False negative XXE rule for SchemaFactory (java:S2755)

Hello everyone,

I would like to report a false negative detection we got on a Java code project with our SonarQube Developer instance ( I would really appreciate it if someone could take a look.

Rule: XML parsers should not be vulnerable to XXE attacks (java:S2755).

Snippet:

import java.io.StringReader;
import java.net.URL;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

private DummyDocumentType getDummyDocumentType(String xmlEventIn) throws JAXBException, SAXException {
  DummyDocumentType dummyDocumentType;
  try {
    final JAXBContext jaxbContext = JAXBContext.newInstance(DummyDocumentType.class);
    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
    // SchemaFactory is left with its default configuration (no ACCESS_EXTERNAL_* restrictions);
    // this is the line S2755 was expected to flag.
    SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    Schema schema = schemaFactory.newSchema(resourceToString(SRC_MAIN_RESOURCES_XSD_EPCGLOBAL_EPCIS_1_2_XSD));
    dummyDocumentType = unmarshaller.unmarshal(new StreamSource(new StringReader(xmlEventIn)), DummyDocumentType.class).getValue();
  } catch (SAXException | JAXBException e) {
    log.error("Error parsing XML with XSD Exception : {}", e);
    throw e;
  }
  return dummyDocumentType;
}

// Resolves a classpath resource (e.g. the XSD) to a URL.
private URL resourceToString(String filePath) {
  return this.getClass().getClassLoader().getResource(filePath);
}

Don't hesitate to ask if you need more info.
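For reference, the unrestricted SchemaFactory from the snippet above next to its hardened form. This is an added example, not code from the post or from SonarSource; the inline XSD and XML document are constructed for the example, and the class name is hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class SchemaFactoryHardening {

    // Constructed schema for this example: a single string element named "event".
    private static final String XSD = "<?xml version=\"1.0\"?>"
        + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"event\" type=\"xs:string\"/></xs:schema>";

    // Weak form (the pattern from the report): default settings, so the factory and
    // the validators it produces may fetch external DTDs and schema locations.
    static SchemaFactory unrestrictedFactory() {
        return SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    }

    // Hardened form: enable secure processing and deny all external DTD/schema access.
    // An empty string means "no protocols allowed" per the JAXP 1.5 property contract.
    static SchemaFactory hardenedFactory() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    // Validators are configured separately, so the same restrictions are applied again
    // on the Validator before it touches untrusted input.
    static void validate(String xml) throws Exception {
        Schema schema = hardenedFactory().newSchema(new StreamSource(new StringReader(XSD)));
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        validator.validate(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        validate("<event>ok</event>");
        System.out.println("validated with external DTD/schema access disabled");
    }
}
```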

Hey @S0obi,

Thanks for the report and your long patience! It indeed seems to me like a false negative from our implementation of S2755.

I created the following ticket to tackle it: SONARJAVA-4577
