From e9276085583f8d79064fb6967549c55630a64df2 Mon Sep 17 00:00:00 2001
From: dreads
Date: Tue, 31 Dec 2024 12:11:40 -0600
Subject: [PATCH 1/5] add third repo
---
 .github/workflows/liquibase_pro_ci_action.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/liquibase_pro_ci_action.yml b/.github/workflows/liquibase_pro_ci_action.yml
index f089eb4..b50239b 100644
--- a/.github/workflows/liquibase_pro_ci_action.yml
+++ b/.github/workflows/liquibase_pro_ci_action.yml
@@ -125,11 +125,11 @@ jobs:
 path: liquibase-sql
 # Check out the Liquibase Configuration Repo to a folder, "liquibase-process"
-# - name: Checkout Liquibase Configuration repo
-# uses: actions/checkout@v4
-# with:
-# repository: adeelmalik78/Automations
-# path: liquibase-process
+ - name: Checkout Liquibase Configuration repo
+ uses: actions/checkout@v4
+ with:
+ repository: adeelmalik78/Automations
+ path: liquibase-process
 ####################################################################
From 2a769ed5eef3d4e3a859f30ab08b0c383d3f0766 Mon Sep 17 00:00:00 2001
From: dreads
Date: Tue, 31 Dec 2024 12:31:39 -0600
Subject: [PATCH 2/5] move flow files over
---
 flowfiles/liquibase-deploy.flowfile.yaml | 62 +++++++++++++++++++++
 flowfiles/liquibase-postmerge.flowfile.yaml | 49 ++++++++++++++++
 flowfiles/liquibase-premerge.flowfile.yaml | 23 ++++++++
 flowfiles/liquibase-rollback.flowfile.yaml | 32 +++++++++++
 4 files changed, 166 insertions(+)
 create mode 100644 flowfiles/liquibase-deploy.flowfile.yaml
 create mode 100644 flowfiles/liquibase-postmerge.flowfile.yaml
 create mode 100644 flowfiles/liquibase-premerge.flowfile.yaml
 create mode 100644 flowfiles/liquibase-rollback.flowfile.yaml
diff --git a/flowfiles/liquibase-deploy.flowfile.yaml b/flowfiles/liquibase-deploy.flowfile.yaml
new file mode 100644
index 0000000..6fdf0c6
--- /dev/null
+++ b/flowfiles/liquibase-deploy.flowfile.yaml
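Review bot: The re-enabled `Checkout Liquibase Configuration repo` step pulls `adeelmalik78/Automations` with no `ref:`, so each run takes whatever the default branch of that personal third-party repository holds at the time, and that content is the flow and policy-check configuration the pipeline then executes. Pin it under `with:` (`ref: <commit-sha placeholder>`) or vendor the files into this repository; patch 2 of this series does copy the flow files in, and patch 3 comments this step out again, so if the step is obsolete it should be deleted rather than kept commented. The `uses: actions/checkout@v4` tag is a mutable pin as well; a full commit SHA with a version comment is the stronger form. The enclosing job continues outside the hunk.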
@@ -0,0 +1,62 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-deploy.flowfile.yaml
+
+stages:
+
+ Checks-Changelog:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: changelog,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-deploy-changelog.html"
+ }
+
+ Status:
+ actions:
+ - type: liquibase
+ command: status
+ cmdArgs: {verbose: true}
+
+ Update-SQL:
+ actions:
+ - type: liquibase
+ command: update-sql
+
+ Update:
+ actions:
+ - type: liquibase
+ command: update
+
+ Checks-Database:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: database,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON"
+ }
+ globalArgs: {
+ reports-name: "checks-report-deploy-database.html"
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
diff --git a/flowfiles/liquibase-postmerge.flowfile.yaml b/flowfiles/liquibase-postmerge.flowfile.yaml
new file mode 100644
index 0000000..dc1c5db
--- /dev/null
+++ b/flowfiles/liquibase-postmerge.flowfile.yaml
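Review bot: Both `checks run` actions set `auto-update: "ON"`, which (per the Liquibase `--auto-update` option) lets the run rewrite `policychecks/liquibase.checks-settings.conf` on the runner to the running version's format, so the settings the pipeline actually enforced can differ from the committed copy; patch 5 of this series looks like the output of exactly such a rewrite. Prefer leaving auto-update off in CI and upgrading the settings file in a reviewed commit, or document the choice above each checks stage: `## auto-update may rewrite the checks settings file on the runner; keep the committed copy in sync`. The multi-line `cmdArgs: { ... }` flow mappings would be easier to read in block style, and the file ends without a newline.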
@@ -0,0 +1,49 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-postmerge.flowfile.yaml
+
+stages:
+
+ Status:
+ actions:
+ - type: liquibase
+ command: status
+ cmdArgs: {verbose: true}
+
+ Update-SQL:
+ actions:
+ - type: liquibase
+ command: update-sql
+
+ Update:
+ actions:
+ - type: liquibase
+ command: update
+
+ PostDeploy-Checks:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: {
+ checks-scope: database,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-database.html"
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
diff --git a/flowfiles/liquibase-premerge.flowfile.yaml b/flowfiles/liquibase-premerge.flowfile.yaml
new file mode 100644
index 0000000..aa45f02
--- /dev/null
+++ b/flowfiles/liquibase-premerge.flowfile.yaml
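Review bot: `PostDeploy-Checks` is the only checks stage in this flow and it runs after `Update`, so a policy violation found there can only be reported, never block the deployment; there is no changelog-scope `checks run` ahead of `Update`, which leaves gating entirely to the premerge flow having run on the same changes. Either add a changelog-scope checks stage before `Update`, as `liquibase-deploy.flowfile.yaml` in the same patch does, or state in the header comment that this flow intentionally trusts the premerge gate. `changeset-filter: "pending"` alongside `checks-scope: database` also looks ineffective, since after `update` nothing is pending and the filter appears to be a changelog-scope setting — worth confirming before relying on it.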
@@ -0,0 +1,23 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-premerge.flowfile.yaml
+
+stages:
+
+ PreMerge-Checks:
+ actions:
+ - type: liquibase
+ command: checks run
+ cmdArgs: { checks-scope: changelog,
+ checks-settings-file: "policychecks/liquibase.checks-settings.conf",
+ auto-update: "ON",
+ changeset-filter: "pending"
+ }
+ globalArgs: {
+ reports-name: "checks-report-premerge.html"
+ }
\ No newline at end of file
diff --git a/flowfiles/liquibase-rollback.flowfile.yaml b/flowfiles/liquibase-rollback.flowfile.yaml
new file mode 100644
index 0000000..abc891d
--- /dev/null
+++ b/flowfiles/liquibase-rollback.flowfile.yaml
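Review bot: `cmdArgs: { checks-scope: changelog,` opens the flow mapping on the same line as its first key, while the sibling flow files in this patch put `{` alone on the `cmdArgs:` line; pick one layout for all four files (block style would avoid the question entirely). This file is also the only one of the four without an `endStage`, which is fine if intentional but worth a one-line comment, and like the others it has no trailing newline.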
@@ -0,0 +1,32 @@
+########## LIQUIBASE FLOWFILE ##########
+########## learn more http://docs.liquibase.com/flow ##########
+
+## Note: Any command which fails in any stage below result in the command stopping, and endStage being run.
+## A flow file can have one or more stages, each with multiple "actions",
+## or your flow file can have multiple stages with fewer actions in each stage.
+
+## Call this flow using: liquibase flow --flow-file=flowfiles/liquibase-rollback.flowfile.yaml
+
+stages:
+
+ Rollback-SQL:
+ actions:
+ - type: liquibase
+ command: rollback-one-update-sql
+
+ Rollback:
+ actions:
+ - type: liquibase
+ command: rollback-one-update
+ cmdArgs: {
+ force: true
+ }
+
+## The endStage ALWAYS RUNS.
+## So put actions here which you desire to perform whether previous stages' actions succeed or fail.
+## If you do not want any actions to ALWAYS RUN, simply delete the endStage from your flow file.
+
+endStage:
+ actions:
+ - type: liquibase
+ command: history
\ No newline at end of file
From faa519aab797eb9024fb6a74fd4fa5a369044f0b Mon Sep 17 00:00:00 2001
From: dreads
Date: Tue, 31 Dec 2024 12:35:26 -0600
Subject: [PATCH 3/5] fix search path conflict for duplicate flowfiles
---
 .github/workflows/liquibase_pro_ci_action.yml | 12 +-
 policychecks/liquibase.checks-settings.conf | 312 ++++++------------
 2 files changed, 99 insertions(+), 225 deletions(-)
diff --git a/.github/workflows/liquibase_pro_ci_action.yml b/.github/workflows/liquibase_pro_ci_action.yml
index b50239b..d6bea8e 100644
--- a/.github/workflows/liquibase_pro_ci_action.yml
+++ b/.github/workflows/liquibase_pro_ci_action.yml
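Review bot: `rollback-one-update` is given `force: true` and no deployment identifier, so the flow rolls back whatever the most recent deployment on the configured connection happens to be and skips the confirmation the command otherwise asks for; invoking the flow twice, or against the wrong target, undoes a deployment nobody intended to revert. Consider naming the target explicitly (Liquibase accepts `deployment-id` for this command; a flow variable such as `deployment-id: "${DEPLOYMENT_ID}"` would let the pipeline supply it) and adding `## force: true skips the interactive confirmation — verify the target deployment before invoking this flow` above the stage. The preceding `Rollback-SQL` stage produces a preview, but nothing in the flow inspects it before `Rollback` runs.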
@@ -124,12 +124,12 @@ jobs: repository: liquibase/cs-impl-guide-examples-sql path: liquibase-sql - # Check out the Liquibase Configuration Repo to a folder, "liquibase-process" - - name: Checkout Liquibase Configuration repo - uses: actions/checkout@v4 - with: - repository: adeelmalik78/Automations - path: liquibase-process +# # Check out the Liquibase Configuration Repo to a folder, "liquibase-process" +# - name: Checkout Liquibase Configuration repo +# uses: actions/checkout@v4 +# with: +# repository: adeelmalik78/Automations +# path: liquibase-process #################################################################### diff --git a/policychecks/liquibase.checks-settings.conf b/policychecks/liquibase.checks-settings.conf index 7b66eec..86f51da 100644 --- a/policychecks/liquibase.checks-settings.conf +++ b/policychecks/liquibase.checks-settings.conf @@ -1,4 +1,4 @@ -## Policy Checks Settings File +## Quality Checks Settings File ########## IMPORTANT: NEVER EDIT THIS KEY ## id: 'some-l0ng-uni4ue-id3nt1fier-c0d3' @@ -9,9 +9,8 @@ ########## EDITABLE PARAMETERS ## Standard value options: ## ALLOWED_LIST: -## ATTRIBUTE: ## CASE_SENSITIVE: -## CHANGE_TYPE_LIST: +## CHANGE_TYPE_LIST: ## COLUMN_NAME: ## CONSTRAINT: ## CONSTRAINT_OPERATOR: @@ -33,28 +32,19 @@ ## OPERATOR: ## PASSWORD: ## PATH_FILTER_REGEX: -## PATTERN_A: -## PATTERN_B: ## PRIMARY_SEARCH_STRING: ## PRIVILEGE_LIST: ## PROJECT_DIR: -## REQUIRES_SNAPSHOT: ## RUN_IN_TRANSACTION_VALUE: ## SAMPLE_CHANGELOG_NAME: -## SCRIPT_ARGS: -## SCRIPT_DESCRIPTION: -## SCRIPT_MESSAGE: -## SCRIPT_PATH: -## SCRIPT_SCOPE: -## SCRIPT_TYPE: +## SCRIPT_NAME: ## SEARCH_STRING: -## SPLIT_STATEMENTS: ## STRIP_COMMENTS: ## TABLE_NAME: ## USERNAME: fileCreated: 2024-02-23T17:05:17.619Z -fileModified: 2024-11-06T19:40:03.654Z +fileModified: 2024-08-23T16:04:20.017Z rules: - description: This check warns a user when SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues. 
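Review bot: The checkout step is commented out instead of removed, leaving six dead lines (`# - name: Checkout Liquibase Configuration repo` … `# path: liquibase-process`) in the workflow; patch 2 of this series moved the flow files into this repository, so the step appears obsolete and git history already preserves it. Delete the block, or if it is meant to return, replace it with a single line saying why it is disabled, e.g. `# disabled in faa519a: duplicate flowfiles on the search path`. The surrounding checkout of `liquibase/cs-impl-guide-examples-sql` in the context lines is likewise unpinned, but that is outside this change. The enclosing job continues outside the hunk.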
@@ -110,26 +100,7 @@ rules: shortName: SqlSelectStarWarn - description: This check scans SQL for the presence of specific patterns and warns the user when they are found. - enabled: true - id: '90d174dc-eec8-3ff6-bebf-2859b8e73c19' - name: Check for specific patterns in sql - parameters: - - parameter: SEARCH_STRING - value: (?is)(?=.*\b(create)\b)(?=.*\b(sequence)\b).* - - parameter: MESSAGE - value: Creation of Sequences is not permitted. - - parameter: STRIP_COMMENTS - value: true - - parameter: PATH_FILTER_REGEX - value: null - - parameter: SPLIT_STATEMENTS - value: false - parentRuleId: '6fe07581-c90d-3add-9057-1547a1439727' - severity: '4' - shortName: NoCreateSequences -- description: This check scans SQL for the presence of specific patterns and warns - the user when they are found. - enabled: true + enabled: false id: '6fe07581-c90d-3add-9057-1547a1439727' name: Check for specific patterns in sql parameters: @@ -142,31 +113,9 @@ rules: value: true - parameter: PATH_FILTER_REGEX value: null - - parameter: SPLIT_STATEMENTS - value: false parentRuleId: null severity: '0' shortName: SqlUserDefinedPatternCheck -- description: This check triggers when a changeset contains the supplied pattern - string or regex, but does not have an end delimiter set specifically in the changeset - or via options such as 'pro-global-end-delimiter' or 'endDelimiter' attribute - in a modifyChangesets tag. - enabled: false - id: 'd2fc6f01-8ddd-35f3-bc03-f516a8f611ac' - name: End delimiter exists when pattern exists - parameters: - - parameter: SEARCH_STRING - value: null - - parameter: CASE_SENSITIVE - value: true - - parameter: STRIP_COMMENTS - value: true - - parameter: MESSAGE - value: The pattern '' was found without an end delimiter in Changeset - ''. - parentRuleId: null - severity: '0' - shortName: EndDelimiterExistsWhenPatternExists - description: Check triggers if the user-supplied regex pattern A is followed by the user-supplied regex pattern B enabled: false 
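Review bot: This hunk deletes the `NoCreateSequences` rule (`id: '90d174dc-eec8-3ff6-bebf-2859b8e73c19'`, `enabled: true`, `severity: '4'`) and flips its parent `SqlUserDefinedPatternCheck` (`6fe07581-c90d-3add-9057-1547a1439727`) from `enabled: true` to `enabled: false`, and the hunk starting at L12 likewise removes `NoSequences` (`6605a50c-045e-366e-a640-320b76b0ef1d`, `enabled: true`, `severity: '3'`); these are the only enabled, non-zero-severity checks visible in the diff, so after this commit the "no sequences" policy is no longer enforced anywhere. The commit message ("fix search path conflict for duplicate flowfiles") says nothing about a policy change, and `fileModified` moving from `2024-11-06` back to `2024-08-23` in the hunk at L6 suggests an older copy of the settings file overwrote the newer one rather than a deliberate edit. Patch 5 (hunks at L15–L17) restores the 4.30 parameter set and the template rules but not these two rules. Restore them together with `enabled: true` on the parent, or record the policy change explicitly in the commit message so reviewers can approve it as such.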
@@ -184,13 +133,6 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true - - parameter: PATTERN_A - value: null - - parameter: PATTERN_B - value: null - - parameter: MESSAGE - value: 'Match found: '''' is followed by '''' in Changeset - ''''.' parentRuleId: null severity: '0' shortName: PatternAFollowedByPatternB @@ -211,13 +153,6 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true - - parameter: PATTERN_A - value: null - - parameter: PATTERN_B - value: null - - parameter: MESSAGE - value: 'Match found: '''' is preceded by '''' in Changeset - ''''.' parentRuleId: null severity: '0' shortName: PatternAPrecededByPatternB @@ -238,13 +173,6 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true - - parameter: PATTERN_A - value: null - - parameter: PATTERN_B - value: null - - parameter: MESSAGE - value: 'Match found: '''' is NOT followed by '''' in Changeset - ''''.' parentRuleId: null severity: '0' shortName: PatternANotFollowedByPatternB @@ -265,13 +193,6 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true - - parameter: PATTERN_A - value: null - - parameter: PATTERN_B - value: null - - parameter: MESSAGE - value: 'Match found: '''' is NOT preceded by '''' in Changeset - ''''. ' parentRuleId: null severity: '0' shortName: PatternANotPrecededByPatternB 
@@ -285,51 +206,6 @@ rules: parentRuleId: null severity: '0' shortName: TableColumnLimit -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows DELETED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: '99b1c0d2-6dda-3acb-85f3-68002c3b07c1' - name: Check Affected Rows Count on Delete - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedDelete -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows INSERTED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: 'bbd74a72-77d4-3517-9125-c771f790178b' - name: Check Affected Rows Count on Insert - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedInsert -- description: This checks triggers when the Max Affected Rows Allowed value is exceeded - by the number of rows UPDATED by a SQL statement. The SQL statement is executed - against the database, and then rolled back. - enabled: false - id: 'e9e2055d-e837-3418-96ac-352416cd43ee' - name: Check Affected Rows Count on Update - parameters: - - parameter: MAX_ROWS - value: 50 - - parameter: MESSAGE - value: rows will be affected, which is more than the allowed '' - rows. The SQL statement is '' in ''. - parentRuleId: null - severity: '0' - shortName: MaxAffectedRowsAllowedUpdate - description: This check confirms the listed object names conform to the supplied pattern. enabled: false 
@@ -347,28 +223,6 @@ rules: parentRuleId: null severity: '0' shortName: ObjectNameMustMatch -- description: Executes a custom check script. - enabled: false - id: '68592fc1-8c79-3026-990f-da80c1c6d6e0' - name: Custom Check Template - parameters: - - parameter: SCRIPT_DESCRIPTION - value: Custom check - - parameter: SCRIPT_SCOPE - value: CHANGELOG - - parameter: SCRIPT_MESSAGE - value: The message to display when the check is triggered - - parameter: SCRIPT_TYPE - value: PYTHON - - parameter: SCRIPT_PATH - value: null - - parameter: SCRIPT_ARGS - value: null - - parameter: REQUIRES_SNAPSHOT - value: false - parentRuleId: null - severity: '0' - shortName: CustomCheckTemplate - description: This check confirms the listed object names do not match the supplied pattern. enabled: false @@ -399,21 +253,6 @@ rules: parentRuleId: null severity: '0' shortName: SqlGrantSpecificPrivsWarn -- description: ' This check triggers when a changeset contains the user-specified - runInTransactions value of ''true'' or ''false''. Note: Changesets without a runInTransactions - value are not checked.' - enabled: false - id: '1fdc2bbb-67a4-3d45-baad-09e69f1108cd' - name: Check Changeset runInTransaction value - parameters: - - parameter: RUN_IN_TRANSACTION_VALUE - value: false - - parameter: MESSAGE - value: A match for regular expression was detected in Changeset - . - parentRuleId: null - severity: '0' - shortName: CheckRunInTransactionValue - description: This check warns a user when a table is being truncated so that they can ensure that truncating the table won't lead to unintentional loss of data. enabled: true 
@@ -636,19 +475,6 @@ rules: name: Table must have a comment severity: '0' shortName: TableCommentCheck -- description: This check triggers when specified attributes do not match TRUE or - FALSE, as configured by the user. - enabled: false - id: '8339bc72-ae9e-3678-8a86-2af1b8aa2d1c' - name: Changeset attributes set true or false - parameters: - - parameter: ATTRIBUTE - value: null - - parameter: SEARCH_STRING - value: null - parentRuleId: null - severity: '0' - shortName: ChangesetAttributesSetTrueOrFalse - description: This check triggers when specific user-supplied patterns are found in Table Comments. enabled: false @@ -664,32 +490,6 @@ rules: parentRuleId: null severity: '0' shortName: TableCommentPatternCheck -- description: This check triggers when specified attributes do not match the user-supplied - string or regex pattern. - enabled: false - id: '84092e22-894a-3452-a778-5bfae8ba03ca' - name: Changeset attributes and value - parameters: - - parameter: ATTRIBUTE - value: null - - parameter: SEARCH_STRING - value: null - parentRuleId: null - severity: '0' - shortName: ChangesetAttributesAndValue -- description: This check triggers when the logic conditional evaluates to true - enabled: false - id: 'b3fc0c29-7070-345d-acdd-761e28e99766' - name: Chained checks template - parameters: - - parameter: LOGIC_CONDITIONAL - value: null - - parameter: MESSAGE - value: The conditions in '' were met for ''. The - chained checks include . - parentRuleId: null - severity: '0' - shortName: ChainedChecksTemplate - description: Check for and alert when specified table does not contain the required constraint(s). enabled: false 
@@ -719,23 +519,97 @@ rules: name: Require Changeset ID is valid UUID severity: '0' shortName: RequireChangesetIDisUUID -- description: This check scans SQL for the presence of specific patterns and warns - the user when they are found. - enabled: true - id: '6605a50c-045e-366e-a640-320b76b0ef1d' - name: Check for specific patterns in sql +- description: This check triggers when a changeset contains the supplied pattern + string or regex, but does not have an end delimiter set specifically in the changeset + or via options such as 'pro-global-end-delimiter' or 'endDelimiter' attribute + in a modifyChangesets tag. + enabled: false + id: 'd2fc6f01-8ddd-35f3-bc03-f516a8f611ac' + name: End delimiter exists when pattern exists parameters: - parameter: SEARCH_STRING - value: (?is)(?=.*\b(create)\b)(?=.*\b(sequence)\b).* - - parameter: MESSAGE - value: No sequences allowed + value: null + - parameter: CASE_SENSITIVE + value: true - parameter: STRIP_COMMENTS value: true - - parameter: PATH_FILTER_REGEX - value: null - - parameter: SPLIT_STATEMENTS + - parameter: MESSAGE + value: The pattern '' was found without an end delimiter in Changeset + ''. + parentRuleId: null + severity: '0' + shortName: EndDelimiterExistsWhenPatternExists +- description: ' This check triggers when a changeset contains the user-specified + runInTransactions value of ''true'' or ''false''. Note: Changesets without a runInTransactions + value are not checked.' + enabled: false + id: '1fdc2bbb-67a4-3d45-baad-09e69f1108cd' + name: Check Changeset runInTransaction value + parameters: + - parameter: RUN_IN_TRANSACTION_VALUE value: false - parentRuleId: '6fe07581-c90d-3add-9057-1547a1439727' - severity: '3' - shortName: NoSequences + - parameter: MESSAGE + value: A match for regular expression was detected in Changeset + . 
+ parentRuleId: null + severity: '0' + shortName: CheckRunInTransactionValue +- description: This check triggers when the logic conditional evaluates to true + enabled: false + id: 'b3fc0c29-7070-345d-acdd-761e28e99766' + name: Chained checks template + parameters: + - parameter: LOGIC_CONDITIONAL + value: null + - parameter: MESSAGE + value: The conditions in '' were met for ''. The + chained checks include . + parentRuleId: null + severity: '0' + shortName: ChainedChecksTemplate +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows DELETED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. + enabled: false + id: '99b1c0d2-6dda-3acb-85f3-68002c3b07c1' + name: Check Affected Rows Count on Delete + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedDelete +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows INSERTED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. + enabled: false + id: 'bbd74a72-77d4-3517-9125-c771f790178b' + name: Check Affected Rows Count on Insert + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedInsert +- description: This checks triggers when the Max Affected Rows Allowed value is exceeded + by the number of rows UPDATED by a SQL statement. The SQL statement is executed + against the database, and then rolled back. 
+ enabled: false + id: 'e9e2055d-e837-3418-96ac-352416cd43ee' + name: Check Affected Rows Count on Update + parameters: + - parameter: MAX_ROWS + value: 50 + - parameter: MESSAGE + value: rows will be affected, which is more than the allowed '' + rows. The SQL statement is '' in ''. + parentRuleId: null + severity: '0' + shortName: MaxAffectedRowsAllowedUpdate version: '1.1' From 66188964e430c743839c7db4e9a4d53a51717fc1 Mon Sep 17 00:00:00 2001 From: dreads Date: Tue, 31 Dec 2024 12:39:43 -0600 Subject: [PATCH 4/5] fix the sql path --- liquibase.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/liquibase.properties b/liquibase.properties index 1f7c5f5..b6f0e80 100644 --- a/liquibase.properties +++ b/liquibase.properties @@ -3,7 +3,7 @@ # https://docs.liquibase.com/parameters/home.html # Specifies the root changelog file to execute. -liquibase.command.changelogFile: sqlcode_by_objects_schema/rootchangelog.yaml +liquibase.command.changelogFile: liquibase-sql/sqlcode_by_objects_schema/rootchangelog.yaml #Name of the default schema to use for the database connection. If defaultSchemaName # is set, then objects do not have to be fully qualified. From 87f52822b8ecdbf288b0f39a6fea4c86eec152b4 Mon Sep 17 00:00:00 2001 From: dreads Date: Tue, 31 Dec 2024 12:43:10 -0600 Subject: [PATCH 5/5] Upgrade the policychecks file to 4.30 --- policychecks/liquibase.checks-settings.conf | 96 ++++++++++++++++++++- 1 file changed, 92 insertions(+), 4 deletions(-) diff --git a/policychecks/liquibase.checks-settings.conf b/policychecks/liquibase.checks-settings.conf index 86f51da..e0641e6 100644 --- a/policychecks/liquibase.checks-settings.conf +++ b/policychecks/liquibase.checks-settings.conf @@ -1,4 +1,4 @@ -## Quality Checks Settings File +## Policy Checks Settings File ########## IMPORTANT: NEVER EDIT THIS KEY ## id: 'some-l0ng-uni4ue-id3nt1fier-c0d3' 
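Review bot: Changing `liquibase.command.changelogFile` to `liquibase-sql/sqlcode_by_objects_schema/rootchangelog.yaml` changes the path Liquibase records as each changeset's file name, and because a changeset is identified by id, author and file path, changesets already deployed under `sqlcode_by_objects_schema/rootchangelog.yaml` will be treated as new and run again on an existing database — unless the changelogs set `logicalFilePath`, which is not visible here. The safer fix for a checkout into `liquibase-sql/` is to add that directory to the search path and keep the changelog path stable, e.g. `liquibase.searchPath: liquibase-sql` with the original `liquibase.command.changelogFile: sqlcode_by_objects_schema/rootchangelog.yaml`. Either way, the comment above the key should say that this path is part of changeset identity and must not change casually.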
@@ -9,8 +9,9 @@ ########## EDITABLE PARAMETERS ## Standard value options: ## ALLOWED_LIST: +## ATTRIBUTE: ## CASE_SENSITIVE: -## CHANGE_TYPE_LIST: +## CHANGE_TYPE_LIST: ## COLUMN_NAME: ## CONSTRAINT: ## CONSTRAINT_OPERATOR: @@ -32,19 +33,28 @@ ## OPERATOR: ## PASSWORD: ## PATH_FILTER_REGEX: +## PATTERN_A: +## PATTERN_B: ## PRIMARY_SEARCH_STRING: ## PRIVILEGE_LIST: ## PROJECT_DIR: +## REQUIRES_SNAPSHOT: ## RUN_IN_TRANSACTION_VALUE: ## SAMPLE_CHANGELOG_NAME: -## SCRIPT_NAME: +## SCRIPT_ARGS: +## SCRIPT_DESCRIPTION: +## SCRIPT_MESSAGE: +## SCRIPT_PATH: +## SCRIPT_SCOPE: +## SCRIPT_TYPE: ## SEARCH_STRING: +## SPLIT_STATEMENTS: ## STRIP_COMMENTS: ## TABLE_NAME: ## USERNAME: fileCreated: 2024-02-23T17:05:17.619Z -fileModified: 2024-08-23T16:04:20.017Z +fileModified: 2024-12-31T18:40:26.141Z rules: - description: This check warns a user when SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues. @@ -113,6 +123,8 @@ rules: value: true - parameter: PATH_FILTER_REGEX value: null + - parameter: SPLIT_STATEMENTS + value: false parentRuleId: null severity: '0' shortName: SqlUserDefinedPatternCheck @@ -133,6 +145,13 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true + - parameter: PATTERN_A + value: null + - parameter: PATTERN_B + value: null + - parameter: MESSAGE + value: 'Match found: '''' is followed by '''' in Changeset + ''''.' parentRuleId: null severity: '0' shortName: PatternAFollowedByPatternB @@ -153,6 +172,13 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true + - parameter: PATTERN_A + value: null + - parameter: PATTERN_B + value: null + - parameter: MESSAGE + value: 'Match found: '''' is preceded by '''' in Changeset + ''''.' parentRuleId: null severity: '0' shortName: PatternAPrecededByPatternB 
@@ -173,6 +199,13 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true + - parameter: PATTERN_A + value: null + - parameter: PATTERN_B + value: null + - parameter: MESSAGE + value: 'Match found: '''' is NOT followed by '''' in Changeset + ''''.' parentRuleId: null severity: '0' shortName: PatternANotFollowedByPatternB @@ -193,6 +226,13 @@ rules: in Changeset ''''.' - parameter: STRIP_COMMENTS value: true + - parameter: PATTERN_A + value: null + - parameter: PATTERN_B + value: null + - parameter: MESSAGE + value: 'Match found: '''' is NOT preceded by '''' in Changeset + ''''. ' parentRuleId: null severity: '0' shortName: PatternANotPrecededByPatternB 
@@ -612,4 +652,52 @@ rules: parentRuleId: null severity: '0' shortName: MaxAffectedRowsAllowedUpdate +- description: Executes a custom check script. + enabled: false + id: '68592fc1-8c79-3026-990f-da80c1c6d6e0' + name: Custom Check Template + parameters: + - parameter: SCRIPT_DESCRIPTION + value: Custom check + - parameter: SCRIPT_SCOPE + value: CHANGELOG + - parameter: SCRIPT_MESSAGE + value: The message to display when the check is triggered + - parameter: SCRIPT_TYPE + value: PYTHON + - parameter: SCRIPT_PATH + value: null + - parameter: SCRIPT_ARGS + value: null + - parameter: REQUIRES_SNAPSHOT + value: false + parentRuleId: null + severity: '0' + shortName: CustomCheckTemplate +- description: This check triggers when specified attributes do not match TRUE or + FALSE, as configured by the user. + enabled: false + id: '8339bc72-ae9e-3678-8a86-2af1b8aa2d1c' + name: Changeset attributes set true or false + parameters: + - parameter: ATTRIBUTE + value: null + - parameter: SEARCH_STRING + value: null + parentRuleId: null + severity: '0' + shortName: ChangesetAttributesSetTrueOrFalse +- description: This check triggers when specified attributes do not match the user-supplied + string or regex pattern. + enabled: false + id: '84092e22-894a-3452-a778-5bfae8ba03ca' + name: Changeset attributes and value + parameters: + - parameter: ATTRIBUTE + value: null + - parameter: SEARCH_STRING + value: null + parentRuleId: null + severity: '0' + shortName: ChangesetAttributesAndValue version: '1.1'