TableCommentPatternCheck
The TableCommentPatternCheck
check triggers when specific user-supplied patterns are present in table comments.
About TableCommentPatternCheck |
|
---|---|
Liquibase version required | 4.12.0+ |
Scope (--checks-scope ) |
changelog , database |
Default status | disabled
|
Default severity (exit code) | 0 ("INFO ") |
Customizable settings | Yes (dynamic) |
Uses
You can use the check to look for the presence of specific patterns in their table comments. These patterns can directly affect security and velocity, so it is pertinent they have checks run against them. There are statements, patterns, and actions necessary to catch as early as possible because they can directly affect security and velocity.
Use TableCommentPatternCheck
check
Prerequisites
- Ensure that you have correctly specified your Liquibase Pro license key.
- Ensure that the
--checks-scope
parameter includes the scope of this check.
For example:
--license-key=<string>
--checks-scope=<string>
globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }
liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.licenseKey: <string>
liquibase.command.checks.run.checksScope: <string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>
LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>
Enable
This check is disabled by default. To enable it, run the enable
command:
liquibase checks enable --check-name=<string>
When you try to enable the check, Liquibase displays the following message:
This check can not be enabled directly because one or more fields does not have a default value. Create a copy of this check and initiate the customization workflow.
Liquibase then prompts you to specify a name for the new check. By default, the name of the copy is <CheckName>1
. You can use the default value by pressing Enter or you can specify a custom name.
Customize
This check is dynamic, meaning you can customize its settings. See the table on this page for more information.
- Once you've enabled the check, follow the steps in the CLI to set new values:
- Default values are shown in [brackets]. You can use these by pressing Enter. Alternatively, specify custom values.
- If a customization setting does not have a default value, you must specify custom values.
- When finished, verify that your configuration is correct by running the
show
command: - If you need to make any other changes, run the
customize
command:
liquibase checks show --check-name=<string>
liquibase checks customize --check-name=<string>
Note: If you want to create another variant of this check with different settings, use the copy
command to create a copy of the original check and then use the customize
command to customize it.
Run
To run the check, use the run
command:
liquibase checks run --check-name=<string>
stages:
Default:
actions:
- type: liquibase
command: checks run
cmdArgs: {check-name: <string>}
And then run the flow
command on your flow file:
liquibase flow
Customization settings
Attribute Name | Type | Description | Customization | Default Value |
---|---|---|---|---|
SEVERITY
|
String/enum |
Set the severity to return a code of 0–4 when the check is triggered. Default: |
|
|
OPERATOR
|
String/enum |
The location to look for the provided |
|
|
SEARCH_STRING
|
String/enum |
The substring or regular expression to match with the one in the changelog file. Cannot be empty. |
Must be |
-- |
MESSAGE
|
String/enum |
The output printed when the check detects a pattern match |
-- | A match for regular expression SEARCH_STRING was detected in IDENTIFIER.
|
Note: Liquibase uses the java.util.regex engine to match regular expressions.
The output displays the comment pattern credential match, if they exist.
liquibase checks enable --check-name=TableCommentPatternCheck
example output
Starting Liquibase at 08:53:06 (version [Core: //DAT-9298/2516/e42617/2022-05-11 19:02+0000, Pro: DAT-9298/1208/56ac6a/2022-05-11T18:56:15Z] #2516 built at 2022-05-11 19:02+0000)
Liquibase Version: [Core: //DAT-9298/2516/e42617/2022-05-11 19:02+0000, Pro: DAT-9298/1208/56ac6a/2022-05-11T18:56:15Z]
Liquibase Empire [Core: //DAT-9298/2516/e42617/2022-05-11 19:02+0000, Pro: DAT-9298/1208/56ac6a/2022-05-11T18:56:15Z] by Liquibase licensed to Dev until Sat Dec 30 21:59:59 MST 2023
This check can not be enabled directly because one or more fields does not have a default value. Creating a copy of this check and initiating the customization workflow.
Give your check a short name for easier identification (up to 64 alpha-numeric characters only) [ConstraintMustExist1]:
ConstraintCheckShortName
New check 'ConstraintCheckShortName' created from 'ConstraintMustExist'
Set the Severity to return a code of 0-4 when triggered. (options: 'INFO'|0, 'MINOR'|1, 'MAJOR'|2, 'CRITICAL'|3, 'BLOCKER'|4)? [INFO]:
1
Set 'CONSTRAINT_OPERATOR' (options: STARTS_WITH, ENDS_WITH, CONTAINS, REGEXP, ALL) [STARTS_WITH]:
CONTAINS
Enter the table name string or regex to match (Note: Leave blank to check all tables for column name.):
PRIMARY_TABLE
Enter the column name string or regex to match:
NULLABLECOL
Enter the required constraint(s), separated by commas (options: NOT_NULL, UNIQUE, PRIMARYKEY, FOREIGNKEY, DEFAULT) [PRIMARYKEY]:
PRIMARYKEY
Set 'CASE_SENSITIVE' (options: true, false) [true]:
false
Set 'MESSAGE' [The specified table 'TABLE_NAME' does not contain the required 'CONSTRAINT' constraint.]:
Example Message
Customization complete. Review the table below to confirm your changes.
