From dee3cd58c97b9b79da2080f530b788395c2d60eb Mon Sep 17 00:00:00 2001
From: framton1678-del
Date: Mon, 27 Oct 2025 13:23:04 -0400
Subject: [PATCH 1/8] Add CodeQL analysis workflow configuration

---
 .github/workflows/codeql.yml | 99 ++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..d179055f
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,99 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '33 7 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: ruby
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"

From 7234e41264fb99b778fd0b516f7778bba606157d Mon Sep 17 00:00:00 2001
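Review bot: Every action in this workflow is pinned to a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so each run executes whatever commit those tags point to at the time; pinning to a full commit SHA with a version comment is the usual supply-chain hardening for a job granted `security-events: write`. The matrix analyzes only `ruby` with `build-mode: none`, and the template's own note says that set was auto-detected, so it is worth confirming it matches the repository's languages. A minor style point: `category: "/language:${{matrix.language}}"` omits the spaces inside the expression that `${{ matrix.language }}` uses elsewhere in the file.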
From: framton1678-del
Date: Mon, 27 Oct 2025 23:18:35 -0400
Subject: [PATCH 2/8] Create workflow for testing JS vulnerabilities

Added a GitHub Actions workflow for testing JavaScript vulnerabilities using Liquibase and a vulnerability scanning action.
---
 .github/workflows/main.yml | 279 +++++++++++++++++++++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..d3e3812a
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,279 @@
+ - name: Liquibase Connect Action
+ # You may pin to the exact commit or the version.
+ # uses: liquibase-github-actions/connect@1c0ef25a2b6b2b6469be7252bc1925c5ca693a9e
+ uses: liquibase-github-actions/connect@v4.33.0
+ with:
+ # The default catalog name to use for the database connection
+ defaultCatalogName: # optional
+ # The default schema name to use for the database connection
+ defaultSchemaName: # optional
+ # The JDBC driver class
+ driver: # optional
+ # The JDBC driver properties file
+ driverPropertiesFile: # optional
+ # Password to use to connect to the database
+ password: # optional
+ # *required* The JDBC database connection URL
+ url:
+ # Username to use to connect to the database
+ username: # optional
+ # If true, a subset of the MdcKeys, as defined by product, will be set to empty strings upon system startup.
+ addEmptyMdcValues: # optional
+ # Allows duplicated changeset identifiers without failing Liquibase execution.
+ allowDuplicatedChangesetIdentifiers: # optional
+ # If true, drop and recreate a view instead of replacing it.
+ alwaysDropInsteadOfReplace: # optional
+ # When generating SQL for createProcedure, should the procedure schema be forced to the default schema if no schemaName attribute is set?
+ alwaysOverrideStoredLogicSchema: # optional
+ # Liquibase caches the results from the config endpoint, and this value determines how long that cache should live for before being refreshed.
+ analyticsConfigCacheTimeoutMillis: # optional
+ #
+ analyticsConfigEndpointTimeoutMillis: # optional
+ #
+ analyticsConfigEndpointUrl: # optional
+ # By default, Liquibase will not send analytics in dev (non release) builds. To override this behavior, set this value to true and provide a value for liquibase.analytics.configEndpointUrl
+ analyticsDevOverride: # optional
+ # Enable or disable sending product usage data and analytics to Liquibase. Learn more at https://docs.liquibase.com/analytics.
+ analyticsEnabled: # optional
+ # Number of characters of the license key that should be appended to the userId. This is used in the event that the same customer has multiple license keys associated with them.
+ analyticsLicenseKeyChars: # optional
+ #
+ analyticsLogLevel: # optional
+ # By default, the timeout for sending data to the remote endpoint is configured in the config endpoint. Any value set here will override that value.
+ analyticsTimeoutMillis: # optional
+ # Should Liquibase automatically include REORG TABLE commands when needed?
+ autoReorg: # optional
+ # Number of seconds wait between checks to the changelog lock when it is locked
+ changelogLockPollRate: # optional
+ # Number of minutes to wait for the changelog lock to be available before giving up
+ changelogLockWaitTimeInMinutes: # optional
+ # Configures how to handle unknown fields in changelog files. Possible values: STRICT which causes parsing to fail, and LAX which continues with the parsing.
+ changelogParseMode: # optional
+ # Enable liquibase-checks extension compatibility check. Can be used when running tests to turn off the check.
+ checksCompatibilityEnabled: # optional
+ # Additional classpath entries to use
+ classpath: # optional
+ # Should Liquibase convert to/from STANDARD data types. Applies to both snapshot and update commands.
+ convertDataTypes: # optional
+ # [PRO]Relative or fully qualified path to a yaml file containing key:value data to inject or exclude data from JSON structured logs. Learn more at https://docs.liquibase.com/structured-logging
+ customLogDataFile: # optional
+ # [PRO]The frequency that the custom log data will be entered into the logs. Available options are: ONCE,REPEATED
+ customLogDataFrequency: # optional
+ # Name of table to use for tracking concurrent Liquibase usage
+ databaseChangelogLockTableName: # optional
+ # Name of table to use for tracking change history
+ databaseChangelogTableName: # optional
+ # Class to use for Database implementation
+ databaseClass: # optional
+ # The index name for the DATABASECHANGELOG table on DB2 z/OS
+ db2zDatabasechangelogIndex: # optional
+ # The index name for the DATABASECHANGELOGLOCK table on DB2 z/OS
+ db2zDatabasechangeloglockIndex: # optional
+ # The database name for the Liquibase tracking tables on DB2 z/OS
+ db2zTrackingTablesLocationDatabase: # optional
+ # The tablespace name for the Liquibase tracking tables on DB2 z/OS
+ db2zTrackingTablesLocationTablespace: # optional
+ # If true, extensions are captured in the history table
+ dbclhistoryCaptureExtensions: # optional
+ # If true, executed SQL is captured in the history table
+ dbclhistoryCaptureSql: # optional
+ # [PRO]This property enables Liquibase Pro users to store a record of all database changing liquibase operations in a new table DATABASECHANGELOGHISTORY. This table includes records of rollback, dropalls, and repeated runOnChange type activity, which is not available in the standard DATABASECHANGELOG table.
+ dbclhistoryEnabled: # optional
+ # The exit code to use if an exception is encountered while recording history events
+ dbclhistorySeverity: # optional
+ #
+ dbclhistoryTableName: # optional
+ # The DDL_LOCK_TIMEOUT parameter indicates the number of seconds a DDL command should wait for the locks to become available before throwing the resource busy error message. This applies only to Oracle databases.
+ ddlLockTimeout: # optional
+ # File with default Liquibase properties
+ defaultsFile: # optional
+ # Should Liquibase compare column order in diff operation?
+ diffColumnOrder: # optional
+ # How to handle multiple files being found in the search path that have duplicate paths. Options are SILENT (do not log and choose one at random), DEBUG, INFO, WARN (log at the given level and choose one at random), or ERROR (fail current operation).
+ duplicateFileMode: # optional
+ # Throw an error if Liquibase detects that an includeAll will cause a circular reference (and thus a changelog parse error).
+ errorOnCircularIncludeAll: # optional
+ # Encoding to use when reading files. Valid values include: UTF-8, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, or OS to use the system configured encoding.
+ fileEncoding: # optional
+ # DEPRECATED: No longer used
+ filterLogMessages: # optional
+ # If true, display a more verbose output for the FlowFile toString representation
+ flowVerboseToString: # optional
+ # Should Liquibase include a "created" attribute in diff/generateChangelog changesets with the current datetime
+ generateChangesetCreatedValues: # optional
+ # Should Liquibase include the change description in the id when generating changesets?
+ generatedChangesetIdsContainsDescription: # optional
+ # Force Liquibase to think it has no access to a keyboard
+ headless: # optional
+ # Should Liquibase include the catalog name when determining equality?
+ includeCatalogInSpecification: # optional
+ # If set to true, and there are multiple identical tags in the database changelog table, all of the newer matching tags will be rolled back while rolling back to the oldest tag. The default value for this option was false for all Liquibase versions equal to or older than 4.25.1.
+ includeMatchingTagInRollbackOldest: # optional
+ # If true, the parent relationship for computed columns is preserved in snapshot-dependent commands: snapshot and diff
+ includeRelationsForComputedColumns: # optional
+ # If true, the schema name is included for the default schema when loading a snapshot
+ includeSchemaNameForDefault: # optional
+ # Include the system classpath when resolving classes at runtime
+ includeSystemClasspath: # optional
+ # The name of the integration used to invoke Liquibase, for example, cli, or JavaAPI. It is not required to specify this value. This is primarily used by wrappers around Liquibase (like Gradle), so that analytics can be differentiated for those integrations.
+ integrationName: # optional
+ # If true, then write to a JCL log file
+ jclCreateLogFile: # optional
+ # Log file path for JCL output
+ jclLogFilePath: # optional
+ # Minimum return code recognized as an error
+ jclMinimumErrorReturnCode: # optional
+ # If true, overwrite JCL log file
+ jclOverwriteLogFile: # optional
+ # Enable or disable sending license usage data.
+ licenseUtilityEnabled: # optional
+ #
+ licenseUtilityLogLevel: # optional
+ # Time, in milliseconds, to wait for HTTP request to complete
+ licenseUtilityTimeout: # optional
+ # Specifies an identifier (e.g., team name, pipeline ID, or environment) to track and analyze Liquibase license usage. If not provided, the hostname and user is used for identification.
+ licenseUtilityTrackingId: # optional
+ #
+ licenseUtilityUrl: # optional
+ # Liquibase Pro or Liquibase Labs license key used to unlock paid capabilities. Get a free trial at https://liquibase.com/trial and use in CLI or add liquibase.licenseKey= into your defaults file.
+ licenseKey: # optional
+ # Catalog to use for Liquibase objects
+ liquibaseCatalogName: # optional
+ # Schema to use for Liquibase objects
+ liquibaseSchemaName: # optional
+ # Tablespace to use for Liquibase objects
+ liquibaseTablespaceName: # optional
+ # Controls which log channels have their level set by the liquibase.logLevel setting. Comma separate multiple values. To set the level of all channels, use "all". Example: liquibase,org.mariadb.jdbc
+ logChannels: # optional
+ # Users can use .gz file extension to enable log files compression.
+ logFile: # optional
+ # Sets the format of log output to console or log files. Open Source users default to unstructured "TEXT" logs to the console or output log files. Pro users have the option to set value as "JSON" or "JSON_PRETTY" to enable json-structured log files to the console or output log files.
+ logFormat: # optional
+ # Controls which logs get set to stderr AND to any log file. The CLI defaults, if log file set, to SEVERE. Others vary by integration. The official log levels are: OFF, SEVERE, WARNING, INFO, FINE
+ logLevel: # optional
+ # When set to true, the console messages are mirrored to the logs as [liquibase.ui] to provide a more complete picture of liquibase operations to log analysis tools. Set to false to change this behavior.
+ mirrorConsoleMessagesToLog: # optional
+ # [PRO]When set to true, console output will be mirrored to both the specified output-file and the console. If output-file is not set, the "mirror-output-to-console" argument has no effect.
+ mirrorOutputToConsole: # optional
+ # How to handle changelog property expressions where a value is not set. For example, a string "${address}" when no "address" property was defined. Values can be: "preserve" which leaves the string as-is, "empty" which replaces it with an empty string, or "error" which stops processing with an error.
+ missingPropertyMode: # optional
+ # Enable performance tracking. Set to "false" to disable. If set to "true", data is stored to a `liquibase-TIMESTAMP.jfr` file in your working directory. Any other value will enable tracking and be used as the name of the file to write the data to.
+ monitorPerformance: # optional
+ # [PRO]Flag to enable composite primary key for newly added DBCL tables. Disabled by default
+ mysqlEnableDbclPrimaryKey: # optional
+ # Custom executor that can specified
+ nativeExecutor: # optional
+ # If set to WARN, then liquibase will not throw exception on missing changelog file, instead will show a warning message.
+ onMissingIncludeChangelog: # optional
+ # If set to WARN, then Liquibase will not throw exception on missing sqlFile inside a sqlFile change type, instead will show a warning message
+ onMissingSqlFile: # optional
+ #
+ outputFile: # optional
+ # Encoding to use when writing files
+ outputFileEncoding: # optional
+ # Line separator for output
+ outputLineSeparator: # optional
+ # If true "classpath:" prefix will be preserved in normalized paths, allowing to resolve hierarchical resources under a classpath-based root.
+ preserveClasspathPrefixInNormalizedPaths: # optional
+ # If true, Liquibase treats schema and catalog names as case sensitive
+ preserveSchemaCase: # optional
+ # If true, rollback execution will be forced when having partial changes that needs to be rolled back. Defaults to false.
+ proForceOnPartialChanges: # optional
+ # [PRO]The default end delimiter to use for all change sets
+ proGlobalEndDelimiter: # optional
+ # [PRO]If true, the global end delimiter overrides all other settings
+ proGlobalEndDelimiterPrioritized: # optional
+ # [PRO]The default strip comments to use for all change sets
+ proGlobalStripComments: # optional
+ # [PRO]If true, the global strip comments overrides all other settings
+ proGlobalStripCommentsPrioritized: # optional
+ # DEPRECATED: Liquibase Pro license key used to unlock paid capabilities. Get a free trial at https://www.liquibase.com/protrial and use in CLI or add liquibase.pro.licenseKey= into your defaults file.
+ proLicenseKey: # optional
+ # If a column would be dropped in a diffChangeLog, call markUnused instead if set to true
+ proMarkUnusedNotDrop: # optional
+ # If true, generate changeSets with SQL-based changes inlined instead of saving them to an external file
+ proSqlInline: # optional
+ # If false, do not drop public synonyms in diffChangeLog/dropAll
+ proSynonymsDropPublic: # optional
+ # [PRO]If true, the Liquibase operations will fail when specified paths to Pro resource files (flow files, checks settings files, native executor conf files, etc) or rollback scripts are missing or empty.
+ proStrict: # optional
+ # Should Liquibase prompt if a non-local database is being accessed
+ promptForNonLocalDatabase: # optional
+ # Implementation of Properties class to provide additional driver properties
+ propertyProviderClass: # optional
+ # [PRO]Enable or disable reporting.
+ reportsEnabled: # optional
+ # [PRO]The format of the report. Currently, can only be set to "html".
+ reportsFormat: # optional
+ # [PRO]The name of the reports.
+ reportsName: # optional
+ # [PRO]Open the newly generated report in your default browser.
+ reportsOpen: # optional
+ # [PRO]The path to the directory to generate the reports.
+ reportsPath: # optional
+ # [PRO]Minimize the amount of logging when generating reports.
+ reportsQuiet: # optional
+ # [PRO]Global setting to prevent the display of exceptions in operation reports.
+ reportsSuppressException: # optional
+ # [PRO]Global setting to prevent the display of changeset SQL in operation reports.
+ reportsSuppressSql: # optional
+ # Path to a Python executable associated with a virtual environment
+ scriptPythonExecutablePath: # optional
+ # Complete list of Location(s) to search for files such as changelog files in. Multiple paths can be specified by separating them with commas.
+ searchPath: # optional
+ # If true, remove functionality from file parsers which could be used insecurely. Examples include (but not limited to) disabling remote XML entity support.
+ secureParsing: # optional
+ # Should Liquibase commands execute
+ shouldRun: # optional
+ # Should Liquibase snapshot data by default?
+ shouldSnapshotData: # optional
+ # If true, show a Liquibase banner on startup.
+ showBanner: # optional
+ # If true, all command arguments marked as hidden will be shown in the help output, ignoring the hidden flag. NOTE, due to the order of value provider loading at such an early point in Liquibase startup, you MUST set this as a environment variable. Command line parameters will not be recognized.
+ showHiddenArgs: # optional
+ # [PRO]Path to private key used for PKI Authentication type. Usually requires "snowflake-auth-type" property configured.
+ snowflakeAuthPrivateKeyPassphrase: # optional
+ # [PRO]Path to private key used for PKI Authentication type. Usually requires "snowflake-auth-type" property configured.
+ snowflakeAuthPrivateKeyPath: # optional
+ # [PRO]Value of the token used for specified Authentication type. Usually requires "snowflake-auth-type" property configured.
+ snowflakeAuthToken: # optional
+ # [PRO]The type or mechanism of Snowflake database authentication
+ snowflakeAuthType: # optional
+ # If true, all queries will have their fetch size set to the fetch size defined in their database implementation. This has the effect of informing the driver how many rows should be fetched when processing the result set. This is not guaranteed to be respected by the driver, but if respected, should improve query performance significantly.
+ sqlAlwaysSetFetchSize: # optional
+ # Level to log SQL statements to
+ sqlLogLevel: # optional
+ # Show SQLWarning messages
+ sqlShowSqlWarnings: # optional
+ # If true, Liquibase enforces certain best practices and proactively looks for common errors
+ strict: # optional
+ # Support escaping changelog parameters using a colon. Example: ${:user.name}
+ supportPropertyEscaping: # optional
+ # Controls the level of validation performed on the supports method of Change classes. Options are OFF, WARN, FAIL.
+ supportsMethodValidationLevel: # optional
+ # When set to true, this global property prevents DBCL and DBCLH sql from being present in console and logs during *-sql commands, such as update-sql, rollback-sql, etc.
+ suppressLiquibaseSql: # optional
+ # If true column headers will be trimmed in case they were specified with spaces in the file.
+ trimLoadDataFileHeader: # optional
+ # Changes the default UI Service Logger used by Liquibase. Options are CONSOLE or LOGGER.
+ uiService: # optional
+ # If set to true (default value), createProcedure tags with a set schemaName will modify the procedure body with the given schema name.
+ useProcedureSchema: # optional
+ # Will perform XSD validation of XML changelog files. When many XML changelog files are included, this validation may impact Liquibase performance. Defaults to true.
+ validateXmlChangelogFiles: # optional
+ # If true, long strings in Oracle will be chunked at 4000 characters when an insert statement is run, to avoid running afoul of Oracle"s 4000 character limit for insert statements to clob type columns (which appears as "ORA-01704: string literal too long.")
+ workaroundOracleClobCharacterLimit: # optional
+
+name: Test site for publicly known js vulnerabilities
+
+on: push
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Test for public javascript library vulnerabilities
+ uses: lirantal/is-website-vulnerable@main
+ with:
+ scan-url: "https://*.*.com"
+
+
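Review bot: The `- name: Liquibase Connect Action` step sits at the top of the file outside any `jobs:`/`steps:` mapping and is followed by top-level `name:`/`on:`/`jobs:` keys, so the document is a sequence followed by a mapping and will not load as a workflow; the block looks like the pasted action template with every input left empty (including `url:`, which its own comment marks as required) and should be dropped or moved under a job. `scan-url: "https://*.*.com"` is a wildcard pattern rather than a URL, so the `is-website-vulnerable` step cannot scan anything as written and should name the actual site under test. That action is referenced as `lirantal/is-website-vulnerable@main`, a moving branch, so each run executes whatever is currently on that branch; pin it to a release tag or, better, a full commit SHA. The `security` job also declares no `permissions:` block, so it runs with the repository's default token scope although a read-only scan needs none of it; a job-level `permissions:` with `contents: read` would be the minimum.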
From 479d73d243966e4b66dc9f3720c246cbf988fced Mon Sep 17 00:00:00 2001
From: framton1678-del
Date: Mon, 27 Oct 2025 23:22:24 -0400
Subject: [PATCH 3/8] Update Liquibase action version in workflow

---
 .github/workflows/main.yml | 268 +------------------------------------
 1 file changed, 1 insertion(+), 267 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d3e3812a..c6a02bd9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,270 +1,4 @@
- - name: Liquibase Connect Action
- # You may pin to the exact commit or the version.
- # uses: liquibase-github-actions/connect@1c0ef25a2b6b2b6469be7252bc1925c5ca693a9e
- uses: liquibase-github-actions/connect@v4.33.0
- with:
- # The default catalog name to use for the database connection
- defaultCatalogName: # optional
- # The default schema name to use for the database connection
- defaultSchemaName: # optional
- # The JDBC driver class
- driver: # optional
- # The JDBC driver properties file
- driverPropertiesFile: # optional
- # Password to use to connect to the database
- password: # optional
- # *required* The JDBC database connection URL
- url:
- # Username to use to connect to the database
- username: # optional
- # If true, a subset of the MdcKeys, as defined by product, will be set to empty strings upon system startup.
- addEmptyMdcValues: # optional
- # Allows duplicated changeset identifiers without failing Liquibase execution.
- allowDuplicatedChangesetIdentifiers: # optional
- # If true, drop and recreate a view instead of replacing it.
- alwaysDropInsteadOfReplace: # optional
- # When generating SQL for createProcedure, should the procedure schema be forced to the default schema if no schemaName attribute is set?
- alwaysOverrideStoredLogicSchema: # optional
- # Liquibase caches the results from the config endpoint, and this value determines how long that cache should live for before being refreshed.
- analyticsConfigCacheTimeoutMillis: # optional
- #
- analyticsConfigEndpointTimeoutMillis: # optional
- #
- analyticsConfigEndpointUrl: # optional
- # By default, Liquibase will not send analytics in dev (non release) builds. To override this behavior, set this value to true and provide a value for liquibase.analytics.configEndpointUrl
- analyticsDevOverride: # optional
- # Enable or disable sending product usage data and analytics to Liquibase. Learn more at https://docs.liquibase.com/analytics.
- analyticsEnabled: # optional
- # Number of characters of the license key that should be appended to the userId. This is used in the event that the same customer has multiple license keys associated with them.
- analyticsLicenseKeyChars: # optional
- #
- analyticsLogLevel: # optional
- # By default, the timeout for sending data to the remote endpoint is configured in the config endpoint. Any value set here will override that value.
- analyticsTimeoutMillis: # optional
- # Should Liquibase automatically include REORG TABLE commands when needed?
- autoReorg: # optional
- # Number of seconds wait between checks to the changelog lock when it is locked
- changelogLockPollRate: # optional
- # Number of minutes to wait for the changelog lock to be available before giving up
- changelogLockWaitTimeInMinutes: # optional
- # Configures how to handle unknown fields in changelog files. Possible values: STRICT which causes parsing to fail, and LAX which continues with the parsing.
- changelogParseMode: # optional
- # Enable liquibase-checks extension compatibility check. Can be used when running tests to turn off the check.
- checksCompatibilityEnabled: # optional
- # Additional classpath entries to use
- classpath: # optional
- # Should Liquibase convert to/from STANDARD data types. Applies to both snapshot and update commands.
- convertDataTypes: # optional
- # [PRO]Relative or fully qualified path to a yaml file containing key:value data to inject or exclude data from JSON structured logs. Learn more at https://docs.liquibase.com/structured-logging
- customLogDataFile: # optional
- # [PRO]The frequency that the custom log data will be entered into the logs. Available options are: ONCE,REPEATED
- customLogDataFrequency: # optional
- # Name of table to use for tracking concurrent Liquibase usage
- databaseChangelogLockTableName: # optional
- # Name of table to use for tracking change history
- databaseChangelogTableName: # optional
- # Class to use for Database implementation
- databaseClass: # optional
- # The index name for the DATABASECHANGELOG table on DB2 z/OS
- db2zDatabasechangelogIndex: # optional
- # The index name for the DATABASECHANGELOGLOCK table on DB2 z/OS
- db2zDatabasechangeloglockIndex: # optional
- # The database name for the Liquibase tracking tables on DB2 z/OS
- db2zTrackingTablesLocationDatabase: # optional
- # The tablespace name for the Liquibase tracking tables on DB2 z/OS
- db2zTrackingTablesLocationTablespace: # optional
- # If true, extensions are captured in the history table
- dbclhistoryCaptureExtensions: # optional
- # If true, executed SQL is captured in the history table
- dbclhistoryCaptureSql: # optional
- # [PRO]This property enables Liquibase Pro users to store a record of all database changing liquibase operations in a new table DATABASECHANGELOGHISTORY. This table includes records of rollback, dropalls, and repeated runOnChange type activity, which is not available in the standard DATABASECHANGELOG table.
- dbclhistoryEnabled: # optional
- # The exit code to use if an exception is encountered while recording history events
- dbclhistorySeverity: # optional
- #
- dbclhistoryTableName: # optional
- # The DDL_LOCK_TIMEOUT parameter indicates the number of seconds a DDL command should wait for the locks to become available before throwing the resource busy error message. This applies only to Oracle databases.
- ddlLockTimeout: # optional
- # File with default Liquibase properties
- defaultsFile: # optional
- # Should Liquibase compare column order in diff operation?
- diffColumnOrder: # optional
- # How to handle multiple files being found in the search path that have duplicate paths. Options are SILENT (do not log and choose one at random), DEBUG, INFO, WARN (log at the given level and choose one at random), or ERROR (fail current operation).
- duplicateFileMode: # optional
- # Throw an error if Liquibase detects that an includeAll will cause a circular reference (and thus a changelog parse error).
- errorOnCircularIncludeAll: # optional
- # Encoding to use when reading files. Valid values include: UTF-8, UTF-16, UTF-16BE, UTF-16LE, US-ASCII, or OS to use the system configured encoding.
- fileEncoding: # optional
- # DEPRECATED: No longer used
- filterLogMessages: # optional
- # If true, display a more verbose output for the FlowFile toString representation
- flowVerboseToString: # optional
- # Should Liquibase include a "created" attribute in diff/generateChangelog changesets with the current datetime
- generateChangesetCreatedValues: # optional
- # Should Liquibase include the change description in the id when generating changesets?
- generatedChangesetIdsContainsDescription: # optional
- # Force Liquibase to think it has no access to a keyboard
- headless: # optional
- # Should Liquibase include the catalog name when determining equality?
- includeCatalogInSpecification: # optional
- # If set to true, and there are multiple identical tags in the database changelog table, all of the newer matching tags will be rolled back while rolling back to the oldest tag. The default value for this option was false for all Liquibase versions equal to or older than 4.25.1.
- includeMatchingTagInRollbackOldest: # optional
- # If true, the parent relationship for computed columns is preserved in snapshot-dependent commands: snapshot and diff
- includeRelationsForComputedColumns: # optional
- # If true, the schema name is included for the default schema when loading a snapshot
- includeSchemaNameForDefault: # optional
- # Include the system classpath when resolving classes at runtime
- includeSystemClasspath: # optional
- # The name of the integration used to invoke Liquibase, for example, cli, or JavaAPI. It is not required to specify this value. This is primarily used by wrappers around Liquibase (like Gradle), so that analytics can be differentiated for those integrations.
- integrationName: # optional
- # If true, then write to a JCL log file
- jclCreateLogFile: # optional
- # Log file path for JCL output
- jclLogFilePath: # optional
- # Minimum return code recognized as an error
- jclMinimumErrorReturnCode: # optional
- # If true, overwrite JCL log file
- jclOverwriteLogFile: # optional
- # Enable or disable sending license usage data.
- licenseUtilityEnabled: # optional
- #
- licenseUtilityLogLevel: # optional
- # Time, in milliseconds, to wait for HTTP request to complete
- licenseUtilityTimeout: # optional
- # Specifies an identifier (e.g., team name, pipeline ID, or environment) to track and analyze Liquibase license usage. If not provided, the hostname and user is used for identification.
- licenseUtilityTrackingId: # optional
- #
- licenseUtilityUrl: # optional
- # Liquibase Pro or Liquibase Labs license key used to unlock paid capabilities. Get a free trial at https://liquibase.com/trial and use in CLI or add liquibase.licenseKey= into your defaults file.
- licenseKey: # optional
- # Catalog to use for Liquibase objects
- liquibaseCatalogName: # optional
- # Schema to use for Liquibase objects
- liquibaseSchemaName: # optional
- # Tablespace to use for Liquibase objects
- liquibaseTablespaceName: # optional
- # Controls which log channels have their level set by the liquibase.logLevel setting. Comma separate multiple values. To set the level of all channels, use "all". Example: liquibase,org.mariadb.jdbc
- logChannels: # optional
- # Users can use .gz file extension to enable log files compression.
- logFile: # optional
- # Sets the format of log output to console or log files. Open Source users default to unstructured "TEXT" logs to the console or output log files. Pro users have the option to set value as "JSON" or "JSON_PRETTY" to enable json-structured log files to the console or output log files.
- logFormat: # optional
- # Controls which logs get set to stderr AND to any log file. The CLI defaults, if log file set, to SEVERE. Others vary by integration. The official log levels are: OFF, SEVERE, WARNING, INFO, FINE
- logLevel: # optional
- # When set to true, the console messages are mirrored to the logs as [liquibase.ui] to provide a more complete picture of liquibase operations to log analysis tools. Set to false to change this behavior.
- mirrorConsoleMessagesToLog: # optional
- # [PRO]When set to true, console output will be mirrored to both the specified output-file and the console. If output-file is not set, the "mirror-output-to-console" argument has no effect.
- mirrorOutputToConsole: # optional
- # How to handle changelog property expressions where a value is not set. For example, a string "${address}" when no "address" property was defined. Values can be: "preserve" which leaves the string as-is, "empty" which replaces it with an empty string, or "error" which stops processing with an error.
- missingPropertyMode: # optional
- # Enable performance tracking. Set to "false" to disable. If set to "true", data is stored to a `liquibase-TIMESTAMP.jfr` file in your working directory. Any other value will enable tracking and be used as the name of the file to write the data to.
- monitorPerformance: # optional
- # [PRO]Flag to enable composite primary key for newly added DBCL tables. Disabled by default
- mysqlEnableDbclPrimaryKey: # optional
- # Custom executor that can specified
- nativeExecutor: # optional
- # If set to WARN, then liquibase will not throw exception on missing changelog file, instead will show a warning message.
- onMissingIncludeChangelog: # optional
- # If set to WARN, then Liquibase will not throw exception on missing sqlFile inside a sqlFile change type, instead will show a warning message
- onMissingSqlFile: # optional
- #
- outputFile: # optional
- # Encoding to use when writing files
- outputFileEncoding: # optional
- # Line separator for output
- outputLineSeparator: # optional
- # If true "classpath:" prefix will be preserved in normalized paths, allowing to resolve hierarchical resources under a classpath-based root.
- preserveClasspathPrefixInNormalizedPaths: # optional
- # If true, Liquibase treats schema and catalog names as case sensitive
- preserveSchemaCase: # optional
- # If true, rollback execution will be forced when having partial changes that needs to be rolled back. Defaults to false.
- proForceOnPartialChanges: # optional
- # [PRO]The default end delimiter to use for all change sets
- proGlobalEndDelimiter: # optional
- # [PRO]If true, the global end delimiter overrides all other settings
- proGlobalEndDelimiterPrioritized: # optional
- # [PRO]The default strip comments to use for all change sets
- proGlobalStripComments: # optional
- # [PRO]If true, the global strip comments overrides all other settings
- proGlobalStripCommentsPrioritized: # optional
- # DEPRECATED: Liquibase Pro license key used to unlock paid capabilities.
Get a free trial at https://www.liquibase.com/protrial and use in CLI or add liquibase.pro.licenseKey= into your defaults file. - proLicenseKey: # optional - # If a column would be dropped in a diffChangeLog, call markUnused instead if set to true - proMarkUnusedNotDrop: # optional - # If true, generate changeSets with SQL-based changes inlined instead of saving them to an external file - proSqlInline: # optional - # If false, do not drop public synonyms in diffChangeLog/dropAll - proSynonymsDropPublic: # optional - # [PRO]If true, the Liquibase operations will fail when specified paths to Pro resource files (flow files, checks settings files, native executor conf files, etc) or rollback scripts are missing or empty. - proStrict: # optional - # Should Liquibase prompt if a non-local database is being accessed - promptForNonLocalDatabase: # optional - # Implementation of Properties class to provide additional driver properties - propertyProviderClass: # optional - # [PRO]Enable or disable reporting. - reportsEnabled: # optional - # [PRO]The format of the report. Currently, can only be set to "html". - reportsFormat: # optional - # [PRO]The name of the reports. - reportsName: # optional - # [PRO]Open the newly generated report in your default browser. - reportsOpen: # optional - # [PRO]The path to the directory to generate the reports. - reportsPath: # optional - # [PRO]Minimize the amount of logging when generating reports. - reportsQuiet: # optional - # [PRO]Global setting to prevent the display of exceptions in operation reports. - reportsSuppressException: # optional - # [PRO]Global setting to prevent the display of changeset SQL in operation reports. - reportsSuppressSql: # optional - # Path to a Python executable associated with a virtual environment - scriptPythonExecutablePath: # optional - # Complete list of Location(s) to search for files such as changelog files in. Multiple paths can be specified by separating them with commas. 
- searchPath: # optional - # If true, remove functionality from file parsers which could be used insecurely. Examples include (but not limited to) disabling remote XML entity support. - secureParsing: # optional - # Should Liquibase commands execute - shouldRun: # optional - # Should Liquibase snapshot data by default? - shouldSnapshotData: # optional - # If true, show a Liquibase banner on startup. - showBanner: # optional - # If true, all command arguments marked as hidden will be shown in the help output, ignoring the hidden flag. NOTE, due to the order of value provider loading at such an early point in Liquibase startup, you MUST set this as a environment variable. Command line parameters will not be recognized. - showHiddenArgs: # optional - # [PRO]Path to private key used for PKI Authentication type. Usually requires "snowflake-auth-type" property configured. - snowflakeAuthPrivateKeyPassphrase: # optional - # [PRO]Path to private key used for PKI Authentication type. Usually requires "snowflake-auth-type" property configured. - snowflakeAuthPrivateKeyPath: # optional - # [PRO]Value of the token used for specified Authentication type. Usually requires "snowflake-auth-type" property configured. - snowflakeAuthToken: # optional - # [PRO]The type or mechanism of Snowflake database authentication - snowflakeAuthType: # optional - # If true, all queries will have their fetch size set to the fetch size defined in their database implementation. This has the effect of informing the driver how many rows should be fetched when processing the result set. This is not guaranteed to be respected by the driver, but if respected, should improve query performance significantly. 
- sqlAlwaysSetFetchSize: # optional - # Level to log SQL statements to - sqlLogLevel: # optional - # Show SQLWarning messages - sqlShowSqlWarnings: # optional - # If true, Liquibase enforces certain best practices and proactively looks for common errors - strict: # optional - # Support escaping changelog parameters using a colon. Example: ${:user.name} - supportPropertyEscaping: # optional - # Controls the level of validation performed on the supports method of Change classes. Options are OFF, WARN, FAIL. - supportsMethodValidationLevel: # optional - # When set to true, this global property prevents DBCL and DBCLH sql from being present in console and logs during *-sql commands, such as update-sql, rollback-sql, etc. - suppressLiquibaseSql: # optional - # If true column headers will be trimmed in case they were specified with spaces in the file. - trimLoadDataFileHeader: # optional - # Changes the default UI Service Logger used by Liquibase. Options are CONSOLE or LOGGER. - uiService: # optional - # If set to true (default value), createProcedure tags with a set schemaName will modify the procedure body with the given schema name. - useProcedureSchema: # optional - # Will perform XSD validation of XML changelog files. When many XML changelog files are included, this validation may impact Liquibase performance. Defaults to true. - validateXmlChangelogFiles: # optional - # If true, long strings in Oracle will be chunked at 4000 characters when an insert statement is run, to avoid running afoul of Oracle"s 4000 character limit for insert statements to clob type columns (which appears as "ORA-01704: string literal too long.") - workaroundOracleClobCharacterLimit: # optional - -name: Test site for publicly known js vulnerabilities + name: Test site for publicly known js vulnerabilities on: push jobs: From 6dfc44abcb9de162b7a822b120b73af2b26acd05 Mon Sep 17 00:00:00 2001 
From: framton1678-del
Date: Mon, 27 Oct 2025 23:30:53 -0400
Subject: [PATCH 4/8] Modify CI workflow for JavaScript vulnerability testing

Updated CI workflow to test for public JavaScript library vulnerabilities instead of building Ruby versions.
---
 .github/workflows/build.yml | 46 ++++++-------------------------------
 1 file changed, 7 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f769ca1..a349f6c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,44 +1,12 @@
-name: CI
-
-on:
- - push
- - pull_request
+name: Test site for publicly known js vulnerabilities
+on: push
 jobs:
- build:
- name: Ruby ${{ matrix.version }}
+ security:
 runs-on: ubuntu-latest
- strategy:
- matrix:
- version:
- - 3.0
- - 3.1
- - 3.2
- - 3.3
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Ruby ${{ matrix.version }}
- uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
+ - name: Test for public javascript library vulnerabilities
+ uses: lirantal/is-website-vulnerable@main
 with:
- ruby-version: ${{ matrix.version }}
- - name: Install OpenSSL
- run: |
- sudo apt-get update
- sudo apt-get install -y libssl-dev
- - name: Run Bundle Commands
- run: |
- bundle config set --with docs
- bundle config set ignore_messages true
- bundle
- - name: Run RuboCop
- run: |
- bundle exec rubocop
- - name: Run Typecheck
- run: |
- bundle exec srb tc
- - name: Run tests
- run: |
- bundle exec rake test:library
- - name: Run REST wrapper tests
- run: |
- bundle exec rake test:rest_wrappers
+ scan-url: "https://*.*.com"
+
From 5d294265e13d4bb9acb302e409092085532158f9 Mon Sep 17 00:00:00 2001
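Review bot: `uses: lirantal/is-website-vulnerable@main` tracks a mutable branch, whereas the steps this hunk removes were pinned to full commit SHAs with a version comment; any push to that branch changes what runs in this job, so pin it the same way, `uses: lirantal/is-website-vulnerable@<commit-sha> # <version>`. `scan-url: "https://*.*.com"` is not a resolvable URL — the wildcards leave the scan target undefined — so it should name the deployed site, e.g. `scan-url: "https://<your-deployed-site>"` or a repository variable. The job has no `permissions:` block and the step neither checks out nor writes to the repository, so a job-level `permissions: {}` (or `contents: read`) would bound the job token to what it needs. Dropping `pull_request` from the trigger means the scan no longer runs on PRs, which may be intended but deserves a word in the commit message.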
From: framton1678-del
Date: Mon, 27 Oct 2025 23:33:54 -0400
Subject: [PATCH 5/8] Create Node.js setup workflow in GitHub Actions

Added a setup workflow for Node.js environment in GitHub Actions.
---
 .github/workflows/Setup.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/Setup.yaml

diff --git a/.github/workflows/Setup.yaml b/.github/workflows/Setup.yaml
new file mode 100644
index 00000000..c95e4798
--- /dev/null
+++ b/.github/workflows/Setup.yaml
@@ -0,0 +1,30 @@ + - name: Setup Node.js environment + uses: actions/setup-node@v6.0.0 + with: + # Set always-auth in npmrc. + always-auth: # optional, default is false + # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. + node-version: # optional + # File containing the version Spec of the version to use. Examples: package.json, .nvmrc, .node-version, .tool-versions. + node-version-file: # optional + # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. + architecture: # optional + # Set this option if you want the action to check for the latest available version that satisfies the version spec. + check-latest: # optional + # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. + registry-url: # optional + # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). + scope: # optional + # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. + token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} + # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. + cache: # optional + # Set to false to disable automatic caching. By default, caching is enabled when either devEngines.packageManager or the top-level packageManager field in package.json specifies npm as the package manager. + package-manager-cache: # optional, default is true + # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. 
Supports wildcards or a list of file names for caching multiple dependencies. + cache-dependency-path: # optional + # Used to specify an alternative mirror to downlooad Node.js binaries from + mirror: # optional + # The token used as Authorization header when fetching from the mirror + mirror-token: # optional + From 110ea1eba3acb3ae649389ae929c8b7408baccae Mon Sep 17 00:00:00 2001 From: framton1678-del Date: Mon, 27 Oct 2025 23:36:42 -0400 Subject: [PATCH 6/8] Replace vulnerability test with Sauce Security Action --- .github/workflows/main.yml | 39 ++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c6a02bd9..56174e14 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
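Review bot: `.github/workflows/Setup.yaml` is not a runnable workflow: the new file starts at `- name: Setup Node.js environment` with no top-level `name`, `on` or `jobs`, so Actions will report it as an invalid workflow file rather than run it. Every input under `with:` is left empty (`always-auth:`, `node-version:`, `token:`, …), which most likely passes empty values instead of leaving the action's documented defaults in place — keep only the inputs you actually set. If a Node.js setup job is wanted, wrap the step as below, pin `actions/setup-node` to a commit SHA rather than the `v6.0.0` tag, and point `node-version-file` at a file the repository actually has; otherwise drop the file.

```yaml
name: Setup Node.js

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read

jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>  # <version>
      - name: Setup Node.js environment
        uses: actions/setup-node@<commit-sha>  # v6.0.0
        with:
          node-version-file: .nvmrc  # <or package.json / .node-version — whichever the repo has>
          # … unchanged: remaining inputs omitted so the action's defaults apply …
```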
@@ -1,13 +1,28 @@ - name: Test site for publicly known js vulnerabilities - -on: push -jobs: - security: - runs-on: ubuntu-latest - steps: - - name: Test for public javascript library vulnerabilities - uses: lirantal/is-website-vulnerable@main - with: - scan-url: "https://*.*.com" - + - name: Sauce Security Action + # You may pin to the exact commit or the version. + # uses: saucelabs/sauce-security-action@5008ddffb96db501fc71486cad3950304a73a2d5 + uses: saucelabs/sauce-security-action@v0.3.0 + with: + # Sauce Labs user name. + username: + # Sauce Labs API Key. + accessKey: + # Url to the application under test. + target: + # An url to an OpenAPI specification to help scan the full API. + openapi: # optional + # An url to a graphql schema to help scan the full API. + graphql: # optional + # Amount of severe vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0) + allowedSevereVulnerabilties: # optional, default is 0 + # Amount of medium vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0) + allowedMediumVulnerabilties: # optional, default is 0 + # Amount of low vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0) + allowedLowVulnerabilties: # optional, default is 0 + # Amount of informational vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0) + allowedInformationalVulnerabilties: # optional, default is -1 + # If set to true, this action will download Zap reports for you to attach to the job via actions/upload-artifact + downloadReports: # optional + # If set to true, this action will download all Sauce Labs job assets for you to attach to the job via actions/upload-artifact + downloadJobAssets: # optional From 6af35a358c77445ec4693bdf4d306236d078114b Mon Sep 17 00:00:00 2001 
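Review bot: The new side of `.github/workflows/main.yml` deletes the `on:` and `jobs:` keys and leaves a bare step (`- name: Sauce Security Action` … `with:`), so the file is no longer a workflow Actions can run; the re-indent in PATCH 7/8 moves only the `name:` line to column 0 and does not restore the `on`/`jobs`/`runs-on`/`steps` structure the removed lines had. `username:` and `accessKey:` are required inputs left empty, and the access key is a credential, so both should come from encrypted secrets, e.g. `username: ${{ secrets.SAUCE_USERNAME }}` and `accessKey: ${{ secrets.SAUCE_ACCESS_KEY }}` (secret names are your choice), never a literal in the file; `target:` is likewise required and should name the deployed application. The commented-out `# uses: saucelabs/sauce-security-action@5008ddffb96db501fc71486cad3950304a73a2d5` is the safer form — use that SHA with `# v0.3.0` as the trailing comment instead of the mutable tag. The empty optional inputs (`openapi:`, `allowedSevereVulnerabilties:`, …) probably pass an empty value rather than the documented default, so remove the ones you do not set.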
From: framton1678-del
Date: Mon, 27 Oct 2025 23:38:08 -0400
Subject: [PATCH 7/8] Fix indentation for Sauce Security Action in workflow

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 56174e14..147d2242 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,4 @@
- - name: Sauce Security Action
+name: Sauce Security Action
 # You may pin to the exact commit or the version.
 # uses: saucelabs/sauce-security-action@5008ddffb96db501fc71486cad3950304a73a2d5
 uses: saucelabs/sauce-security-action@v0.3.0
From c9906bd24987220eef9f88fcec4f8d4008286a26 Mon Sep 17 00:00:00 2001
From: framton1678-del
Date: Mon, 27 Oct 2025 23:43:54 -0400
Subject: [PATCH 8/8] Update EthicalCheck configuration with new URLs and email

---
 .github/workflows/ethicalcheck.yml | 69 ++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/ethicalcheck.yml

diff --git a/.github/workflows/ethicalcheck.yml b/.github/workflows/ethicalcheck.yml
new file mode 100644
index 00000000..6774a197
--- /dev/null
+++ b/.github/workflows/ethicalcheck.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the "main" branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '42 12 * * 1'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ Trigger_EthicalCheck:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: EthicalCheck Free & Automated API Security Testing Service
+ uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
+ with:
+ # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+ oas-url: "http://127.0.0.1:8080"
+ # The email address to which the penetration test report will be sent.
+ email: "framton6996@wearehackerone.com"
+ sarif-result-file: "ethicalcheck-results.sarif"
+
+ - name: Upload sarif file to repository
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ./ethicalcheck-results.sarif
+
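Review bot: `oas-url: "http://127.0.0.1:8080"` hands the scanner a loopback address, but no step in this job starts anything on the runner, and if EthicalCheck fetches the URL from its own service that address is unreachable from there as well, so the action has no OpenAPI document to test; it should be the public URL of the API's specification, supplied from a repository variable, e.g. `oas-url: ${{ vars.ETHICALCHECK_OAS_URL }}` (variable name is your choice). `email: "framton6996@wearehackerone.com"` hard-codes a personal address into the repository; a variable or secret keeps it out of history and lets it change without a commit. `uses: github/codeql-action/upload-sarif@v3` is pinned to a mutable tag while the `apisec-inc/ethicalcheck-action` step is pinned to a full SHA — pin both the same way for a consistent supply-chain posture.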