Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Maven sonar scanner 3.7.0.1746
- what are you trying to achieve
Based on the rule **Java static code analysis: Expanding archive files without controlling resour**;
The code below is flagged as vulnerable to a Zip Bomb attack…
```java
try (JarFile jarFile = jarConnection.getJarFile()) {
    Path srcJarFolder = Paths.get(jarConnection.getJarEntry().getName());
    Enumeration<JarEntry> entries = jarFile.entries();
    while (entries.hasMoreElements()) {
        JarEntry jarEntry = entries.nextElement();
        Path jarEntryPath = Paths.get(jarEntry.getName());
        ...
        ...
```
Rewriting the above code using a stream no longer flags the code as a security hotspot.
Why does using a stream to iterate over the .jar file make the Sonar scanner ignore the Zip Bomb attack security violation?
```java
// New code, SQ scanner no longer identifies as susceptible to Zip Bomb attack.
try (JarFile jarFile = jarConnection.getJarFile()) {
    Path srcJarFolder = Paths.get(jarConnection.getJarEntry().getName());
    jarFile.stream().map(jarEntry -> {
        ....
        ....
    }
```
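Whichever way the entries are iterated, what a reviewer of this hotspot wants to see is that inflating the archive is bounded. The following is an added example, not code from the original post: it walks a `JarFile` with the same `entries()` loop the scanner flags, but enforces limits on entry count, total uncompressed bytes and per-entry compression ratio; the class name, method name and threshold values are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class BoundedJarReader {
    // Constructed thresholds for illustration; tune them to the archives you expect.
    private static final int MAX_ENTRIES = 10_000;
    private static final long MAX_TOTAL_BYTES = 1L << 30; // 1 GiB uncompressed, all entries
    private static final double MAX_RATIO = 10.0;         // uncompressed / compressed, per entry

    /** Reads every entry of the jar, failing fast if any resource limit is exceeded. */
    public static long readAll(JarFile jarFile) throws IOException {
        int entryCount = 0;
        long totalBytes = 0;
        byte[] buffer = new byte[8192];
        Enumeration<JarEntry> entries = jarFile.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (++entryCount > MAX_ENTRIES) {
                throw new IOException("Too many entries in archive: " + entryCount);
            }
            if (entry.isDirectory()) {
                continue;
            }
            long compressed = entry.getCompressedSize(); // -1 when the header does not say
            long entryBytes = 0;
            try (InputStream in = jarFile.getInputStream(entry)) {
                int n;
                while ((n = in.read(buffer)) != -1) {
                    // Count bytes actually inflated; declared sizes in the header can lie.
                    entryBytes += n;
                    totalBytes += n;
                    if (totalBytes > MAX_TOTAL_BYTES) {
                        throw new IOException("Archive exceeds uncompressed size limit");
                    }
                    if (compressed > 0 && (double) entryBytes / compressed > MAX_RATIO) {
                        throw new IOException("Suspicious compression ratio: " + entry.getName());
                    }
                }
            }
        }
        return totalBytes;
    }
}
```

The same three checks belong inside the `stream()`-based lambda as well; the scanner not raising a hotspot there does not change what happens when the entry is inflated.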