tar.gz support

[arykov]

Would be good to add tar.gz support at least for scanning at least at the top level.

[xeraph]

Hmm.. Someone may implement this issue. However I don't want any additional dependency. Scanner will get complicated to support nested scanning and patching.

[pinacoelho]

Since tar.gz isn't usable by a java application, this would add complexity without identifying vulnerable applications. We should keep the focus on the directly usable formarts (JAR/EAR/WAR).

[arykov]

@pinacoelho, agreed on complexity(relative to zip). But disagree on value. There frequently are cases when software is distributed or backed up this way. So there is a risk of reintroduction of the problem. I assume you had the same rationale when implementing zip support and deciding not to limit "nesting" at 3 ear->war->jar

[pinacoelho]

So there is a risk of reintroduction of the problem.

There's always a risk, but while going down tar.gz's would cover that, it doesn't cover off-machine backups (Veritas NetBackup, IBM TSM, etc...).
Also, backups are sacred: as a sysadmin, whatever I've put in a backup, I expect to be there when I restore (for whatever reason), and that's non-negotiable from sysadmin and audit PoVs.

I assume you had the same rationale when implementing zip support and deciding not to limit "nesting" at 3 ear->war->jar

Not my rationale, but in my opinion a valid one. EARs/WARs are archives of archives, so to find the JAR that you're running, you have to go inside.

This is Xeraph's brainchild, it would be up to him to decide.