Merge remote-tracking branch 'origin/master' into dont-shade-all-apache

.github/workflows/build.yml

@@ -14,6 +14,8 @@ on:
       - master
       - main
       - github-action-*
+    paths-ignore:
+      - '**.md'
 
 jobs:
   setup:
@@ -330,7 +332,7 @@ jobs:
           cp liquibase-dist/target/liquibase-0-SNAPSHOT.jar artifacts-named/liquibase-${{ needs.setup.outputs.thisBranchFileName }}.jar
           cp liquibase-maven-plugin/target/liquibase-maven-plugin-0-SNAPSHOT.jar artifacts-named/liquibase-maven-plugin-${{ needs.setup.outputs.thisBranchFileName }}.jar
           cp liquibase-extension-testing/target/liquibase-extension-testing-0-SNAPSHOT.jar artifacts-named/liquibase-extension-testing-${{ needs.setup.outputs.thisBranchFileName }}.jar
-          cp liquibase-extension-testing/target/liquibase-extension-testing-0-SNAPSHOT-deps.jar artifacts-named/liquibase-extension-testing-${{ needs.setup.outputs.thisBranchFileName }}.jar
+          cp liquibase-extension-testing/target/liquibase-extension-testing-0-SNAPSHOT-deps.jar artifacts-named/liquibase-extension-testing-${{ needs.setup.outputs.thisBranchFileName }}-deps.jar
 
       - name: Archive Packages
         uses: actions/upload-artifact@v2

SECURITY.md

@@ -0,0 +1,36 @@
+
+# Responsible Disclosure Policy
+
+We encourage security researchers and users to share the details of any suspected vulnerabilities with the Liquibase Information Security Team by submitting the relevant information. Liquibase will review the submission to determine if the finding is valid and has not been previously reported. We require submitters to include detailed information with steps for us to reproduce the vulnerability.
+
+
+## Our Commitment:
+If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Liquibase commits to:
+* Working with you to understand and validate the issue
+* Addressing the risk (if deemed appropriate by Liquibase)
+
+## Noncompliance:
+
+Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Liquibase will deem the submission as noncompliant with this Responsible Disclosure Policy.
+
+In addition, to remain compliant you are prohibited from:
+* Accessing, downloading, or modifying data residing in an account that does not belong to you
+* Executing or attempting to execute any “Denial of Service” attack
+* Posting, transmitting, uploading, linking to, sending, or storing any malicious software
+* Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
+* Testing in a manner that would degrade the operation of any Liquibase systems
+* Testing third-party applications, websites, or services that integrate with or link to Liquibase systems
+
+## How to Submit a Vulnerability
+
+While we are happy to receive vulnerability information in any form, we appreciate discrete submission via email to Liquibase's Information Security Team at infosec@liquibase.com with the following details about the security issue.
+
+### Submission Details:
+
+* Summary title (Help us get an idea of what this vulnerability is about)
+* Vulnerability details
+  * Description (Describe the vulnerability and its impact)
+  * Provide a proof of concept or replication steps
+* Submitter’s email
+
+While we greatly appreciate community reports regarding security issues, at this time Liquibase does not provide compensation for vulnerability reports.

liquibase-core/src/test/groovy/liquibase/resource/ClassLoaderResourceAccessorTest.groovy

@@ -171,7 +171,7 @@ class ClassLoaderResourceAccessorTest extends Specification {
         testAccessor.close()
 
         then:
-        2 * path1.close()
+        1 * path1.close()
         1 * path2.close()
     }
 }

liquibase-extension-testing/src/main/groovy/liquibase/extension/testing/command/CommandTests.groovy

@@ -362,6 +362,11 @@ Long Description: ${commandDefinition.getLongDescription() ?: "NOT SET"}
                 substring = (caseInsensitive && substring != null ? substring.toLowerCase() : substring)
                 assert !actual.contains(StringUtil.standardizeLineEndings(StringUtil.trimToEmpty(substring))): "$actual does not contain: '$substring'"
             }
+
+            @Override
+            String getExpected() {
+                return substring
+            }
         }
     }
 
@@ -382,6 +387,11 @@ Long Description: ${commandDefinition.getLongDescription() ?: "NOT SET"}
                     assert count == occurrences: "$actual does not contain '$substring' $occurrences times.  It appears $count times"
                 }
             }
+
+            @Override
+            String getExpected() {
+                return substring
+            }
         }
     }
 
@@ -458,7 +468,7 @@ Long Description: ${commandDefinition.getLongDescription() ?: "NOT SET"}
                     try {
                         ((OutputCheck) expectedOutputCheck).check(fullOutput)
                     } catch (AssertionError e) {
-                        Assert.fail("$fullOutput : ${e.getMessage()}")
+                        throw new ComparisonFailure(e.getMessage(), expectedOutputCheck.expected, fullOutput)
                     }
                 } else {
                     Assert.fail "Unknown $outputDescription check type: ${expectedOutputCheck.class.name}"
@@ -968,6 +978,10 @@ Long Description: ${commandDefinition.getLongDescription() ?: "NOT SET"}
 
     interface OutputCheck {
         def check(String actual) throws AssertionError
+        /**
+         * @return the expected value from this output check
+         */
+        String getExpected()
     }
 
     interface FileContentCheck {