Fix for vulnerability not picked up by scan

  • versions used: Developer Edition Version 7.3 (build 15553) [LGPL v3]
  • error observed: Got critical vulnerability reported for Disable external entity (XXE) processing. Developer fixed the issue with the exact suggested code but the issue still remains open. Fix is seen within sonarqube so we know correct version is being scanned. Please suggest if this is known issue or if there is something that can be done to correct this. Thanks in advance for your help


Welcome to the community!

We’ll need more information before this can be answered:

  • langauge
  • rule
  • reproducing code snippet
  • analyzer version for the relevant language (found in Administration->Marketplace)

Also, I should note that 7.3 has some age on it at this point and is past EOL. Newer versions include updated analyzers, which may or may not address this issue.


  • langauge - Java

  • rule - Untrusted XML should be parsed with a local, static DTD

  • reproducing code snippet:
    factory.setAttribute(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    factory.setAttribute(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);

  • analyzer version for the relevant language: SonarJava

Code Analyzer for Java * 5.6.1 (build 15064) installed


Thanks for responding with the details so quickly. In fact, you’re 15 versions behind the current version. I realize that you can’t upgrade to the latest analyzer version in such an old version of SonarQube. Your best bet at this point is to upgrade SonarQube at your earliest convenience and come back to us if the problem persists.