Liquibase vulnerability scan

Hi,

Does Liquibase have a reference to continuous vulnerability scans?
Any known vulnerabilities in version 3.5.3?

In addition, we are required to run security scans on our repositories. Is anyone aware of how Liquibase SQL output can be scanned? Is there a tool that can scan it for security issues?

Regards,
Daniel
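One way to approach the question about scanning Liquibase's SQL output is to lint the file that `liquibase updateSQL` writes before it is applied. The script below is an added example, not code from this thread or from the Liquibase project. It assumes the generated SQL is in a file, that Liquibase's `-- Changeset <file>::<id>::<author>` comment markers precede each changeset's statements (used here only to attribute findings), and that the rule list and the embedded sample SQL are constructed for illustration and should be tuned to your own environment.

```python
import re
import sys
from dataclasses import dataclass

# Rules: (rule id, severity, compiled regex). These patterns are assumptions about
# what a reviewer would want flagged in generated DDL/DML, not an exhaustive list.
RULES = [
    ("DROP_OBJECT", "high", re.compile(r"^\s*DROP\s+(TABLE|DATABASE|SCHEMA|USER|ROLE)\b", re.I)),
    ("TRUNCATE", "high", re.compile(r"^\s*TRUNCATE\s+TABLE\b", re.I)),
    ("GRANT_PUBLIC", "high", re.compile(r"^\s*GRANT\b.*\bTO\s+PUBLIC\b", re.I | re.S)),
    ("GRANT_OPTION", "medium", re.compile(r"^\s*GRANT\b.*\bWITH\s+(GRANT|ADMIN)\s+OPTION\b", re.I | re.S)),
    ("DYNAMIC_EXEC", "high", re.compile(r"\b(xp_cmdshell|sp_executesql|EXEC(UTE)?\s*\()", re.I)),
    ("PLAINTEXT_PASSWORD", "medium", re.compile(r"\b(IDENTIFIED\s+BY|PASSWORD\s*=?)\s*'[^']+'", re.I)),
]
# DELETE/UPDATE statements are checked separately: they are flagged only when no WHERE clause is present.
UNBOUNDED_DML = re.compile(r"^\s*(DELETE\s+FROM|UPDATE)\s+\S+", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    changeset: str
    statement: str


def split_statements(sql_text):
    """Yield (changeset, statement) pairs from updateSQL output.

    Comment lines are dropped, except that '-- Changeset ...' markers (assumed to
    be the form Liquibase writes) are used to attribute statements to a changeset.
    Statements are split on a trailing ';', which is good enough for generated
    SQL but not for procedural bodies containing embedded semicolons."""
    changeset = "<preamble>"
    buf = []
    for line in sql_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("--"):
            if stripped.lower().startswith("-- changeset"):
                changeset = stripped[len("-- changeset"):].strip()
            continue
        buf.append(line)
        if stripped.endswith(";"):
            stmt = "\n".join(buf).strip().rstrip(";").strip()
            buf = []
            if stmt:
                yield changeset, stmt
    tail = "\n".join(buf).strip()
    if tail:
        yield changeset, tail


def scan_sql(sql_text):
    """Return a list of Findings, in statement order, for the given SQL text."""
    findings = []
    for changeset, stmt in split_statements(sql_text):
        for rule, severity, pattern in RULES:
            if pattern.search(stmt):
                findings.append(Finding(rule, severity, changeset, stmt))
        if UNBOUNDED_DML.match(stmt) and not re.search(r"\bWHERE\b", stmt, re.I):
            findings.append(Finding("UNBOUNDED_DML", "medium", changeset, stmt))
    return findings


# Constructed sample in the shape of updateSQL output; not real project data.
SAMPLE_SQL = """\
-- *********************************************************************
-- Update Database Script
-- *********************************************************************
-- Changeset db/changelog.xml::1::dev
CREATE TABLE account (id INT PRIMARY KEY, name VARCHAR(100));
INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME) VALUES ('1', 'dev', 'db/changelog.xml');
-- Changeset db/changelog.xml::2::dev
GRANT ALL PRIVILEGES ON account TO PUBLIC;
UPDATE account SET name = 'x';
-- Changeset db/changelog.xml::3::contractor
CREATE USER reporting IDENTIFIED BY 'Summer2020!';
EXEC xp_cmdshell 'whoami';
DROP TABLE audit_log;
"""


if __name__ == "__main__":
    # Usage: python scan_sql.py path/to/updateSQL-output.sql (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SQL
    results = scan_sql(text)
    for f in results:
        print(f"[{f.severity}] {f.rule} in {f.changeset}: {f.statement.splitlines()[0]}")
    # Non-zero exit on any high-severity finding so a CI step can block the apply.
    sys.exit(1 if any(f.severity == "high" for f in results) else 0)
```

Running it against the generated file in CI gives a reviewable list keyed by changeset, which is usually more useful than scanning the changelog XML itself, since the SQL is what actually reaches the database.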

Hi @Danny!

Let me see if I can track that info. I want to know too! We just changed up parts of our release process so I will check and get back to you.

-Ronak

Hello again @Danny,

I just spoke with @NathanVoxland and I’ll just quote him:

We don’t have security scan information back to 3.5.3. For current versions of liquibase, we have two tools we use:

  1. SonarCloud’s vulnerability scanning, which you can see the results for at https://sonarcloud.io/project/issues?id=liquibase_liquibase&resolved=false&severities=BLOCKER&types=VULNERABILITY
  2. Snyk.io which outputs a report we are not licensed to share currently

Sonarcloud does list vulnerabilities we are going to address, but both are based on the attacker putting specific XML into your changelog file, and if an attacker can put arbitrary XML into your changelog file you are going to have larger problems than the vulnerability they list. The Snyk report is not finding any vulnerabilities.

Please let me know if you have any questions.

-Ronak

Hi @ronak!

Thanks for this valuable info.
We will check these options for our process.

Best!
Daniel