Bug in "XML parsers should not be vulnerable to XXE attacks (java:S2755)"


I have followed the guide to fix it for a TransformerFactory, but SonarQube isn’t satisfied yet.
Am I missing something?

SonarQube server 10.0.0.68432
SonarScanner 4.8.0.2856

This is what SonarQube shows in the “Why …”-tab:

TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
// to be compliant, prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Hi @avl,

Thank you for reporting.
Unfortunately, I could not reproduce your case.

Can you please create a small project containing a minimal reproducer?
It should include the build configuration and source file to reproduce this issue. Please also share the command you use to analyze the reproducer project and trigger the FP.

All the best,

Irina

Unfortunately I cannot provide a reproducer in this case…

I had a total of 63 issues of that rule on first scan, and maybe 10 of them were about
TransformerFactory but this one was the only one of them that “persisted” after fixing.

I didn’t see anything that would have explained the difference.

I’ve since ticked it off as false positive and my SQ-related job on that codebase
is done.

I’ll watch for questions here, anyway, but chances of being able to answer will
wane over time - until I get new “SQ-work” assigned to me.

I believe only a source-code review of these rules’ implementation could give
hints about what circumstances might matter here. I still have access to the
codebase, so, if you have questions like “do you do XXXX nearby?” I’ll likely
be able to answer those.

Can you please create a separate minimal reproducer and provide me with the information mentioned above?

All the best,

Irina

I also found this problem with TransformerFactory; here is example code for reproduction.
Is the issue on my side? Can this be reproduced?

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.File;

public class test {
  public static void main(String[] args) {
    try {
      // Create a simple XML Document
      DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
      DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
      Document doc = dBuilder.newDocument();
      Element rootElement = doc.createElement("root");
      doc.appendChild(rootElement);

      // Configure the TransformerFactory (the setFeature call below is the one the
      // default JDK factory rejects, see the follow-up post)
      TransformerFactory taFactory = TransformerFactory.newInstance();
      taFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      taFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

      Transformer transformer = taFactory.newTransformer();
      DOMSource source = new DOMSource(doc);
      StreamResult result = new StreamResult(new File("test.xml"));
      transformer.transform(source, result);

      System.out.println("XML file created successfully.");
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

I found the issue myself: my TransformerFactory does not support http://apache.org/xml/features/disallow-doctype-decl.
So these attributes are needed to fulfill the requirement of SonarQube:

taFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
taFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
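
A defensive helper built from the two standard JAXP attributes used in this thread, as an added example (not code from the thread or from SonarSource): it hardens a TransformerFactory, checks that the hardening took effect, and shows that the Apache-specific disallow-doctype-decl feature is rejected by the default JDK factory. The isHardened check assumes the implementation reports the attributes back through getAttribute (the JDK default does); Saxon and other implementations may differ.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public final class SafeTransformerFactory {

    /** Builds a TransformerFactory hardened against XXE using only JAXP-standard settings. */
    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // An empty string allows no protocol at all, so the transformer can fetch
        // neither external DTDs nor external stylesheets (what S2755 looks for).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Secure processing must be supported by every JAXP implementation.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    /** Returns true if the factory reports that external DTD and stylesheet access is blocked. */
    public static boolean isHardened(TransformerFactory factory) {
        return "".equals(factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD))
            && "".equals(factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
    }

    /** Probes the Xerces-specific feature from the thread; false on the JDK's built-in factory. */
    public static boolean supportsDisallowDoctype(TransformerFactory factory) {
        try {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            return true;
        } catch (TransformerConfigurationException e) {
            // The JDK's XSLTC-based TransformerFactory does not recognise this parser feature,
            // which is why the reproducer above fails before reaching the attributes.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = create();
        System.out.println("hardened: " + isHardened(factory));
        System.out.println("disallow-doctype-decl supported: " + supportsDisallowDoctype(factory));
    }
}
```

On a stock JDK this prints "hardened: true" and "disallow-doctype-decl supported: false", matching what the reproducer in this thread ran into.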

Glad you could fix it @Alexander-P. Let us know if you encounter any problem with this rule in the future.

Cheers,

Dorian