Add Liquibase Enterprise Docker image support

[jandroav]

Summary

Implements production-ready Docker image for Liquibase Enterprise (formerly Datical DB) with comprehensive testing, automation, and documentation.

Key Components

🐳 Docker Implementation

DockerfileEnterprise

• Multi-stage build with Eclipse Temurin 21 JRE
• Automated IzPack installer (version 8.10.479)
• Headless installation using xvfb
• Java 21 module compatibility for Groovy reflection
• SHA256 verification for security
• Non-root user (UID/GID 1001)
• Multi-platform: linux/amd64, linux/arm64

autoInstall.xml

• IzPack automated configuration
• Installs all 6 packages: UI, CLI, License Manager, Java Runtime, Oracle Client

docker-entrypoint-enterprise.sh

• Automatic license detection from /liquibase/license/
• Sets DATDB_LICENSE environment variable
• Auto-changes to /liquibase/project directory
• Intelligent command routing

📚 Documentation

README-enterprise.md

• Quick Start with platform-specific examples (x86-64 and Apple Silicon)
• Verified working example with real version output
• Enterprise features documentation
• Build instructions (AMD64, ARM64, multi-platform)
• Common usage examples (statusDetails, forecast, deploy)
• CI/CD integration examples (Jenkins, GitLab CI, GitHub Actions)
• Troubleshooting guide with Apple Silicon/Rosetta instructions

docker-compose.enterprise.yml

• Complete example with PostgreSQL
• Service dependencies and health checks

🚀 GitHub Actions Workflows

create-release-enterprise.yml

• Automated version bumping with SHA256 validation
• Git tagging: v{version}-ENTERPRISE format
• Multi-platform builds
• Publishes to Docker Hub, GHCR, AWS ECR Public
• Dry-run mode support
• Selective registry publishing

test-enterprise.yml

• Runs on ubuntu-latest and macos-15-intel
• Container structure validation
• Java 21 and hammer CLI verification
• License and project mounting tests
• Platform-specific x86-64 tests

trivy-enterprise.yml

• Surface and deep vulnerability scanning
• SBOM generation (Syft) and scanning (Grype)
• Docker Scout CVE analysis
• Nested JAR/Python package extraction
• SARIF upload to GitHub Security
• Enhanced reports (90-day retention)
• Scheduled scans (weekdays 7am UTC)

✅ Testing & Verification

• ✅ Built and tested on AMD64
• ✅ Verified with valid Enterprise license
• ✅ Confirmed hammer CLI execution
• ✅ Version output validated:

  Liquibase Enterprise CLI  8.10
    Component Versions:
            Liquibase Enterprise Core  8.10.479
            Liquibase Enterprise CLI   8.10.479.20250717040249
            Liquibase                  3.5.11640
            Stored Logic extension     1.0.318.20250710062909
            AppDBA extension           1.0.474.20250710061826
            Java                       11.0.15
  

• ✅ License mounting (DATDB_LICENSE) working
• ✅ Docker Compose example functional

Architecture Decisions

Separate Workflows: Enterprise uses dedicated workflows (not added to test.yml/trivy.yml matrix) because:

• Different CLI interface (hammer vs liquibase)
• Unique requirements (license file testing)
• Longer build times (IzPack installation)
• Different test scenarios

Tag Format: v{version}-ENTERPRISE prevents conflicts with Community (v{version}) and Secure (v{version}-SECURE)

License Handling: Runtime mounting (not build-time) for security and flexibility

Platform Support: Multi-arch build with Apple Silicon documentation (--platform flag)

Available Registries

Images will be published to:

• Docker Hub: liquibase/liquibase-enterprise
• GitHub Container Registry: ghcr.io/liquibase/liquibase-enterprise
• AWS ECR Public: public.ecr.aws/liquibase/liquibase-enterprise

Files Changed

• ✨ .github/workflows/create-release-enterprise.yml - Release automation
• ✨ .github/workflows/test-enterprise.yml - Comprehensive testing
• ✨ .github/workflows/trivy-enterprise.yml - Security scanning
• ✨ DockerfileEnterprise - Multi-stage build
• ✨ README-enterprise.md - Complete documentation
• ✨ autoInstall.xml - IzPack configuration
• ✨ docker-entrypoint-enterprise.sh - Entrypoint script
• ✨ examples/docker-compose/docker-compose.enterprise.yml - Docker Compose example

Closes DAT-7679

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds official Liquibase Enterprise Docker support: new DockerfileEnterprise, IzPack autoInstall.xml, docker-entrypoint-enterprise.sh, README and docker-compose example, .gitignore update, plus three new GitHub Actions workflows for release, testing, and vulnerability scanning; and path-filter adjustments to existing CI workflows.

Changes

Cohort / File(s)	Summary
Release & CI Workflows \.github/workflows/create-release-enterprise.yml, \.github/workflows/test-enterprise.yml, \.github/workflows/trivy-enterprise.yml, \.github/workflows/test.yml, \.github/workflows/trivy.yml	Adds a release workflow to update DockerfileEnterprise, tag/create releases, and build/push multi-arch images (Docker Hub, GHCR, ECR) with dry-run support; adds enterprise test and vulnerability-scanning workflows (Trivy/Scout, SBOM, SARIF, artifact uploads); adds path filters to existing test/trivy workflows.
Enterprise Docker image & installer DockerfileEnterprise, autoInstall.xml, mssql_driver.properties	New multi-stage Dockerfile using IzPack headless installer in builder stage and a Temurin-21 runtime; creates liquibase user (UID/GID 1001), copies DaticalDB install, sets env vars and OCI labels, exposes hammer CLI; autoInstall.xml provides automated installer defaults; MSSQL driver properties added.
Entrypoint & runtime script docker-entrypoint-enterprise.sh	New executable entrypoint: strict mode, license detection/export, SSH known_hosts population, command dispatch (exec provided command if executable else run hammer).
Docs & examples README-enterprise.md, examples/docker-compose/docker-compose.enterprise.yml	Adds comprehensive enterprise README and docker-compose example (Postgres + liquibase-enterprise) with mounts, healthchecks, sample commands and usage guidance.
Ignore rules \.gitignore	Adds *.lic to ignore license files.

Sequence Diagram(s)

sequenceDiagram
    actor Trigger
    participant GHA as "GitHub Actions"
    participant Repo as "Repository"
    participant RegHub as "Docker Hub"
    participant RegGHCR as "GHCR"
    participant RegECR as "ECR"

    Trigger->>GHA: start release workflow
    activate GHA

    rect rgba(230,245,255,0.5)
    Note over GHA: update-dockerfiles
    GHA->>Repo: read inputs & secrets
    GHA->>Repo: update `DockerfileEnterprise` (enterpriseVersion, jar SHA)
    GHA->>Repo: commit & create tag (if not dry-run)
    end

    rect rgba(245,235,255,0.5)
    Note over GHA: build-push-image
    GHA->>GHA: generate tags & platforms
    GHA->>GHA: build multi-arch image
    alt push to Docker Hub
        GHA->>RegHub: push
    end
    alt push to GHCR
        GHA->>RegGHCR: push
    end
    alt push to ECR
        GHA->>RegECR: push
    end
    GHA->>GHA: create GitHub release (non-dry-run)
    end

    deactivate GHA

Loading

sequenceDiagram
    participant Container
    participant Entrypoint as "docker-entrypoint-enterprise.sh"
    participant Hammer as "hammer"

    Container->>Entrypoint: start
    activate Entrypoint
    Entrypoint->>Entrypoint: detect license -> export DATDB_LICENSE
    Entrypoint->>Entrypoint: set LIQUIBASE_HOME, PATH
    alt first arg is an executable command
        Entrypoint->>Container: exec "$@"
    else
        Entrypoint->>Hammer: exec hammer [args]
    end
    deactivate Entrypoint

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

• Areas for extra attention:
  • .github/workflows/create-release-enterprise.yml: secrets retrieval, AWS/Vault/GitHub App auth, dry-run vs push/tag logic, multi-registry tag generation and push conditions.
  • .github/workflows/test-enterprise.yml: cross-platform matrix, macOS Docker setup, platform-gated tests and many container assertions.
  • .github/workflows/trivy-enterprise.yml: SBOM generation, SARIF outputs, Trivy/Grype/Scout orchestration and artifact uploads.
  • DockerfileEnterprise & autoInstall.xml: IzPack headless installer flags, Java runtime options, checksum uses, ownership/permissions and UID/GID implications.
  • docker-entrypoint-enterprise.sh: license discovery paths and exec/dispatch behavior.

Possibly related PRs

• fix: remove SARIF uploads from published images workflow #471 — Adds a trivy-enterprise vulnerability-scanning workflow with SARIF and security artifacts; closely related to the Trivy/Scout workflow additions in this PR.

