads from and initializes a fresh, empty database instead of serving the existing data.
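
The following pre-flight check and in-place rename is an added example for option (b); it is not part of Vulcan's release tooling. It assumes that under the old mount the cluster files (PG_VERSION, base/, global/, ...) sit at the volume root, and that under the new mount the postgres:18 image keeps its cluster in the 18/docker sub-directory of the volume (that image's default PGDATA); confirm PGDATA for the image you actually run before trusting NEW_SUBDIR. The pg_layout and pg_relocate function names are this example's own.

```shell
#!/bin/sh
# Added example for the v2.3.6 volume-layout change; not Vulcan's own tooling.
# Assumption: old mount (/var/lib/postgresql/data) puts the cluster at the
# volume root; new mount (/var/lib/postgresql) expects it under 18/docker,
# the postgres:18 image's default PGDATA. Verify for your image.
NEW_SUBDIR="18/docker"

# Classify a volume root. Prints one of: old, new, empty, unknown.
pg_layout() {
  root="$1"
  if [ -f "$root/PG_VERSION" ]; then
    echo old
  elif [ -f "$root/$NEW_SUBDIR/PG_VERSION" ]; then
    echo new
  elif [ -z "$(ls -A "$root" 2>/dev/null)" ]; then
    echo empty
  else
    echo unknown
  fi
}

# Move an old-layout cluster into NEW_SUBDIR in place.
# Exit status: 0 relocated, 1 not an old-layout volume, 2 major-version
# mismatch (those files need pg_upgrade or dump/restore, not a rename).
pg_relocate() {
  root="$1"
  [ "$(pg_layout "$root")" = old ] || return 1
  major="$(cat "$root/PG_VERSION")"
  [ "$major" = "${NEW_SUBDIR%%/*}" ] || return 2
  tmp="$root/.relocate.$$"
  mkdir "$tmp" || return 1
  # Move every entry, dotfiles included, except the staging directory itself.
  for entry in "$root"/* "$root"/.[!.]* "$root"/..?*; do
    [ -e "$entry" ] || continue
    [ "$entry" = "$tmp" ] && continue
    mv "$entry" "$tmp/" || return 1
  done
  mkdir -p "$root/$(dirname "$NEW_SUBDIR")" || return 1
  mv "$tmp" "$root/$NEW_SUBDIR" || return 1
  [ "$(pg_layout "$root")" = new ]
}

# Usage, as root, with the stack stopped and a backup already taken:
#   docker compose down
#   pg_relocate "$(docker volume inspect -f '{{.Mountpoint}}' vulcan_dbdata)"
```

Run it as root against the volume's host mountpoint so file ownership (the postgres uid inside the container) is preserved by the rename. The major-version guard matters because a cluster written by an older PostgreSQL cannot simply be moved under an 18 path; option (a), dump and restore, remains the safer route in that case and when you cannot confirm the image's PGDATA.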

Full Changelog: v2.3.5...v2.3.6

v2.3.5

12 Apr 01:37

What's Changed

Other Changes

  • chore: pin all workflow actions to full commit SHAs by @wdower in #715
  • Fix/user search endpoint by @wdower in #716

Full Changelog: v2.3.4...v2.3.5

v2.3.4

08 Apr 14:46

What's Changed

Other Changes

  • fix: exclude xml/binary blobs from with_severity_counts (prod crash) by @aaronlippold in #713
  • fix: Blueprinter adoption + query performance hardening by @aaronlippold in #714

Full Changelog: v2.3.2...v2.3.4

v2.3.3

07 Apr 00:06
693671a

Full Changelog: v2.3.2...v2.3.3

v2.3.2

06 Apr 18:55
730853c

Full Changelog: v2.3.1...v2.3.2

v2.3.1

03 Apr 20:15

Summary

Major feature release with 370 commits covering security hardening, UI redesign, export system overhaul, DISA compliance features, and infrastructure modernization.

Highlights

  • Security hardening: SQL injection fixes, XXE prevention, PBKDF2 password hashing, deny-by-default authorization, CSP headers, account lockout (AC-07), consent modal (AC-8)
  • Export overhaul: Unified export service with XCCDF, InSpec, Excel, CSV, JSON archive formatters; VendorSubmission and Backup modes; progressive disclosure ExportModal
  • UI redesign: Unified rule form, command bars, Bootstrap slideovers, BenchmarkViewer with keyboard navigation, standardized list pages
  • Infrastructure: Ruby 3.4.8, Node 24 LTS, PostgreSQL 18, multi-stage Dockerfile, tag-triggered releases with git-cliff, CI sharding with parallel_rspec

Upgrades

  • Ruby 3.3.9 → 3.4.8, Puma 5.6.9 → 7.2.0, Node 22 → 24 LTS, PostgreSQL 12/16 → 18
  • Replaced overcommit with lefthook; added pre-push checks

Security

  • Sanitize SQL LIKE input to prevent injection in search queries
  • Deny-by-default authorization on all controller actions
  • XXE prevention via Nokogiri NONET patch on HappyMapper
  • PBKDF2 password hashing with transparent bcrypt migration
  • Account lockout (STIG AC-07) with Devise Lockable
  • AC-8 consent modal with configurable TTL
  • CSP headers for OIDC provider and application security
  • Input length limits, upload validation, rate limiting
  • CVE patches: rexml, rack, faraday, uri gems

New Features

  • Global search via pg_search across rules, STIGs, SRGs
  • Admin bootstrap: first-user-admin and env var support
  • JSON archive backup/restore with full-fidelity serializer
  • Excel export with caxlsx, per-cell lock styling, Source column
  • CSV export with configurable column picker and header aliases
  • SRG auto-detection from spreadsheet import
  • Configurable password complexity (DoD 8500.2/2222)
  • Classification banner and consent modal
  • Health check endpoints for Kubernetes/Docker
  • GET /api/version endpoint
  • Tag-triggered release automation with git-cliff

Testing

  • Vitest infrastructure for Vue 2 components (1200+ frontend tests)
  • 36 spec files converted to let_it_be (~65% faster backend suite)
  • shoulda-matchers 7.0 validation contract specs
  • CI sharding: 6 parallel_rspec shards with ci-gate job
  • Request specs for components, rules, exports, backup round-trip

Documentation

  • VitePress documentation site
  • Deployment, authentication, security, and DISA process guides
  • Updated ENVIRONMENT_VARIABLES.md and CHANGELOG.md

Pull Requests Merged

  • feat: migrate documentation to VitePress with Mermaid support by @aaronlippold in #687
  • fix: Add the needed libyaml dependencies to docker build by @Eric-Domeier in #691
  • fix: Simplify email configuration and resolve SMTP authentication issues by @aaronlippold in #695
  • chore: Comprehensive security updates - eliminate all critical/high vulnerabilities by @aaronlippold in #696
  • make license match other saf projects by @Amndeep7 in #697
  • fix: Docker build and corrupted OIDC icon for v2.2.2 by @mikeBoterf in #703
  • Add axios resolution to package.json by @Amndeep7 in #709
  • Release v2.3.1: Feature release with security hardening and DRY refactors by @aaronlippold in #706

Full Changelog: v2.2.1...v2.3.1

v2.2.1 - Patch Release

16 Aug 17:42

Vulcan v2.2.1 - Patch Release

Release Date: August 16, 2025

This patch release includes configuration improvements and minor fixes.

🔧 Improvements

Deployment Configuration

  • Simplified Heroku Review App deployment process
  • Updated Kubernetes deployment examples for better practices
  • Enhanced environment validation in utility scripts

Accessibility

  • Improved HTML email template compliance
  • Added missing accessibility attributes

📝 Changes Since v2.2.0

  • Updated deployment configurations
  • Enhanced environment checks in scripts
  • Fixed email template formatting
  • Improved Kubernetes examples

🙏 Acknowledgments

Thank you to all contributors for their continued improvements to Vulcan.


Version: v2.2.1
Type: Patch Release

v2.2.0 - Major Framework Modernization

16 Aug 16:24

Vulcan v2.2.0 - Major Framework Modernization

🎉 Release Highlights

This release represents a significant modernization of the Vulcan platform, bringing major framework upgrades, performance improvements, and comprehensive bug fixes. The upgrade positions Vulcan for long-term maintainability and sets the foundation for upcoming Vue 3 and Bootstrap 5 migrations.

🚀 Major Framework Upgrades

Core Platform

  • Rails 8.0.2.1 - Upgraded from Rails 7.0.8.7, bringing improved performance and modern Rails features
  • Ruby 3.3.9 - Upgraded from Ruby 3.1.6, providing better performance and language enhancements
  • Node.js 22 LTS - Upgraded from Node.js 16, ensuring long-term support and modern JavaScript features

Test Framework Modernization

  • Migrated all controller specs to request specs (Rails 8 compatibility)
  • Migrated all feature specs to system specs (modern Rails testing standard)
  • Fixed Devise authentication with Rails 8 lazy route loading
  • All 190 tests passing with improved test coverage

Docker Optimization

  • 73% smaller Docker image - Reduced from 6.5GB to 1.76GB
  • Multi-stage build optimization with production-ready configuration
  • Implemented jemalloc for improved memory management
  • Updated to Debian Bookworm base image

🐛 Bug Fixes

Security & Code Quality

  • Fixed SQL injection vulnerability through parameterized queries
  • Resolved mass assignment security warnings with Rails 8 strong parameters
  • Fixed unreachable code in RelatedRulesModal.vue
  • Added missing HTML accessibility attributes (lang, title tags)
  • Fixed version comparison logic using proper semver library

UI/UX Improvements

  • Fixed Issue #681: "Applicable - Configurable" status now correctly shows check/fix fields instead of justification field
  • MDI to Bootstrap Icons Migration: Fully migrated from deprecated MDI icons to Bootstrap Icons
  • Fixed missing function call parentheses in event handlers
  • Resolved Bootstrap-Vue deprecation warnings

📦 Dependency Updates

Security Updates

  • axios: 1.6.8 → 1.11.0 (fixes 2 high SSRF vulnerabilities)
  • factory_bot: 5.2.0 → 6.5.4
  • ESLint: 8.x → 9.33.0
  • Prettier: 2.8.8 → 3.6.2
  • Updated all Rails gems to latest secure versions

New Dependencies

  • Added bundler-audit for Ruby vulnerability scanning
  • Integrated semver for proper version comparison

📚 Documentation Overhaul

Comprehensive Updates

  • Added professional README with badges, technology stack, and clear setup instructions
  • Created detailed CONTRIBUTING.md guide for new contributors
  • Updated CHANGELOG to follow "Keep a Changelog" standard
  • Enhanced SECURITY.md with MITRE SAF team contacts
  • Fixed documentation typos and improved clarity throughout

MITRE SAF Integration

  • Added proper attribution to MITRE Security Automation Framework
  • Updated contact emails: saf@mitre.org (general), saf-security@mitre.org (security)
  • Enhanced project description and purpose

🔧 Technical Improvements

Build System

  • Removed deprecated Spring gem (Rails 8 has built-in reloader)
  • Fixed fixture_paths deprecation warning
  • Updated esbuild configuration for modern JavaScript bundling
  • Enhanced pre-commit hooks with RuboCop and ESLint integration

Code Organization

  • Archived MDI icon backup files for recovery purposes
  • Cleaned up unused code and dead references
  • Improved error handling throughout the application
  • Enhanced SonarCloud integration with proper exclusions

📈 Performance Metrics

  • Docker Image: 73% size reduction (1.76GB vs 6.5GB)
  • Test Suite: All 190 tests passing
  • Code Quality: 0 security issues, reduced code complexity
  • Dependencies: 63 vulnerabilities addressed (many false positives from old Docker images)

🔮 What's Next

Planned for Future Releases

  • Vue 3 Migration: Complete migration from Vue 2.6.11 to Vue 3
  • Bootstrap 5 Upgrade: Migrate from Bootstrap 4 + Bootstrap-Vue to native Bootstrap 5
  • Turbolinks Removal: Remove deprecated Turbolinks in favor of modern alternatives
  • Continued Performance Optimization: Further Docker and application performance improvements

📝 Migration Notes

For Developers

  • Controller specs have been replaced with request specs
  • Feature specs have been replaced with system specs
  • Ensure Ruby 3.3.9 and Node.js 22 are installed for local development
  • Run bundle install and yarn install after pulling this version

For Production Deployments

  • Docker images are now significantly smaller and more efficient
  • Environment variables remain unchanged
  • Database migrations are backward compatible

🙏 Acknowledgments

Thank you to all contributors and the MITRE SAF team for their continued support and dedication to improving Vulcan.

📊 Full Changelog

For a detailed list of all changes, see the CHANGELOG.md file.


Release Date: August 16, 2025
Release Manager: Aaron Lippold
Version: v2.2.0

vulcan v2.1.8

28 Jun 19:08

What's Changed

👒 Dependencies

  • Bump ws from 6.2.2 to 6.2.3 in the npm_and_yarn group across 1 directory by @dependabot in #628

Other Changes

  • updated cci mappings to latest rev5 by @rlakey in #627

Full Changelog: v2.1.7...v2.1.8