Does Liquibase have a reference to continuous vulnerability scans?
Any known vulnerabilities in version 3.5.3?
In addition, we are required to run security scans on our repositories. Is anyone aware of how Liquibase SQL output can be scanned? Is there a tool that can scan it for security issues?
I just spoke with @NathanVoxland and I’ll just quote him:
We don’t have security scan information back to 3.5.3. For current versions of liquibase, we have two tools we use:
SonarCloud’s vulnerability scanning, which you can see the results for at SonarCloud
Snyk.io which outputs a report we are not licensed to share currently
SonarCloud does list vulnerabilities we are going to address, but both are based on the attacker putting specific XML into your changelog file, and if an attacker can put arbitrary XML into your changelog file you are going to have larger problems than the vulnerability they list. The Snyk report is not finding any vulnerabilities.