Vulcan v2.2.1 - Patch Release

Release Date: August 16, 2025

This patch release includes configuration improvements and minor fixes.

🔧 Improvements

Deployment Configuration

• Simplified Heroku Review App deployment process
• Updated Kubernetes deployment examples for better practices
• Enhanced environment validation in utility scripts

Accessibility

• Improved HTML email template compliance
• Added missing accessibility attributes

📝 Changes Since v2.2.0

• Updated deployment configurations
• Enhanced environment checks in scripts
• Fixed email template formatting
• Improved Kubernetes examples

🙏 Acknowledgments

Thank you to all contributors for their continued improvements to Vulcan.

Version: v2.2.1
Type: Patch Release

Vulcan v2.2.0 - Major Framework Modernization

🎉 Release Highlights

This release represents a significant modernization of the Vulcan platform, bringing major framework upgrades, performance improvements, and comprehensive bug fixes. The upgrade positions Vulcan for long-term maintainability and sets the foundation for upcoming Vue 3 and Bootstrap 5 migrations.

🚀 Major Framework Upgrades

Core Platform

• Rails 8.0.2.1 - Upgraded from Rails 7.0.8.7, bringing improved performance and modern Rails features
• Ruby 3.3.9 - Upgraded from Ruby 3.1.6, providing better performance and language enhancements
• Node.js 22 LTS - Upgraded from Node.js 16, ensuring long-term support and modern JavaScript features

Test Framework Modernization

• Migrated all controller specs to request specs (Rails 8 compatibility)
• Migrated all feature specs to system specs (modern Rails testing standard)
• Fixed Devise authentication with Rails 8 lazy route loading
• All 190 tests passing with improved test coverage

Docker Optimization

• 73% smaller Docker image - Reduced from 6.5GB to 1.76GB
• Multi-stage build optimization with production-ready configuration
• Implemented jemalloc for improved memory management
• Updated to Debian Bookworm base image

🐛 Bug Fixes

Security & Code Quality

• Fixed SQL injection vulnerability through parameterized queries
• Resolved mass assignment security warnings with Rails 8 strong parameters
• Fixed unreachable code in RelatedRulesModal.vue
• Added missing HTML accessibility attributes (lang, title tags)
• Fixed version comparison logic using proper semver library

UI/UX Improvements

• Fixed Issue #681: "Applicable - Configurable" status now correctly shows check/fix fields instead of justification field
• MDI to Bootstrap Icons Migration: Fully migrated from deprecated MDI icons to Bootstrap Icons
• Fixed missing function call parentheses in event handlers
• Resolved Bootstrap-Vue deprecation warnings

📦 Dependency Updates

Security Updates

• axios: 1.6.8 → 1.11.0 (fixes 2 high SSRF vulnerabilities)
• factory_bot: 5.2.0 → 6.5.4
• ESLint: 8.x → 9.33.0
• Prettier: 2.8.8 → 3.6.2
• Updated all Rails gems to latest secure versions

New Dependencies

• Added bundler-audit for Ruby vulnerability scanning
• Integrated semver for proper version comparison

📚 Documentation Overhaul

Comprehensive Updates

• Added professional README with badges, technology stack, and clear setup instructions
• Created detailed CONTRIBUTING.md guide for new contributors
• Updated CHANGELOG to follow "Keep a Changelog" standard
• Enhanced SECURITY.md with MITRE SAF team contacts
• Fixed documentation typos and improved clarity throughout

MITRE SAF Integration

• Added proper attribution to MITRE Security Automation Framework
• Updated contact emails: [email protected] (general), [email protected] (security)
• Enhanced project description and purpose

🔧 Technical Improvements

Build System

• Removed deprecated Spring gem (Rails 8 has built-in reloader)
• Fixed fixture_paths deprecation warning
• Updated esbuild configuration for modern JavaScript bundling
• Enhanced pre-commit hooks with RuboCop and ESLint integration

Code Organization

• Archived MDI icon backup files for recovery purposes
• Cleaned up unused code and dead references
• Improved error handling throughout the application
• Enhanced SonarCloud integration with proper exclusions

📈 Performance Metrics

• Docker Image: 73% size reduction (1.76GB vs 6.5GB)
• Test Suite: All 190 tests passing
• Code Quality: 0 security issues, reduced code complexity
• Dependencies: 63 vulnerabilities addressed (many false positives from old Docker images)

🔮 What's Next

Planned for Future Releases

• Vue 3 Migration: Complete migration from Vue 2.6.11 to Vue 3
• Bootstrap 5 Upgrade: Migrate from Bootstrap 4 + Bootstrap-Vue to native Bootstrap 5
• Turbolinks Removal: Remove deprecated Turbolinks in favor of modern alternatives
• Continued Performance Optimization: Further Docker and application performance improvements

📝 Migration Notes

For Developers

• Controller specs have been replaced with request specs
• Feature specs have been replaced with system specs
• Ensure Ruby 3.3.9 and Node.js 22 are installed for local development
• Run bundle install and yarn install after pulling this version

For Production Deployments

• Docker images are now significantly smaller and more efficient
• Environment variables remain unchanged
• Database migrations are backward compatible

🙏 Acknowledgments

Thank you to all contributors and the MITRE SAF team for their continued support and dedication to improving Vulcan.

