False positive on OpenSAML DocumentBuilder

I got a false-positive on OpenSAMLs DocumentBuilder.

SonarQube 8.9.1 LTS
FindBugs 4.0.2

Rule: findsecbugs:XXE_DOCUMENT
description: Security - XML parsing vulnerable to XXE (DocumentBuilder)


my code:

import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getParserPool;

    protected Object resolveRequestPayloadArgument(MethodParameter parameter, Source requestPayload) throws Exception {
        InputSource inputPayloadSource = sourceToInputSource(requestPayload);
        Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
        Element messageElem = payloadDocument.getDocumentElement();

it triggers on the code line:

Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource); 

As you can see, I don’t create the DocumentBuilder, but use the OpenSAML’s lib to create one for me.
This lib returns a secured builder by default.
Maybe the scanning logic could be made a bit smarter into not triggering on this code?


Welcome to the community!

We appreciate your reporting this. Unfortunately, we’re not responsible for FindBugs. You’ll need to report this to the current maintainers. I suggest you open an issue on that project.


Thanks for the reply.
SonarQube (the program) asked me to file an issue, so I did.
I see it is an FindBugSec rule, so I also posted this false positive at their issue tracking:

1 Like