Zip Bomb SQ analysis seems to be confusing

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

Maven sonar scanner 3.7.0.1746

The code below is flagged as vulnerable to a Zip Bomb attack…

```java
try (JarFile jarFile = jarConnection.getJarFile()) {
    Path srcJarFolder = Paths.get(jarConnection.getJarEntry().getName());

    Enumeration<JarEntry> entries = jarFile.entries();
    while (entries.hasMoreElements()) {
        JarEntry jarEntry = entries.nextElement();
        Path jarEntryPath = Paths.get(jarEntry.getName());
        // ... (per-entry handling elided in the post)
    }
}
```

Re-writing the above code using a stream no longer flags the code as a security hotspot.
Why does using a stream to iterate over the .jar file make the Sonar scanner ignore the Zip Bomb security violation?

```java
// New code: the SQ scanner no longer identifies this as susceptible to a Zip Bomb attack.
try (JarFile jarFile = jarConnection.getJarFile()) {
    Path srcJarFolder = Paths.get(jarConnection.getJarEntry().getName());
    jarFile.stream().map(jarEntry -> {
        // ... (per-entry handling elided in the post)
    });
}
```

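Whether the entries come from `entries()` or `stream()`, what the hotspot is really asking for is a bound on how much data gets inflated. The following is an added example, not code from the original post or from SonarSource: a stream-based extractor that caps entry count, per-entry size, total size and compression ratio while counting the bytes actually read. The class name `BoundedJarExtractor` and the limit values are assumptions for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.util.jar.*;
import java.util.zip.ZipException;

public final class BoundedJarExtractor {
    // Constructed limits for this example; size them for the real application.
    static final long MAX_TOTAL_BYTES = 256L << 20; // 256 MiB across all entries
    static final long MAX_ENTRY_BYTES = 64L << 20;  // 64 MiB for any single entry
    static final int MAX_ENTRIES = 10_000;
    static final double MAX_RATIO = 100.0;          // uncompressed bytes / compressed bytes

    /** Extracts every file entry under destDir and returns the total bytes written. */
    public static long extract(JarFile jarFile, Path destDir) throws IOException {
        long[] total = {0}; // counters shared with the lambda (sequential stream)
        int[] count = {0};
        try {
            jarFile.stream().filter(e -> !e.isDirectory()).forEach(entry -> {
                try {
                    if (++count[0] > MAX_ENTRIES) throw new ZipException("too many entries");
                    Path target = destDir.resolve(entry.getName());
                    Files.createDirectories(target.getParent());
                    try (InputStream in = jarFile.getInputStream(entry);
                         OutputStream out = Files.newOutputStream(target)) {
                        total[0] += copyBounded(in, out, entry, total[0]);
                    }
                } catch (IOException e) {
                    throw new UncheckedIOException(e); // lambdas cannot throw checked exceptions
                }
            });
        } catch (UncheckedIOException e) {
            throw e.getCause();
        }
        return total[0];
    }

    /** Copies one entry while counting the bytes actually inflated: header sizes can lie. */
    static long copyBounded(InputStream in, OutputStream out, JarEntry entry, long soFar) throws IOException {
        byte[] buf = new byte[8192];
        long written = 0;
        long compressed = entry.getCompressedSize(); // -1 when unknown
        for (int n; (n = in.read(buf)) != -1; ) {
            written += n;
            if (written > MAX_ENTRY_BYTES || soFar + written > MAX_TOTAL_BYTES)
                throw new ZipException("size limit exceeded in " + entry.getName());
            if (compressed > 0 && written / (double) compressed > MAX_RATIO)
                throw new ZipException("suspicious compression ratio in " + entry.getName());
            out.write(buf, 0, n);
        }
        return written;
    }
}
```

The limits are checked on bytes read from the inflater, not on `entry.getSize()`, because the declared size in the local header is attacker-controlled.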

Hi George and welcome to the community!

Thanks for the report. It is of course also a problem if streams are used. I have created an internal ticket to also raise an issue if streams are used.

Best regards,
Hendrik


Thanks very much, Hendrik. Would the fix be included in the next version?
A similar issue could happen if I use Files.walkFileTree.

It is hard for me to say when it will be integrated into the product as it involves multiple teams. It is not likely that it will be part of the next version as that will already come quite soon but maybe in the version after that.
