Disable XML external entity (XXE) processing

I have a vulnerability and I tried to fix it like this:

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public static DocumentBuilderFactory secureDocumentBuilderFactory() {
	DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

	// These two constants belong to javax.xml.stream.XMLInputFactory (StAX), not to
	// DocumentBuilderFactory, which also has no setProperty(); the two lines below do not compile:
	// documentBuilderFactory.setProperty(DocumentBuilderFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
	// documentBuilderFactory.setProperty(DocumentBuilderFactory.SUPPORT_DTD, Boolean.FALSE);
	// The DOM-side equivalent is the JAXP 1.5 access restriction attributes:
	documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
	documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

	try {
		// Rejecting any DOCTYPE is the primary XXE defence: no DTD, no entity declarations
		String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
		documentBuilderFactory.setFeature(FEATURE, true);

		// Defence in depth, in case a DOCTYPE ever has to be allowed
		FEATURE = "http://xml.org/sax/features/external-general-entities";
		documentBuilderFactory.setFeature(FEATURE, false);
		FEATURE = "http://xml.org/sax/features/external-parameter-entities";
		documentBuilderFactory.setFeature(FEATURE, false);

		FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
		documentBuilderFactory.setFeature(FEATURE, false);
	} catch (ParserConfigurationException e) {
		throw new RuntimeException("failed to instantiate documentBuilderFactory", e);
	}

	// XInclude can pull in external documents; entity expansion is what an XXE payload relies on
	documentBuilderFactory.setXIncludeAware(false);
	documentBuilderFactory.setExpandEntityReferences(false);

	return documentBuilderFactory;
}

following the indication in SonarQube.

But it doesn't know "IS_SUPPORTING_EXTERNAL_ENTITIES" and "SUPPORT_DTD" for DocumentBuilderFactory.

How can I fix this vulnerability in SonarQube?
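The snippet in the question mixes two JAXP APIs: IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD are constants on the StAX XMLInputFactory, while DocumentBuilderFactory is configured through setFeature() with the Xerces/SAX feature URIs and setAttribute() with the XMLConstants access keys. The following added example (not code from the question or from SonarSource) builds both factories hardened the right way and feeds each a constructed XXE payload to show that the hardened DOM parser refuses the DOCTYPE outright and the hardened StAX parser never expands the entity. The payload, the class name XxeHardening and the helper names are assumptions for illustration; the file:///etc/passwd reference is never dereferenced because parsing stops before entity resolution.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.SAXException;

public class XxeHardening {

    /** DOM: DocumentBuilderFactory is configured via feature URIs and XMLConstants attributes. */
    public static DocumentBuilderFactory hardenedDomFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Rejecting every DOCTYPE blocks XXE, external DTD loading and entity-expansion DoS at once
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for deployments that must accept a DOCTYPE
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("parser does not support the required security features", e);
        }
        // JAXP 1.5 access restrictions: empty string = no protocol allowed
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** StAX: this is the API where SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES actually exist. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Constructed XXE payload (assumption for illustration): a default parser would read /etc/passwd
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
      + "<foo>&xxe;</foo>";

    /** True when the hardened DOM parser refuses the document (SAXParseException on the DOCTYPE). */
    public static boolean domRejects(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder db = hardenedDomFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed: entity content could have been expanded into the DOM
        } catch (SAXException e) {
            return true;  // "DOCTYPE is disallowed when the feature ... set to true"
        }
    }

    /** True when the hardened StAX parser either throws or yields no non-blank text from the entity. */
    public static boolean staxBlocks(String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
                if (r.isCharacters()) {
                    text.append(r.getText());
                }
            }
        } catch (XMLStreamException e) {
            return true;
        }
        // With the DTD skipped, &xxe; is never resolved, so nothing from /etc/passwd reaches the caller
        return text.toString().trim().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM rejects XXE payload:  " + domRejects(XXE_PAYLOAD));
        System.out.println("StAX blocks XXE payload:  " + staxBlocks(XXE_PAYLOAD));
    }
}
```

Run it with a plain `javac XxeHardening.java && java XxeHardening`; both lines print true with the JDK's built-in Xerces-based parsers. If your application uses a different JAXP implementation, keep the check in a unit test: a parser that happily returns the file contents here is misconfigured regardless of what a static analyzer reports.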

I just stumbled onto this topic. I know it's an old one, but I want to add that we completely reworked this rule, both the description and the implementation. I invite anybody facing issues with this rule to test with a version of the Java Analyzer (>= 6.2) and read the latest description.

If something is still not clear, feel free to get back to us with more information on what needs clarification.