"Disable access to external entities in XML parsing" cannot be resolved on Android API 31 (Java 11)

Language: Java 11 on Android API 31

Rule: Disable access to external entities in XML parsing.

Why: Because setFeature is not working with DocumentBuilderFactory on Android.

Using: Enterprise Edition - Version 9.9.4 with SonarQube Server

Reproduce: Yes, reproducing it is simple. All Android platforms can report this error.

My code, simply:

```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setExpandEntityReferences(false);
factory.setXIncludeAware(false);
factory.setNamespaceAware(true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
Document doc = docBuilder.parse(new InputSource(xmlStream));
```

If I use these security settings (one rule or all rules), I get a ParsingException. I don't want to only use try/catch, because then Sonar can't report the error, but the code is not secured.

```java
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Can I get your advice? What is your solution?

Hi,

Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

9.9.4 → 2025.1.1 → 2025.2 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.

 
Ann
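
A fail-closed variant of the configuration in the question, as an added example that is not code from this thread or from SonarSource: each feature is tried on its own so the refused ones are recorded rather than swallowed, and a constructed canary document then checks whether the parser ever asks for an external entity. The class name, method names and canary URI are hypothetical, and the check assumes the platform parser honours `setEntityResolver`.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeSelfCheck { // hypothetical class name
    // Features from the question, grouped by the value they are set to.
    static final String[] SET_TRUE = {
        "http://apache.org/xml/features/disallow-doctype-decl",
        XMLConstants.FEATURE_SECURE_PROCESSING };
    static final String[] SET_FALSE = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities" };

    // Tries each feature on its own; returns the names this parser refused.
    static List<String> harden(DocumentBuilderFactory f) {
        List<String> refused = new ArrayList<>();
        for (String n : SET_TRUE) tryFeature(f, n, true, refused);
        for (String n : SET_FALSE) tryFeature(f, n, false, refused);
        f.setExpandEntityReferences(false); // same three calls as the question
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return refused;
    }
    static void tryFeature(DocumentBuilderFactory f, String n, boolean v, List<String> refused) {
        try { f.setFeature(n, v); } catch (ParserConfigurationException e) { refused.add(n); }
    }

    // Parses a constructed canary document; true if the parser never asks the
    // resolver for the external entity (DOCTYPE rejected or entity skipped).
    static boolean ignoresExternalEntities(DocumentBuilderFactory f) throws Exception {
        String canary = "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///constructed-canary\">]><r>&x;</r>";
        boolean[] asked = {false};
        DocumentBuilder b = f.newDocumentBuilder();
        // The resolver answers with empty content, so nothing is fetched.
        b.setEntityResolver((pub, sys) -> { asked[0] = true; return new InputSource(new StringReader("")); });
        try { b.parse(new InputSource(new StringReader(canary))); }
        catch (SAXException e) { /* document rejected, e.g. DOCTYPE disallowed */ }
        return !asked[0];
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        System.out.println("refused features: " + harden(f));
        if (!ignoresExternalEntities(f))
            throw new IllegalStateException("parser resolves external entities; do not parse untrusted XML");
    }
}
```

Logging the refused list keeps the gap visible in review, and the canary check decides at runtime whether the factory may be used for untrusted input.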