Suggested labels

TypeCI, TypeDocs, type: ci

Suggested reviewers

• jnewton03
• sayaliM0412

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (12 files): ⚔️ .github/workflows/create-release.yml (content) ⚔️ .github/workflows/test.yml (content) ⚔️ .github/workflows/trivy-scan-published-images.yml (content) ⚔️ .github/workflows/trivy.yml (content) ⚔️ .gitignore (content) ⚔️ Dockerfile (content) ⚔️ Dockerfile.alpine (content) ⚔️ DockerfileSecure (content) ⚔️ README.md (content) ⚔️ docker-entrypoint.sh (content) ⚔️ scripts/README.md (content) ⚔️ scripts/generate-dockerhub-matrix.sh (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding Docker image support for Liquibase Enterprise, which is the primary focus of the entire changeset.
Description check	✅ Passed	The description is well-detailed and directly related to the changeset, covering all major components, workflows, testing, and architectural decisions for the Enterprise Docker image implementation.
Linked Issues check	✅ Passed	The PR meets the core requirements from DAT-7679: delivers an official Dockerfile for Enterprise in liquibase/docker repo, implements production-ready image with multi-stage build, includes documentation (README-enterprise.md), provides docker-compose example, adds separate GitHub Actions workflows for releases/testing/security, and uses distinct Enterprise tag scheme (v{version}-ENTERPRISE).
Out of Scope Changes check	✅ Passed	Changes are aligned with DAT-7679 requirements. Minor updates to existing test.yml and trivy.yml workflows add path filters for consistency, and .gitignore addition for license files is appropriate for Enterprise testing. All changes support the main objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DAT-7679

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Vulnerabilities of liquibase/liquibase-secure:b06c57740e565f8c9a49a4fb9667dd5025c31450

📦 Image Reference liquibase/liquibase-secure:b06c57740e565f8c9a49a4fb9667dd5025c31450

digest	sha256:b75816b8ad456c115d5c9799c1db1932435d37d9835faf7abd468f197a3db542
vulnerabilities
platform	linux/amd64
size	762 MB
packages	425

📦 Base Image eclipse-temurin:21-jre

also known as	21-jre-noble 21.0.9_10-jre 21.0.9_10-jre-noble
digest	sha256:d665ca47131b82e94b17ec6b8d9ee72924268c509f9407a766ffe3d3defbaa32
vulnerabilities

[github-advanced-security]

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[github-actions]

🔍 Vulnerabilities of liquibase/liquibase-enterprise:b06c57740e565f8c9a49a4fb9667dd5025c31450

📦 Image Reference liquibase/liquibase-enterprise:b06c57740e565f8c9a49a4fb9667dd5025c31450

digest	sha256:80eef08040498ca2b5e9b49b8b976f4beea2872201425e8034341a2fee94a6a8
vulnerabilities
platform	linux/amd64
size	742 MB
packages	639

📦 Base Image eclipse-temurin:21-jre

also known as	21-jre-noble 21.0.9_10-jre 21.0.9_10-jre-noble
digest	sha256:d665ca47131b82e94b17ec6b8d9ee72924268c509f9407a766ffe3d3defbaa32
vulnerabilities

org.drools/drools-core 7.48.0.Final (maven) pkg:maven/org.drools/drools-core@7.48.0.Final Improper Restriction of XML External Entity Reference Affected range <=7.59.0.Final Fixed version 7.60.0.Final CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.062% EPSS Percentile 19th percentile Description drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

org.apache.commons/commons-text 1.9 (maven) pkg:maven/org.apache.commons/commons-text@1.9 Improper Control of Generation of Code ('Code Injection') Affected range >=1.5 <1.10.0 Fixed version 1.10.0 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 94.161% EPSS Percentile 100th percentile Description Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

com.thoughtworks.xstream/xstream 1.4.14 (maven) pkg:maven/com.thoughtworks.xstream/xstream@1.4.14 Unrestricted Upload of File with Dangerous Type Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.712% EPSS Percentile 72nd percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39154. Credits ka1n4t found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.573% EPSS Percentile 68th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39153. Credits Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 67.834% EPSS Percentile 98th percentile Description Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39152. Credits m0d9 of the Security Team of Alibaba Cloud found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Unrestricted Upload of File with Dangerous Type Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.573% EPSS Percentile 68th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39151. Credits Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 1.965% EPSS Percentile 83rd percentile Description Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39150. Credits Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Unrestricted Upload of File with Dangerous Type Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.712% EPSS Percentile 72nd percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39149. Credits Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.573% EPSS Percentile 68th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39148. Credits wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.573% EPSS Percentile 68th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39147. Credits wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 54.176% EPSS Percentile 98th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39146. Credits Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.500% EPSS Percentile 65th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39145. Credits 李安诺 (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue independently to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Missing Authentication for Critical Function Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H EPSS Score 94.380% EPSS Percentile 100th percentile Description Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39144. Credits Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Email us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 84.542% EPSS Percentile 99th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39141. Credits Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.18 Fixed version 1.4.18 CVSS Score 8.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.842% EPSS Percentile 74th percentile Description Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39139. Credits Lai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Affected range <1.4.20 Fixed version 1.4.20 CVSS Score 8.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H EPSS Score 4.274% EPSS Percentile 88th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: java.util.HashMap java.util.HashSet java.util.Hashtable java.util.LinkedHashMap java.util.LinkedHashSet Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); However, this implies that your application does not care about the implementation of the map and all elements are comparable. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Stack-based Buffer Overflow Affected range <1.4.21 Fixed version 1.4.21 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P EPSS Score 0.176% EPSS Percentile 39th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072. Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. Stack-based Buffer Overflow Affected range <1.4.20 Fixed version 1.4.20 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.245% EPSS Percentile 48th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151. Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Uncontrolled Resource Consumption Affected range <1.4.19 Fixed version 1.4.19 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 2.031% EPSS Percentile 83rd percentile Description Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Workarounds The attack uses the hash code implementation for collections and maps to force an exponential calculation time due to highly recursive structures with in the collection or map. Following types of the Java runtime are affected in Java versions available in December 2021: java.util.HashMap java.util.HashSet java.util.Hashtable java.util.LinkedHashMap java.util.LinkedHashSet java.util.Stack (older Java revisions only) java.util.Vector (older Java revisions only) Other third party collection implementations that use their element's hash code may also be affected If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); However, this implies that your application does not care about the implementation of the map and all elements are comparable. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-43859. Credits The vulnerability was discovered and reported by r00t4dm at Cloud-Penetrating Arrow Lab. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Deserialization of Untrusted Data Affected range <1.4.17 Fixed version 1.4.17 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 90.769% EPSS Percentile 100th percentile Description Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-29505. Credits V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it. For more information If you have any questions or comments about this advisory: Open an issue in XStream Email us at XStream Google Group Uncontrolled Resource Consumption Affected range <1.4.16 Fixed version 1.4.16 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 23.434% EPSS Percentile 96th percentile Description Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. Workarounds See workarounds for the different versions covering all CVEs. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-21341. Credits The vulnerability was discovered and reported by threedr3am. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group

com.google.protobuf/protobuf-java 3.6.1 (maven) pkg:maven/com.google.protobuf/protobuf-java@3.6.1 Improper Input Validation Affected range <3.25.5 Fixed version 3.25.5 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.055% EPSS Percentile 17th percentile Description Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. Severity CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness. Remediation and Mitigation We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages: protobuf-java (3.25.5, 4.27.5, 4.28.2) protobuf-javalite (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2) Uncontrolled Resource Consumption Affected range >=3.0.0 <3.16.3 Fixed version 3.16.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.057% EPSS Percentile 18th percentile Description A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Uncontrolled Resource Consumption Affected range >=3.0.0 <3.16.3 Fixed version 3.16.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.119% EPSS Percentile 31st percentile Description A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Incorrect Behavior Order Affected range <3.16.1 Fixed version 3.16.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.291% EPSS Percentile 52nd percentile Description Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: OSS-Fuzz Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.16.1, 3.18.2, 3.19.2) protobuf-kotlin (3.18.2, 3.19.2) google-protobuf [JRuby gem only] (3.19.2)

org.json/json 20180130 (maven) pkg:maven/org.json/json@20180130 Improperly Implemented Security Check for Standard Affected range <=20230618 Fixed version 20231013 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.468% EPSS Percentile 64th percentile Description Summary A denial of service vulnerability in JSON-Java was discovered by ClusterFuzz. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using \ to escape special characters, including \ itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of \ characters in the escaped string. Severity High - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet. Proof of Concept package orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java. */ public class Bug { private static String makeNested(int depth) { if (depth == 0) { return "{\"a\":1}"; } return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}"; } public static void main(String[] args) { String input = makeNested(30); System.out.printf("Input string has length %d: %s\n", input.length(), input); JSONObject output = new JSONObject(input); System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output); } } When run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError. Further Analysis The issue is fixed by this PR. Timeline Date reported: 07/14/2023 Date fixed: Date disclosed: 10/12/2023 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <20220320 Fixed version 20220320 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.276% EPSS Percentile 51st percentile Description A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <20220320 Fixed version 20220320 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.084% EPSS Percentile 25th percentile Description hutool-json v5.8.10 was discovered to contain an out of memory error. Out-of-bounds Write Affected range <20230227 Fixed version 20230227 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.878% EPSS Percentile 75th percentile Description A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

com.fasterxml.jackson.core/jackson-databind 2.13.2 (maven) pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2 Uncontrolled Resource Consumption Affected range >=2.13.0 <2.13.4 Fixed version 2.13.4 CVSS Score 8.2 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.303% EPSS Percentile 53rd percentile Description In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled. Uncontrolled Resource Consumption Affected range >=2.13.0 <2.13.4.2 Fixed version 2.13.4.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.354% EPSS Percentile 57th percentile Description In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5. Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e. The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See FasterXML/jackson-databind#3627 (comment) for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures Out-of-bounds Write Affected range >=2.13.0 <=2.13.2.0 Fixed version 2.13.2.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.614% EPSS Percentile 69th percentile Description jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

org.yaml/snakeyaml 1.17 (maven) pkg:maven/org.yaml/snakeyaml@1.17 Improper Input Validation Affected range <=1.33 Fixed version 2.0 CVSS Score 8.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L EPSS Score 93.849% EPSS Percentile 100th percentile Description Summary SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized. Severity High, lack of type checks during deserialization allows remote code execution. Proof of Concept Execute bash run.sh. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... ^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. Timeline Date reported: 4/11/2022 Date fixed: 30/12/2022 Date disclosed: 10/13/2022 Uncontrolled Resource Consumption Affected range <1.31 Fixed version 1.31 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.347% EPSS Percentile 57th percentile Description The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affected range <1.26 Fixed version 1.26 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 2.166% EPSS Percentile 84th percentile Description The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

