SONARJAVA-6139 Fix FN on S5042 for Apache commons archives

its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -1994,7 +1994,7 @@
   {
     "ruleKey": "S5042",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 8,
     "falsePositives": 0
   },
   {

its/autoscan/src/test/resources/autoscan/diffs/diff_S5042.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S5042",
   "hasTruePositives": true,
-  "falseNegatives": 0,
+  "falseNegatives": 8,
   "falsePositives": 0
-}
+}

java-checks-test-sources/default/src/main/java/checks/security/ZipEntryCheck.java

@@ -4,14 +4,22 @@
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Enumeration;
+import java.util.List;
+import java.util.Optional;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
+import org.apache.commons.compress.archivers.sevenz.SevenZFile;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.tar.TarFile;
 
 public class ZipEntryCheck {
 
@@ -93,3 +101,61 @@ public String compliant() throws java.lang.Exception {
   }
 
 }
+
+class TarUtilities {
+  private TarUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static List<TarArchiveEntry> getAllEntries(TarFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static Optional<TarArchiveEntry> getNext(TarArchiveInputStream stream) throws IOException {
+    return Optional.of(stream.getNextEntry()); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //                        ^^^^^^^^^^^^
+  }
+
+  public static long getEntrySize(TarArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}
+
+class SevenZUtilities {
+  private SevenZUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static Iterable<SevenZArchiveEntry> getAllEntries(SevenZFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static long getEntrySize(SevenZArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}
+
+class ApacheCommonsZipUtilities {
+  private ApacheCommonsZipUtilities() {
+    /* This utility class should not be instantiated */
+  }
+
+  public static Enumeration<org.apache.commons.compress.archivers.zip.ZipArchiveEntry> getAllEntries(org.apache.commons.compress.archivers.zip.ZipFile file) {
+    return file.getEntries(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //          ^^^^^^^^^^
+  }
+
+  public static Optional<org.apache.commons.compress.archivers.zip.ZipArchiveEntry> getNext(org.apache.commons.compress.archivers.zip.ZipArchiveInputStream stream) throws IOException {
+    return Optional.of(stream.getNextEntry()); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //                        ^^^^^^^^^^^^
+  }
+
+  public static long getEntrySize(org.apache.commons.compress.archivers.zip.ZipArchiveEntry entry) {
+    return entry.getSize(); // Noncompliant {{Make sure that expanding this archive file is safe here.}}
+    //           ^^^^^^^
+  }
+}

java-checks/src/main/java/org/sonar/java/checks/security/ZipEntryCheck.java

@@ -38,12 +38,19 @@ public class ZipEntryCheck extends IssuableSubscriptionVisitor {
       .addWithoutParametersMatcher()
       .build(),
     MethodMatchers.create()
-      .ofSubTypes("java.util.zip.ZipEntry")
+      .ofSubTypes("org.apache.commons.compress.archivers.tar.TarFile",
+        "org.apache.commons.compress.archivers.sevenz.SevenZFile",
+        "org.apache.commons.compress.archivers.zip.ZipFile")
+      .names("getEntries")
+      .addWithoutParametersMatcher()
+      .build(),
+    MethodMatchers.create()
+      .ofSubTypes("java.util.zip.ZipEntry", "org.apache.commons.compress.archivers.ArchiveEntry")
       .names("getSize")
       .addWithoutParametersMatcher()
       .build(),
     MethodMatchers.create()
-      .ofSubTypes("java.util.zip.ZipInputStream")
+      .ofSubTypes("java.util.zip.ZipInputStream", "org.apache.commons.compress.archivers.ArchiveInputStream")
       .names("getNextEntry")
       .addWithoutParametersMatcher()
       .build()