FN Sonar not recognizing XXE vulnerability with slf4j logging

  • Operating system: Alma Linux 8.10
  • SonarQube for IntelliJ plugin version: 10.15.0.80347
  • IntelliJ version: 2024.3.1
  • Programming language you’re coding in: Java 21
  • Is connected mode used: Yes, SonarQube Community Build v24.12.0.100206

An XXE vulnerability in a used XML SchemaFactory is not detected if the surrounding class is annotated with @Slf4j (using the Spring framework) and the function itself calls the logger at least once. The mentioned vulnerability should be detected via rule Java:2755. Neither SonarQube for IDE nor the SonarScanner inside our build pipeline issues a warning.

The following minimal code doesn’t issue a Sonar warning:

import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import java.io.File;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.xml.sax.SAXException;

import static javax.xml.validation.SchemaFactory.newInstance;

@Slf4j
public class XmlConfigurationReader {

    public void validateXml(File xmlFile, File schemaFile) {
        // Logger call that, per this report, suppresses the S2755 finding below.
        log.info("Validating XML file...");
        try {
            // SchemaFactory is used as-is: no ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA
            // restriction, so external entity resolution stays enabled (the expected finding).
            Schema schema = newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI).newSchema(schemaFile);
            schema.newValidator().validate(new StreamSource(xmlFile));
            log.info("Validation successful");
        } catch (SAXException | NullPointerException | IOException e) {
            log.error("XML file could not be validated", e);
        }
    }

}

The instantiation of a SchemaFactory via newInstance without disabling features to mitigate XXE vulnerabilities should be non-compliant. Removing the logger calls in the aforementioned example lets SonarQube issue the appropriate warnings.
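For comparison, the compliant form of the same validator, written here as an added example rather than taken from the report: the external-access properties are set to the empty string on both the SchemaFactory and the Validator, which is the mitigation the rule named above looks for. The class name and the boolean return value are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.File;
import java.io.IOException;
import lombok.extern.slf4j.Slf4j;
import org.xml.sax.SAXException;

@Slf4j
public class HardenedXmlConfigurationReader {  // hypothetical class name

    public boolean validateXml(File xmlFile, File schemaFile) {
        log.info("Validating XML file...");
        try {
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // JAXP 1.5 properties: an empty string denies all external protocols,
            // so neither external DTDs nor external schema locations are fetched
            // while the schema is compiled.
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            Schema schema = factory.newSchema(schemaFile);

            // The Validator resolves entities independently of the factory,
            // so the same restrictions are applied to it as well.
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(xmlFile));

            log.info("Validation successful");
            return true;
        } catch (SAXException | IOException e) {
            // setProperty throws SAXNotRecognizedException / SAXNotSupportedException
            // (both SAXException subclasses) if the parser rejects the properties.
            log.error("XML file could not be validated", e);
            return false;
        }
    }
}
```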