com.thoughtworks.xstream/xstream 1.4.19 (maven) pkg:maven/com.thoughtworks.xstream/xstream@1.4.19 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Affected range <1.4.20 Fixed version 1.4.20 CVSS Score 8.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H EPSS Score 4.274% EPSS Percentile 88th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. Workarounds The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected: java.util.HashMap java.util.HashSet java.util.Hashtable java.util.LinkedHashMap java.util.LinkedHashSet Other third party collection implementations that use their element's hash code may also be affected A simple solution is to catch the StackOverflowError in the client code calling XStream. If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode: XStream xstream = new XStream(); xstream.setMode(XStream.NO_REFERENCES); If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types: XStream xstream = new XStream(); xstream.denyTypes(new Class[]{ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class }); Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:: xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); However, this implies that your application does not care about the implementation of the map and all elements are comparable. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group Stack-based Buffer Overflow Affected range <1.4.21 Fixed version 1.4.21 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P EPSS Score 0.176% EPSS Percentile 39th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. Patches XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072. Credits Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. Stack-based Buffer Overflow Affected range <1.4.20 Fixed version 1.4.20 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.245% EPSS Percentile 48th percentile Description Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead. Workarounds The only solution is to catch the StackOverflowError in the client code calling XStream. References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-40151. Credits The vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team. For more information If you have any questions or comments about this advisory: Open an issue in XStream Contact us at XStream Google Group

org.apache.velocity/velocity 1.7.0 (maven) pkg:maven/org.apache.velocity/velocity@1.7.0 Improper Input Validation Affected range <=1.7 Fixed version Not Fixed CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 10.626% EPSS Percentile 93rd percentile Description An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

commons-io/commons-io 2.7 (maven) pkg:maven/commons-io/commons-io@2.7 Uncontrolled Resource Consumption Affected range >=2.0 <2.14.0 Fixed version 2.14.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.177% EPSS Percentile 40th percentile Description Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

org.eclipse.jetty/jetty-server 10.0.6 (maven) pkg:maven/org.eclipse.jetty/jetty-server@10.0.6 Improper Resource Shutdown or Release Affected range >=10.0.0 <10.0.10 Fixed version 10.0.10 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.525% EPSS Percentile 66th percentile Description Impact SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked. Workarounds Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked. Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally. With embedded-jetty int maxBucketSize = 1000; long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory); server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started server.start(); With jetty-home/jetty-base Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml <?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd"> <Configure id="Server" class="org.eclipse.jetty.server.Server"> <Call name="addBean"> <Arg> <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool"> <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg> </New> </Arg> </Call> </Configure> And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini etc/retainable-byte-buffer-config.xml References jetty/jetty.project#8161 For more information Email us at security@webtide.com

com.fasterxml.jackson.core/jackson-core 2.13.2 (maven) pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.2 Stack-based Buffer Overflow Affected range <2.15.0 Fixed version 2.15.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.019% EPSS Percentile 4th percentile Description Impact With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. Patches jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in FasterXML/jackson-core#943. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. Workarounds Users should avoid parsing input files from untrusted sources.

org.eclipse.jgit/org.eclipse.jgit 5.2.0.201812061821-r (maven) pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.2.0.201812061821-r Improper Handling of Case Sensitivity Affected range <5.13.3.202401111512-r Fixed version 5.13.3.202401111512-r CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 1.077% EPSS Percentile 77th percentile Description Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (5)

README-enterprise.md (2)

34-43: Add language identifier to fenced code block.

The code block showing example output is missing a language identifier. Update the opening ``` to ```bash or ```text for consistency with other code blocks and to help renderers apply proper formatting.

 **Example output:**
-```
+```bash
 Liquibase Enterprise CLI  8.10

---

345-355: Use markdown headings instead of bold emphasis.

Lines 345 and 357 use bold emphasis (**...**) where markdown headings (###) would be more semantically correct and improve document structure for navigation and tooling.

-**Example: Adding PostgreSQL Client**
+### Example: Adding PostgreSQL Client
 
 ```dockerfile

-**Example: Adding SQL Server Tools**
+### Example: Adding SQL Server Tools
 
 ```dockerfile

.github/workflows/create-release-enterprise.yml (1)

145-163: Add quoting to shell variables and fix unused variable.

Line 150 has unquoted variables that could break with special characters or spaces. Line 160 defines COMMIT_MSG but the variable is not used in the git commit command (string interpolation is used directly instead).

  ENTERPRISE_SHA=$(curl -LsS https://software.datical.com/Datical_DB_Software/Datical_DB_${{ steps.collect-data.outputs.enterpriseVersion }}/DaticalDB-linux.gtk.x86_64-${{ steps.collect-data.outputs.enterpriseVersion }}.jar | sha256sum | awk '{ print $1 }')

-         sed -i 's/^ARG ENTERPRISE_VERSION=.*/ARG ENTERPRISE_VERSION='"${{ steps.collect-data.outputs.enterpriseVersion }}"'/' "${{ github.workspace }}/DockerfileEnterprise"
-         sed -i 's/^ARG ENT_JAR_SHA256=.*/ARG ENT_JAR_SHA256='"$ENTERPRISE_SHA"'/' "${{ github.workspace }}/DockerfileEnterprise"
+         sed -i "s/^ARG ENTERPRISE_VERSION=.*/ARG ENTERPRISE_VERSION=${{ steps.collect-data.outputs.enterpriseVersion }}/" "${{ github.workspace }}/DockerfileEnterprise"
+         sed -i "s/^ARG ENT_JAR_SHA256=.*/ARG ENT_JAR_SHA256=${ENTERPRISE_SHA}/" "${{ github.workspace }}/DockerfileEnterprise"
  git add DockerfileEnterprise

  if git diff-index --cached --quiet HEAD --; then
    echo "Nothing new to commit"
    echo "changes_made=false" >> $GITHUB_OUTPUT
  else
-           COMMIT_MSG="Liquibase Enterprise Version Bumped to ${{ steps.collect-data.outputs.enterpriseVersion }}"
-           git commit -m "${COMMIT_MSG}"
+           git commit -m "Liquibase Enterprise Version Bumped to ${{ steps.collect-data.outputs.enterpriseVersion }}"

.github/workflows/test-enterprise.yml (1)

195-218: Add quoting to shell variable expansions to handle paths with spaces.

The command substitutions and path variables should be quoted to safely handle edge cases where paths contain spaces or special characters.

          # Mount license file and verify it's accessible
-         RESULT=$(docker run --rm \
-           -v $(pwd)/test-license:/liquibase/license \
+         RESULT=$(docker run --rm \
+           -v "$(pwd)/test-license:/liquibase/license" \
            liquibase/liquibase-enterprise:${{ github.sha }} \
            cat /liquibase/license/license.lic 2>&1)

Apply similar quoting to lines 221 and 247.

DockerfileEnterprise (1)

59-65: Non-standard OCI label.

org.opencontainers.image.licenses.url (line 62) is not a standard OCI image-spec annotation. The standard label is org.opencontainers.image.licenses which you've already set. Consider either removing the custom label or using a vendor-prefixed label like com.liquibase.licenses.url for clarity.

 LABEL org.opencontainers.image.description="Liquibase Enterprise Container Image"
 LABEL org.opencontainers.image.licenses="LicenseRef-Datical-EULA"
-LABEL org.opencontainers.image.licenses.url="https://www.datical.com/eula"
+LABEL com.liquibase.eula.url="https://www.datical.com/eula"
 LABEL org.opencontainers.image.vendor="Liquibase"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a02fa3e and 6eedd94.

📒 Files selected for processing (9)

• .github/workflows/create-release-enterprise.yml (1 hunks)
• .github/workflows/test-enterprise.yml (1 hunks)
• .github/workflows/trivy-enterprise.yml (1 hunks)
• .gitignore (1 hunks)
• DockerfileEnterprise (1 hunks)
• README-enterprise.md (1 hunks)
• autoInstall.xml (1 hunks)
• docker-entrypoint-enterprise.sh (1 hunks)
• examples/docker-compose/docker-compose.enterprise.yml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/Dockerfile*

📄 CodeRabbit inference engine (CLAUDE.md)

**/Dockerfile*: When extending Community images, use FROM liquibase/liquibase:latest as the base and add database drivers using LPM (e.g., lpm add mysql --global)
When extending Secure images, use FROM liquibase/liquibase-secure:latest as the base and set LIQUIBASE_LICENSE_KEY environment variable

Files:

• DockerfileEnterprise

🧠 Learnings (17)

📓 Common learnings

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`

Applied to files:

• .github/workflows/trivy-enterprise.yml
• DockerfileEnterprise
• .github/workflows/create-release-enterprise.yml
• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior

Applied to files:

• docker-entrypoint-enterprise.sh

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability

Applied to files:

• docker-entrypoint-enterprise.sh

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• .github/workflows/test-enterprise.yml
• README-enterprise.md
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• .github/workflows/test-enterprise.yml
• .github/workflows/create-release-enterprise.yml
• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• .github/workflows/test-enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• .github/workflows/test-enterprise.yml
• README-enterprise.md
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• .github/workflows/test-enterprise.yml
• .github/workflows/create-release-enterprise.yml
• README-enterprise.md
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Create and use non-root `liquibase` user with UID/GID 1001 for running the container

