False Positive: Rule java:S2755 – “Disable access to external entities in XML parsing”

Language: Java
Rule: java:S2755
Tooling:

  • SonarQube Server: Enterprise Edition 9.9 (build 65466)
  • Sonar Maven Plugin: 5.1.0.4751
  • Java: JDK 17

Why this is a false positive

This rule is triggered on code that already follows the secure and compliant guidelines provided by OWASP and the rule documentation itself. Here is the exact snippet being flagged:

SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
Schema schema = schemaFactory.newSchema(schemaFileURL);

This matches exactly the compliant code shown in the “Why is this an issue” section and disables:

  • DOCTYPE declarations
  • External DTD and schema access

We are also observing the same false positive in other parts of our codebase, including for TransformerFactory usage. Despite applying the exact same compliant solution recommended by Sonar (see below), the issue is still incorrectly flagged:

TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = factory.newTransformer();

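As an added check that is not part of the original post: the two flagged configurations collected into factory methods, plus a self-test that a DOCTYPE is actually refused at runtime. That runtime evidence is what settles whether the finding is a false positive, independent of what the rule reports. The class name and the sample schema string are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import java.io.StringReader;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {

    // The flagged SchemaFactory settings, collected in one factory method.
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return sf;
    }

    // The flagged TransformerFactory settings, likewise.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Constructed sample: a minimal, otherwise valid schema document carrying a DOCTYPE.
    static final String SCHEMA_WITH_DOCTYPE =
        "<!DOCTYPE schema>\n"
        + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"/>";

    // True when the hardened factory refuses the DOCTYPE, i.e. the feature is in force.
    static boolean rejectsDoctype() throws SAXException {
        SchemaFactory sf = hardenedSchemaFactory(); // configuration errors propagate, not swallowed
        try {
            sf.newSchema(new StreamSource(new StringReader(SCHEMA_WITH_DOCTYPE)));
            return false; // schema loaded: DOCTYPE was not blocked
        } catch (SAXException e) {
            return true; // parser rejected the DOCTYPE declaration
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE rejected by hardened SchemaFactory: " + rejectsDoctype());
        hardenedTransformerFactory().newTransformer(); // builds with external DTD/stylesheet access off
    }
}
```

Dropping the setFeature line makes rejectsDoctype() return false, which shows the check is exercising the setting rather than passing trivially.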

Hey @radziu2402

Thanks for the reports.

Your first case, I believe, is already tracked at SONARJAVA-4548.

And this one at SONARJAVA-5110.

I will let you know that v9.9 is EOL and you should upgrade to 2025.1.2 LTA. However, both of these issues are still present.