
Conversation

@jandroav
Contributor

Summary

Implements a production-ready Docker image for Liquibase Enterprise (formerly Datical DB) with comprehensive testing, automation, and documentation.

Key Components

🐳 Docker Implementation

DockerfileEnterprise

  • Multi-stage build with Eclipse Temurin 21 JRE
  • Automated IzPack installer (version 8.10.479)
  • Headless installation using xvfb
  • Java 21 module compatibility for Groovy reflection
  • SHA256 verification for security
  • Non-root user (UID/GID 1001)
  • Multi-platform: linux/amd64, linux/arm64

autoInstall.xml

  • IzPack automated configuration
  • Installs all 6 packages: UI, CLI, License Manager, Java Runtime, Oracle Client

docker-entrypoint-enterprise.sh

  • Automatic license detection from /liquibase/license/
  • Sets DATDB_LICENSE environment variable
  • Auto-changes to /liquibase/project directory
  • Intelligent command routing

📚 Documentation

README-enterprise.md

  • Quick Start with platform-specific examples (x86-64 and Apple Silicon)
  • Verified working example with real version output
  • Enterprise features documentation
  • Build instructions (AMD64, ARM64, multi-platform)
  • Common usage examples (statusDetails, forecast, deploy)
  • CI/CD integration examples (Jenkins, GitLab CI, GitHub Actions)
  • Troubleshooting guide with Apple Silicon/Rosetta instructions

docker-compose.enterprise.yml

  • Complete example with PostgreSQL
  • Service dependencies and health checks

🚀 GitHub Actions Workflows

create-release-enterprise.yml

  • Automated version bumping with SHA256 validation
  • Git tagging: v{version}-ENTERPRISE format
  • Multi-platform builds
  • Publishes to Docker Hub, GHCR, AWS ECR Public
  • Dry-run mode support
  • Selective registry publishing

test-enterprise.yml

  • Runs on ubuntu-latest and macos-15-intel
  • Container structure validation
  • Java 21 and hammer CLI verification
  • License and project mounting tests
  • Platform-specific x86-64 tests

trivy-enterprise.yml

  • Surface and deep vulnerability scanning
  • SBOM generation (Syft) and scanning (Grype)
  • Docker Scout CVE analysis
  • Nested JAR/Python package extraction
  • SARIF upload to GitHub Security
  • Enhanced reports (90-day retention)
  • Scheduled scans (weekdays 7am UTC)

✅ Testing & Verification

  • ✅ Built and tested on AMD64
  • ✅ Verified with valid Enterprise license
  • ✅ Confirmed hammer CLI execution
  • ✅ Version output validated:
    Liquibase Enterprise CLI  8.10
      Component Versions:
              Liquibase Enterprise Core  8.10.479
              Liquibase Enterprise CLI   8.10.479.20250717040249
              Liquibase                  3.5.11640
              Stored Logic extension     1.0.318.20250710062909
              AppDBA extension           1.0.474.20250710061826
              Java                       11.0.15
    
  • ✅ License mounting (DATDB_LICENSE) working
  • ✅ Docker Compose example functional

Architecture Decisions

Separate Workflows: Enterprise uses dedicated workflows (not added to test.yml/trivy.yml matrix) because:

  • Different CLI interface (hammer vs liquibase)
  • Unique requirements (license file testing)
  • Longer build times (IzPack installation)
  • Different test scenarios

Tag Format: v{version}-ENTERPRISE prevents conflicts with Community (v{version}) and Secure (v{version}-SECURE)

License Handling: Runtime mounting (not build-time) for security and flexibility

Platform Support: Multi-arch build with Apple Silicon documentation (--platform flag)

Available Registries

Images will be published to:

  • Docker Hub: liquibase/liquibase-enterprise
  • GitHub Container Registry: ghcr.io/liquibase/liquibase-enterprise
  • AWS ECR Public: public.ecr.aws/liquibase/liquibase-enterprise

Files Changed

  • .github/workflows/create-release-enterprise.yml - Release automation
  • .github/workflows/test-enterprise.yml - Comprehensive testing
  • .github/workflows/trivy-enterprise.yml - Security scanning
  • DockerfileEnterprise - Multi-stage build
  • README-enterprise.md - Complete documentation
  • autoInstall.xml - IzPack configuration
  • docker-entrypoint-enterprise.sh - Entrypoint script
  • examples/docker-compose/docker-compose.enterprise.yml - Docker Compose example

Closes DAT-7679

🤖 Generated with Claude Code
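The entrypoint behaviour listed in the description (license auto-detection under /liquibase/license/, exporting DATDB_LICENSE, switching into /liquibase/project when it is mounted, and routing the first argument either to an OS command or to hammer) as an added shell example. This is illustrative code written for this page, not the PR's docker-entrypoint-enterprise.sh. Assumptions not stated in the PR: DATDB_LICENSE takes the path of a single .lic file, more than one .lic file is treated as an error instead of silently picking one, routing is decided with `command -v`, and a SHOULD_CHANGE_DIR=false variable can disable the directory switch.

```shell
#!/bin/sh
# Added example entrypoint (illustrative, not the PR's docker-entrypoint-enterprise.sh).
# Assumptions: DATDB_LICENSE takes the path of one *.lic file; more than one
# candidate is an error; SHOULD_CHANGE_DIR=false disables the cd.
set -eu

LICENSE_DIR="${LICENSE_DIR:-/liquibase/license}"
PROJECT_DIR="${PROJECT_DIR:-/liquibase/project}"

# detect_license DIR: print the single *.lic path in DIR.
# Returns 1 when none is present and 2 when several are, so a stale or
# wrong license mounted next to the right one is never picked at random.
detect_license() {
  dir=$1; count=0; chosen=
  [ -d "$dir" ] || return 1
  for f in "$dir"/*.lic; do
    [ -f "$f" ] || continue
    count=$((count + 1)); chosen=$f
  done
  case $count in
    0) return 1 ;;
    1) printf '%s\n' "$chosen" ;;
    *) echo "entrypoint: $count .lic files in $dir, refusing to guess" >&2; return 2 ;;
  esac
}

# setup_license: export DATDB_LICENSE from LICENSE_DIR unless the caller
# already set it (an explicit -e DATDB_LICENSE=... wins over auto-detection).
setup_license() {
  if [ -n "${DATDB_LICENSE:-}" ]; then
    return 0
  fi
  lic=$(detect_license "$LICENSE_DIR") || return $?
  export DATDB_LICENSE="$lic"
}

# route_command ARGS...: "exec" when $1 resolves to an executable on PATH
# (sh, ls, hammer itself), otherwise "hammer" so `statusDetails ...` becomes
# `hammer statusDetails ...`. No arguments also routes to hammer (usage text).
route_command() {
  if [ "$#" -gt 0 ] && command -v "$1" >/dev/null 2>&1; then
    echo exec
  else
    echo hammer
  fi
}

main() {
  rc=0
  setup_license || rc=$?
  case $rc in
    1) echo "entrypoint: no license under $LICENSE_DIR; hammer commands need one mounted" >&2 ;;
    2) exit 2 ;;   # ambiguous license set: refuse to start rather than guess
  esac
  if [ -d "$PROJECT_DIR" ] && [ "${SHOULD_CHANGE_DIR:-true}" = true ]; then
    cd "$PROJECT_DIR"
  fi
  case $(route_command "$@") in
    exec)   exec "$@" ;;
    hammer) exec hammer "$@" ;;
  esac
}

# Dispatch only when invoked as the container entrypoint, so the functions
# above can be sourced by a test harness without exec'ing hammer.
if [ "${ENTRYPOINT_DISPATCH:-0}" = 1 ]; then
  main "$@"
fi
```

Run with the license mounted read-only so the container cannot alter it: `docker run --rm -v "$PWD/license:/liquibase/license:ro" -v "$PWD/project:/liquibase/project" liquibase/liquibase-enterprise statusDetails`. Keeping the license out of the image and out of `docker history` is the point of the runtime-mounting decision in the description; the fail-closed handling of multiple .lic files is the extra check a practitioner would want.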

jandroav and others added 2 commits November 25, 2025 14:32
Implements a production-ready Docker image for Liquibase Enterprise (formerly Datical DB) with comprehensive testing and automation.

## Core Implementation

**DockerfileEnterprise**
- Multi-stage build using Eclipse Temurin 21 JRE
- Automated IzPack installer execution with xvfb for headless installation
- Java 21 module compatibility with --add-opens flags for Groovy reflection
- SHA256 verification for security (version 8.10.479)
- Non-root user (UID/GID 1001) for enhanced security
- Multi-platform support (linux/amd64, linux/arm64)

**autoInstall.xml**
- IzPack automated installation configuration
- Installs all 6 packages: UI, CLI, License Manager, Java Runtime, Oracle Client
- Configured for headless deployment

**docker-entrypoint-enterprise.sh**
- Automatic license detection from /liquibase/license/
- Sets DATDB_LICENSE environment variable for hammer CLI
- Auto-changes to /liquibase/project directory when mounted
- Intelligent command routing (OS commands vs hammer commands)

## Documentation

**README-enterprise.md**
- Quick Start with platform-specific examples (x86-64 and Apple Silicon)
- Verified working example with real version output
- Comprehensive feature documentation (Deployment Packager, Forecast & Deploy, etc.)
- Build instructions for AMD64, ARM64, and multi-platform
- Usage examples for all common scenarios (statusDetails, forecast, deploy, etc.)
- CI/CD integration examples (Jenkins, GitLab CI, GitHub Actions)
- Troubleshooting guide including Rosetta/Apple Silicon instructions
- License mounting documentation

**docker-compose.enterprise.yml**
- Complete example with PostgreSQL integration
- Health checks and service dependencies
- Volume mounting for projects and licenses

## GitHub Actions Workflows

**create-release-enterprise.yml**
- Automated version bumping in DockerfileEnterprise
- SHA256 calculation and validation
- Git tagging with v{version}-ENTERPRISE format
- Multi-platform builds (linux/amd64, linux/arm64)
- Publishes to Docker Hub, GHCR, and AWS ECR Public
- Dry-run mode with private ECR for testing
- Selective registry publishing (can disable any registry)
- GitHub release creation (draft mode)

**test-enterprise.yml**
- Comprehensive testing on ubuntu-latest and macos-15-intel
- Container structure validation (user, UID/GID, working directory)
- Java 21 installation verification
- hammer command availability checks
- DaticalDB installation structure validation
- Environment variable testing (LIQUIBASE_HOME, DOCKER_LIQUIBASE)
- Volume mount testing (license and project directories)
- License file mounting verification
- Project directory workflow validation
- Platform-specific tests for x86-64 hammer execution

**trivy-enterprise.yml**
- Surface and deep vulnerability scanning with Trivy
- SBOM generation with Syft
- Grype SBOM-based scanning
- Docker Scout CVE analysis
- Nested JAR and Python package extraction for comprehensive scanning
- SARIF upload to GitHub Security tab
- Enhanced vulnerability reports (90-day retention)
- Slack notifications on failure
- Scheduled scans (weekdays 7am UTC)

## Testing & Verification

- ✅ Built and tested on AMD64 platform
- ✅ Verified with valid Liquibase Enterprise license
- ✅ Confirmed hammer CLI execution (version 8.10.479)
- ✅ All component versions validated:
  - Liquibase Enterprise Core 8.10.479
  - Liquibase 3.5.11640
  - Stored Logic extension 1.0.318
  - AppDBA extension 1.0.474
  - Java 11.0.15
- ✅ License mounting and DATDB_LICENSE environment variable working
- ✅ Docker Compose example functional

## Architecture Decisions

**Separate Workflows**: Enterprise uses dedicated workflows rather than being added to existing test.yml/trivy.yml matrix because:
- Different CLI interface (hammer vs liquibase)
- Unique requirements (license file testing)
- Longer build times (IzPack installation)
- Different test scenarios and commands

**Tag Format**: v{version}-ENTERPRISE prevents conflicts with Community (v{version}) and Secure (v{version}-SECURE) releases

**License Handling**: Runtime mounting (not build-time) ensures security and flexibility across environments

**Platform Support**: Multi-arch build with special considerations for Apple Silicon users (--platform flag documented)

Closes DAT-7679

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
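The "SHA256 verification for security" step the commit message mentions for the installer download, as an added shell example. This is not the PR's DockerfileEnterprise RUN step; it shows the checks such a gate should carry: the expected digest is validated as 64 hex characters before any comparison (an empty build ARG would otherwise compare against nothing), a mismatch deletes the artifact so no later step can run or unpack it, and the digest tool falls back from sha256sum to shasum for macOS build hosts. The installer file name and the digests in demo() are constructed for this page.

```shell
#!/bin/sh
# Added example: fail-closed SHA256 gate for a downloaded installer.
# Illustrative, not the PR's DockerfileEnterprise RUN step; file names and
# digests in demo() are constructed for this page.
set -eu

# sha256_of FILE: hex digest via coreutils sha256sum (Debian/Ubuntu-based
# images such as eclipse-temurin) or shasum (macOS build hosts).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED
#   0  digest matches
#   1  mismatch (or missing file): FILE is deleted so no later step can use it
#   2  EXPECTED is not 64 hex chars (empty build ARG, truncated paste); rejected
#      before any comparison instead of comparing against junk
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $expected in
    *[!0-9a-f]*) expected= ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "verify_sha256: expected value is not a 64-hex SHA256 digest" >&2
    return 2
  fi
  if [ ! -f "$file" ]; then
    echo "verify_sha256: $file: no such file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "verify_sha256: $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
}

# demo: constructed stand-in for the installer (contents "hello\n") verified
# against its known digest. In a Dockerfile this sits between the download of
# the IzPack installer and the `java -jar installer.jar` that runs it.
demo() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/installer.jar"
  verify_sha256 "$dir/installer.jar" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  rm -rf "$dir"
}

demo && echo "verify_sha256: demo digest matched"
```

In a multi-stage build the check belongs in the builder stage, on the same RUN line as the download, so a failed verification fails the layer and nothing unverified is ever copied into the runtime stage.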
@coderabbitai

coderabbitai bot commented Nov 25, 2025

📝 Walkthrough

Walkthrough

Adds official Liquibase Enterprise Docker support: new DockerfileEnterprise, IzPack autoInstall.xml, docker-entrypoint-enterprise.sh, README and docker-compose example, .gitignore update, plus three new GitHub Actions workflows for release, testing, and vulnerability scanning; and path-filter adjustments to existing CI workflows.

Changes

Cohort / File(s) and Summary

Release & CI Workflows
  • Files: .github/workflows/create-release-enterprise.yml, .github/workflows/test-enterprise.yml, .github/workflows/trivy-enterprise.yml, .github/workflows/test.yml, .github/workflows/trivy.yml
  • Summary: New release workflow to update DockerfileEnterprise, tag/create releases, and build/push multi-arch images to Docker Hub/GHCR/ECR with dry-run support; new enterprise test workflow (matrix runners, extensive container tests); new enterprise Trivy/Scout vulnerability scanning workflow (SBOM, SARIF, reports); added path filters to existing test/trivy workflows.

Enterprise Docker image & runtime
  • Files: DockerfileEnterprise, docker-entrypoint-enterprise.sh, autoInstall.xml
  • Summary: New multi-stage Dockerfile that runs IzPack headless installer in builder and produces minimal Temurin-21 runtime, creates liquibase user/group (UID/GID 1001), sets LIQUIBASE_HOME/DOCKER_LIQUIBASE, copies DaticalDB install, symlinks hammer, exposes OCI labels and volumes; entrypoint detects license and dispatches to hammer or execs provided command; autoInstall.xml configures automated installer defaults.

Documentation & examples
  • Files: README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml
  • Summary: New enterprise README with usage, licensing and build notes; docker-compose example for Postgres + liquibase-enterprise including mounts, healthchecks, and sample commands.

Ignore rules
  • Files: .gitignore
  • Summary: Adds *.lic to ignore license files.

Sequence Diagram(s)

sequenceDiagram
    actor Trigger
    participant GHA as GitHub Actions
    participant Repo as Repository
    participant RegHub as Docker Hub
    participant RegGHCR as GHCR
    participant RegECR as ECR

    Trigger->>GHA: start release workflow
    activate GHA

    rect rgb(230,245,255)
    Note over GHA: update-dockerfiles
    GHA->>Repo: read inputs & secrets
    GHA->>Repo: update `DockerfileEnterprise` (enterpriseVersion, jar SHA)
    GHA->>Repo: commit & create tag (if not dry-run)
    end

    rect rgb(245,235,255)
    Note over GHA: build-push-image
    GHA->>GHA: generate tags & platforms
    GHA->>GHA: build multi-arch image
    alt push to Docker Hub
        GHA->>RegHub: push
    end
    alt push to GHCR
        GHA->>RegGHCR: push
    end
    alt push to ECR
        GHA->>RegECR: push
    end
    GHA->>GHA: create GitHub release (non-dry-run)
    end

    deactivate GHA
sequenceDiagram
    participant Container
    participant Entrypoint as docker-entrypoint-enterprise.sh
    participant Hammer as hammer

    Container->>Entrypoint: start
    activate Entrypoint
    Entrypoint->>Entrypoint: detect license -> export DATDB_LICENSE
    Entrypoint->>Entrypoint: set LIQUIBASE_HOME, PATH
    alt first arg is an executable command
        Entrypoint->>Container: exec "$@"
    else
        Entrypoint->>Hammer: exec hammer [args]
    end
    deactivate Entrypoint

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

  • Areas for extra attention:
    • create-release-enterprise.yml: secrets retrieval, AWS/Vault/GitHub App auth, dry-run vs push/tag logic, multi-registry tag generation and push conditions.
    • test-enterprise.yml: cross-platform matrix, macOS Docker setup, platform-gated tests (x86 vs ARM), and many container assertions.
    • trivy-enterprise.yml: SBOM generation, SARIF outputs, Grype/Trivy/Scout orchestration and artifact uploads.
    • DockerfileEnterprise & autoInstall.xml: IzPack headless flags, Java 21 --add-opens settings, SHA256 validation, ownership/permissions and UID/GID choices.
    • docker-entrypoint-enterprise.sh: license discovery paths and exec/dispatch behavior.

Suggested reviewers

  • jnewton03
  • sayaliM0412

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name / Status / Explanation
  • Title check: ✅ Passed. The title 'Add Liquibase Enterprise Docker image support' accurately captures the main deliverable of this PR: introducing Docker image support for Liquibase Enterprise, which aligns with the primary objective to add an official Dockerfile and supporting infrastructure.
  • Description check: ✅ Passed. The PR description comprehensively documents the changes including Docker implementation details, documentation, GitHub Actions workflows, testing, and architecture decisions. It directly relates to the changeset by explaining each new file and feature added.
  • Linked Issues check: ✅ Passed. The PR successfully implements all key objectives from DAT-7679: provides an official Dockerfile (DockerfileEnterprise), delivers production-ready multi-stage build without build-time dependencies, uses proper version tagging (v{version}-ENTERPRISE), includes documentation (README-enterprise.md, docker-compose example), separate GitHub Actions workflows for releases/testing/security, and publishes to official registries (Docker Hub, GHCR, ECR).
  • Out of Scope Changes check: ✅ Passed. Minor path-based trigger additions to existing workflows (test.yml and trivy.yml) are secondary changes to support the enterprise setup. The core changes (DockerfileEnterprise, workflows, documentation) are directly scoped to DAT-7679 requirements. All additions align with stated objectives.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8057d05 and f27c4e0.

📒 Files selected for processing (1)
  • .github/workflows/test-enterprise.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images
📚 Learning: 2025-11-24T16:48:37.150Z
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Applied to files:

  • .github/workflows/test-enterprise.yml
🪛 GitHub Check: CodeQL
.github/workflows/test-enterprise.yml

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 47-47: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash


[warning] 68-68: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'douglascamata/setup-docker-macos-action' with ref 'v1.0.2', not a pinned commit hash

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: Build & Test DockerfileSecure - macos-15-intel
  • GitHub Check: Build & Test Dockerfile - ubuntu-latest
  • GitHub Check: Build & Test Dockerfile.alpine - macos-15-intel
  • GitHub Check: Build & Test Dockerfile.alpine - ubuntu-latest
  • GitHub Check: Build & Test DockerfileSecure - ubuntu-latest
  • GitHub Check: Build & Test DockerfileEnterprise - macos-15-intel
  • GitHub Check: Build & Test Dockerfile - macos-15-intel
  • GitHub Check: Scout Scan - Liquibase Enterprise
  • GitHub Check: Scout (DockerfileSecure, liquibase/liquibase-secure)
  • GitHub Check: Trivy (Dockerfile, liquibase/liquibase)
  • GitHub Check: Trivy (DockerfileSecure, liquibase/liquibase-secure)
  • GitHub Check: Trivy (Dockerfile.alpine, liquibase/liquibase, -alpine)
  • GitHub Check: Trivy Scan - Liquibase Enterprise
🔇 Additional comments (1)
.github/workflows/test-enterprise.yml (1)

70-355: Test coverage and workflow logic look solid.

The test suite comprehensively validates container structure, Java/tool availability, directory layouts, environment variables, volume mounting, entrypoint behavior, and platform-specific functionality. Cleanup steps properly remove temporary artifacts. Multi-platform testing with x86-64 conditional tests appropriately handles binary architecture limitations.


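The three CodeQL warnings above all have the same cause: a third-party action referenced by a mutable tag (v5, v2, v1.0.2) rather than a commit SHA, so whoever controls the tag can later point it at different code that then runs with the workflow's secrets. As an added example (not part of the PR or of CodeRabbit's output), the POSIX shell lint below flags every `uses:` that is not pinned to a 40-hex commit or, for docker:// container actions, to a sha256 digest. The workflow it scans is constructed for this page and its 40- and 64-hex values are placeholders, not real commits or digests.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `uses:` references that are not pinned to
# an immutable commit SHA (the CodeQL finding above). Illustrative code written
# for this page, not part of the PR. The sample workflow is constructed and its
# 40-/64-hex values are placeholders, not real commits or digests.
set -eu

# is_hex STRING LENGTH: true when STRING is exactly LENGTH lowercase hex chars.
is_hex() {
  [ "${#1}" -eq "$2" ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# find_unpinned FILE: print "FILE:LINE: ref" for each uses: that is
#   - owner/repo@<tag or branch>   (mutable: the tag can be moved to new code)
#   - owner/repo                   (no ref at all: follows the default branch)
#   - docker://image:tag           (mutable tag instead of @sha256:<digest>)
# Local actions (./path) are skipped; they are versioned with the repo itself.
# Returns 1 if anything was flagged, 0 if the file is clean.
find_unpinned() {
  file=$1; bad=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    stripped=${line%%#*}                        # drop "# v4.2.2" style comments
    case $stripped in *uses:*) ;; *) continue ;; esac
    ref=${stripped#*uses:}
    ref=$(printf '%s' "$ref" | tr -d ' \t"'"'")  # drop spaces and YAML quotes
    case $ref in
      ./*) continue ;;
      docker://*@sha256:*) is_hex "${ref#*@sha256:}" 64 && continue ;;
      docker://*) ;;
      *@*) is_hex "${ref##*@}" 40 && continue ;;
    esac
    printf '%s:%s: %s\n' "$file" "$n" "$ref"
    bad=$((bad + 1))
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Constructed sample mirroring the three CodeQL hits plus one pinned action,
# one local action, one pinned and one unpinned container action.
sample_workflow() {
  cat <<'EOF'
name: test-enterprise
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: aws-actions/configure-aws-credentials@v5
      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
      - uses: ./.github/actions/prepare
      - uses: "douglascamata/setup-docker-macos-action@v1.0.2"
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: docker://alpine:3.20
EOF
}

# Usage: sh lint-uses.sh .github/workflows/test-enterprise.yml
if [ -n "${1:-}" ]; then
  find_unpinned "$1"
fi
```

To fix a hit, resolve the tag to its commit with `git ls-remote https://github.com/aws-actions/configure-aws-credentials refs/tags/v5`, pin that SHA in `uses:`, and keep the tag in a trailing comment so Dependabot can still propose bumps. The lint reads the comment-stripped text, so that convention does not produce false positives.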

@github-actions
Contributor

github-actions bot commented Nov 25, 2025

🔍 Vulnerabilities of liquibase/liquibase-secure:b06c57740e565f8c9a49a4fb9667dd5025c31450

📦 Image Reference liquibase/liquibase-secure:b06c57740e565f8c9a49a4fb9667dd5025c31450
  • digest: sha256:b75816b8ad456c115d5c9799c1db1932435d37d9835faf7abd468f197a3db542
  • vulnerabilities: critical: 0 high: 0 medium: 0 low: 0
  • platform: linux/amd64
  • size: 762 MB
  • packages: 425
📦 Base Image eclipse-temurin:21-jre
  • also known as: 21-jre-noble, 21.0.9_10-jre, 21.0.9_10-jre-noble
  • digest: sha256:d665ca47131b82e94b17ec6b8d9ee72924268c509f9407a766ffe3d3defbaa32
  • vulnerabilities: critical: 0 high: 0 medium: 3 low: 8


@github-advanced-security github-advanced-security bot left a comment


CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@github-actions
Contributor

github-actions bot commented Nov 25, 2025

🔍 Vulnerabilities of liquibase/liquibase-enterprise:b06c57740e565f8c9a49a4fb9667dd5025c31450

📦 Image Reference liquibase/liquibase-enterprise:b06c57740e565f8c9a49a4fb9667dd5025c31450
  • digest: sha256:80eef08040498ca2b5e9b49b8b976f4beea2872201425e8034341a2fee94a6a8
  • vulnerabilities: critical: 2 high: 41 medium: 0 low: 0
  • platform: linux/amd64
  • size: 742 MB
  • packages: 639
📦 Base Image eclipse-temurin:21-jre
  • also known as: 21-jre-noble, 21.0.9_10-jre, 21.0.9_10-jre-noble
  • digest: sha256:d665ca47131b82e94b17ec6b8d9ee72924268c509f9407a766ffe3d3defbaa32
  • vulnerabilities: critical: 0 high: 0 medium: 3 low: 8
critical: 1 high: 0 medium: 0 low: 0 org.drools/drools-core 7.48.0.Final (maven)

pkg:maven/org.drools/drools-core@7.48.0.Final

critical 9.8: CVE-2021-41411 Improper Restriction of XML External Entity Reference

  • Affected range: <=7.59.0.Final
  • Fixed version: 7.60.0.Final
  • CVSS Score: 9.8
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • EPSS Score: 0.062%
  • EPSS Percentile: 19th percentile
Description

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

critical: 1 high: 0 medium: 0 low: 0 org.apache.commons/commons-text 1.9 (maven)

pkg:maven/org.apache.commons/commons-text@1.9

critical 9.8: CVE-2022-42889 Improper Control of Generation of Code ('Code Injection')

  • Affected range: >=1.5, <1.10.0
  • Fixed version: 1.10.0
  • CVSS Score: 9.8
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • EPSS Score: 94.161%
  • EPSS Percentile: 100th percentile
Description

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

critical: 0 high: 19 medium: 0 low: 0 com.thoughtworks.xstream/xstream 1.4.14 (maven)

pkg:maven/com.thoughtworks.xstream/xstream@1.4.14

high 8.5: CVE-2021-39154 Unrestricted Upload of File with Dangerous Type

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 0.712%
  • EPSS Percentile: 72nd percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39154.

Credits

ka1n4t found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39153 Deserialization of Untrusted Data

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 0.573%
  • EPSS Percentile: 68th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39153.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39152 Deserialization of Untrusted Data

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 67.834%
  • EPSS Percentile: 98th percentile
Description

Impact

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39152.

Credits

m0d9 of the Security Team of Alibaba Cloud found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39151 Unrestricted Upload of File with Dangerous Type

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 0.573%
  • EPSS Percentile: 68th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39151.

Credits

Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39150 Deserialization of Untrusted Data

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 1.965%
  • EPSS Percentile: 83rd percentile
Description

Impact

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39150.

Credits

Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39149 Unrestricted Upload of File with Dangerous Type

  • Affected range: <1.4.18
  • Fixed version: 1.4.18
  • CVSS Score: 8.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • EPSS Score: 0.712%
  • EPSS Percentile: 72nd percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39149.

Credits

Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39148 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.573%
EPSS Percentile: 68th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39148.

Credits

wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39147 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.573%
EPSS Percentile: 68th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39147.

Credits

wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39146 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 54.176%
EPSS Percentile: 98th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39146.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39145 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.500%
EPSS Percentile: 65th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39145.

Credits

李安诺 (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue independently to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39144 Missing Authentication for Critical Function

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H
EPSS Score: 94.380%
EPSS Percentile: 100th percentile
Description

Impact

The vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39144.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39141 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 84.542%
EPSS Percentile: 99th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39141.

Credits

Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.5: CVE-2021-39139 Deserialization of Untrusted Data

Affected range: <1.4.18
Fixed version: 1.4.18
CVSS Score: 8.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.842%
EPSS Percentile: 74th percentile
Description

Impact

The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected when using the version out of the box with JDK 1.7u21 or below. However, this scenario can easily be adjusted to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39139.

Credits

Lai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 8.2: CVE-2022-41966 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Affected range: <1.4.20
Fixed version: 1.4.20
CVSS Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score: 4.274%
EPSS Percentile: 88th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. The following types of the Java runtime are affected:

  • java.util.HashMap
  • java.util.HashSet
  • java.util.Hashtable
  • java.util.LinkedHashMap
  • java.util.LinkedHashSet
  • Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
// Reject the hash-based collection types that the recursive-hash payload relies on.
xstream.denyTypes(new Class[]{
    java.util.HashMap.class,
    java.util.HashSet.class,
    java.util.Hashtable.class,
    java.util.LinkedHashMap.class,
    java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers to these only as the default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966.

For more information

If you have any questions or comments about this advisory:

high 7.7: CVE-2024-47072 Stack-based Buffer Overflow

Affected range: <1.4.21
Fixed version: 1.4.21
CVSS Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Score: 0.176%
EPSS Percentile: 39th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

Patches

XStream 1.4.21 detects the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.

Credits

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

high 7.5: CVE-2022-40151 Stack-based Buffer Overflow

Affected range: <1.4.20
Fixed version: 1.4.20
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.245%
EPSS Percentile: 48th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151.

Credits

The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

For more information

If you have any questions or comments about this advisory:

high 7.5: CVE-2021-43859 Uncontrolled Resource Consumption

Affected range: <1.4.19
Fixed version: 1.4.19
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 2.031%
EPSS Percentile: 83rd percentile
Description

Impact

The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded.

Workarounds

The attack uses the hash code implementation for collections and maps to force an exponential calculation time due to highly recursive structures within the collection or map. The following types of the Java runtime are affected in Java versions available in December 2021:

  • java.util.HashMap
  • java.util.HashSet
  • java.util.Hashtable
  • java.util.LinkedHashMap
  • java.util.LinkedHashSet
  • java.util.Stack (older Java revisions only)
  • java.util.Vector (older Java revisions only)
  • Other third party collection implementations that use their element's hash code may also be affected

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
// Reject the hash-based collection types that the recursive-hash payload relies on.
xstream.denyTypes(new Class[]{
    java.util.HashMap.class,
    java.util.HashSet.class,
    java.util.Hashtable.class,
    java.util.LinkedHashMap.class,
    java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers to these only as the default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-43859.

Credits

The vulnerability was discovered and reported by r00t4dm at Cloud-Penetrating Arrow Lab.

For more information

If you have any questions or comments about this advisory:

high 7.5: CVE-2021-29505 Deserialization of Untrusted Data

Affected range: <1.4.17
Fixed version: 1.4.17
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 90.769%
EPSS Percentile: 100th percentile
Description

Impact

The vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-29505.

Credits

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

For more information

If you have any questions or comments about this advisory:

high 7.5: CVE-2021-21341 Uncontrolled Resource Consumption

Affected range: <1.4.16
Fixed version: 1.4.16
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 23.434%
EPSS Percentile: 96th percentile
Description

Impact

The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Workarounds

See workarounds for the different versions covering all CVEs.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-21341.

Credits

The vulnerability was discovered and reported by threedr3am.

For more information

If you have any questions or comments about this advisory:

critical: 0 high: 4 medium: 0 low: 0 com.google.protobuf/protobuf-java 3.6.1 (maven)

pkg:maven/com.google.protobuf/protobuf-java@3.6.1

high 8.7: CVE-2024-7254 Improper Input Validation

Affected range: <3.25.5
Fixed version: 3.25.5
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.055%
EPSS Percentile: 17th percentile
Description

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

  • protobuf-java (3.25.5, 4.27.5, 4.28.2)
  • protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
  • com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

high 7.5: CVE-2022-3510 Uncontrolled Resource Consumption

Affected range: >=3.0.0, <3.16.3
Fixed version: 3.16.3
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.057%
EPSS Percentile: 18th percentile
Description

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

high 7.5: CVE-2022-3509 Uncontrolled Resource Consumption

Affected range: >=3.0.0, <3.16.3
Fixed version: 3.16.3
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.119%
EPSS Percentile: 31st percentile
Description

A parsing issue similar to CVE-2022-3171, but with textformat, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

high 7.5: CVE-2021-22569 Incorrect Behavior Order

Affected range: <3.16.1
Fixed version: 3.16.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.291%
EPSS Percentile: 52nd percentile
Description

Summary

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

Reporter: OSS-Fuzz

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.

Severity

CVE-2021-22569 High - CVSS Score: 7.5. An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

Please update to the latest available versions of the following packages:

  • protobuf-java (3.16.1, 3.18.2, 3.19.2)
  • protobuf-kotlin (3.18.2, 3.19.2)
  • google-protobuf [JRuby gem only] (3.19.2)

critical: 0 high: 4 medium: 0 low: 0 org.json/json 20180130 (maven)

pkg:maven/org.json/json@20180130

high 7.5: CVE-2023-5072 Improperly Implemented Security Check for Standard

Affected range: <=20230618
Fixed version: 20231013
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.468%
EPSS Percentile: 64th percentile
Description

Summary

A denial of service vulnerability in JSON-Java was discovered by ClusterFuzz. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using \ to escape special characters, including \ itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of \ characters in the escaped string.

Severity

High - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.

Proof of Concept

package orgjsonbug;

import org.json.JSONObject;

/**
 * Illustrates a bug in JSON-Java.
 */
public class Bug {
  private static String makeNested(int depth) {
    if (depth == 0) {
      return "{\"a\":1}";
    }
    return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
  }

  public static void main(String[] args) {
    String input = makeNested(30);
    System.out.printf("Input string has length %d: %s\n", input.length(), input);
    JSONObject output = new JSONObject(input);
    System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
  }
}

When run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.

Further Analysis

The issue is fixed by this PR.

Timeline

Date reported: 07/14/2023
Date fixed:
Date disclosed: 10/12/2023

high 7.5: CVE-2022-45690 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <20220320
Fixed version: 20220320
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.276%
EPSS Percentile: 51st percentile
Description

A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

high 7.5: CVE-2022-45689 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <20220320
Fixed version: 20220320
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.084%
EPSS Percentile: 25th percentile
Description

hutool-json v5.8.10 was discovered to contain an out of memory error.

high 7.5: CVE-2022-45688 Out-of-bounds Write

Affected range: <20230227
Fixed version: 20230227
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.878%
EPSS Percentile: 75th percentile
Description

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

critical: 0 high: 3 medium: 0 low: 0 com.fasterxml.jackson.core/jackson-databind 2.13.2 (maven)

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2

high 8.2: CVE-2022-42004 Uncontrolled Resource Consumption

Affected range: >=2.13.0, <2.13.4
Fixed version: 2.13.4
CVSS Score: 8.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.303%
EPSS Percentile: 53rd percentile
Description

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled.

high 7.5: CVE-2022-42003 Uncontrolled Resource Consumption

Affected range: >=2.13.0, <2.13.4.2
Fixed version: 2.13.4.2
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.354%
EPSS Percentile: 57th percentile
Description

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.

The 2.13.4.1 release does fix this issue; however, it also references a non-existent jackson-bom, which causes build failures for Gradle users. See FasterXML/jackson-databind#3627 (comment) for details. This is fixed in 2.13.4.2, which is listed in the advisory metadata so that users are not subjected to unnecessary build failures.

high 7.5: CVE-2020-36518 Out-of-bounds Write

Affected range: >=2.13.0, <=2.13.2.0
Fixed version: 2.13.2.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.614%
EPSS Percentile: 69th percentile
Description

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

critical: 0 high: 3 medium: 0 low: 0 org.yaml/snakeyaml 1.17 (maven)

pkg:maven/org.yaml/snakeyaml@1.17

high 8.3: CVE-2022-1471 Improper Input Validation

Affected range: <=1.33
Fixed version: 2.0
CVSS Score: 8.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score: 93.849%
EPSS Percentile: 100th percentile
Description

Summary

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type to be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized.

Severity

High, lack of type checks during deserialization allows remote code execution.

Proof of Concept

Execute bash run.sh. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs an HTTP request to http://127.0.0.1:8000.

Example output of successful run of proof of concept:

$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
	at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.base/java.lang.reflect.Field.set(Field.java:780)
	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
	... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Further Analysis

Potential mitigations include leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

Timeline

Date reported: 4/11/2022
Date fixed: 30/12/2022
Date disclosed: 10/13/2022

high 7.5: CVE-2022-25857 Uncontrolled Resource Consumption

Affected range: <1.31
Fixed version: 1.31
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.347%
EPSS Percentile: 57th percentile
Description

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.

high 7.5: CVE-2017-18640 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Affected range: <1.26
Fixed version: 1.26
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 2.166%
EPSS Percentile: 84th percentile
Description

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

critical: 0 high: 3 medium: 0 low: 0 com.thoughtworks.xstream/xstream 1.4.19 (maven)

pkg:maven/com.thoughtworks.xstream/xstream@1.4.19

high 8.2: CVE-2022-41966 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Affected range: <1.4.20
Fixed version: 1.4.20
CVSS Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score: 4.274%
EPSS Percentile: 88th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. The following types of the Java runtime are affected:

  • java.util.HashMap
  • java.util.HashSet
  • java.util.Hashtable
  • java.util.LinkedHashMap
  • java.util.LinkedHashSet
  • Other third party collection implementations that use their element's hash code may also be affected

A simple solution is to catch the StackOverflowError in the client code calling XStream.

If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:

XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);

If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:

XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});

Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers to these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:

xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);

However, this implies that your application does not care about the implementation of the map and all elements are comparable.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966.

For more information

If you have any questions or comments about this advisory:

high 7.7: CVE-2024-47072 Stack-based Buffer Overflow

Affected range: <1.4.21
Fixed version: 1.4.21
CVSS Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Score: 0.176%
EPSS Percentile: 39th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

Patches

XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.

Credits

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

high 7.5: CVE-2022-40151 Stack-based Buffer Overflow

Affected range: <1.4.20
Fixed version: 1.4.20
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.245%
EPSS Percentile: 48th percentile
Description

Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.

Patches

XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.

Workarounds

The only solution is to catch the StackOverflowError in the client code calling XStream.

References

See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151.

Credits

The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.

For more information

If you have any questions or comments about this advisory:

critical: 0 high: 1 medium: 0 low: 0 org.apache.velocity/velocity 1.7.0 (maven)

pkg:maven/org.apache.velocity/velocity@1.7.0

high 8.8: CVE-2020-13936 Improper Input Validation

Affected range: <=1.7
Fixed version: Not Fixed
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 10.626%
EPSS Percentile: 93rd percentile
Description

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

critical: 0 high: 1 medium: 0 low: 0 commons-io/commons-io 2.7 (maven)

pkg:maven/commons-io/commons-io@2.7

high 8.7: CVE-2024-47554 Uncontrolled Resource Consumption

Affected range: >=2.0, <2.14.0
Fixed version: 2.14.0
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.177%
EPSS Percentile: 40th percentile
Description

Uncontrolled Resource Consumption vulnerability in Apache Commons IO.

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.

This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

critical: 0 high: 1 medium: 0 low: 0 org.eclipse.jetty/jetty-server 10.0.6 (maven)

pkg:maven/org.eclipse.jetty/jetty-server@10.0.6

high 7.5: CVE-2022-2191 Improper Resource Shutdown or Release

Affected range: >=10.0.0, <10.0.10
Fixed version: 10.0.10
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.525%
EPSS Percentile: 66th percentile
Description

Impact

SslConnection does not release ByteBuffers in case of error code paths.
For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger TLS handshake errors, and the ByteBuffers used to process the TLS handshake will be leaked.

Workarounds

Explicitly configure a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked.
Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.

With embedded-jetty

int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();

With jetty-home/jetty-base

Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>

And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini

etc/retainable-byte-buffer-config.xml

References

jetty/jetty.project#8161

For more information

critical: 0 high: 1 medium: 0 low: 0 com.fasterxml.jackson.core/jackson-core 2.13.2 (maven)

pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.2

high 8.7: CVE-2025-52999 Stack-based Buffer Overflow

Affected range: <2.15.0
Fixed version: 2.15.0
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.019%
EPSS Percentile: 4th percentile
Description

Impact

With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackOverflowError if the depth is particularly large.

Patches

jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in FasterXML/jackson-core#943. jackson-core will throw a StreamConstraintsException if the limit is reached.
jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.

Workarounds

Users should avoid parsing input files from untrusted sources.

critical: 0 high: 1 medium: 0 low: 0 org.eclipse.jgit/org.eclipse.jgit 5.2.0.201812061821-r (maven)

pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.2.0.201812061821-r

high 8.8: CVE-2023-4759 Improper Handling of Case Sensitivity

Affected range: <5.13.3.202401111512-r
Fixed version: 5.13.3.202401111512-r
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 1.077%
EPSS Percentile: 77th percentile
Description

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/. A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (5)
README-enterprise.md (2)

34-43: Add language identifier to fenced code block.

The code block showing example output is missing a language identifier. Update the opening ``` to ```bash or ```text for consistency with other code blocks and to help renderers apply proper formatting.

 **Example output:**
-```
+```bash
 Liquibase Enterprise CLI  8.10

345-355: Use markdown headings instead of bold emphasis.

Lines 345 and 357 use bold emphasis (**...**) where markdown headings (###) would be more semantically correct and improve document structure for navigation and tooling.

-**Example: Adding PostgreSQL Client**
+### Example: Adding PostgreSQL Client
 
 ```dockerfile
-**Example: Adding SQL Server Tools**
+### Example: Adding SQL Server Tools
 
 ```dockerfile
.github/workflows/create-release-enterprise.yml (1)

145-163: Add quoting to shell variables and fix unused variable.

Line 150 has unquoted variables that could break with special characters or spaces. Line 160 defines COMMIT_MSG but the variable is not used in the git commit command (string interpolation is used directly instead).

  ENTERPRISE_SHA=$(curl -LsS https://software.datical.com/Datical_DB_Software/Datical_DB_${{ steps.collect-data.outputs.enterpriseVersion }}/DaticalDB-linux.gtk.x86_64-${{ steps.collect-data.outputs.enterpriseVersion }}.jar | sha256sum | awk '{ print $1 }')

-         sed -i 's/^ARG ENTERPRISE_VERSION=.*/ARG ENTERPRISE_VERSION='"${{ steps.collect-data.outputs.enterpriseVersion }}"'/' "${{ github.workspace }}/DockerfileEnterprise"
-         sed -i 's/^ARG ENT_JAR_SHA256=.*/ARG ENT_JAR_SHA256='"$ENTERPRISE_SHA"'/' "${{ github.workspace }}/DockerfileEnterprise"
+         sed -i "s/^ARG ENTERPRISE_VERSION=.*/ARG ENTERPRISE_VERSION=${{ steps.collect-data.outputs.enterpriseVersion }}/" "${{ github.workspace }}/DockerfileEnterprise"
+         sed -i "s/^ARG ENT_JAR_SHA256=.*/ARG ENT_JAR_SHA256=${ENTERPRISE_SHA}/" "${{ github.workspace }}/DockerfileEnterprise"
  git add DockerfileEnterprise

  if git diff-index --cached --quiet HEAD --; then
    echo "Nothing new to commit"
    echo "changes_made=false" >> $GITHUB_OUTPUT
  else
-           COMMIT_MSG="Liquibase Enterprise Version Bumped to ${{ steps.collect-data.outputs.enterpriseVersion }}"
-           git commit -m "${COMMIT_MSG}"
+           git commit -m "Liquibase Enterprise Version Bumped to ${{ steps.collect-data.outputs.enterpriseVersion }}"
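Review bot: quoting alone does not close the injection path in the `sed` lines of this hunk. `${{ steps.collect-data.outputs.enterpriseVersion }}` is expanded by the Actions runner into the script text before bash ever parses it, so shell metacharacters in that step output would run as commands whether the argument is single- or double-quoted; pass the value through `env:` (for example `ENTERPRISE_VERSION: ${{ steps.collect-data.outputs.enterpriseVersion }}`) and reference `"$ENTERPRISE_VERSION"` in the script instead. Separately, the `curl -LsS ... | sha256sum` line has no `--fail`, so on an HTTP error the hash of the error body would be written into `ARG ENT_JAR_SHA256`, and a checksum computed from the download itself only pins whatever was served during this run; it does not verify the artifact against a publisher-provided checksum or signature, which is the property the Dockerfile's SHA256 check is meant to give.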
.github/workflows/test-enterprise.yml (1)

195-218: Add quoting to shell variable expansions to handle paths with spaces.

The command substitutions and path variables should be quoted to safely handle edge cases where paths contain spaces or special characters.

          # Mount license file and verify it's accessible
-         RESULT=$(docker run --rm \
-           -v $(pwd)/test-license:/liquibase/license \
+         RESULT=$(docker run --rm \
+           -v "$(pwd)/test-license:/liquibase/license" \
            liquibase/liquibase-enterprise:${{ github.sha }} \
            cat /liquibase/license/license.lic 2>&1)
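Review bot: the `-v "$(pwd)/test-license:/liquibase/license"` mount in this hunk can be declared read-only (`:ro`), since the container only reads `license.lic` and a license directory should never be writable from inside the image under test. Also, the `-` and `+` lines for `RESULT=$(docker run --rm \` are identical, so the suggested diff should only touch the `-v` line; the duplicate pair is diff noise.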

Apply similar quoting to lines 221 and 247.

DockerfileEnterprise (1)

59-65: Non-standard OCI label.

org.opencontainers.image.licenses.url (line 62) is not a standard OCI image-spec annotation. The standard label is org.opencontainers.image.licenses which you've already set. Consider either removing the custom label or using a vendor-prefixed label like com.liquibase.licenses.url for clarity.

 LABEL org.opencontainers.image.description="Liquibase Enterprise Container Image"
 LABEL org.opencontainers.image.licenses="LicenseRef-Datical-EULA"
-LABEL org.opencontainers.image.licenses.url="https://www.datical.com/eula"
+LABEL com.liquibase.eula.url="https://www.datical.com/eula"
 LABEL org.opencontainers.image.vendor="Liquibase"
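Review bot: the suggested replacement label in this hunk, `com.liquibase.eula.url`, does not match the name proposed in the comment text above it, `com.liquibase.licenses.url`; pick one so the README and Dockerfile agree, and document the chosen vendor-prefixed key where the image labels are described.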
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a02fa3e and 6eedd94.

📒 Files selected for processing (9)
  • .github/workflows/create-release-enterprise.yml (1 hunks)
  • .github/workflows/test-enterprise.yml (1 hunks)
  • .github/workflows/trivy-enterprise.yml (1 hunks)
  • .gitignore (1 hunks)
  • DockerfileEnterprise (1 hunks)
  • README-enterprise.md (1 hunks)
  • autoInstall.xml (1 hunks)
  • docker-entrypoint-enterprise.sh (1 hunks)
  • examples/docker-compose/docker-compose.enterprise.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/Dockerfile*

📄 CodeRabbit inference engine (CLAUDE.md)

**/Dockerfile*: When extending Community images, use FROM liquibase/liquibase:latest as the base and add database drivers using LPM (e.g., lpm add mysql --global)
When extending Secure images, use FROM liquibase/liquibase-secure:latest as the base and set LIQUIBASE_LICENSE_KEY environment variable

Files:

  • DockerfileEnterprise
🧠 Learnings (17)

All learnings below share the same provenance: Learnt from: CR, Repo: liquibase/docker PR: 0, File: CLAUDE.md:0-0, Timestamp: 2025-11-24T16:48:37.150Z.

📓 Common learnings

  • Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)
  • Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`
  • Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`
  • Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`
  • Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes
  • Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG
  • Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability

📚 Learnings applied to files in this PR

  • Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`
    Applied to files: .github/workflows/trivy-enterprise.yml, DockerfileEnterprise, .github/workflows/create-release-enterprise.yml, README-enterprise.md
  • Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior
    Applied to files: docker-entrypoint-enterprise.sh
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability
    Applied to files: docker-entrypoint-enterprise.sh
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, .github/workflows/test-enterprise.yml, README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, .github/workflows/test-enterprise.yml, .github/workflows/create-release-enterprise.yml, README-enterprise.md
  • Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, README-enterprise.md
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, .github/workflows/test-enterprise.yml
  • Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, .github/workflows/test-enterprise.yml, README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, .github/workflows/test-enterprise.yml, .github/workflows/create-release-enterprise.yml, README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Create and use non-root `liquibase` user with UID/GID 1001 for running the container
    Applied to files: docker-entrypoint-enterprise.sh, DockerfileEnterprise, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`
    Applied to files: DockerfileEnterprise, .github/workflows/test-enterprise.yml, .github/workflows/create-release-enterprise.yml, README-enterprise.md
  • Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Base image must use Eclipse Temurin JRE 21 (Jammy) as the foundation
    Applied to files: DockerfileEnterprise
  • Applies to DockerfileSecure : Secure Liquibase versions should be sourced from repo.liquibase.com and controlled via `LIQUIBASE_PRO_VERSION` ARG
    Applied to files: DockerfileEnterprise, README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml
  • Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`
    Applied to files: .github/workflows/test-enterprise.yml, .github/workflows/create-release-enterprise.yml, README-enterprise.md
  • Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`
    Applied to files: .github/workflows/create-release-enterprise.yml, README-enterprise.md
🪛 actionlint (1.7.8)

.github/workflows/trivy-enterprise.yml

  • 246-246: shellcheck reported issue in this script: SC2086:info:2:56: Double quote to prevent globbing and word splitting (shellcheck)

.github/workflows/test-enterprise.yml

  • 47-47: shellcheck reported issue in this script: SC2086:info:4:24: Double quote to prevent globbing and word splitting (shellcheck)
  • 195-195: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting (shellcheck)
  • 221-221: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting (shellcheck)
  • 247-247: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting (shellcheck)
  • 247-247: shellcheck reported issue in this script: SC2046:warning:23:6: Quote this to prevent word splitting (shellcheck)

.github/workflows/create-release-enterprise.yml

  • 145-145: shellcheck reported issue in this script: SC2086:info:13:32: Double quote to prevent globbing and word splitting (shellcheck)
  • 145-145: shellcheck reported issue in this script: SC2086:info:17:31: Double quote to prevent globbing and word splitting (shellcheck)
  • 168-168: shellcheck reported issue in this script: SC2034:warning:5:1: COMMIT_MSG appears unused. Verify use (or export if used externally) (shellcheck)
  • 217-217: shellcheck reported issue in this script: SC2086:info:2:56: Double quote to prevent globbing and word splitting (shellcheck)
  • 230-230: shellcheck reported issue in this script: SC2086:info:3:32: Double quote to prevent globbing and word splitting (shellcheck)
  • 230-230: shellcheck reported issue in this script: SC2086:info:4:40: Double quote to prevent globbing and word splitting (shellcheck)
  • 254-254: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects (shellcheck)
  • 254-254: shellcheck reported issue in this script: SC2086:info:1:57: Double quote to prevent globbing and word splitting (shellcheck)
  • 254-254: shellcheck reported issue in this script: SC2086:info:2:66: Double quote to prevent globbing and word splitting (shellcheck)
  • 254-254: shellcheck reported issue in this script: SC2086:info:3:60: Double quote to prevent globbing and word splitting (shellcheck)
  • 288-288: property "aws_access_key_id" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string} (expression)
  • 289-289: property "aws_secret_access_key" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string} (expression)
  • 298-298: property "aws_access_key_id" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string} (expression)
  • 299-299: property "aws_secret_access_key" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string} (expression)
  • 303-303: shellcheck reported issue in this script: SC2086:info:37:24: Double quote to prevent globbing and word splitting (shellcheck)

🪛 GitHub Check: CodeQL

.github/workflows/trivy-enterprise.yml

  • [warning] 43-43: Unpinned tag for a non-immutable Action in workflow
    Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash
  • [warning] 50-50: Unpinned tag for a non-immutable Action in workflow
    Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash
  • [warning] 65-65: Unpinned tag for a non-immutable Action in workflow
    Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'anchore/sbom-action' with ref 'v0', not a pinned commit hash
  • [warning] 80-80: Unpinned tag for a non-immutable Action in workflow
    Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash


[warning] 91-91: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash


[warning] 102-102: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash


[warning] 115-115: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash


[warning] 128-128: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: grype_scan uses 'anchore/scan-action' with ref 'v5', not a pinned commit hash


[warning] 159-159: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rtCamp/action-slack-notify' with ref 'v2', not a pinned commit hash


[warning] 199-199: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rsdmike/github-security-report-action' with ref 'v3.0.4', not a pinned commit hash


[warning] 232-232: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 239-239: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash


[warning] 250-250: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash


[warning] 256-256: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'docker/scout-action' with ref 'v1.18.2', not a pinned commit hash


[warning] 269-269: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rtCamp/action-slack-notify' with ref 'v2', not a pinned commit hash


[warning] 289-289: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rsdmike/github-security-report-action' with ref 'v3.0.4', not a pinned commit hash

.github/workflows/test-enterprise.yml

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'douglascamata/setup-docker-macos-action' with ref 'v1.0.2', not a pinned commit hash

.github/workflows/create-release-enterprise.yml

[warning] 103-103: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 110-110: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash


[warning] 203-203: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 210-210: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash


[warning] 239-239: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'softprops/action-gh-release' with ref 'v2', not a pinned commit hash


[warning] 249-249: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash


[warning] 250-250: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash


[warning] 261-261: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash


[warning] 268-268: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash


[warning] 276-276: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: configure-aws-credentials-prod uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 283-283: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash


[warning] 293-293: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash


[warning] 348-348: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

🪛 markdownlint-cli2 (0.18.1)
README-enterprise.md

34-34: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


345-345: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


357-357: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: Scout Scan - Liquibase Enterprise
  • GitHub Check: Trivy Scan - Liquibase Enterprise
  • GitHub Check: Build & Test DockerfileEnterprise - macos-15-intel
  • GitHub Check: Build & Test DockerfileEnterprise - ubuntu-latest
  • GitHub Check: Build & Test Dockerfile - macos-15-intel
  • GitHub Check: Build & Test DockerfileSecure - ubuntu-latest
  • GitHub Check: Build & Test Dockerfile.alpine - ubuntu-latest
  • GitHub Check: Build & Test Dockerfile.alpine - macos-15-intel
  • GitHub Check: Build & Test DockerfileSecure - macos-15-intel
  • GitHub Check: Build & Test Dockerfile - ubuntu-latest
  • GitHub Check: Trivy (DockerfileSecure, liquibase/liquibase-secure)
  • GitHub Check: Scout (DockerfileSecure, liquibase/liquibase-secure)
  • GitHub Check: Trivy (Dockerfile.alpine, liquibase/liquibase, -alpine)
  • GitHub Check: Trivy (Dockerfile, liquibase/liquibase)
🔇 Additional comments (14)
.gitignore (1)

3-3: LGTM!

The addition of *.lic to gitignore appropriately prevents accidental license file commits, which is important for security and privacy when handling customer-provided enterprise licenses.

autoInstall.xml (1)

1-23: LGTM!

The IzPack configuration is well-structured and correctly defaults to the paths expected by the entrypoint script and Docker Compose examples. The five selected packages and target installation path align with the PR objectives.

README-enterprise.md (1)

1-507: Comprehensive documentation with strong coverage of enterprise features.

The README provides excellent guidance on licensing, registry options, build instructions, multi-platform support, CI/CD integration patterns, and troubleshooting. Documentation aligns well with the runtime behavior implemented in docker-entrypoint-enterprise.sh and the examples provided in docker-compose.enterprise.yml.

examples/docker-compose/docker-compose.enterprise.yml (1)

1-41: LGTM!

The Docker Compose example correctly demonstrates Liquibase Enterprise usage with service dependencies, volume mounts for license/project, and health checks. The configuration aligns with the documentation and entrypoint behavior.

docker-entrypoint-enterprise.sh (1)

1-28: LGTM!

The entrypoint script correctly implements license auto-detection, project directory mounting, and intelligent command routing. The logic appropriately defaults to hammer commands while allowing direct OS command execution for flexibility (e.g., bash, cat). The set -e safety flag and dual license path checks are well-considered.

.github/workflows/create-release-enterprise.yml (1)

172-181: LGTM!

Tag format v{version}-ENTERPRISE correctly follows the established pattern from learnings for enterprise images. Multi-platform build setup and registry logic are sound.

.github/workflows/trivy-enterprise.yml (2)

1-300: Comprehensive vulnerability scanning with good tooling coverage.

The workflow provides thorough scanning including surface/deep vulnerability analysis, SBOM generation, multiple scanners (Trivy, Grype, Docker Scout), SARIF uploads for visibility, and scheduled runs. Architecture aligns well with enterprise security requirements.


62-62: All helper scripts are present and executable in the repository.

Verification confirms that all four helper scripts referenced in the workflow exist and have proper executable permissions:

  • ✅ scripts/extract-nested-deps.sh
  • ✅ scripts/save-grype-results.sh
  • ✅ scripts/analyze-scan-results.sh
  • ✅ scripts/check-file-exists.sh

No action required on this workflow.

.github/workflows/test-enterprise.yml (1)

1-337: Excellent comprehensive testing with good platform awareness.

The test workflow validates core container functionality (structure, Java, hammer CLI, directories, environment, volumes, entrypoint behavior, licensing, project mounting) with appropriate platform-specific handling for x86-64 vs ARM64. Well-structured assertions, good cleanup, and informative test output make this a strong validation suite.

DockerfileEnterprise (5)

1-9: LGTM!

Builder stage correctly uses Eclipse Temurin JRE 21 base and efficiently combines apt-get operations in a single layer with proper cleanup. The xvfb installation is appropriate for the headless IzPack GUI installer requirement.


11-17: Secure download with SHA256 validation.

Good implementation of installer download with checksum verification. The version is properly parameterized via ARG, following the established pattern for version control. Based on learnings, SHA256 validation is required for security.


19-38: LGTM - Java 21 module compatibility handled correctly.

The extensive --add-opens flags are necessary for Java 21's stricter module system when running IzPack with Groovy reflection. The headless installation via xvfb-run and subsequent cleanup of installer artifacts follows multi-stage build best practices.


40-55: LGTM - Follows security guidelines with OpenShift compatibility.

Correctly creates non-root liquibase user with UID/GID 1001 as per guidelines. The liquibase:root group ownership with g+rx permissions is a good pattern for OpenShift/Kubernetes environments where containers may run with arbitrary UIDs. Working directory properly set to /liquibase. Based on learnings, this follows the established pattern.


74-84: LGTM - Proper entrypoint configuration with non-root execution.

Efficient use of COPY --chmod=755 to set execute permissions in a single layer. Correctly switches to non-root liquibase:liquibase user before defining volumes and entrypoint. The default CMD providing hammer --help is user-friendly for discovery. Based on learnings, switching to non-root user after privileged operations follows the established pattern.

Comment on lines +103 to +130
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }}
aws-region: us-east-1

- name: Get secrets from vault
id: vault-secrets
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,/vault/liquibase
parse-json-secrets: true

- name: Get GitHub App token
id: get-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ env.LIQUIBASE_GITHUB_APP_ID }}
private-key: ${{ env.LIQUIBASE_GITHUB_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
permission-contents: write

- uses: actions/checkout@v6
with:
persist-credentials: false
ref: ${{ github.ref }}
token: ${{ steps.get-token.outputs.token }}
fetch-depth: 0
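Review bot: `parse-json-secrets: true` exports every key of `/vault/liquibase` as a job-wide environment variable (the next step reads `env.LIQUIBASE_GITHUB_APP_ID` and `env.LIQUIBASE_GITHUB_APP_PRIVATE_KEY` from it), so each later step in this job, including the mutable-tag `aws-actions/*@v5`/`@v2` and `actions/create-github-app-token@v2` actions, can read the App private key; pin those refs to commit SHAs and keep secret retrieval in the job that actually needs it. The checkout itself is in good shape: `persist-credentials: false` plus an App token limited to `permission-contents: write`.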

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Pin GitHub Actions to commit hashes for supply chain security.

Multiple third-party actions use version tags (v5, v2, v3, etc.) instead of commit hashes. While version tags are more maintainable, pinning to commit hashes provides stronger protection against supply chain attacks. This is a broader security hardening recommendation for the organization.

Consider pinning key actions to commit SHAs, particularly those handling secrets/credentials:

  • aws-actions/configure-aws-credentials@v5 → aws-actions/configure-aws-credentials@<commit-hash>
  • aws-actions/aws-secretsmanager-get-secrets@v2 → similar
  • softprops/action-gh-release@v2 → similar

This would require regular updates when new versions are released, but provides stronger security guarantees.


I'll verify this review comment by examining the workflow file and checking current best practices for GitHub Actions pinning.




🏁 Script executed:

#!/bin/bash
# Find and examine the create-release-enterprise workflow file
find . -name "create-release-enterprise.yml" -type f | head -5 | xargs -I {} cat {}

Length of output: 15885


🌐 Web query:

GitHub Actions pinning commit hashes vs version tags security best practices 2024

💡 Result:

Summary — 2024 best practice (concise)

  • Strong recommendation: pin third‑party Actions to a full‑length commit SHA (immutable). This is the most secure option against tag‑moves and malicious updates. [1][2]
  • Tags (e.g., @V3) are convenient but riskier: tags can be moved/recreated if a repo is compromised — only use tags for authors you fully trust (prefer Verified creators) and accept the risk. [1][2]
  • Watch for “unpinnable” Actions (they pull dynamic code or remote artifacts): pinning the SHA doesn’t neutralize those risks — avoid or audit them. [2]
  • Governance: enable/require SHA pinning and/or block specific actions at org/repo level via GitHub’s allowed‑actions policy. This central enforcement is recommended for organizations. [2][4]
  • Tooling & maintenance tradeoffs:
    • Pinning SHAs improves security but makes updates manual. Add the human‑readable tag/version in a comment next to the SHA to track versions. [2]
    • Dependabot/alerting caveat: Dependabot alerts and some automated updates rely on semver tags and won’t create alerts for actions pinned to SHAs — plan compensating monitoring. [1]
    • Use automation (scripts/actions) to pin SHAs and to periodically refresh/verify pinned SHAs from upstream. [5][6]
  • Practical minimal checklist:
    1. Pin third‑party actions to full commit SHAs. [1][2]
    2. Enable org/repo policy to enforce SHA pinning and blocklisted actions. [2][4]
    3. Audit action code (or use Verified creators), avoid unpinnable actions. [1][2][3]
    4. Maintain a lightweight process to update SHAs and monitor advisories (Dependabot + manual checks for SHA‑pinned actions). [1][3]

Sources
[1] GitHub Docs — Security hardening for GitHub Actions (pin to full SHA; Dependabot caveat). (docs.github.com)
[2] GitHub Well‑Architected / Actions security (recommend SHA pinning; unpinnable actions). (wellarchitected.github.com)
[3] Snyk Labs — supply‑chain guidance for GitHub Actions (recommend pinning to commit SHAs). (labs.snyk.io)
[4] GitHub changelog — policy: enforce SHA pinning / block actions. (github.blog)
[5] pinsha / tooling examples (automation to pin SHAs). (zkamvar.github.io)


Pin GitHub Actions to commit hashes for supply chain security.

Multiple third-party actions use version tags (v5, v2, v3, etc.) instead of commit hashes. Version tags are convenient but riskier because tags can be moved or recreated if a repository is compromised. Pinning to full-length commit SHAs is the recommended approach for stronger protection against supply chain attacks.

Update these actions in your workflow:

  • aws-actions/configure-aws-credentials@v5 (lines 95, 206)
  • aws-actions/aws-secretsmanager-get-secrets@v2 (lines 101, 148)
  • softprops/action-gh-release@v2 (line 234)
  • actions/create-github-app-token@v2 (line 108)

Add a human-readable tag or version in a comment next to each SHA to track versions, and plan for periodic updates when upstream actions release new versions.

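A local check for the unpinned-tag condition raised here, as an added shell example that is not part of the PR or its workflows: it lists `uses:` values that are not a full 40-hex commit SHA and, separately, SHA-pinned references that lack the version comment the review asks for. The sample workflow, the placeholder SHAs and the `TRUSTED_OWNERS_RE` allow-list (`actions` and `github`, mirroring which owners the CodeQL warnings above leave unflagged) are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: find `uses:` references in a workflow file
# that are pinned to a tag or branch instead of a full 40-hex commit SHA.
# Assumptions: owners matched by TRUSTED_OWNERS_RE are exempt (the CodeQL warnings
# above leave actions/* and github/* unflagged); local (./) and docker:// refs skip.
set -eu

TRUSTED_OWNERS_RE="${TRUSTED_OWNERS_RE:-actions|github}"

# Normalise every `uses:` line in FILE to just its value (quotes and trailing
# "# comment" removed), one per line.
uses_refs() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E "s/^[^:]*:[[:space:]]*//; s/[\"']//g; s/[[:space:]]+#.*\$//" || true
}

# Third-party references not pinned to a commit SHA. Prints nothing when clean.
unpinned_uses() {
  uses_refs "$1" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev "^($TRUSTED_OWNERS_RE)/" \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# SHA-pinned references that lack the "# vX.Y.Z" comment the review asks for,
# so the SHA stays traceable to a release when it is time to update it.
pinned_without_version_comment() {
  grep -E "uses:[[:space:]]*[\"']?[^#[:space:]\"']*@[0-9a-f]{40}[\"']?[[:space:]]*\$" "$1" \
    | sed -E "s/^[^:]*:[[:space:]]*//; s/[\"']//g" || true
}

# Gate for CI: 0 when FILE has no unpinned third-party references, 1 otherwise.
check_pinned_uses() {
  local unpinned
  unpinned=$(unpinned_uses "$1")
  [ -z "$unpinned" ] && return 0
  printf 'unpinned action references in %s:\n%s\n' "$1" "$unpinned" >&2
  return 1
}

# --- Constructed sample workflow (the SHAs are placeholders, not real commits) ---
DEMO_WF=$(mktemp)
cat > "$DEMO_WF" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@v6
      - uses: aws-actions/configure-aws-credentials@v5
      - uses: "aquasecurity/trivy-action@0.33.1"
      - uses: docker/login-action@1111111111111111111111111111111111111111 # v3 (placeholder)
      - uses: anchore/sbom-action@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
EOF

if ! check_pinned_uses "$DEMO_WF"; then
  echo "fix the references above before merging" >&2
fi
missing=$(pinned_without_version_comment "$DEMO_WF")
[ -z "$missing" ] || printf 'SHA-pinned without a version comment:\n%s\n' "$missing"
```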

Comment on lines +150 to +153
ENTERPRISE_SHA=$(curl -LsS https://software.datical.com/Datical_DB_Software/Datical_DB_${{ steps.collect-data.outputs.enterpriseVersion }}/DaticalDB-linux.gtk.x86_64-${{ steps.collect-data.outputs.enterpriseVersion }}.jar | sha256sum | awk '{ print $1 }')

sed -i 's/^ARG ENTERPRISE_VERSION=.*/ARG ENTERPRISE_VERSION='"${{ steps.collect-data.outputs.enterpriseVersion }}"'/' "${{ github.workspace }}/DockerfileEnterprise"
sed -i 's/^ARG ENT_JAR_SHA256=.*/ARG ENT_JAR_SHA256='"$ENTERPRISE_SHA"'/' "${{ github.workspace }}/DockerfileEnterprise"
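Review bot: the `curl -LsS` on line 150 lacks `-f`/`--fail`, so a 404 or maintenance page is piped into `sha256sum` and the digest of that error body is written into DockerfileEnterprise by the second `sed`; add `-f` and refuse to continue unless the result is a 64-hex digest, e.g. `[[ "$ENTERPRISE_SHA" =~ ^[0-9a-f]{64}$ ]] || { echo "bad digest"; exit 1; }`. Also pass `steps.collect-data.outputs.enterpriseVersion` through `env:` and reference it as `"$ENTERPRISE_VERSION"` instead of interpolating `${{ }}` directly into the script, so the value is never re-parsed by the shell.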

⚠️ Potential issue | 🔴 Critical

Add SHA256 verification against known value.

Line 150 downloads the enterprise JAR's SHA256 hash but never validates it against a known/expected value. This means a man-in-the-middle or compromised download could introduce a malicious installer. The workflow should verify the hash matches an expected value from a trusted source.

Consider either:

  1. Maintain a hardcoded hash for each version in the workflow
  2. Fetch the hash from a signed/verified source
  3. Check against a manifest maintained in the repository

Example approach (fetch from signed manifest):

# Example - adapt based on actual manifest location/format
EXPECTED_SHA=$(curl -s https://trusted-source/hashes.txt | grep "DaticalDB-linux.*${{ steps.collect-data.outputs.enterpriseVersion }}" | awk '{print $1}')
ACTUAL_SHA=$(curl -LsS https://software.datical.com/... | sha256sum | awk '{ print $1 }')
if [ "$EXPECTED_SHA" != "$ACTUAL_SHA" ]; then
  echo "SHA256 verification failed!"
  exit 1
fi
🤖 Prompt for AI Agents
.github/workflows/create-release-enterprise.yml around lines 150-153: the
workflow computes ENTERPRISE_SHA from the downloaded JAR but never verifies it;
add a verification step before updating DockerfileEnterprise that obtains the
expected SHA from a trusted source (hardcoded map per version, a signed manifest
fetched from a trusted URL, or a repo-maintained manifest), compare the
EXPECTED_SHA to the ACTUAL_SHA, and if they differ print an error and exit
non-zero so the job fails; only proceed to sed/update the DockerfileEnterprise
when the hashes match.
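Failing closed on the digest check this comment asks for, as an added shell example that is not part of the PR or its workflows: it assumes a repository-maintained manifest of `<version> <sha256>` lines (the comment's option 3), a hypothetical `enterprise-sha256.txt` file name, and constructs a demo installer file so it runs offline; every version string and digest in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: verify a downloaded installer against a
# SHA256 manifest kept in the repository (the comment's option 3) and fail closed.
# Assumptions: manifest lines are "<version> <sha256>", the file names and
# versions below are constructed, and sha256sum is available (as in the workflow).
set -eu

# Print the expected digest for VERSION from MANIFEST; return 1 if the version
# is not listed, so an unknown release can never be built by accident.
expected_sha_for_version() {
  local manifest="$1" version="$2" sha
  # Force string comparison: a numeric compare would treat "8.10" and "8.1" as equal.
  sha=$(awk -v v="$version" '($1 "") == (v "") { print $2; exit }' "$manifest")
  if [ -z "$sha" ]; then
    echo "no manifest entry for version $version" >&2
    return 1
  fi
  printf '%s\n' "$sha"
}

# Compare FILE's SHA256 with the manifest entry for VERSION.
# Returns 0 on match, 1 on mismatch or unknown version, 2 on a malformed digest.
verify_installer() {
  local manifest="$1" version="$2" file="$3" expected actual
  expected=$(expected_sha_for_version "$manifest" "$version") || return 1
  # A digest is exactly 64 hex characters; anything else (an HTML error page
  # that was hashed upstream, a typo in the manifest) must stop the build.
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "malformed expected digest for version $version: $expected" >&2
    return 2
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# --- Constructed demo data (not a real Liquibase Enterprise artifact) ---
DEMO_DIR=$(mktemp -d)
printf 'constructed installer payload\n' > "$DEMO_DIR/DaticalDB-demo.jar"
DEMO_SHA=$(sha256sum "$DEMO_DIR/DaticalDB-demo.jar" | awk '{ print $1 }')
# One "<version> <sha256>" line per release; in the workflow this file would be
# committed to the repo and updated together with ARG ENTERPRISE_VERSION.
MANIFEST="$DEMO_DIR/enterprise-sha256.txt"
cat > "$MANIFEST" <<EOF
9.9.901 $DEMO_SHA
9.9.902 0000000000000000000000000000000000000000000000000000000000000000
9.9.903 not-a-digest
EOF

if verify_installer "$MANIFEST" 9.9.901 "$DEMO_DIR/DaticalDB-demo.jar"; then
  echo "9.9.901: digest matches, safe to write ARG ENT_JAR_SHA256=$DEMO_SHA"
fi
```

Only when `verify_installer` returns 0 should the workflow run the two `sed` edits on DockerfileEnterprise.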

Comment on lines +43 to +216
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: ${{ secrets.LIQUIBASE_VAULT_OIDC_ROLE_ARN }}
aws-region: us-east-1

- name: Get secrets from vault
id: vault-secrets
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,/vault/liquibase
parse-json-secrets: true

- name: Build liquibase/liquibase-enterprise from DockerfileEnterprise
run: |
docker build -f DockerfileEnterprise -t liquibase/liquibase-enterprise:${{ github.sha }} .

- name: Extract nested JARs and Python packages for deep scanning
run: |
scripts/extract-nested-deps.sh liquibase/liquibase-enterprise:${{ github.sha }}

- name: Generate SBOM with Syft
uses: anchore/sbom-action@v0
with:
image: "liquibase/liquibase-enterprise:${{ github.sha }}"
format: "spdx-json"
output-file: "sbom.spdx.json"

- name: Upload SBOM as artifact
if: always()
uses: actions/upload-artifact@v5
with:
name: sbom-enterprise
path: sbom.spdx.json
retention-days: 30

- name: Run Trivy vulnerability scanner (Surface Scan - SARIF)
uses: aquasecurity/[email protected]
with:
image-ref: "liquibase/liquibase-enterprise:${{ github.sha }}"
vuln-type: "os,library"
format: "sarif"
output: "trivy-surface.sarif"
severity: "HIGH,CRITICAL"
exit-code: "0"
limit-severities-for-sarif: true

- name: Run Trivy vulnerability scanner (Surface Scan - JSON)
uses: aquasecurity/[email protected]
with:
image-ref: "liquibase/liquibase-enterprise:${{ github.sha }}"
vuln-type: "os,library"
format: "json"
output: "trivy-surface.json"
severity: "HIGH,CRITICAL"
exit-code: "0"

- name: Run Trivy scanner on extracted nested JARs (Deep Scan - SARIF)
if: always()
uses: aquasecurity/[email protected]
with:
scan-type: "rootfs"
scan-ref: "/tmp/extracted-deps"
vuln-type: "library"
format: "sarif"
output: "trivy-deep.sarif"
severity: "HIGH,CRITICAL"
exit-code: "0"
limit-severities-for-sarif: true

- name: Run Trivy scanner on extracted nested JARs (Deep Scan - JSON)
if: always()
uses: aquasecurity/[email protected]
with:
scan-type: "rootfs"
scan-ref: "/tmp/extracted-deps"
vuln-type: "library"
format: "json"
output: "trivy-deep.json"
severity: "HIGH,CRITICAL"
exit-code: "0"

- name: Run Grype scanner on SBOM
if: always()
id: grype_scan
uses: anchore/scan-action@v5
with:
sbom: "sbom.spdx.json"
fail-build: false
severity-cutoff: high
output-format: sarif
continue-on-error: true

- name: Save Grype results to file
if: always()
run: |
scripts/save-grype-results.sh

- name: Combine scan results and check for failures
if: always()
env:
IMAGE_NAME: liquibase/liquibase-enterprise
IMAGE_SUFFIX: ""
run: |
scripts/analyze-scan-results.sh

- name: Upload enhanced vulnerability report
if: always()
uses: actions/upload-artifact@v5
with:
name: vulnerability-report-enterprise
path: vulnerability-report-enhanced.md
retention-days: 90

- name: Notify Slack on Build Failure
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_COLOR: "failure"
SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Triggered by repository: ${{ github.repository }} and job: ${{ github.job }}"
SLACK_TITLE: "❌ ${{ github.repository }} ❌ Trivy failed on branch ${{ github.ref_name }} for commit ${{ github.sha }} in repository ${{ github.repository }}"
SLACK_USERNAME: liquibot
SLACK_WEBHOOK: ${{ env.DOCKER_SLACK_WEBHOOK_URL }}
SLACK_ICON_EMOJI: ":whale:"
SLACK_FOOTER: "${{ github.repository }} - liquibase/liquibase-enterprise:${{ github.sha }}"
SLACK_LINK_NAMES: true

- name: Upload Trivy Surface scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: "trivy-surface.sarif"
category: "liquibase/liquibase-enterprise-surface"

- name: Upload Trivy Deep scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: "trivy-deep.sarif"
category: "liquibase/liquibase-enterprise-deep"

- name: Check if Grype SARIF exists
if: always()
id: check_grype
run: |
scripts/check-file-exists.sh grype-results.sarif exists

- name: Upload Grype scan results to GitHub Security tab
if: always() && steps.check_grype.outputs.exists == 'true'
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: "grype-results.sarif"
category: "liquibase/liquibase-enterprise-grype"

- name: Generate Security Report
if: always()
uses: rsdmike/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
outputDir: ./reports/trivy-enterprise/
sarifReportDir: .

- name: Upload Security Report
if: always()
uses: actions/upload-artifact@v5
with:
name: security-report-trivy-enterprise
path: ./reports/trivy-enterprise/summary.pdf

- name: Upload Scan Summary
if: always()
uses: actions/upload-artifact@v5
with:
name: scan-summary-enterprise
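Review bot: `if: always()` on the Trivy deep scans, the Grype scan and `save-grype-results.sh` makes them run even when the image build or `extract-nested-deps.sh` failed, at which point `/tmp/extracted-deps` and `sbom.spdx.json` do not exist and the steps fail for the wrong reason (they also run after a cancellation); leave those on the default `success()` condition and keep `always()` for the upload, combine and notification steps. With every Trivy step at `exit-code: "0"` and Grype at `fail-build: false`, `scripts/analyze-scan-results.sh` is the only gate, so confirm it exits non-zero on HIGH/CRITICAL findings or the "check for failures" step name overpromises.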

⚠️ Potential issue | 🟠 Major

Supply chain security: Pin GitHub Actions to commit hashes.

Similar to create-release-enterprise.yml, this workflow uses unpinned action versions (v5, v2, v0, 0.33.1, etc.). Pin these to commit hashes for stronger protection against supply chain attacks, particularly for security-sensitive operations.

🤖 Prompt for AI Agents
.github/workflows/trivy-enterprise.yml lines 43-216: multiple "uses:
owner/action@vX" entries are unpinned which is a supply-chain risk; replace each
tagged version with the corresponding full commit SHA from the action's
repository (e.g., aws-actions/configure-aws-credentials@<commit-sha>), keeping
the same owner/repo path, and update all occurrences
(aws-actions/configure-aws-credentials,
aws-actions/aws-secretsmanager-get-secrets, anchore/sbom-action,
actions/upload-artifact, aquasecurity/trivy-action, anchore/scan-action,
rtCamp/action-slack-notify, github/codeql-action/upload-sarif,
rsdmike/github-security-report-action, etc.); to fix, look up the latest stable
commit SHA for each action on its GitHub repo, replace the @version with
@<full-commit-sha> in this workflow, and commit the change (optionally add a
short comment linking to the SHA sources for future maintenance).

jandroav and others added 3 commits November 25, 2025 14:55
Fixed the failing GitHub Actions test workflow for Enterprise image by:

1. **Added AWS Secrets Manager integration**:
   - Added id-token: write permission for OIDC authentication
   - Configured AWS credentials using liquibase vault OIDC role
   - Retrieved ENTERPRISE_LICENSE from /vault/liquibase secret
   - Created test-license/license.lic file from vault secret

2. **Fixed entrypoint script test**:
   - Added set +e/set -e to handle non-zero exit codes
   - Mount real license file during test
   - Updated grep pattern to include more keywords (options, datical)
   - Prevents test failure when hammer exits with error code

3. **Updated platform-specific tests**:
   - Mount license file for 'hammer show version' test
   - Updated test description to reflect license usage
   - Changed grep pattern to check for CLI/Core version info

4. **Updated license mounting test**:
   - Renamed from "without actual license" to "with real license"
   - Removed dummy license file creation
   - Use real license from vault instead
   - Check for non-empty license content

5. **Added cleanup step**:
   - Added "Cleanup license file" step with if: always()
   - Ensures license is removed from runner after tests
   - Updated summary notes to reflect vault usage

This ensures all tests can properly verify hammer functionality with a valid
license while maintaining security by fetching credentials from AWS Secrets Manager.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87216c3 and 8057d05.

📒 Files selected for processing (1)
  • .github/workflows/test-enterprise.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability
📚 Learning: 2025-11-24T16:48:37.150Z
Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Applied to files:

  • .github/workflows/test-enterprise.yml
🪛 GitHub Check: CodeQL
.github/workflows/test-enterprise.yml

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash


[warning] 47-47: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash


[warning] 61-61: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'douglascamata/setup-docker-macos-action' with ref 'v1.0.2', not a pinned commit hash

🔇 Additional comments (3)
.github/workflows/test-enterprise.yml (3)

72-72: Review soft error suppression that may mask real test failures.

Multiple test steps use || true or set +e to suppress errors:

  • Line 72: docker run ... || true — silently ignores failure
  • Lines 191, 195: set +e before docker run, then set -e after — disables strict error checking

These patterns risk hiding genuine failures. If the entrypoint test at line 189–207 is meant to validate hammer execution, it should fail loudly on unexpected errors, not warn softly. Verify whether permissive error handling is intentional or should be tightened to catch regressions.

Also applies to: 191-191, 195-195


270-289: Clarify working directory change test expectations against entrypoint contract.

Lines 270–289 test whether the working directory changes to /liquibase/project when a project volume is mounted. However, line 286–289 only issues a warning if the directory does not change, suggesting the behavior is optional:

else
  echo "⚠️  Note: Working directory did not change (may be expected behavior)"
fi

Based on learnings about docker-entrypoint.sh, automatic directory change should be triggered when /liquibase/project is mounted. If that is the expected contract, this test should fail hard on mismatch. If it is optional or platform-dependent, clarify the entrypoint spec or gate the test to x86-64 only (as done in lines 323–346).


364-368: Strengthen cleanup to handle partial test failure scenarios.

The cleanup step (line 364–368) only removes test-license, which is safe because it will succeed even if the step that created it failed. However, inline cleanups at lines 268 and 306 depend on tests reaching those lines. If an earlier assertion fails, temporary directories may persist.

Consider adding a more robust cleanup:

      - name: Cleanup license file
        if: always()
        run: |
          rm -rf test-license
+         rm -rf test-project test-project-workdir
          echo "Temporary test files cleaned up"

This ensures all transient artifacts are removed regardless of which test fails.

uses: actions/checkout@v6

- name: Configure AWS credentials for vault access
uses: aws-actions/configure-aws-credentials@v5
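Review bot: `actions/checkout@v6` in this hunk is also referenced by a mutable tag, not only the `aws-actions/configure-aws-credentials@v5` line that CodeQL flags; pinning should be applied to every `uses:` entry in the step, including first-party actions, using the full commit SHA rather than an abbreviated one, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, with the tag kept in a trailing comment as the earlier note suggests so the source of each SHA stays traceable.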
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Pin Actions to immutable commit hashes for supply-chain security.

CodeQL flags three unpinned Actions:

  • Line 40: aws-actions/configure-aws-credentials@v5
  • Line 47: aws-actions/aws-secretsmanager-get-secrets@v2
  • Line 61: douglascamata/[email protected]

Pinning to commit SHAs prevents accidental or malicious updates to Actions.

Also applies to: 47-47, 61-61


🏁 Script executed:

#!/bin/bash
# Check current commit hashes for each Action
echo "Fetching action commit hashes..."
curl -s "https://api.github.com/repos/aws-actions/configure-aws-credentials/commits?per_page=1&ref=v5" | jq '.[0].sha' | head -c 10
echo " (aws-actions/configure-aws-credentials@v5)"
curl -s "https://api.github.com/repos/aws-actions/aws-secretsmanager-get-secrets/commits?per_page=1&ref=v2" | jq '.[0].sha' | head -c 10
echo " (aws-actions/aws-secretsmanager-get-secrets@v2)"
curl -s "https://api.github.com/repos/douglascamata/setup-docker-macos-action/commits?per_page=1&ref=v1.0.2" | jq '.[0].sha' | head -c 10
echo " (douglascamata/[email protected])"

Length of output: 205


Pin GitHub Actions to immutable commit hashes for supply-chain security.

Unpinned action versions introduce supply-chain risk. Pin the following to their commit hashes:

  • Line 40: aws-actions/configure-aws-credentials@v5 → pin to c2d97f116
  • Line 47: aws-actions/aws-secretsmanager-get-secrets@v2 → pin to 8d2df8d4e
  • Line 61: douglascamata/[email protected] → pin to 1a5b5b065

Using semantic version tags allows unauthorized code changes to run in your CI pipeline. Pinning prevents this.

🤖 Prompt for AI Agents
.github/workflows/test-enterprise.yml lines 40, 47 and 61: the workflow is using
floating action tags which create supply-chain risk; update the action
references to immutable commit SHAs by replacing
aws-actions/configure-aws-credentials@v5 with
aws-actions/configure-aws-credentials@c2d97f116 (line 40),
aws-actions/aws-secretsmanager-get-secrets@v2 with
aws-actions/aws-secretsmanager-get-secrets@8d2df8d4e (line 47), and
douglascamata/[email protected] with
douglascamata/setup-docker-macos-action@1a5b5b065 (line 61); ensure the exact
commit hashes are used and run the workflow to verify no behavior changes.

Comment on lines 53 to 57
- name: Write license file for testing
run: |
mkdir -p test-license
echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
chmod 644 test-license/license.lic
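Review bot: the `echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}"` line interpolates the secret into the script body before the shell runs, so its bytes become part of the script text and any quote or newline in the value breaks the quoting; expose it to the step through an `env:` block instead and write `"$ENTERPRISE_LICENSE"` from the shell variable. Create the file under `umask 077` before the redirection rather than `chmod 644` after it, so there is no window where the file is world-readable. Note also that `aws-secretsmanager-get-secrets` with JSON parsing exports the secret as an environment variable rather than a step output (as the later commit in this thread states), so `steps.vault-secrets.outputs.ENTERPRISE_LICENSE` expands to an empty string here.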
⚠️ Potential issue | 🟠 Major

Mitigate secrets leakage and use safe redirection for license file.

Line 56 echoes a vault secret directly into a file. While GitHub Actions masks secrets in logs, this is risky; prefer using a temporary file with restricted permissions. Additionally, line 57 explicitly chmod 644 after creation is unnecessary overhead.

Consider using a safer pattern:

      - name: Write license file for testing
        run: |
          mkdir -p test-license
-         echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
-         chmod 644 test-license/license.lic
+         echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
+         chmod 600 test-license/license.lic

The default umask should create files with secure permissions; use 600 (owner read/write only) for sensitive license data instead of 644.

📝 Committable suggestion (replaces lines 53-57):

      - name: Write license file for testing
        run: |
          mkdir -p test-license
          echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
          chmod 600 test-license/license.lic
🤖 Prompt for AI Agents
.github/workflows/test-enterprise.yml lines 53-57: the workflow currently echoes
the vault secret directly which can leak to logs and creates a world-readable
file; instead write the secret using a safe redirection that does not print the
value (e.g. use a here-doc or redirected write that avoids expansion to stdout),
ensure the file is created with restrictive permissions (use umask or create the
file with mode 600) and remove the unnecessary chmod 644; implement creating the
test-license dir, write the license to test-license/license.lic with owner-only
read/write, and do not echo the secret to stdout.

jandroav and others added 3 commits November 25, 2025 15:16
The license file is a binary file, but AWS Secrets Manager stores it as
hex dump text. Updated the workflow to convert the hex string to binary:

- Use `tr -d ' \n'` to remove spaces and newlines from hex dump
- Use `xxd -r -p` to convert hex string to binary data
- Added verification logging to show file size after conversion

This ensures the .lic file is properly written as binary data rather than
as text containing hex characters.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
The aws-secretsmanager-get-secrets action with parse-json-secrets sets
the secret as an environment variable, not as a step output. Changed to
reference it via ${{ env.ENTERPRISE_LICENSE }} instead of step output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
The entrypoint script intentionally does NOT change to /liquibase/project
to avoid permission issues when Liquibase Enterprise writes daticaldb.log
to the current working directory.

Updated the test to:
- Keep the warning message about working directory not changing
- Use absolute path (/liquibase/project/test-file.txt) instead of relative
- Update success message to reflect absolute path usage
- Update comments to explain the design decision

This matches the actual behavior and best practices for the Enterprise image.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
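The two points above, the license-file write reviewed by CodeRabbit and the hex-dump-to-binary conversion from the later commit, combined into one POSIX shell helper. This is an added example, not code from the liquibase/docker workflow: it reads the secret from stdin (so it is never part of a command line or a `${{ }}` expansion), decodes the hex without depending on `xxd`, and creates the file under `umask 077` so it is owner-only from the moment it exists; the hex sample in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the liquibase/docker workflow): write a hex-dumped
# license from Secrets Manager to disk without passing the secret on a command
# line or through ${{ }} expansion inside a run: script.
set -eu

# Return 0 if $1 is a non-empty, even-length string of hex digits.
validate_hex() {
  case "$1" in
    ""|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ $(( ${#1} % 2 )) -eq 0 ]
}

# Decode an already-validated hex string to raw bytes on stdout. Pure POSIX
# shell (no xxd): each pair becomes a three-digit octal escape for printf.
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    pair=$(printf '%.2s' "$h")
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read the hex dump from stdin, e.g. printf '%s' "$ENTERPRISE_LICENSE" | ...,
# strip whitespace, validate, and write the binary file with mode 600.
write_license_file() {
  dest=$1
  hex=$(tr -d ' \t\r\n')
  validate_hex "$hex" || { echo "license secret is not a hex dump" >&2; return 1; }
  mkdir -p "$(dirname "$dest")"
  # umask 077 makes the redirection create the file owner-only: no chmod race.
  ( umask 077; hex_to_bin "$hex" > "$dest" )
  expected=$(( ${#hex} / 2 ))
  actual=$(( $(wc -c < "$dest") ))
  [ "$actual" -eq "$expected" ] || { echo "size mismatch: $actual != $expected" >&2; return 1; }
  echo "wrote $actual bytes to $dest (mode $(file_mode "$dest"))"
}
```

In a workflow step the secret would be supplied as `printf '%s' "$ENTERPRISE_LICENSE" | write_license_file test-license/license.lic` with the variable coming from the action's exported environment, never from an inline expression.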