Applied to files:

• docker-entrypoint-enterprise.sh
• DockerfileEnterprise
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`

Applied to files:

• DockerfileEnterprise
• .github/workflows/test-enterprise.yml
• .github/workflows/create-release-enterprise.yml
• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Base image must use Eclipse Temurin JRE 21 (Jammy) as the foundation

Applied to files:

• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Secure Liquibase versions should be sourced from repo.liquibase.com and controlled via `LIQUIBASE_PRO_VERSION` ARG

Applied to files:

• DockerfileEnterprise
• README-enterprise.md
• examples/docker-compose/docker-compose.enterprise.yml

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`

Applied to files:

• .github/workflows/test-enterprise.yml
• .github/workflows/create-release-enterprise.yml
• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`

Applied to files:

• .github/workflows/create-release-enterprise.yml
• README-enterprise.md

🪛 actionlint (1.7.8)

.github/workflows/trivy-enterprise.yml

246-246: shellcheck reported issue in this script: SC2086:info:2:56: Double quote to prevent globbing and word splitting

(shellcheck)

.github/workflows/test-enterprise.yml

47-47: shellcheck reported issue in this script: SC2086:info:4:24: Double quote to prevent globbing and word splitting

(shellcheck)

---

195-195: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting

(shellcheck)

---

221-221: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting

(shellcheck)

---

247-247: shellcheck reported issue in this script: SC2046:warning:9:6: Quote this to prevent word splitting

(shellcheck)

---

247-247: shellcheck reported issue in this script: SC2046:warning:23:6: Quote this to prevent word splitting

(shellcheck)

.github/workflows/create-release-enterprise.yml

145-145: shellcheck reported issue in this script: SC2086:info:13:32: Double quote to prevent globbing and word splitting

(shellcheck)

---

145-145: shellcheck reported issue in this script: SC2086:info:17:31: Double quote to prevent globbing and word splitting

(shellcheck)

---

168-168: shellcheck reported issue in this script: SC2034:warning:5:1: COMMIT_MSG appears unused. Verify use (or export if used externally)

(shellcheck)

---

217-217: shellcheck reported issue in this script: SC2086:info:2:56: Double quote to prevent globbing and word splitting

(shellcheck)

---

230-230: shellcheck reported issue in this script: SC2086:info:3:32: Double quote to prevent globbing and word splitting

(shellcheck)

---

230-230: shellcheck reported issue in this script: SC2086:info:4:40: Double quote to prevent globbing and word splitting

(shellcheck)

---

254-254: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects

(shellcheck)

---

254-254: shellcheck reported issue in this script: SC2086:info:1:57: Double quote to prevent globbing and word splitting

(shellcheck)

---

254-254: shellcheck reported issue in this script: SC2086:info:2:66: Double quote to prevent globbing and word splitting

(shellcheck)

---

254-254: shellcheck reported issue in this script: SC2086:info:3:60: Double quote to prevent globbing and word splitting

(shellcheck)

---

288-288: property "aws_access_key_id" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string}

(expression)

---

289-289: property "aws_secret_access_key" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string}

(expression)

---

298-298: property "aws_access_key_id" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string}

(expression)

---

299-299: property "aws_secret_access_key" is not defined in object type {aws-access-key-id: string; aws-account-id: string; aws-expiration: string; aws-secret-access-key: string; aws-session-token: string}

(expression)

---

303-303: shellcheck reported issue in this script: SC2086:info:37:24: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 GitHub Check: CodeQL

.github/workflows/trivy-enterprise.yml

[warning] 43-43: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 50-50: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 65-65: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'anchore/sbom-action' with ref 'v0', not a pinned commit hash

---

[warning] 80-80: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 91-91: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 102-102: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 115-115: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 128-128: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: grype_scan uses 'anchore/scan-action' with ref 'v5', not a pinned commit hash

---

[warning] 159-159: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rtCamp/action-slack-notify' with ref 'v2', not a pinned commit hash

---

[warning] 199-199: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rsdmike/github-security-report-action' with ref 'v3.0.4', not a pinned commit hash

---

[warning] 232-232: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 239-239: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 250-250: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 256-256: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'docker/scout-action' with ref 'v1.18.2', not a pinned commit hash

---

[warning] 269-269: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rtCamp/action-slack-notify' with ref 'v2', not a pinned commit hash

---

[warning] 289-289: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rsdmike/github-security-report-action' with ref 'v3.0.4', not a pinned commit hash

.github/workflows/test-enterprise.yml

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'douglascamata/setup-docker-macos-action' with ref 'v1.0.2', not a pinned commit hash

.github/workflows/create-release-enterprise.yml

[warning] 103-103: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 110-110: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 203-203: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 210-210: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 239-239: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'softprops/action-gh-release' with ref 'v2', not a pinned commit hash

---

[warning] 249-249: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 250-250: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 261-261: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 268-268: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 276-276: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: configure-aws-credentials-prod uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 283-283: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 293-293: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 348-348: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

🪛 markdownlint-cli2 (0.18.1)

README-enterprise.md

34-34: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

345-345: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

357-357: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Scout Scan - Liquibase Enterprise
• GitHub Check: Trivy Scan - Liquibase Enterprise
• GitHub Check: Build & Test DockerfileEnterprise - macos-15-intel
• GitHub Check: Build & Test DockerfileEnterprise - ubuntu-latest
• GitHub Check: Build & Test Dockerfile - macos-15-intel
• GitHub Check: Build & Test DockerfileSecure - ubuntu-latest
• GitHub Check: Build & Test Dockerfile.alpine - ubuntu-latest
• GitHub Check: Build & Test Dockerfile.alpine - macos-15-intel
• GitHub Check: Build & Test DockerfileSecure - macos-15-intel
• GitHub Check: Build & Test Dockerfile - ubuntu-latest
• GitHub Check: Trivy (DockerfileSecure, liquibase/liquibase-secure)
• GitHub Check: Scout (DockerfileSecure, liquibase/liquibase-secure)
• GitHub Check: Trivy (Dockerfile.alpine, liquibase/liquibase, -alpine)
• GitHub Check: Trivy (Dockerfile, liquibase/liquibase)

🔇 Additional comments (14)

.gitignore (1)

3-3: LGTM!

The addition of *.lic to gitignore appropriately prevents accidental license file commits, which is important for security and privacy when handling customer-provided enterprise licenses.

autoInstall.xml (1)

1-23: LGTM!

The IzPack configuration is well-structured and correctly defaults to the paths expected by the entrypoint script and Docker Compose examples. The five selected packages and target installation path align with the PR objectives.

README-enterprise.md (1)

1-507: Comprehensive documentation with strong coverage of enterprise features.

The README provides excellent guidance on licensing, registry options, build instructions, multi-platform support, CI/CD integration patterns, and troubleshooting. Documentation aligns well with the runtime behavior implemented in docker-entrypoint-enterprise.sh and the examples provided in docker-compose.enterprise.yml.

examples/docker-compose/docker-compose.enterprise.yml (1)

1-41: LGTM!

The Docker Compose example correctly demonstrates Liquibase Enterprise usage with service dependencies, volume mounts for license/project, and health checks. The configuration aligns with the documentation and entrypoint behavior.

docker-entrypoint-enterprise.sh (1)

1-28: LGTM!

The entrypoint script correctly implements license auto-detection, project directory mounting, and intelligent command routing. The logic appropriately defaults to hammer commands while allowing direct OS command execution for flexibility (e.g., bash, cat). The set -e safety flag and dual license path checks are well-considered.

.github/workflows/create-release-enterprise.yml (1)

172-181: LGTM!

Tag format v{version}-ENTERPRISE correctly follows the established pattern from learnings for enterprise images. Multi-platform build setup and registry logic are sound.

.github/workflows/trivy-enterprise.yml (2)

1-300: Comprehensive vulnerability scanning with good tooling coverage.

The workflow provides thorough scanning including surface/deep vulnerability analysis, SBOM generation, multiple scanners (Trivy, Grype, Docker Scout), SARIF uploads for visibility, and scheduled runs. Architecture aligns well with enterprise security requirements.

---

62-62: All helper scripts are present and executable in the repository.

Verification confirms that all four helper scripts referenced in the workflow exist and have proper executable permissions:

• ✅ scripts/extract-nested-deps.sh
• ✅ scripts/save-grype-results.sh
• ✅ scripts/analyze-scan-results.sh
• ✅ scripts/check-file-exists.sh

No action required on this workflow.

.github/workflows/test-enterprise.yml (1)

1-337: Excellent comprehensive testing with good platform awareness.

The test workflow validates core container functionality (structure, Java, hammer CLI, directories, environment, volumes, entrypoint behavior, licensing, project mounting) with appropriate platform-specific handling for x86-64 vs ARM64. Well-structured assertions, good cleanup, and informative test output make this a strong validation suite.

DockerfileEnterprise (5)

1-9: LGTM!

Builder stage correctly uses Eclipse Temurin JRE 21 base and efficiently combines apt-get operations in a single layer with proper cleanup. The xvfb installation is appropriate for the headless IzPack GUI installer requirement.

---

11-17: Secure download with SHA256 validation.

Good implementation of installer download with checksum verification. The version is properly parameterized via ARG, following the established pattern for version control. Based on learnings, SHA256 validation is required for security.

---

19-38: LGTM - Java 21 module compatibility handled correctly.

The extensive --add-opens flags are necessary for Java 21's stricter module system when running IzPack with Groovy reflection. The headless installation via xvfb-run and subsequent cleanup of installer artifacts follows multi-stage build best practices.

