Bug in "XML parsers should not be vulnerable to XXE attacks (java:S2755)"


I have followed the guide to fix it for a TransformerFactory, but SonarQube isn’t satisfied, yet.
Am I missing something?


This is what SonarQube shows in the “Why …” tab:

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
// to be compliant, prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
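An added example (not the poster's code or SonarSource's) showing the compliant factory setup as one method, plus a runtime self-check that the two attributes really stop the JDK parser from fetching an external DTD referenced by a stylesheet; the class name, the constructed stylesheet and its placeholder DTD URL are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

public final class HardenedTransformerFactory {

    // Constructed sample: a stylesheet whose DOCTYPE points at an external DTD.
    // The placeholder URL is never contacted when external DTD access is disabled.
    private static final String XSLT_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xsl:stylesheet SYSTEM \"http://localhost:9/placeholder.dtd\">\n"
        + "<xsl:stylesheet version=\"1.0\" "
        + "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
        + "  <xsl:template match=\"/\"><out/></xsl:template>\n"
        + "</xsl:stylesheet>";

    // The S2755-compliant pattern: deny every protocol for external DTDs and
    // external stylesheets (xsl:import / xsl:include / document()).
    public static TransformerFactory newHardenedFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Returns true when the factory refuses to compile a stylesheet that needs an
    // external DTD: the JDK parser reports the blocked access as a
    // TransformerConfigurationException instead of performing the fetch.
    public static boolean rejectsExternalDtd(TransformerFactory factory) {
        try {
            factory.newTransformer(
                new StreamSource(new StringReader(XSLT_WITH_EXTERNAL_DTD)));
            return false; // external DTD was resolved: factory is NOT hardened
        } catch (TransformerConfigurationException e) {
            return true;  // access denied by the accessExternalDTD restriction
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory blocks external DTD: "
            + rejectsExternalDtd(TransformerFactory.newInstance()));
        System.out.println("hardened factory blocks external DTD: "
            + rejectsExternalDtd(newHardenedFactory()));
    }
}
```

Running the class against the unhardened factory is only useful as a contrast in a test environment where the placeholder URL is unreachable; the hardened factory should print `true`.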

Hi @avl,

Thank you for reporting.
Unfortunately, I could not reproduce your case.

Can you please create a small project containing a minimal reproducer?
It should include the build configuration and source file to reproduce this issue. Please also share the command you use to analyze the reproducer project and trigger the FP.

All the best,


Unfortunately I cannot provide a reproducer in this case…

I had a total of 63 issues of that rule on first scan, and maybe 10 of them were about
TransformerFactory but this one was the only one of them that “persisted” after fixing.

I didn’t see anything that would have explained the difference.

I’ve since ticked it off as false positive and my SQ-related job on that codebase
is done.

I’ll watch for questions here, anyway, but chances of being able to answer will
wane over time - until I get new “SQ-work” assigned to me.

I believe only a source-code review of these rules’ implementation could give
hints about what circumstances might matter here. I still have access to the
codebase, so, if you have questions like “do you do XXXX nearby?” I’ll likely
be able to answer those.

Can you please create a separate minimal reproducer and provide me with the information mentioned above?

All the best,