Java: Avoid low-confidence dispatch to InputStream methods

Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.

Author: atorralba

java/ql/lib/ext/java.io.model.yml

@@ -116,6 +116,7 @@ extensions:
       - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
       - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
       - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
+      - ["java.io", "InputStream", "read", "()", "summary", "manual"]
       - ["java.io", "InputStream", "close", "()", "summary", "manual"]
       - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
       # The below APIs have numeric flow and are currently being stored as neutral models.

java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll

@@ -102,6 +102,8 @@ private module Dispatch {
     or
     t instanceof Interface and not t.fromSource()
     or
+    t.hasQualifiedName("java.io", "InputStream")
+    or
     t.hasQualifiedName("java.io", "Serializable")
     or
     t.hasQualifiedName("java.lang", "Iterable")