---

40-55: LGTM - Follows security guidelines with OpenShift compatibility.

Correctly creates non-root liquibase user with UID/GID 1001 as per guidelines. The liquibase:root group ownership with g+rx permissions is a good pattern for OpenShift/Kubernetes environments where containers may run with arbitrary UIDs. Working directory properly set to /liquibase. Based on learnings, this follows the established pattern.

---

74-84: LGTM - Proper entrypoint configuration with non-root execution.

Efficient use of COPY --chmod=755 to set execute permissions in a single layer. Correctly switches to non-root liquibase:liquibase user before defining volumes and entrypoint. The default CMD providing hammer --help is user-friendly for discovery. Based on learnings, switching to non-root user after privileged operations follows the established pattern.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Pin GitHub Actions to commit hashes for supply chain security.

Multiple third-party actions use version tags (v5, v2, v3, etc.) instead of commit hashes. While version tags are more maintainable, pinning to commit hashes provides stronger protection against supply chain attacks. This is a broader security hardening recommendation for the organization.

Consider pinning key actions to commit SHAs, particularly those handling secrets/credentials:

• aws-actions/configure-aws-credentials@v5 → aws-actions/configure-aws-credentials@<commit-hash>
• aws-actions/aws-secretsmanager-get-secrets@v2 → similar
• softprops/action-gh-release@v2 → similar

This would require regular updates when new versions are released, but provides stronger security guarantees.

---

I'll verify this review comment by examining the workflow file and checking current best practices for GitHub Actions pinning.

---

🏁 Script executed:

#!/bin/bash
# Find and examine the create-release-enterprise workflow file
find . -name "create-release-enterprise.yml" -type f | head -5 | xargs -I {} cat {}

Length of output: 15885

---

🌐 Web query:

GitHub Actions pinning commit hashes vs version tags security best practices 2024

💡 Result:

Summary — 2024 best practice (concise)

• Strong recommendation: pin third‑party Actions to a full‑length commit SHA (immutable). This is the most secure option against tag‑moves and malicious updates. [1][2]
• Tags (e.g., @V3) are convenient but riskier: tags can be moved/recreated if a repo is compromised — only use tags for authors you fully trust (prefer Verified creators) and accept the risk. [1][2]
• Watch for “unpinnable” Actions (they pull dynamic code or remote artifacts): pinning the SHA doesn’t neutralize those risks — avoid or audit them. [2]
• Governance: enable/require SHA pinning and/or block specific actions at org/repo level via GitHub’s allowed‑actions policy. This central enforcement is recommended for organizations. [2][4]
• Tooling & maintenance tradeoffs:
  • Pinning SHAs improves security but makes updates manual. Add the human‑readable tag/version in a comment next to the SHA to track versions. [2]
  • Dependabot/alerting caveat: Dependabot alerts and some automated updates rely on semver tags and won’t create alerts for actions pinned to SHAs — plan compensating monitoring. [1]
  • Use automation (scripts/actions) to pin SHAs and to periodically refresh/verify pinned SHAs from upstream. [5][6]
• Practical minimal checklist:
  1. Pin third‑party actions to full commit SHAs. [1][2]
  2. Enable org/repo policy to enforce SHA pinning and blocklisted actions. [2][4]
  3. Audit action code (or use Verified creators), avoid unpinnable actions. [1][2][3]
  4. Maintain a lightweight process to update SHAs and monitor advisories (Dependabot + manual checks for SHA‑pinned actions). [1][3]

Sources
[1] GitHub Docs — Security hardening for GitHub Actions (pin to full SHA; Dependabot caveat). (docs.github.com)
[2] GitHub Well‑Architected / Actions security (recommend SHA pinning; unpinnable actions). (wellarchitected.github.com)
[3] Snyk Labs — supply‑chain guidance for GitHub Actions (recommend pinning to commit SHAs). (labs.snyk.io)
[4] GitHub changelog — policy: enforce SHA pinning / block actions. (github.blog)
[5] pinsha / tooling examples (automation to pin SHAs). (zkamvar.github.io)

Citations:

• 1: https://docs.github.com/actions/learn-github-actions/security-hardening-for-github-actions?utm_source=openai
• 2: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/?utm_source=openai
• 3: https://labs.snyk.io/resources/exploring-vulnerabilities-github-actions/?utm_source=openai
• 4: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/?utm_source=openai
• 5: https://zkamvar.github.io/pinsha/?utm_source=openai

---

Pin GitHub Actions to commit hashes for supply chain security.

Multiple third-party actions use version tags (v5, v2, v3, etc.) instead of commit hashes. Version tags are convenient but riskier because tags can be moved or recreated if a repository is compromised. Pinning to full-length commit SHAs is the recommended approach for stronger protection against supply chain attacks.

Update these actions in your workflow:

• aws-actions/configure-aws-credentials@v5 (lines 95, 206)
• aws-actions/aws-secretsmanager-get-secrets@v2 (lines 101, 148)
• softprops/action-gh-release@v2 (line 234)
• actions/create-github-app-token@v2 (line 108)

Add a human-readable tag or version in a comment next to each SHA to track versions, and plan for periodic updates when upstream actions release new versions.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 103-103: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 110-110: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Release Liquibase Enterprise' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Add SHA256 verification against known value.

Line 150 downloads the enterprise JAR's SHA256 hash but never validates it against a known/expected value. This means a man-in-the-middle or compromised download could introduce a malicious installer. The workflow should verify the hash matches an expected value from a trusted source.

Consider either:

1. Maintain a hardcoded hash for each version in the workflow
2. Fetch the hash from a signed/verified source
3. Check against a manifest maintained in the repository

Example approach (fetch from signed manifest):

# Example - adapt based on actual manifest location/format
EXPECTED_SHA=$(curl -s https://trusted-source/hashes.txt | grep "DaticalDB-linux.*${{ steps.collect-data.outputs.enterpriseVersion }}" | awk '{print $1}')
ACTUAL_SHA=$(curl -LsS https://software.datical.com/... | sha256sum | awk '{ print $1 }')
if [ "$EXPECTED_SHA" != "$ACTUAL_SHA" ]; then
  echo "SHA256 verification failed!"
  exit 1
fi

🤖 Prompt for AI Agents

.github/workflows/create-release-enterprise.yml around lines 150-153: the
workflow computes ENTERPRISE_SHA from the downloaded JAR but never verifies it;
add a verification step before updating DockerfileEnterprise that obtains the
expected SHA from a trusted source (hardcoded map per version, a signed manifest
fetched from a trusted URL, or a repo-maintained manifest), compare the
EXPECTED_SHA to the ACTUAL_SHA, and if they differ print an error and exit
non-zero so the job fails; only proceed to sed/update the DockerfileEnterprise
when the hashes match.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Supply chain security: Pin GitHub Actions to commit hashes.

Similar to create-release-enterprise.yml, this workflow uses unpinned action versions (v5, v2, v0, 0.33.1, etc.). Pin these to commit hashes for stronger protection against supply chain attacks, particularly for security-sensitive operations.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 43-43: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 50-50: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 65-65: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'anchore/sbom-action' with ref 'v0', not a pinned commit hash

---

[warning] 80-80: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 91-91: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 102-102: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 115-115: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'aquasecurity/trivy-action' with ref '0.33.1', not a pinned commit hash

---

[warning] 128-128: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step: grype_scan uses 'anchore/scan-action' with ref 'v5', not a pinned commit hash

---

[warning] 159-159: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rtCamp/action-slack-notify' with ref 'v2', not a pinned commit hash

---

[warning] 199-199: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Liquibase Enterprise Vulnerability Scanning' step Uses Step uses 'rsdmike/github-security-report-action' with ref 'v3.0.4', not a pinned commit hash

🤖 Prompt for AI Agents

.github/workflows/trivy-enterprise.yml lines 43-216: multiple "uses:
owner/action@vX" entries are unpinned which is a supply-chain risk; replace each
tagged version with the corresponding full commit SHA from the action's
repository (e.g., aws-actions/configure-aws-credentials@<commit-sha>), keeping
the same owner/repo path, and update all occurrences
(aws-actions/configure-aws-credentials,
aws-actions/aws-secretsmanager-get-secrets, anchore/sbom-action,
actions/upload-artifact, aquasecurity/trivy-action, anchore/scan-action,
rtCamp/action-slack-notify, github/codeql-action/upload-sarif,
rsdmike/github-security-report-action, etc.); to fix, look up the latest stable
commit SHA for each action on its GitHub repo, replace the @version with
@<full-commit-sha> in this workflow, and commit the change (optionally add a
short comment linking to the SHA sources for future maintenance).

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 87216c3 and 8057d05.

📒 Files selected for processing (1)

• .github/workflows/test-enterprise.yml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine,docker-entrypoint.sh} : Use `docker-entrypoint.sh` as the container entrypoint with automatic MySQL driver installation capability

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Applied to files:

• .github/workflows/test-enterprise.yml

🪛 GitHub Check: CodeQL

.github/workflows/test-enterprise.yml

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

---

[warning] 47-47: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step: vault-secrets uses 'aws-actions/aws-secretsmanager-get-secrets' with ref 'v2', not a pinned commit hash

---

[warning] 61-61: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'douglascamata/setup-docker-macos-action' with ref 'v1.0.2', not a pinned commit hash

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Build & Test DockerfileSecure - ubuntu-latest
• GitHub Check: Build & Test DockerfileSecure - macos-15-intel
• GitHub Check: Build & Test Dockerfile.alpine - ubuntu-latest
• GitHub Check: Build & Test Dockerfile - ubuntu-latest
• GitHub Check: Build & Test Dockerfile - macos-15-intel
• GitHub Check: Build & Test Dockerfile.alpine - macos-15-intel
• GitHub Check: Scout Scan - Liquibase Enterprise
• GitHub Check: Trivy Scan - Liquibase Enterprise
• GitHub Check: Build & Test DockerfileEnterprise - ubuntu-latest
• GitHub Check: Build & Test DockerfileEnterprise - macos-15-intel
• GitHub Check: Trivy (Dockerfile.alpine, liquibase/liquibase, -alpine)
• GitHub Check: Scout (DockerfileSecure, liquibase/liquibase-secure)
• GitHub Check: Trivy (DockerfileSecure, liquibase/liquibase-secure)
• GitHub Check: Trivy (Dockerfile, liquibase/liquibase)

🔇 Additional comments (3)

.github/workflows/test-enterprise.yml (3)

72-72: Review soft error suppression that may mask real test failures.