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| # | Check Name | Short Name | Description | Enabled | Customization | Severity | Scope |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 10 | Warn on Detection of 'GRANT' | SqlGrantWarn | This check warns a user when | false | None | 0 | changelog |
| | Statements | | SQL contains 'GRANT' | | | | |
| | | | statements so that they can | | | | |
| | | | ensure that the privilege | | | | |
| | | | being granted won't lead to | | | | |
| | | | security issues. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 20 | Warn on Detection of 'REVOKE' | SqlRevokeWarn | This check warns a user when | false | None | 0 | changelog |
| | Statements | | SQL contains 'REVOKE' | | | | |
| | | | statements so that they can | | | | |
| | | | ensure that the privilege | | | | |
| | | | being revoked won't lead to | | | | |
| | | | data access and dependency | | | | |
| | | | issues. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 30 | Warn when 'DROP TABLE' | ChangeDropTableWarn | This check warns a user when a | false | None | 0 | changelog |
| | detected | | table is being dropped so that | | | | |
| | | | they can ensure that dropping | | | | |
| | | | the table won't lead to | | | | |
| | | | unintentional loss of data. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 40 | Warn when 'DROP COLUMN' | ChangeDropColumnWarn | This check warns a user when a | false | None | 0 | changelog |
| | detected | | column is being dropped so | | | | |
| | | | that they can ensure that | | | | |
| | | | dropping the column won't lead | | | | |
| | | | to unintentional loss of data. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 50 | Warn when 'MODIFY column' | ModifyDataTypeWarn | This check warns a user when a | false | None | 0 | changelog |
| | detected | | change will result in | | | | |
| | | | modification of a data type so | | | | |
| | | | they can ensure that modifying | | | | |
| | | | the data type won't lead to | | | | |
| | | | unintentional loss of data | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 60 | Check for specific patterns in | SqlUserDefinedPatternCheck | This check scans raw SQL for | false | SEARCH_STRING = null | 0 | changelog |
| | sql | | the presence of specific | | MESSAGE = A match for regular | | |
| | | | patterns and warns the user | | expression SEARCH_STRING was | | |
| | | | when they are found. | | detected in Changeset | | |
| | | | | | CHANGESET. | | |
| | | | | | STRIP_COMMENTS = true | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 70 | Check Table Column Count | TableColumnLimit | Ensures that no table has more | true | MAX_COLUMNS = 2 | 1 | changelog, |
| | | | than a threshold number of | | | | database |
| | | | columns. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 80 | Object name pattern match | ObjectNameMustMatch | This check confirms the listed | false | OPERATOR = STARTS_WITH | 0 | changelog, |
| | | | object names conform to the | | SEARCH_STRING = null | | database |
| | | | supplied pattern. | | OBJECT_TYPES = null | | |
| | | | | | CASE_SENSITIVE = true | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 85 | Object name pattern not match | ObjectNameMustNotMatch | This check confirms the listed | false | OPERATOR = STARTS_WITH | 0 | changelog, |
| | | | object names do not match the | | SEARCH_STRING = null | | database |
| | | | supplied pattern. | | OBJECT_TYPES = null | | |
| | | | | | CASE_SENSITIVE = true | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 90 | Warn on Grant of Specific | SqlGrantSpecificPrivsWarn | This check warns a user when | false | PRIVILEGE_LIST = null | 0 | changelog |
| | Privileges | | changeset includes or | | | | |
| | | | generates sql that grants | | | | |
| | | | specific privileges to a user | | | | |
| | | | or role | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 100 | Warn when 'TRUNCATE TABLE' | ChangeTruncateTableWarn | This check warns a user when a | false | None | 0 | changelog |
| | detected | | table is being truncated so | | | | |
| | | | that they can ensure that | | | | |
| | | | truncating the table won't | | | | |
| | | | lead to unintentional loss of | | | | |
| | | | data. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 110 | Warn on Detection of grant | SqlGrantOptionWarn | This check warns a user when | false | None | 0 | changelog |
| | that contains 'WITH GRANT | | SQL contains 'GRANT' | | | | |
| | OPTION' | | statements that include the | | | | |
| | | | 'WITH GRANT OPTION' clause so | | | | |
| | | | that they can ensure that the | | | | |
