I have a vulnerability and I am trying to fix it like this:
```java
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setProperty(DocumentBuilderFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
documentBuilderFactory.setProperty(DocumentBuilderFactory.SUPPORT_DTD, Boolean.FALSE);
try {
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    documentBuilderFactory.setFeature(FEATURE, true);
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    documentBuilderFactory.setFeature(FEATURE, false);
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    documentBuilderFactory.setFeature(FEATURE, false);
    FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    documentBuilderFactory.setFeature(FEATURE, false);
} catch (ParserConfigurationException e) {
    throw new RuntimeException("failed to instantiate documentBuilderFactory", e);
}
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
return documentBuilderFactory;
```
This follows the indication in SonarQube.
But it doesn't know `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` for DocumentBuilderFactory.
How can I fix this vulnerability in SonarQube?
Thanks
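
Added example, not part of the original post: `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` are constants of the StAX class `javax.xml.stream.XMLInputFactory`, and `DocumentBuilderFactory` has no `setProperty` method, so a DOM factory is restricted through `setFeature` and `setAttribute` instead. The class name, method names and sample XML below are constructed for illustration, and the sketch assumes a JAXP 1.5 parser such as the JDK's built-in one (an older parser on the classpath may throw `IllegalArgumentException` on the `ACCESS_EXTERNAL_*` attributes).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXException;

public class HardenedXmlFactories {

    // DOM: DocumentBuilderFactory exposes setFeature/setAttribute, not setProperty.
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any <!DOCTYPE ...> declaration outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // JAXP 1.5: an empty string means no protocol is allowed for external DTDs or schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // StAX: the two constants named in the question belong to XMLInputFactory.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return xif;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a document that declares a DOCTYPE with an internal entity.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            hardenedDomFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed (unexpected: DOCTYPE was accepted)");
        } catch (SAXException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
        hardenedStaxFactory(); // the StAX properties are accepted on this factory type
    }
}
```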