Operating system
-Windows 10 Enterprise version 20H2
IDE flavor/version/OS.
-IBM RAD (IBM Rational Application Developer for WebSphere Software) on Windows; all Java code is auto-compiled into class files in RAD. Source code is Java 1.8
SonarLint version
-SonarLint for Eclipse 5.9.0.31414
Are you using connected mode?
-yes
If you are using connected mode, what is the SonarQube server version (or say if it is SonarCloud)
-SonarQube server v7.7
If you are using connected mode, what are the installed analyzers. You can easily get a list by opening https:///api/plugins/installed in a Web browser.
-please check the attachment “SQ Server 7.7 Plugin List 20220415.txt”
description of the problem / question:
If we scan the original code below using the above ‘SonarLint for Eclipse 5.9.0.31414’, we do not get any bug/vulnerability blocker.
If we scan the original code below using the SonarQube client sonar-scanner-4.7.0-linux,
we get the vulnerability error → “Disable access to external entities in XML parsing.”

```java
// The SAX_* names are constants defined in our own code (StoreLocatorDataLoadConstants)
// holding the feature-name strings shown in plain text in the second snippet below.
SAXReader saxReader = new SAXReader();
saxReader.setFeature(SAX_FEATURE_VALIDATION, false);
saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);
```
Please advise what is causing the discrepancy, and whether it is related to the installed plugins.
PS: for your reference,
we replaced the constant variables with the plain-text URLs, then used the Sonar client ‘sonar-scanner-4.7.0-linux’ to scan again; no error/vulnerability is shown.

```java
SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://xml.org/sax/features/validation", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
```
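As an added, self-contained example (not code from the post or from the project it describes), the following builds a dom4j `SAXReader` with the same five features written as string literals, the form the post reports the scanner accepts, and then checks on two constructed inputs that the hardened reader rejects any document carrying a DOCTYPE while still parsing a plain one. The class and method names are assumptions for the demo; only dom4j and the standard SAX API are required.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedSaxReaderDemo {

    /** Builds a dom4j SAXReader with the post's five features, written as literals. */
    static SAXReader newHardenedSaxReader() throws SAXException {
        SAXReader saxReader = new SAXReader();
        // Rejecting every DOCTYPE is the primary control: no DTD means no entity declarations.
        saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        saxReader.setFeature("http://xml.org/sax/features/validation", false);
        return saxReader;
    }

    /** Returns true when the reader accepts the document, false when it rejects it. */
    static boolean accepts(SAXReader reader, String xml) {
        try {
            Document doc = reader.read(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (DocumentException e) {
            // A DOCTYPE under disallow-doctype-decl surfaces here as a wrapped SAXParseException.
            return false;
        }
    }

    public static void main(String[] args) throws SAXException {
        SAXReader reader = newHardenedSaxReader();

        // Constructed inputs: a plain document, and one with an internal-only DOCTYPE.
        String plain = "<store><name>Main Street</name></store>";
        String withDoctype = "<!DOCTYPE store [<!ENTITY n \"Main Street\">]>"
                + "<store><name>&n;</name></store>";

        System.out.println("plain document accepted:   " + accepts(reader, plain));
        System.out.println("DOCTYPE document accepted: " + accepts(reader, withDoctype));
    }
}
```

Running it with dom4j on the classpath should report the plain document as accepted and the DOCTYPE document as rejected; if the second line prints true, the underlying parser is not honouring the feature and the configuration needs revisiting.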