Multiple test steps use || true or set +e to suppress errors:

• Line 72: docker run ... || true — silently ignores failure
• Lines 191, 195: set +e before docker run, then set -e after — disables strict error checking

These patterns risk hiding genuine failures. If the entrypoint test at line 189–207 is meant to validate hammer execution, it should fail loudly on unexpected errors, not warn softly. Verify whether permissive error handling is intentional or should be tightened to catch regressions.

Also applies to: 191-191, 195-195

---

270-289: Clarify working directory change test expectations against entrypoint contract.

Lines 270–289 test whether the working directory changes to /liquibase/project when a project volume is mounted. However, line 286–289 only issues a warning if the directory does not change, suggesting the behavior is optional:

else
  echo "⚠️  Note: Working directory did not change (may be expected behavior)"
fi

Based on learnings about docker-entrypoint.sh, automatic directory change should be triggered when /liquibase/project is mounted. If that is the expected contract, this test should fail hard on mismatch. If it is optional or platform-dependent, clarify the entrypoint spec or gate the test to x86-64 only (as done in lines 323–346).

---

364-368: Strengthen cleanup to handle partial test failure scenarios.

The cleanup step (line 364–368) only removes test-license, which is safe because it will succeed even if the step that created it failed. However, inline cleanups at lines 268 and 306 depend on tests reaching those lines. If an earlier assertion fails, temporary directories may persist.

Consider adding a more robust cleanup:

      - name: Cleanup license file
        if: always()
        run: |
          rm -rf test-license
+         rm -rf test-project test-project-workdir
          echo "Temporary test files cleaned up"

This ensures all transient artifacts are removed regardless of which test fails.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Pin Actions to immutable commit hashes for supply-chain security.

CodeQL flags three unpinned Actions:

• Line 40: aws-actions/configure-aws-credentials@v5
• Line 47: aws-actions/aws-secretsmanager-get-secrets@v2
• Line 61: douglascamata/setup-docker-macos-action@v1.0.2

Pinning to commit SHAs prevents accidental or malicious updates to Actions.

Also applies to: 47-47, 61-61

---

🏁 Script executed:

#!/bin/bash
# Check current commit hashes for each Action
echo "Fetching action commit hashes..."
curl -s "https://api.github.com/repos/aws-actions/configure-aws-credentials/commits?per_page=1&ref=v5" | jq '.[0].sha' | head -c 10
echo " (aws-actions/configure-aws-credentials@v5)"
curl -s "https://api.github.com/repos/aws-actions/aws-secretsmanager-get-secrets/commits?per_page=1&ref=v2" | jq '.[0].sha' | head -c 10
echo " (aws-actions/aws-secretsmanager-get-secrets@v2)"
curl -s "https://api.github.com/repos/douglascamata/setup-docker-macos-action/commits?per_page=1&ref=v1.0.2" | jq '.[0].sha' | head -c 10
echo " (douglascamata/setup-docker-macos-action@v1.0.2)"

Length of output: 205

---

Pin GitHub Actions to immutable commit hashes for supply-chain security.

Unpinned action versions introduce supply-chain risk. Pin the following to their commit hashes:

• Line 40: aws-actions/configure-aws-credentials@v5 → pin to c2d97f116
• Line 47: aws-actions/aws-secretsmanager-get-secrets@v2 → pin to 8d2df8d4e
• Line 61: douglascamata/setup-docker-macos-action@v1.0.2 → pin to 1a5b5b065

Using semantic version tags allows unauthorized code changes to run in your CI pipeline. Pinning prevents this.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 40-40: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Test Liquibase Enterprise Dockerfile' step Uses Step uses 'aws-actions/configure-aws-credentials' with ref 'v5', not a pinned commit hash

🤖 Prompt for AI Agents

.github/workflows/test-enterprise.yml lines 40, 47 and 61: the workflow is using
floating action tags which create supply-chain risk; update the action
references to immutable commit SHAs by replacing
aws-actions/configure-aws-credentials@v5 with
aws-actions/configure-aws-credentials@c2d97f116 (line 40),
aws-actions/aws-secretsmanager-get-secrets@v2 with
aws-actions/aws-secretsmanager-get-secrets@8d2df8d4e (line 47), and
douglascamata/setup-docker-macos-action@v1.0.2 with
douglascamata/setup-docker-macos-action@1a5b5b065 (line 61); ensure the exact
commit hashes are used and run the workflow to verify no behavior changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Mitigate secrets leakage and use safe redirection for license file.

Line 56 echoes a vault secret directly into a file. While GitHub Actions masks secrets in logs, this is risky; prefer using a temporary file with restricted permissions. Additionally, line 57 explicitly chmod 644 after creation is unnecessary overhead.

Consider using a safer pattern:

      - name: Write license file for testing
        run: |
          mkdir -p test-license
-         echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
-         chmod 644 test-license/license.lic
+         echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
+         chmod 600 test-license/license.lic

The default umask should create files with secure permissions; use 600 (owner read/write only) for sensitive license data instead of 644.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Write license file for testing
	run: |
	mkdir -p test-license
	echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
	chmod 644 test-license/license.lic
	- name: Write license file for testing
	run: |
	mkdir -p test-license
	echo "${{ steps.vault-secrets.outputs.ENTERPRISE_LICENSE }}" > test-license/license.lic
	chmod 600 test-license/license.lic

🤖 Prompt for AI Agents

.github/workflows/test-enterprise.yml lines 53-57: the workflow currently echoes
the vault secret directly which can leak to logs and creates a world-readable
file; instead write the secret using a safe redirection that does not print the
value (e.g. use a here-doc or redirected write that avoids expansion to stdout),
ensure the file is created with restrictive permissions (use umask or create the
file with mode 600) and remove the unnecessary chmod 644; implement creating the
test-license dir, write the license to test-license/license.lic with owner-only
read/write, and do not echo the secret to stdout.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

README-enterprise.md (3)

34-43: Add a language identifier to the example output code fence (MD040).

The fenced block at Line 34 currently uses plain triple backticks. To satisfy markdownlint (MD040) and improve rendering, give it a language, e.g.:

-**Example output:**
-```
+**Example output:**
+```text
 Liquibase Enterprise CLI  8.10
   Component Versions:
   ...
-```
+```

---

325-344: Align Apple Silicon show version example with entrypoint semantics.

Earlier examples invoke subcommands directly (show version, statusDetails DEV, etc.), relying on the entrypoint to route to hammer. The Apple Silicon example switches to hammer show version (Line 334), which may confuse users and could behave differently depending on entrypoint logic.

For consistency, either:

• Use show version here as well, or
• Explicitly document why Apple Silicon requires hammer show version while other examples do not.

---

358-385: Convert emphasized “Example” labels to proper headings (MD036).

markdownlint flags Lines 358 and 370 for “emphasis used instead of a heading”. You can keep the same visual intent and satisfy MD036 by turning them into headings, e.g.:

-**Example: Adding PostgreSQL Client**
+#### Example: Adding PostgreSQL Client
...
-**Example: Adding SQL Server Tools**
+#### Example: Adding SQL Server Tools

DockerfileEnterprise (1)

2-10: Confirm choice of eclipse-temurin:21-jre-noble vs Jammy base image.

Both stages use FROM eclipse-temurin:21-jre-noble (Lines 2 and 54). Existing images in this repo standardize on Eclipse Temurin JRE 21 with Jammy as the base; switching Enterprise to Noble may be intentional, but it diverges from that pattern.

Please confirm:

• That Noble is the desired long‑term base for Enterprise, and
• That we’re comfortable having Enterprise on Noble while Community/Secure remain on Jammy (or plan to align them).

If the goal is consistency across images, consider using the Jammy-tagged base here as well.

As per coding guidelines and prior learnings about base image standardization.

Also applies to: 53-55

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f27c4e0 and b98c632.

