Liquibase vulnerability scan


Does Liquibase have a reference to continuous vulnerability scans?
Any known vulnerabilities in version 3.5.3?

In addition, we are required to run security scans on our repositories. Is anyone aware of how Liquibase SQL output can be scanned? Is there a tool that can scan it for security issues?


Hi @Danny!

Let me see if I can track that info. I want to know too! We just changed up parts of our release process so I will check and get back to you.


Hello again @Danny,

I just spoke with @NathanVoxland and I’ll just quote him:

We don’t have security scan information back to 3.5.3. For current versions of liquibase, we have two tools we use:

  1. SonarCloud’s vulnerability scanning, which you can see the results for at
  2. which outputs a report we are not licensed to share currently

Sonarcloud does list vulnerabilities we are going to address, but both are based on the attacker putting specific XML into your changelog file, and if an attacker can put arbitrary XML into your changelog file you are going to have larger problems than the vulnerability they list. The Snyk report is not finding any vulnerabilities.

Please let me know if you have any questions.


Hi @ronak!

Thanks for this valuable info.
We will check these options for our process.