Update library/liquibase to 4.29.2 #17553

Merged
merged 1 commit into from
Sep 13, 2024
Merged

Conversation

liquibot (Contributor)

Update library/liquibase with latest commit and version

@jandroav (Contributor)

This PR fixes CVE-2024-34158

Diff for d5fb9a1:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index a3ecdcc..c344054 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -4,9 +4,9 @@ GitRepo: https://github.com/liquibase/docker.git
 
 Tags: 4.29, 4.29.2, latest
 GitFetch: refs/heads/main
-GitCommit: 079c4169361e913b9477fc1fd93692974d4f10c5
+GitCommit: 13d063767623e282539b232a3a9ed19f4b3d7bbd
 
 Tags: 4.29-alpine, 4.29.2-alpine, alpine
 GitFetch: refs/heads/main
-GitCommit: 079c4169361e913b9477fc1fd93692974d4f10c5
+GitCommit: 13d063767623e282539b232a3a9ed19f4b3d7bbd
 File: Dockerfile.alpine
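Review bot: The Tags lines in both entries stay at `4.29, 4.29.2, latest` and `4.29-alpine, 4.29.2-alpine, alpine`; only GitCommit moves from 079c416 to 13d0637, so this is a rebuild of the same 4.29.2 version from a newer commit, not a version bump as the PR title "Update library/liquibase to 4.29.2" suggests. Consider stating in the description that the image version is unchanged and that the rebuild exists to pick up the LPM 0.2.8 change, so the published tag history explains why 4.29.2 was re-pushed.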
diff --git a/liquibase_alpine/Dockerfile.alpine b/liquibase_alpine/Dockerfile.alpine
index 4c841af..8ec506f 100644
--- a/liquibase_alpine/Dockerfile.alpine
+++ b/liquibase_alpine/Dockerfile.alpine
@@ -26,9 +26,9 @@ RUN set -x && \
     ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
     liquibase --version
 
-ARG LPM_VERSION=0.2.7
-ARG LPM_SHA256=e831120c566c76a427c6d3489cd62d5447322444399393e3ef304db0c036c4a1
-ARG LPM_SHA256_ARM=720afb6bafb987ab502b86682f410d0e19da45fdf0119d947ed7bfa4e6a02665
+ARG LPM_VERSION=0.2.8
+ARG LPM_SHA256=ad46e7f0ca67e39ddbf1435c0bd2879be8a43340c7b627a2da45c07787574200
+ARG LPM_SHA256_ARM=2a2e46f2260f46ccd39f487dca161b4e04d97664160925c5e415bd9b54a23e1a
 
 # Download and Install lpm
 RUN mkdir /liquibase/bin && \
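Review bot: LPM_VERSION moves from 0.2.7 to 0.2.8 with fresh LPM_SHA256 and LPM_SHA256_ARM values, but the hunk ends at `RUN mkdir /liquibase/bin && \` before the download, so the step that compares the fetched artifact against these checksums and aborts the build on mismatch is not visible in the diff. Please confirm that the RUN block below still verifies both the amd64 and ARM downloads against the new ARG values (a pinned hash that is never checked gives no supply-chain protection), and that the two hashes were taken from the v0.2.8 release assets rather than computed from an already-downloaded file.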
diff --git a/liquibase_latest/Dockerfile b/liquibase_latest/Dockerfile
index d12fa00..6b4c6bd 100644
--- a/liquibase_latest/Dockerfile
+++ b/liquibase_latest/Dockerfile
@@ -25,9 +25,9 @@ RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquiba
     ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
     liquibase --version
 
-ARG LPM_VERSION=0.2.7
-ARG LPM_SHA256=e831120c566c76a427c6d3489cd62d5447322444399393e3ef304db0c036c4a1
-ARG LPM_SHA256_ARM=720afb6bafb987ab502b86682f410d0e19da45fdf0119d947ed7bfa4e6a02665
+ARG LPM_VERSION=0.2.8
+ARG LPM_SHA256=ad46e7f0ca67e39ddbf1435c0bd2879be8a43340c7b627a2da45c07787574200
+ARG LPM_SHA256_ARM=2a2e46f2260f46ccd39f487dca161b4e04d97664160925c5e415bd9b54a23e1a
 
 # Download and Install lpm
 RUN apt-get update && \
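Review bot: This ARG block (LPM_VERSION, LPM_SHA256, LPM_SHA256_ARM) is duplicated verbatim between liquibase_latest/Dockerfile and liquibase_alpine/Dockerfile.alpine, and both copies had to be edited in lockstep in this PR. Consider deriving both Dockerfiles from one source of truth for the LPM version and checksums so a future bump cannot update one variant and leave the other pinned to an older release with a stale hash.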

Relevant Maintainers:

@tianon (Member)

tianon commented Sep 13, 2024

> This PR fixes CVE-2024-34158

I'm confused - does liquibase parse Go code?

@jnewton03

hi @tianon, no but a dependency (lpm) does. Here is the PR to update LPM:
liquibase/liquibase-package-manager#435

And the PR that updated LPM in our Image:
liquibase/docker#334

@tianon (Member)

tianon commented Sep 13, 2024

I'm still missing something -- LPM doesn't appear to parse Go code either, so wasn't and isn't vulnerable to CVE-2024-34158. 🤔

I ran govulncheck against v0.2.7's source (which required me to delete one or the other of cmd/lpm/darwin.go or cmd/lpm/windows.go because otherwise the code as-is is redeclaring main which isn't ideal and there are Go native ways to solve whatever problem that redefinition exists for, like build tags), and it confirmed that none of the code there was vulnerable.

I also ran it with -mode=binary on the release binaries from https://github.com/liquibase/liquibase-package-manager/releases/tag/v0.2.7 and got the same result ("Your code is affected by 0 vulnerabilities.").

The update looks fine, but I want to be very clear that CVE-2024-34158 is not something this was/is vulnerable to.

@jnewton03

jnewton03 commented Sep 13, 2024

hey @tianon, all great questions. Anytime there are issues in our Image highlighted by Scout or Trivy we can pretty much guarantee customers are going to reach out and ask us to fix it even if it's not vulnerable. So we've found it's easier to just go ahead and patch it, run E2E, and if it's green we'll apply the fix and re-ship the Image. Here's where we saw the golang alert:
https://github.com/liquibase/docker/actions/runs/10825809551/job/30035496105

@tianon tianon merged commit 2e5b73d into docker-library:master Sep 13, 2024
7 checks passed