False positive on OpenSAML DocumentBuilder

I got a false positive on OpenSAML's DocumentBuilder.

SonarQube 8.9.1 LTS
FindBugs 4.0.2

Rule: findsecbugs:XXE_DOCUMENT
description: Security - XML parsing vulnerable to XXE (DocumentBuilder)

Libs:
org.opensaml:opensaml-core:3.4.5
net.shibboleth.utilities:java-support:7.5.1

My code:

    import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getParserPool;

    protected Object resolveRequestPayloadArgument(MethodParameter parameter, Source requestPayload) throws Exception {
        InputSource inputPayloadSource = sourceToInputSource(requestPayload);
        Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
        Element messageElem = payloadDocument.getDocumentElement();
        ...
    }

Edit:
It triggers on this line of code:

Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource); 

As you can see, I don’t create the DocumentBuilder, but use the OpenSAML lib to create one for me.
This lib returns a secured builder by default.
Maybe the scanning logic could be made a bit smarter so that it doesn't trigger on this code?
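A way to back up a suppression of `XXE_DOCUMENT` with evidence is to probe the builder at test time. The following is an added example, not code from the post or from OpenSAML: the class and method names are hypothetical, it uses only JAXP, and the hardened factory shows common JAXP settings rather than the exact ones OpenSAML's pool applies.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeBuilderCheck {
    // Constructed probe: the DOCTYPE declares an internal entity only,
    // so parsing it never touches the file system or the network.
    static final String PROBE =
        "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";

    /** True if the builder refuses a document that carries a DOCTYPE. */
    static boolean rejectsDoctype(DocumentBuilder builder) throws Exception {
        try {
            builder.parse(new InputSource(new StringReader(PROBE)));
            return false; // DOCTYPE accepted: entity declarations are processed
        } catch (SAXException e) {
            return true;  // parser raised a fatal error on the DOCTYPE
        }
    }

    /** Factory defaults, the case the XXE_DOCUMENT rule is written for. */
    static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Explicitly hardened factory (assumed settings, see lead-in). */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default rejects DOCTYPE:  " + rejectsDoctype(defaultBuilder()));
        System.out.println("hardened rejects DOCTYPE: " + rejectsDoctype(hardenedBuilder()));
        // In the project from the post, a unit test would pass the builder
        // returned by getParserPool().getBuilder() to rejectsDoctype().
    }
}
```

A static rule cannot see how a pooled builder was configured, so a test like this documents why the finding is marked as a false positive and fails if a library upgrade changes the pool's defaults.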

Hi,

Welcome to the community!

We appreciate your reporting this. Unfortunately, we’re not responsible for FindBugs. You’ll need to report this to the current maintainers. I suggest you open an issue on that project.

 
:woman_shrugging:
Ann

Thanks for the reply.
SonarQube (the program) asked me to file an issue, so I did.
I see it is a FindSecBugs rule, so I also posted this false positive on their issue tracker:
