Discrepancy in results between SonarLint 5.9 and sonar-scanner 4.7

Operating system
-Windows 10 Enterprise version 20H2
IDE flavor/version/OS.
-IBM RAD (IBM Rational Application Developer for WebSphere Software) on Windows; all Java code is auto-compiled into class files in RAD. Source code is Java 1.8.
SonarLint version
-SonarLint for Eclipse 5.9.0.31414
Are you using connected mode?
-yes
If you are using connected mode, what is the SonarQube server version (or say if it is SonarCloud)
-SonarQube server v7.7
If you are using connected mode, what are the installed analyzers. You can easily get a list by opening https:///api/plugins/installed in a Web browser.
-Please check the attachment "SQ Server 7.7 Plugin List 20220415.txt"

description of the problem / question:
If we scan the original code below using the 'SonarLint for Eclipse 5.9.0.31414' above, we do not get any bug/vulnerability blocker.
If we scan the same original code using the SonarQube client sonar-scanner-4.7.0-linux,
we get the vulnerability error "Disable access to external entities in XML parsing."

SAXReader saxReader = new SAXReader();
saxReader.setFeature(SAX_FEATURE_VALIDATION, false);                               // http://xml.org/sax/features/validation
saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);                        // http://apache.org/xml/features/nonvalidating/load-external-dtd
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);   // http://apache.org/xml/features/disallow-doctype-decl
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false); // http://xml.org/sax/features/external-parameter-entities
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);   // http://xml.org/sax/features/external-general-entities

Please advise what causes the discrepancy, and whether it is related to the installed plugins.

PS: for your reference,
we replaced the constant variables with the plain-text URLs, then scanned again with the Sonar client 'sonar-scanner-4.7.0-linux'; no error/vulnerability was reported.

SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://xml.org/sax/features/validation", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

SQ server v7.7 plugin list 20220415.txt (11.5 KB)

Hi,

The current version of SonarLint for Eclipse is 7.3.1, and the current version of SonarQube is 9.4 (current LTS: 8.9.8).

You really need to look at upgrading. If you’re still on SonarLint 5.9 because 6.0 dropped support for SonarQube versions <7.9, well… SonarQube 7.7 is 3 years and more than 2 LTS versions behind. We’ve fixed a lot of bugs and vulnerabilities since then.

Please upgrade both your SonarQube server and then SonarLint. And come back to us if you’re still having problems after the upgrades.

Ann

Hi Ann,
The JDK version of the source code in my project is JDK 8.
The source code is Java 1.8.
Please advise which versions of SonarQube server and SonarLint to update to, thanks.

Hi,

I’m not sure I understand the question. The current SonarQube version is 9.4 and the current LTS is 8.9.8. You should upgrade to one of them.

Your upgrade path is:

7.7 → 7.9.6 → 8.9.8 → 9.4 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

Note that there are rules that don’t run in SonarLint because they would impact performance and interfere with coding. So even after upgrade, you may not see the issue you’re expecting in SonarLint.

HTH,
Ann

Hi Ann,
Could you please give more information about which rules don't run in SonarLint, and what the workaround is for this?
Assuming we have upgraded SonarQube and SonarLint and we still cannot see the expected issue in SonarLint, is there any other Sonar tool that could replace SonarLint and that developers can integrate into the IDE?
Thanks!

Hello, thanks for your interest in Sonar products!

Please check this section of the SonarLint FAQ.

In this particular case, “Disable access to external entities in XML parsing” is raised by rule java:S2755 which should run correctly in SonarLint.

I suggest you have a look at the SonarLint console view (Window > Show View > Console, Open Console > SonarLint Console), enable Verbose Output and Analysis Logs (see FAQ), and re-analyze the file where the issue should appear.

Please note that this rule is sensitive to classpath resolution, so if there is any issue with the project’s classpath in Eclipse, it won’t be detected.
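The following is an added example, not code from this thread or from SonarSource: it puts the default dom4j SAXReader that java:S2755 reports on next to one hardened with the same five features set in the original post, and feeds both a constructed payload that declares an entity in its DOCTYPE. It assumes dom4j (org.dom4j) is on the classpath and that the JDK's built-in Xerces parser is used; the class name XxeDemo, the method names and the payload are all illustrative.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example: shows what java:S2755 is looking for. A default SAXReader
 * processes the DOCTYPE and expands the entity; the hardened reader rejects
 * the document before any entity is resolved.
 */
public class XxeDemo {

    // Constructed payload. It uses an internal entity so the demo runs offline;
    // in a real XXE the entity would be SYSTEM "file:///..." or a URL.
    static final String PAYLOAD =
        "<!DOCTYPE data [<!ENTITY xxe \"injected\">]><data>&xxe;</data>";

    /** Default reader: DOCTYPE and entity declarations are honoured. */
    static SAXReader unsafeReader() {
        return new SAXReader();
    }

    /** Hardened reader: the feature set from the original post, as literals. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader r = new SAXReader();
        // Rejecting the DOCTYPE outright is the decisive setting; the rest
        // are defence in depth for parsers that allow a DOCTYPE through.
        r.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        r.setFeature("http://xml.org/sax/features/external-general-entities", false);
        r.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        r.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        r.setFeature("http://xml.org/sax/features/validation", false);
        return r;
    }

    /** Parses the XML with the given reader and returns the root element's text. */
    static String parseRootText(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        // Default reader expands the entity: prints "injected".
        System.out.println("unsafe:   " + parseRootText(unsafeReader(), PAYLOAD));

        // Hardened reader: Xerces raises a fatal "DOCTYPE is disallowed" error,
        // which dom4j surfaces as a DocumentException.
        try {
            parseRootText(hardenedReader(), PAYLOAD);
            System.out.println("hardened: parsed (unexpected)");
        } catch (DocumentException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

The analyzer only sees feature names it can resolve at analysis time, which is why the thread's advice to check classpath resolution in the SonarLint console matters: if the constants class cannot be resolved, the analyzer cannot tell that disallow-doctype-decl was set and may either miss or over-report the issue.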