- Operating system: Alma Linux 8.10
- SonarQube for IntelliJ plugin version: 10.15.0.80347
- IntelliJ version: 2024.3.1
- Programming language you’re coding in: Java 21
- Is connected mode used: Yes, SonarQube Community Build v24.12.0.100206
An XXE vulnerability in a used XML SchemaFactory is not detected if the surrounding class is annotated with @Slf4j (using the Spring framework) and the function itself calls the logger at least once. The mentioned vulnerability should be detected via rule Java:2755. Neither SonarQube for IDE nor the SonarScanner inside our build pipeline issues a warning.
The following minimal code doesn’t issue a Sonar warning:
```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import java.io.File;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.xml.sax.SAXException;
import static javax.xml.validation.SchemaFactory.newInstance;

@Slf4j
public class XmlConfigurationReader {
    public void validateXml(File xmlFile, File schemaFile) {
        log.info("Validating XML file...");
        try {
            // SchemaFactory created without restricting external DTD/schema access (expected S2755 finding)
            Schema schema = newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI).newSchema(schemaFile);
            schema.newValidator().validate(new StreamSource(xmlFile));
            log.info("Validation successful");
        } catch (SAXException | NullPointerException | IOException e) {
            log.error("XML file could not be validated", e);
        }
    }
}
```
The instantiation of a SchemaFactory via newInstance without disabling features to mitigate XXE vulnerabilities should be non-compliant. Removing the logger calls in the aforementioned example makes SonarQube issue the appropriate warnings.
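For comparison, the hardened form of the same validation, added here as an example and not taken from the report above: it restricts external DTD and schema access on both the SchemaFactory and the Validator, which is the mitigation the XXE rule expects. The class and method names are chosen for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.File;
import java.io.IOException;
import org.xml.sax.SAXException;

// Example class (not from the original post): XSD validation with external entity access disabled.
public class HardenedXmlConfigurationReader {

    public boolean validateXml(File xmlFile, File schemaFile) {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Empty string means "no protocols allowed": the factory will not fetch
            // external DTDs or external schema documents while reading the XSD.
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

            Schema schema = factory.newSchema(schemaFile);

            // The Validator has its own settings; restrict it as well so the
            // instance document cannot pull in external resources either.
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

            validator.validate(new StreamSource(xmlFile));
            return true;
        } catch (SAXException | IOException e) {
            // SAXNotRecognizedException/SAXNotSupportedException (thrown by setProperty on
            // parsers that lack these properties) are SAXExceptions and are caught here too.
            return false;
        }
    }
}
```

If a parser implementation rejects the ACCESS_EXTERNAL_* properties, validation fails closed rather than silently running with external access enabled.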