| | | | privilege being granted won't | | | | |
| | | | lead to security issues | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 130 | Warn on Detection of grant | SqlGrantAdminWarn | This check warns a user when | false | None | 0 | changelog |
| | that contains 'WITH ADMIN | | SQL contains 'GRANT' | | | | |
| | OPTION' | | statements that include the | | | | |
| | | | 'WITH ADMIN OPTION' clause so | | | | |
| | | | that they can ensure that the | | | | |
| | | | privilege being granted won't | | | | |
| | | | lead to security issues | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 160 | Rollback Required for | RollbackRequired | This check triggers when a | false | None | 0 | changelog |
| | Changeset | | changeset does not have a | | | | |
| | | | rollback defined. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 170 | Changesets Must Have a Label | ChangesetLabelCheck | This check enforces the | false | None | 0 | changelog |
| | Assigned | | Liquibase recommendation that | | | | |
| | | | labels be assigned to each | | | | |
| | | | changeset to provide better | | | | |
| | | | deployment control and to | | | | |
| | | | enhance traceability of | | | | |
| | | | efforts across changesets. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 173 | Changesets Must Have a Context | ChangesetContextCheck | This check enforces the | false | None | 0 | changelog |
| | Assigned | | Liquibase recommendation that | | | | |
| | | | contexts be assigned to each | | | | |
| | | | changeset to provide better | | | | |
| | | | deployment control and to | | | | |
| | | | enhance traceability of | | | | |
| | | | efforts across changesets. | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 176 | Changesets Must Have a Comment | ChangesetCommentCheck | This check enforces the | false | None | 0 | changelog |
| | Assigned | | Liquibase recommendation that | | | | |
| | | | comments be added to each | | | | |
| | | | changeset to document the | | | | |
| | | | purpose of a changeset for | | | | |
| | | | other/future consumers of this | | | | |
| | | | changelog | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 500 | Table must have a comment | TableCommentCheck | This check flags any Table | false | None | 0 | database |
| | | | described in a changelog or | | | | |
| | | | existing on a database target | | | | |
| | | | which does not have a Comment. | | | | |
| | | | (Note: This is not a check for | | | | |
| | | | a Liquibase changelog | | | | |
| | | | comment.) | | | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 510 | Table Comment Pattern Check | TableCommentPatternCheck | This check triggers when | false | OPERATOR = CONTAINS | 0 | changelog, |
| | | | specific user-supplied | | SEARCH_STRING = null | | database |
| | | | patterns are found in Table | | MESSAGE = A match for regular | | |
| | | | Comments. | | expression SEARCH_STRING was | | |
| | | | | | detected in IDENTIFIER. | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 570 | Constraint must exist | ConstraintCheckShortName | Check for and alert when | true | CONSTRAINT_OPERATOR = CONTAINS | 1 | database |
| | | | specified table does not | | TABLE_NAME = PRIMARY_TABLE | | |
| | | | contain the required | | COLUMN_NAME = NULLABLECOL | | |
| | | | constraint(s). | | CONSTRAINT = PRIMARYKEY | | |
| | | | | | CASE_SENSITIVE = false | | |
| | | | | | MESSAGE = Example Message | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 570 | Constraint must exist | ConstraintMustExist | Check for and alert when | false | CONSTRAINT_OPERATOR = | 0 | database |
| | | | specified table does not | | STARTS_WITH | | |
| | | | contain the required | | TABLE_NAME = null | | |
| | | | constraint(s). | | COLUMN_NAME = null | | |
| | | | | | CONSTRAINT = PRIMARYKEY | | |
| | | | | | CASE_SENSITIVE = true | | |
| | | | | | MESSAGE = The specified table | | |
| | | | | | 'TABLE_NAME' does not | | |
| | | | | | contain the required | | |
| | | | | | 'CONSTRAINT' constraint. | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
| 570 | Constraint must exist | ConstraintMustExistTEST | Check for and alert when | true | CONSTRAINT_OPERATOR = ALL | 0 | database |
| | | | specified table does not | | CONSTRAINT = Primarykey | | |
| | | | contain the required | | CASE_SENSITIVE = false | | |
| | | | constraint(s). | | MESSAGE = any | | |
+-----+--------------------------------+----------------------------+--------------------------------+---------+--------------------------------+----------+------------+
Liquibase command 'checks enable' was executed successfully.