SONARJAVA-6139 Fix FN on S5042 for Apache commons archives (#5524)

aurelien-coet-sonarsource · web-flow · commit 7fadf7e7ca60 · 2026-03-12T17:01:06.000+01:00
diff --git a/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json b/its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json
@@ -1994,7 +1994,7 @@
   {
     "ruleKey": "S5042",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 8,
     "falsePositives": 0
   },
   {
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S5042.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S5042.json
@@ -1,6 +1,6 @@
 {
   "ruleKey": "S5042",
   "hasTruePositives": true,
-  "falseNegatives": 0,
+  "falseNegatives": 8,
   "falsePositives": 0
-}
+}
diff --git a/java-checks-test-sources/default/src/main/java/checks/security/ZipEntryCheck.java b/java-checks-test-sources/default/src/main/java/checks/security/ZipEntryCheck.java
@@ -4,14 +4,22 @@
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Enumeration;
+import java.util.List;
+import java.util.Optional;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
+import org.apache.commons.compress.archivers.sevenz.SevenZFile;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.tar.TarFile;
 
 public class ZipEntryCheck {
 
@@ -93,3 +101,61 @@ public String compliant() throws java.lang.Exception {
   }
 
 }
+
+class TarUtilities {
+  private TarUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static List<TarArchiveEntry> getAllEntries(TarFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static Optional<TarArchiveEntry> getNext(TarArchiveInputStream stream) throws IOException {
+    return Optional.of(stream.getNextEntry()); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //                        ^^^^^^^^^^^^
+  }
+
+  public static long getEntrySize(TarArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}
+
+class SevenZUtilities {
+  private SevenZUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static Iterable<SevenZArchiveEntry> getAllEntries(SevenZFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static long getEntrySize(SevenZArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}
+
+class ApacheCommonsZipUtilities {
+  private ApacheCommonsZipUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static Enumeration<org.apache.commons.compress.archivers.zip.ZipArchiveEntry> getAllEntries(org.apache.commons.compress.archivers.zip.ZipFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static Optional<org.apache.commons.compress.archivers.zip.ZipArchiveEntry> getNext(org.apache.commons.compress.archivers.zip.ZipArchiveInputStream stream) throws IOException {
+    return Optional.of(stream.getNextEntry()); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //                        ^^^^^^^^^^^^
+  }
+
+  public static long getEntrySize(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}
diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/ZipEntryCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/ZipEntryCheck.java
@@ -38,12 +38,19 @@ public class ZipEntryCheck extends IssuableSubscriptionVisitor {
       .addWithoutParametersMatcher()
       .build(),
     MethodMatchers.create()
-      .ofSubTypes("java.util.zip.ZipEntry")
+      .ofSubTypes("org.apache.commons.compress.archivers.tar.TarFile",
+        "org.apache.commons.compress.archivers.sevenz.SevenZFile",
+        "org.apache.commons.compress.archivers.zip.ZipFile")
+      .names("getEntries")
+      .addWithoutParametersMatcher()
+      .build(),
+    MethodMatchers.create()
+      .ofSubTypes("java.util.zip.ZipEntry", "org.apache.commons.compress.archivers.ArchiveEntry")
       .names("getSize")
       .addWithoutParametersMatcher()
       .build(),
     MethodMatchers.create()
-      .ofSubTypes("java.util.zip.ZipInputStream")
+      .ofSubTypes("java.util.zip.ZipInputStream", "org.apache.commons.compress.archivers.ArchiveInputStream")
       .names("getNextEntry")
       .addWithoutParametersMatcher()
       .build()

Original file line number	Diff line number	Diff line change
`@@ -1994,7 +1994,7 @@`
`1994`	`1994`	`{`
`1995`	`1995`	`"ruleKey": "S5042",`
`1996`	`1996`	`"hasTruePositives": true,`
`1997`		`- "falseNegatives": 0,`
	`1997`	`+ "falseNegatives": 8,`
`1998`	`1998`	`"falsePositives": 0`
`1999`	`1999`	`},`
`2000`	`2000`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"ruleKey": "S5042",`
`3`	`3`	`"hasTruePositives": true,`
`4`		`- "falseNegatives": 0,`
	`4`	`+ "falseNegatives": 8,`
`5`	`5`	`"falsePositives": 0`
`6`		`-}`
	`6`	`+}`