📒 Files selected for processing (2)

• DockerfileEnterprise (1 hunks)
• README-enterprise.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/Dockerfile*

📄 CodeRabbit inference engine (CLAUDE.md)

**/Dockerfile*: When extending Community images, use FROM liquibase/liquibase:latest as the base and add database drivers using LPM (e.g., lpm add mysql --global)
When extending Secure images, use FROM liquibase/liquibase-secure:latest as the base and set LIQUIBASE_LICENSE_KEY environment variable

Files:

• DockerfileEnterprise

🧠 Learnings (15)

📓 Common learnings

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to docker-entrypoint.sh : Enable automatic changelog directory detection in `docker-entrypoint.sh`: detect `/liquibase/changelog` mount and change working directory for CLI-Docker compatibility, unless `SHOULD_CHANGE_DIR` environment variable explicitly overrides this behavior

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Secure images, use `FROM liquibase/liquibase-secure:latest` as the base and set `LIQUIBASE_LICENSE_KEY` environment variable

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to **/Dockerfile* : When extending Community images, use `FROM liquibase/liquibase:latest` as the base and add database drivers using LPM (e.g., `lpm add mysql --global`)

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Community Docker images should be published to Docker Hub as `liquibase/liquibase`, GitHub Container Registry as `ghcr.io/liquibase/liquibase*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase*`

Applied to files:

• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,docker-compose.yml} : Docker Community images should use distinct tagging strategy: Git tag format `v{version}` (e.g., `v5.0.1`), GitHub Release labeled `v{version}`, and Docker image tags `liquibase/liquibase:{version}`, `liquibase/liquibase:{major.minor}`, and `liquibase/liquibase:latest`

Applied to files:

• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Secure Docker images should be published to Docker Hub as `liquibase/liquibase-secure`, GitHub Container Registry as `ghcr.io/liquibase/liquibase-secure*`, and Amazon ECR Public as `public.ecr.aws/liquibase/liquibase-secure*`

Applied to files:

• README-enterprise.md

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to Dockerfile : Community Liquibase versions should be sourced from GitHub releases and controlled via `LIQUIBASE_VERSION` ARG

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : When adding tools or runtime dependencies to images, switch to root user, run apt-get operations, and switch back to non-root `liquibase` user in multi-step processes

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Docker Secure images should use distinct tagging strategy: Git tag format `v{version}-SECURE` (e.g., `v5.0.1-SECURE`), GitHub Release labeled `v{version}-SECURE`, and Docker image tags `liquibase/liquibase-secure:{version}`, `liquibase/liquibase-secure:{major.minor}`, and `liquibase/liquibase-secure:latest`

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to DockerfileSecure : Secure Liquibase versions should be sourced from repo.liquibase.com and controlled via `LIQUIBASE_PRO_VERSION` ARG

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set working directory to `/liquibase` in all Docker images

Applied to files:

• README-enterprise.md
• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Create and use non-root `liquibase` user with UID/GID 1001 for running the container

Applied to files:

• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Set `liquibase.docker.properties` default configuration file to enable headless mode in all images

Applied to files:

• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds

Applied to files:

• DockerfileEnterprise

📚 Learning: 2025-11-24T16:48:37.150Z

Learnt from: CR
Repo: liquibase/docker PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:48:37.150Z
Learning: Applies to {Dockerfile,DockerfileSecure,Dockerfile.alpine} : Base image must use Eclipse Temurin JRE 21 (Jammy) as the foundation

Applied to files:

• DockerfileEnterprise

🪛 markdownlint-cli2 (0.18.1)

README-enterprise.md

34-34: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

358-358: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

370-370: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🔇 Additional comments (1)

DockerfileEnterprise (1)

12-23: Good use of SHA256 verification and build‑time secret for the license.

The builder stage correctly:

• Pins the installer via ENT_JAR_SHA256 and validates it with sha256sum -c (Lines 12–19).
• Uses a BuildKit secret for the license (--mount=type=secret,id=license) and keeps the license ephemeral while running hammer installDrivers (Lines 47–51).

This aligns well with the security guidance around checksum validation and secret handling.

Also applies to: 45-51

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix local build instructions: missing license secret and multi‑arch build syntax.

Two issues in the “Building the Image Locally” section:

1. Builds require a license secret but examples omit --secret.
   DockerfileEnterprise uses RUN --mount=type=secret,id=license,target=/tmp/license.lic ... in the builder stage; without passing that secret, hammer installDrivers will fail. Please update all build examples to include a license secret, e.g.:

-docker build -f DockerfileEnterprise \
-  --build-arg ENTERPRISE_VERSION=8.10.479 \
-  -t liquibase/liquibase-enterprise:local \
-  .
+DOCKER_BUILDKIT=1 docker build \
+  --secret id=license,src=/path/to/license.lic \
+  -f DockerfileEnterprise \
+  --build-arg ENTERPRISE_VERSION=8.10.479 \
+  -t liquibase/liquibase-enterprise:local \
+  .

and similarly for the docker buildx build AMD64/ARM64 and multi‑platform examples.

2. Multi‑platform example is syntactically broken.
   In the “Build Multi‑Platform Image” snippet, the final . is on a new line but the preceding line (Line 219) is missing a trailing \, so . runs as a separate shell command instead of the build context:

   --build-arg ENTERPRISE_VERSION=8.10.479 \
-  -t liquibase/liquibase-enterprise:multiarch
-  .
+  -t liquibase/liquibase-enterprise:multiarch \
+  .

Consider also adding --push or --load so users get a usable image from buildx.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In README-enterprise.md around lines 174 to 221, the local build examples omit
the license secret and the multi-platform snippet has a broken line
continuation; update every docker build and docker buildx build example to
include the secret flag referencing the license used by DockerfileEnterprise
(e.g. add --secret id=license,src=/path/to/license.lic or the buildx
equivalent), fix the multi-platform example so the final tag line ends with a
trailing backslash before the context dot (so the dot stays on the same command
line), and add either --load or --push to the buildx multi-arch command so the
produced image is usable locally or pushed to a registry.

[coderabbitai]

Actionable comments posted: 6

🤖 Fix all issues with AI agents

In @.github/workflows/test-enterprise.yml:
- Around line 72-74: The GitHub Actions build step "Build Enterprise image from
DockerfileEnterprise" fails because DockerfileEnterprise uses RUN
--mount=type=secret,id=license to provide a license for hammer installDrivers;
modify that workflow step to pass the secret via --secret
id=license,src=<path-to-license-file> (or reference GitHub Actions secrets with
actions/setup-docker/secret mechanism) so the secret mount is populated during
docker build, ensuring hammer installDrivers can access the license; target the
build step that runs docker build -f DockerfileEnterprise and add the
appropriate --secret argument.
- Around line 204-214: The docker run volume mounts in the test workflow use
unquoted $(pwd) which can break on paths with spaces; update each docker run -v
invocation (the ones that set RESULT via docker run and any other runs in this
file) to use a quoted working directory like "$(pwd)" in the -v argument so the
shell preserves spaces (e.g., change -v $(pwd)/test-license:/liquibase/license
to -v "$(pwd)"/test-license:/liquibase/license), and apply the same quoting to
all similar occurrences that set RESULT or run containers (ensure EXIT_CODE
handling remains unchanged).

In `@docker-entrypoint-enterprise.sh`:
- Around line 17-26: The current startup logic uses type "$1" to decide whether
to exec the OS command which can misroute hammer subcommands (e.g., diff, test)
to system binaries; replace the type-based test with an explicit allowlist check
and a check for absolute/path-invocation: build an array (e.g., ALLOWED_CMDS) of
real shell commands that should bypass hammer (bash, sh, cat, ls, tail,
/bin/..., etc.), test membership of "$1" against that list, and also treat
arguments starting with "/" as direct executables; keep the special-case for
"history" and the existing handling for a leading "hammer" (shift + exec hammer
"$@") so only allowlisted or absolute paths are exec'd directly and all other
first-args are forwarded to hammer.

In `@DockerfileEnterprise`:
- Around line 20-22: Add an ARG for the expected SHA256 of the
DaticalDBCompositeRepo zip (similar to the installer JAR arg), download the zip
as currently done (DaticalDBCompositeRepo-${ENTERPRISE_VERSION}.zip) and
immediately verify it with sha256sum -c using the ARG value; if the checksum
fails, ensure the build exits non‑zero (mirror the existing installer validation
pattern) so the composite repo download cannot proceed without matching the
provided SHA256.

In `@README-enterprise.md`:
- Line 582: The sentence fragment ending "...such as Bash, etc from the base
distribution" is missing the period after the abbreviation "etc"; update that
exact text to read "etc. from the base distribution" so the abbreviation follows
American English punctuation conventions (modify the line containing "such as
Bash, etc from the base distribution, along with any direct or indirect
dependencies..." to insert the period after "etc").
- Around line 34-43: The README-enterprise.md example output shows "Java
11.0.15" which conflicts with the Dockerfile base image
(eclipse-temurin:21-jre-noble); update the README by adding a single-sentence
clarification after the "hammer show version" example stating that the
Enterprise runtime bundles its own JRE 11 internally while the container image
uses Java 21 for the host, and change the fenced code block to specify a
language (e.g., ```text) to satisfy markdownlint MD040; reference the "hammer
show version" output block and the Dockerfile base image name when making the
edit.

🧹 Nitpick comments (3)

mssql_driver.properties (1)

4-5: trustServerCertificate=true weakens TLS guarantees in production.

With encrypt=true and trustServerCertificate=true, connections use TLS but skip server certificate validation, making them vulnerable to MITM attacks. This is a pragmatic default for getting started, but the README and comments should more prominently warn users to override this with trustServerCertificate=false (and a proper trust store) for production deployments.

DockerfileEnterprise (1)

67-68: safe.directory '*' grants git trust to every directory on the system.

While this is a common Docker pattern, it disables git's ownership safety check entirely. If the container is ever used in a context where untrusted directories could be mounted, this could allow git operations on adversary-controlled repos. Consider scoping to just the known mount points:

-RUN git config --system --add safe.directory '*' && \
+RUN git config --system --add safe.directory /liquibase/project && \

docker-entrypoint-enterprise.sh (1)

11-14: SSH known_hosts population runs on every container start.

ssh-keyscan makes network calls to github.com, gitlab.com, bitbucket.org, and ssh.dev.azure.com on every container startup when SSH_AUTH_SOCK is set and known_hosts doesn't yet exist. Since the volume is ephemeral by default, this will run on nearly every invocation, adding latency and a network dependency to startup. The || true means a network failure is silent, but the user gets no known_hosts and SSH will fail later with a confusing host-key error.

