Vulcan v2.3.4

Released: 2026-04-07

Highlights

  • Blueprinter JSON serialization — 15 blueprint classes replace all model as_json overrides, with context-specific views and automatic N+1 prevention via blueprinter-activerecord
  • Query performance hardening — 9 COUNT queries consolidated to 3, XML parsing eliminated from rule creation, unbounded queries bounded, Ruby set operations replaced with SQL
  • OIDC provider conflict fix — symbol/string comparison bug, provider+uid-first lookup, rescue_from ordering
  • Production /stigs crash fix — SeverityCounts concern auto-excludes multi-MB xml/binary columns from SELECT
  • Auth UX improvements — session auth method tracking, unlink identity, VULCAN_AUTO_LINK_USER setting

Added

  • Blueprinter framework with views: RuleBlueprint (:navigator, :viewer, :editor), ComponentBlueprint (:index, :show, :editor), StigBlueprint, SrgBlueprint, ProjectBlueprint, and 9 supporting blueprints
  • Oj fast JSON generator (~2x faster than stdlib)
  • Session auth method tracking — "Signed in via Okta" distinct from "Account linked to Okta"
  • Unlink identity feature with password verification in user profile
  • VULCAN_AUTO_LINK_USER environment variable for automatic provider-to-local account linking
  • Rule and Review test factories
  • 12 query performance regression tests

Changed

  • All controllers migrated from to_json(methods:[]) to Blueprint.render
  • Project#details: 9 separate COUNT queries → 3 queries (GROUP BY)
  • Project#available_members: Ruby Array#- → SQL WHERE NOT IN
  • Component#reviews: full rule load → pluck(:id, :rule_id)
  • Rule creation: multi-MB XML parse → database lookup
  • UsersController#index audit query bounded with .limit(200)
  • Replaced gitlab_omniauth-ldap with omniauth-ldap 2.3.3 (fixes Ruby VM crash from nkf)
  • Ruby 3.4.8 → 3.4.9
  • Admin password management UI shows all options regardless of SMTP

Fixed

  • OIDC login failure: symbol/string provider comparison in User.from_omniauth
  • Production /stigs crash: xml blob memory blowout (R14/R15/H12 on Heroku)
  • VulcanAudit bitwise & → && for nil rule
  • OmniAuth backtrace logging now works in all environments
  • email_verified OIDC claim hardened against string "false"
  • Exception messages no longer leaked to client in rescue blocks
  • Password reset uses update_columns to skip validations
  • Polymorphic membership_type filter in access request notifications
  • 8 additional auth/security fixes (see CHANGELOG for full list)

Upgrade Notes

No database migrations required. This is a drop-in upgrade from v2.3.1+.

New environment variable:

  • VULCAN_AUTO_LINK_USER (default: false) — set to true to automatically link external identities to local accounts with matching email. Only enable when all identity providers verify email ownership.
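
The lookup order that the OIDC fix and this setting imply is easy to get subtly wrong, so here is an added example (not Vulcan's own code) of the provider+uid-first lookup, string-normalised provider comparison, and email_verified hardening from the Fixed list, with auto-linking gated by the setting above. Plain Ruby Structs stand in for the ActiveRecord models, the `IdentityStore`, `from_omniauth` signature and the `extra.raw_info.email_verified` claim location are assumptions, and all sample users and identities are constructed.

```ruby
# Added example, not Vulcan's code: the lookup order described in the
# release notes with Structs in place of ActiveRecord. Names are assumed.
Identity = Struct.new(:provider, :uid, :user_id)
User     = Struct.new(:id, :email)

# Hardened email_verified check. Accepts only boolean true or the string
# "true"; a provider that sends the string "false" must not pass, which a
# naive truthiness test (any non-empty string) would allow.
def verified_email_claim?(value)
  value == true || value.to_s.strip.casecmp?('true')
end

class IdentityStore
  attr_reader :identities

  def initialize(users:, identities:)
    @users = users
    @identities = identities
  end

  # Returns the User for an OmniAuth-style hash, or nil.
  # 1. A provider + uid match wins outright. Provider is compared as a
  #    string so a symbol in the auth hash still matches a string row.
  # 2. Only when auto_link is on AND the provider asserted a verified
  #    email is the identity linked to the local account with that email.
  def from_omniauth(auth, auto_link: false)
    provider = auth[:provider].to_s
    uid      = auth[:uid].to_s
    ident = @identities.find { |i| i.provider == provider && i.uid == uid }
    return @users.find { |u| u.id == ident.user_id } if ident

    return nil unless auto_link
    claim = auth.dig(:extra, :raw_info, :email_verified) # assumed location
    return nil unless verified_email_claim?(claim)

    email = auth.dig(:info, :email).to_s.downcase
    user = @users.find { |u| u.email.downcase == email }
    return nil unless user

    # Persist the link so the next login takes the provider+uid path
    @identities << Identity.new(provider, uid, user.id)
    user
  end
end
```

With auto-linking off, an email match alone never yields a user; with it on, the link is only created when the claim is genuinely verified, which is why the setting should stay off unless every configured provider verifies email ownership.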

Gem changes:

  • Added: blueprinter, blueprinter-activerecord, oj
  • Replaced: gitlab_omniauth-ldap → omniauth-ldap 2.3.3
  • Removed: nkf (no longer needed)

Version: v2.3.4

Part of the MITRE Security Automation Framework (SAF)