cve-dashboard/CHANGELOG.md
Jordan Ramos f9770872ba Add Jira production UAT test script, update CHANGELOG
- Jira UAT test script for production API validation (all 10 use cases)
- CHANGELOG updates for recent features and fixes
2026-05-20 16:15:37 -06:00

Changelog

All notable changes to the STEAM Security Dashboard are documented in this file.

Format follows Keep a Changelog and this project uses Semantic Versioning.


[2.0.0] — 2026-05-19

Breaking Changes

  • PostgreSQL migration — database engine switched from SQLite to PostgreSQL. Requires running deploy-postgres.sh, migrating existing data, and setting the DATABASE_URL env var. SQLite is no longer supported.
  • Multi-BU tenancy — data is now scoped per business unit with per-user team assignments. Replaces the previous binary scope toggle.

Features

  • In-app notification system — replaces Webex bot integration with native notifications
  • Screenshot uploads in feedback modal, Webex bot DM on issue close
  • CCP Metrics page — multi-vertical VCL upload and cross-org compliance reporting
  • VCL compliance reporting — exec report page, device metadata fields, bulk upload
  • Aggregated burndown forecast on CCP Metrics overview page
  • Sub-team drill-down — metric sub-team intermediate view with per-team breakdowns
  • Metric breakdown panel — Non-Compliant stat clickable, reveals metric breakdown buttons, compact grid with top 8 and show-all toggle
  • Remediation plan and resolution date history tracking
  • Data management panel — delete vertical, rollback upload, and reset all
  • VCL vertical metadata — inline-editable team fields on compliance routes
  • Re-queue findings from rejected FP submissions
  • FP submissions cleanup — auto-clear approved, dismiss rejected, collapsible section
  • DECOM workflow type — auto-note/hide on decom, show CVEs on CARD queue items
  • Interactive configuration wizard for deployment setup
  • Unified setup script (configure.js) merging deploy + config wizard
  • Per-BU trend lines in Ivanti counts history chart
  • Multi-select BU picker replacing binary scope toggle
  • Configurable IVANTI_MANAGED_BUS env var for multi-tenant drift classification
  • Pipeline-to-issue traceability via after_script comments in CI/CD
  • CI/CD pipeline with feedback modal, Atlas qualys_id fallback, and health endpoint
  • Docker Compose and deploy-postgres.sh for production cutover
  • Systemd service scripts for start/stop management

Bug Fixes

  • Fix duplicate failing metrics on same asset across compliance endpoints
  • Fix duplicate chart entries on compliance page when multiple verticals share a report_date
  • Fix requeue inserting Postgres array literal instead of JSON into cves_json
  • Fix todo queue crash on malformed cves_json data
  • Fix AEO compliance page not showing metric health cards on dev
  • Fix double-counting in VCL multi-vertical stats — use only ALL: rollup rows
  • Fix compliance stats to use Summary sheet data instead of item counts
  • Fix route mount order: vcl-multi must precede general compliance router
  • Fix requeue: fallback to finding_ids_json when queue items are deleted or absent
  • Sync FP submission lifecycle_status from Ivanti currentState on fetch
  • Fix History tab crash: coerce Ivanti note fields to strings before rendering
  • Fix archive bar chart: fmtDate now handles ISO datetime strings from PostgreSQL date columns
  • Fix Ivanti panel bugs: Invalid Date, wrong workflow count, crash on archive click, BU scope filtering
  • Fix BU drift checker: derive EXPECTED_BUS from IVANTI_BU_FILTER env var
  • Fix null bu_teams in postgres migration, add retry logic to deploy script
  • Fix missing created_by column in archer_tickets table
  • Fix FP workflow counts donut scoped by BU
  • Fix dotenv loading in db.js so DATABASE_URL is available on import
  • Fix property test CI failure: mock db module before importing route

Maintenance

  • Track package-lock.json files for deterministic CI installs
  • Remove unused icon imports and unused imports to satisfy ESLint thresholds
  • CI pipeline fixes: dependency installation, lint thresholds, test isolation
  • Auto-run migrations in pipeline
  • Documentation updates for PostgreSQL migration, systemd scripts, and reference manual

[1.0.0] — 2026-05-01

Initial release of the STEAM Security Dashboard.