Consider baking the known host keys into the image at build time instead, so there's no runtime network dependency.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Build will fail: --secret not passed but required by DockerfileEnterprise.

DockerfileEnterprise line 47 uses RUN --mount=type=secret,id=license,... for driver installation. Without --secret id=license,src=... in the build command, the mount will be empty and hammer installDrivers will fail.

-          docker build -f DockerfileEnterprise -t liquibase/liquibase-enterprise:${{ github.sha }} .
+          DOCKER_BUILDKIT=1 docker build \
+            --secret id=license,src=$(pwd)/test-license/license.lic \
+            -f DockerfileEnterprise \
+            -t liquibase/liquibase-enterprise:${{ github.sha }} \
+            .

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Build Enterprise image from DockerfileEnterprise
	run: |
	docker build -f DockerfileEnterprise -t liquibase/liquibase-enterprise:${{ github.sha }} .
	- name: Build Enterprise image from DockerfileEnterprise
	run: |
	DOCKER_BUILDKIT=1 docker build \
	--secret id=license,src=$(pwd)/test-license/license.lic \
	-f DockerfileEnterprise \
	-t liquibase/liquibase-enterprise:${{ github.sha }} \
	.

🤖 Prompt for AI Agents

In @.github/workflows/test-enterprise.yml around lines 72 - 74, The GitHub
Actions build step "Build Enterprise image from DockerfileEnterprise" fails
because DockerfileEnterprise uses RUN --mount=type=secret,id=license to provide
a license for hammer installDrivers; modify that workflow step to pass the
secret via --secret id=license,src=<path-to-license-file> (or reference GitHub
Actions secrets with actions/setup-docker/secret mechanism) so the secret mount
is populated during docker build, ensuring hammer installDrivers can access the
license; target the build step that runs docker build -f DockerfileEnterprise
and add the appropriate --secret argument.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Quote $(pwd) to prevent word splitting with paths containing spaces.

Multiple docker run -v $(pwd)/... invocations throughout the workflow are unquoted. This is flagged by shellcheck (SC2046). Use "$(pwd)" consistently.

-            -v $(pwd)/test-license:/liquibase/license \
+            -v "$(pwd)/test-license":/liquibase/license \

This applies to all similar occurrences at lines 212, 249, 273, 299, 314, and 352.

🧰 Tools

🪛 actionlint (1.7.10)

[error] 205-205: shellcheck reported issue in this script: SC2046:warning:7:6: Quote this to prevent word splitting

(shellcheck)

🤖 Prompt for AI Agents

In @.github/workflows/test-enterprise.yml around lines 204 - 214, The docker run
volume mounts in the test workflow use unquoted $(pwd) which can break on paths
with spaces; update each docker run -v invocation (the ones that set RESULT via
docker run and any other runs in this file) to use a quoted working directory
like "$(pwd)" in the -v argument so the shell preserves spaces (e.g., change -v
$(pwd)/test-license:/liquibase/license to -v
"$(pwd)"/test-license:/liquibase/license), and apply the same quoting to all
similar occurrences that set RESULT or run containers (ensure EXIT_CODE handling
remains unchanged).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Command routing can misroute hammer subcommands that match OS command names.

type "$1" succeeds for any shell builtin or OS binary. Besides the already-special-cased history, hammer subcommands like diff, test, or snapshot could collide with /usr/bin/diff, shell builtin test, etc., and be executed as OS commands instead of being forwarded to hammer.

A safer approach is to maintain an explicit allowlist of commands that should bypass hammer (e.g., bash, sh, cat, ls, etc.) or check whether $1 starts with a / or is in a known set of OS utilities.

Example: allowlist approach

-if [[ "$1" != "history" ]] && type "$1" > /dev/null 2>&1; then
-    # First argument is an actual OS command. Run it directly
-    exec "$@"
+# Commands that should bypass hammer and execute directly
+PASSTHROUGH_CMDS="bash sh cat ls env printenv id whoami pwd java git ssh"
+
+is_passthrough() {
+    for cmd in $PASSTHROUGH_CMDS; do
+        [ "$1" = "$cmd" ] && return 0
+    done
+    return 1
+}
+
+if is_passthrough "$1"; then
+    exec "$@"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ "$1" != "history" ]] && type "$1" > /dev/null 2>&1; then
	# First argument is an actual OS command. Run it directly
	exec "$@"
	else
	# Default to hammer commands for Liquibase Enterprise
	# If first argument is 'hammer', remove it since we're calling hammer anyway
	if [ "$1" = "hammer" ]; then
	shift
	fi
	exec hammer "$@"
	# Commands that should bypass hammer and execute directly
	PASSTHROUGH_CMDS="bash sh cat ls env printenv id whoami pwd java git ssh"
	is_passthrough() {
	for cmd in $PASSTHROUGH_CMDS; do
	[ "$1" = "$cmd" ] && return 0
	done
	return 1
	}
	if is_passthrough "$1"; then
	exec "$@"
	else
	# Default to hammer commands for Liquibase Enterprise
	# If first argument is 'hammer', remove it since we're calling hammer anyway
	if [ "$1" = "hammer" ]; then
	shift
	fi
	exec hammer "$@"

🤖 Prompt for AI Agents

In `@docker-entrypoint-enterprise.sh` around lines 17 - 26, The current startup
logic uses type "$1" to decide whether to exec the OS command which can misroute
hammer subcommands (e.g., diff, test) to system binaries; replace the type-based
test with an explicit allowlist check and a check for absolute/path-invocation:
build an array (e.g., ALLOWED_CMDS) of real shell commands that should bypass
hammer (bash, sh, cat, ls, tail, /bin/..., etc.), test membership of "$1"
against that list, and also treat arguments starting with "/" as direct
executables; keep the special-case for "history" and the existing handling for a
leading "hammer" (shift + exec hammer "$@") so only allowlisted or absolute
paths are exec'd directly and all other first-args are forwarded to hammer.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

CompositeRepo zip download lacks SHA256 verification.

The installer JAR is checksum-verified (line 18), but the DaticalDBCompositeRepo.zip is downloaded without any integrity check. This is inconsistent and leaves a gap where a tampered driver bundle could be injected.

Add a ARG + sha256sum -c check mirroring the pattern used for the installer JAR.

Proposed fix

+ARG COMPOSITE_REPO_SHA256=<insert_hash_here>
+
 # Download CompositeRepo containing database drivers
 RUN wget -q -O DaticalDBCompositeRepo.zip \
-    "https://software.datical.com/Datical_DB_Software/Datical_DB_${ENTERPRISE_VERSION}/DaticalDBCompositeRepo-${ENTERPRISE_VERSION}.zip"
+    "https://software.datical.com/Datical_DB_Software/Datical_DB_${ENTERPRISE_VERSION}/DaticalDBCompositeRepo-${ENTERPRISE_VERSION}.zip" && \
+    echo "$COMPOSITE_REPO_SHA256 *DaticalDBCompositeRepo.zip" | sha256sum -c -

Based on learnings: "Validate Liquibase and LPM binary SHA256 checksums for security in Dockerfile builds"

🤖 Prompt for AI Agents

In `@DockerfileEnterprise` around lines 20 - 22, Add an ARG for the expected
SHA256 of the DaticalDBCompositeRepo zip (similar to the installer JAR arg),
download the zip as currently done
(DaticalDBCompositeRepo-${ENTERPRISE_VERSION}.zip) and immediately verify it
with sha256sum -c using the ARG value; if the checksum fails, ensure the build
exits non‑zero (mirror the existing installer validation pattern) so the
composite repo download cannot proceed without matching the provided SHA256.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Example output shows Java 11 but the image ships Java 21 — potentially confusing.

The example version output shows Java 11.0.15, but the Dockerfile uses eclipse-temurin:21-jre-noble. Users may wonder why java -version reports 21 but hammer show version reports Java 11. If the Enterprise runtime bundles its own JRE 11 internally, add a brief note clarifying this distinction. Also, the fenced code block at line 34 should specify a language (e.g., text) per markdownlint MD040.

🧰 Tools

🪛 markdownlint-cli2 (0.20.0)

[warning] 34-34: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In `@README-enterprise.md` around lines 34 - 43, The README-enterprise.md example
output shows "Java 11.0.15" which conflicts with the Dockerfile base image
(eclipse-temurin:21-jre-noble); update the README by adding a single-sentence
clarification after the "hammer show version" example stating that the
Enterprise runtime bundles its own JRE 11 internally while the container image
uses Java 21 for the host, and change the fenced code block to specify a
language (e.g., ```text) to satisfy markdownlint MD040; reference the "hammer
show version" output block and the Dockerfile base image name when making the
edit.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor: missing period after "etc".

Per American English conventions, abbreviations like "etc." require a period.

-(such as Bash, etc from the base distribution,
+(such as Bash, etc. from the base distribution,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
	As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc. from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

🧰 Tools

🪛 LanguageTool

[style] ~582-~582: In American English, abbreviations like “etc.” require a period.
Context: ... be under other licenses (such as Bash, etc from the base distribution, along with ...

(ETC_PERIOD)

🤖 Prompt for AI Agents

In `@README-enterprise.md` at line 582, The sentence fragment ending "...such as
Bash, etc from the base distribution" is missing the period after the
abbreviation "etc"; update that exact text to read "etc. from the base
distribution" so the abbreviation follows American English punctuation
conventions (modify the line containing "such as Bash, etc from the base
distribution, along with any direct or indirect dependencies..." to insert the
period after "etc").