fix(cli): validate --fail-on severity and improve changed-file matching

sj-robert · sj-robert · commit da3703f2ab70 · 2026-02-10T22:39:09.000+01:00
- Reject unknown severity values in --fail-on instead of silently
  disabling the threshold (e.g. --fail-on crtical now errors)
- Require directory component in suffix path matching to prevent bare
  filenames from matching across unrelated directories
- Warn on stderr when source files cannot be read for suppression
  comments instead of silently skipping all suppressions

fix(liquibase): report errors for missing required XML attributes
diff --git a/src/input/liquibase_xml.rs b/src/input/liquibase_xml.rs
@@ -263,7 +263,12 @@ fn handle_start_tag(
             match tag_name {
                 "sql" => Ok(ParseState::InSqlTag(cs, String::new())),
                 "createTable" => {
-                    let table_name = get_attr(attrs, "tableName").unwrap_or_default();
+                    let Some(table_name) = get_attr(attrs, "tableName") else {
+                        eprintln!(
+                            "Warning: <createTable> missing required 'tableName' attribute, skipping"
+                        );
+                        return Ok(ParseState::InChangeSet(cs));
+                    };
                     let schema_name = get_attr(attrs, "schemaName");
                     Ok(ParseState::InCreateTable(
                         cs,
@@ -275,7 +280,12 @@ fn handle_start_tag(
                     ))
                 }
                 "addColumn" => {
-                    let table_name = get_attr(attrs, "tableName").unwrap_or_default();
+                    let Some(table_name) = get_attr(attrs, "tableName") else {
+                        eprintln!(
+                            "Warning: <addColumn> missing required 'tableName' attribute, skipping"
+                        );
+                        return Ok(ParseState::InChangeSet(cs));
+                    };
                     let schema_name = get_attr(attrs, "schemaName");
                     Ok(ParseState::InAddColumn(
                         cs,
@@ -288,7 +298,12 @@ fn handle_start_tag(
                 }
                 "createIndex" => {
                     let index_name = get_attr(attrs, "indexName").unwrap_or_default();
-                    let table_name = get_attr(attrs, "tableName").unwrap_or_default();
+                    let Some(table_name) = get_attr(attrs, "tableName") else {
+                        eprintln!(
+                            "Warning: <createIndex> missing required 'tableName' attribute, skipping"
+                        );
+                        return Ok(ParseState::InChangeSet(cs));
+                    };
                     let schema_name = get_attr(attrs, "schemaName");
                     let unique = get_attr(attrs, "unique")
                         .map(|v| v == "true")
@@ -305,7 +320,12 @@ fn handle_start_tag(
                     ))
                 }
                 "dropTable" => {
-                    let table_name = get_attr(attrs, "tableName").unwrap_or_default();
+                    let Some(table_name) = get_attr(attrs, "tableName") else {
+                        eprintln!(
+                            "Warning: <dropTable> missing required 'tableName' attribute, skipping"
+                        );
+                        return Ok(ParseState::InChangeSet(cs));
+                    };
                     let schema_name = get_attr(attrs, "schemaName");
                     let qualified = qualify_name(&schema_name, &table_name);
                     cs.sql_parts.push(format!("DROP TABLE {};", qualified));
@@ -324,6 +344,12 @@ fn handle_start_tag(
                     Ok(ParseState::InChangeSet(cs))
                 }
                 "addPrimaryKey" => {
+                    if get_attr(attrs, "tableName").is_none() {
+                        eprintln!(
+                            "Warning: <addPrimaryKey> missing required 'tableName' attribute, skipping"
+                        );
+                        return Ok(ParseState::InChangeSet(cs));
+                    }
                     let sql = generate_add_pk_sql(attrs);
                     cs.sql_parts.push(sql);
                     Ok(ParseState::InChangeSet(cs))
diff --git a/src/main.rs b/src/main.rs
@@ -121,9 +121,12 @@ fn run(args: Args) -> Result<bool> {
                 .unwrap_or_else(|_| unit.source_file.clone());
             changed_files_set.contains(&canonical)
                 || changed_files_set.contains(&unit.source_file)
-                || changed_files_set
-                    .iter()
-                    .any(|cf| cf.ends_with(&unit.source_file) || unit.source_file.ends_with(cf))
+                || changed_files_set.iter().any(|cf| {
+                    // Only allow suffix matching when the shorter path includes a directory
+                    // component, to prevent bare filenames from matching across directories.
+                    (cf.ends_with(&unit.source_file) && unit.source_file.components().count() > 1)
+                        || (unit.source_file.ends_with(cf) && cf.components().count() > 1)
+                })
         };
 
         if is_changed {
@@ -168,7 +171,17 @@ fn run(args: Args) -> Result<bool> {
 
             // Parse suppressions from source file and filter findings.
             // Read the raw SQL source for suppression comments.
-            let source = std::fs::read_to_string(&unit.source_file).unwrap_or_default();
+            let source = match std::fs::read_to_string(&unit.source_file) {
+                Ok(s) => s,
+                Err(e) => {
+                    eprintln!(
+                        "Warning: could not read '{}' for suppression comments: {}",
+                        unit.source_file.display(),
+                        e
+                    );
+                    String::new()
+                }
+            };
             let suppressions = parse_suppressions(&source);
 
             unit_findings.retain(|f| !suppressions.is_suppressed(&f.rule_id, f.start_line));
@@ -224,7 +237,17 @@ fn run(args: Args) -> Result<bool> {
     eprintln!("pg-migration-lint: {} finding(s)", all_findings.len());
 
     let fail_on_str = args.fail_on.as_deref().unwrap_or(&config.cli.fail_on);
-    let fail_on = Severity::parse(fail_on_str);
+    let fail_on = if fail_on_str.eq_ignore_ascii_case("none") {
+        None
+    } else {
+        match Severity::parse(fail_on_str) {
+            Some(s) => Some(s),
+            None => anyhow::bail!(
+                "Unknown severity '{}' for --fail-on. Valid values: critical, major, minor, info, none",
+                fail_on_str
+            ),
+        }
+    };
     if let Some(threshold) = fail_on
         && all_findings.iter().any(|f| f.severity >= threshold)
     {