📊 Full Changelog

For a detailed list of all changes, see the CHANGELOG.md file.

Release Date: August 16, 2025
Release Manager: Aaron Lippold
Version: v2.2.0

What's Changed

👒 Dependencies

• Bump ws from 6.2.2 to 6.2.3 in the npm_and_yarn group across 1 directory by @dependabot in #628

Other Changes

• updated cci mappings to latest rev5 by @rlakey in #627

Full Changelog: v2.1.7...v2.1.8

What's Changed

👒 Dependencies

• Bump axios from 0.21.4 to 1.6.0 by @dependabot in #617
• Bump the npm_and_yarn group across 1 directories with 1 update by @dependabot in #619
• Bump the npm_and_yarn group across 1 directories with 1 update by @dependabot in #620
• Bump the npm_and_yarn group across 1 directory with 3 updates by @dependabot in #623

Other Changes

• Upgrade to New Heroku Plan by @DMedina6 in #624

New Contributors

• @DMedina6 made their first contribution in #624

Full Changelog: v2.1.6...v2.1.7

What's Changed

👒 Dependencies

• Bump @babel/traverse from 7.15.4 to 7.23.2 by @dependabot in #613
• Bump browserify-sign from 4.2.1 to 4.2.2 by @dependabot in #614

Other Changes

• updating container to run as a non root user by @rlakey in #612

Full Changelog: v2.1.5...v2.1.6

What's Changed

Exciting New Features 🎉

• Enabled viewing of related rules in read-only mode, but hiding the copy button by @vanessuniq in #605
• Enable user to select which component to excel export by @vanessuniq in #610

Bug Fixes

• Added fixref attribute to fixtext XML tag for compatibility with stig-viewer-3x by @smarlaku820 in #608
• Ensure a rule's inspec code is updated after establishing rule satisfaction or reverting change on a rule by @vanessuniq in #609

Other Changes

• Removed Changelog from the landing page and have the app version on the top menu as a link directing to the changelog page by @vanessuniq in #606

Full Changelog: v2.1.4...v2.1.5

What's Changed

Exciting New Features 🎉

• New Feature: Enable setting up Project visibility and Requesting access to a project by @vanessuniq in #595
• STIG & Related Rules workflow by @vanessuniq in #599

Feature Enhancements

• Constrain the selectable list to allow only Apllicable - Configurable controls to be satisfied by other by @vanessuniq in #586
• Constrain requirement for locking Applicable -Does Not Meet and Applicable - Inherently Meets controls by @vanessuniq in #587
• Notifications: Slack notification and SMTP Enhancement by @vanessuniq in #594
• VULCAN-528: Fix component admin on component cards by @vanessuniq in #588

Bug Fixes

• If null data just return for related info by @freddyfeelgood in #602
• Fix: Capture STIG Name on Upload by @vanessuniq in #603
• Fix Related Rules Grouping by @vanessuniq in #604

👒 Dependencies

• Bump semver from 5.7.1 to 5.7.2 by @dependabot in #596
• Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #597
• Bump puma from 4.3.12 to 5.6.7 by @dependabot in #601
• Bump audited from 5.0.2 to 5.3.3 by @dependabot in #568

Full Changelog: v2.1.3...v2.1.4

What's Changed

Exciting New Features 🎉

• VULCAN-551: Enabling SMTP feature to send emails via ActionMailer by @smarlaku820 in #584
• VULCAN-570: Control View Only and Edit Mode UX refactor by @vanessuniq in #583

Other Changes

• VULCAN-579: Fix project update logic for detecting name changes correctly by @smarlaku820 in #580
• VULCAN-581: Enhance Import from Spreadsheet workflow by @vanessuniq in #582

Full Changelog: v2.1.2...v2.1.3

What's Changed

Exciting New Features 🎉

• VULCAN-563: Export/Import inspec control body by @vanessuniq in #564
• Enabled editing component STIG ID prefix by @vanessuniq in #558

Other Changes

• Group histories with the same name, created_at, and comment; add tooltip for rule status by @vanessuniq in #562
• Adding the option to group/sort controls by SrG ID by @vanessuniq in #566
• VULCAN- 565: Add latest release version tag to Navbar component by @vanessuniq in #567
• VULCAN-559: Support for Multiple CCIs by @vanessuniq in #569

Full Changelog: v2.1.1...v2.1.2

What's Changed

👒 Dependencies

• Bump rack from 2.2.6.3 to 2.2.6.4 by @dependabot in #548
• Bump nokogiri from 1.14.2 to 1.14.3 by @dependabot in #554

Other Changes

• VULCAN-348: Aternative testing by @vanessuniq in #546
• Customized parser to not interpret character/html entity by @vanessuniq in #550
• VULCAN-372: Add additional component question of url type by @freddyfeelgood in #553
• Up to deep linking by @vanessuniq in #552
• Use title for description if description blank by @rlakey in #557

Full Changelog: v2.1.0...v2.1.1