For rule S2755, issues are not reported from initializer block

Hello,

We are using SonarQube Server version 6.7.6 with the sonar java plugin (version 5.9.2.16552).

With the above environment, we found that for the java rule “Untrusted XML should be parsed with a local, static DTD (squid:S2755)”, issues are not reported when the method call is in a static/non-static initializer block.

For example, the calls to saxParserFactory = SAXParserFactory.newInstance() in an initializer block/static block are not reported.

Below is the sample program.

import javax.xml.parsers.SAXParserFactory;

public class SAXHelper {
	private static SAXParserFactory saxParserFactory;
	static {
		saxParserFactory = SAXParserFactory.newInstance(); // issue is not reported here
	}

	{
		saxParserFactory = SAXParserFactory.newInstance();  // issue is not reported here
	}
	
	static SAXParserFactory getSAXParserInstance() {
		saxParserFactory = SAXParserFactory.newInstance(); // issue is reported here
		return saxParserFactory;
	}

	public void initSAXParser ( ) {
		saxParserFactory = SAXParserFactory.newInstance(); // issue is reported here
	}

}

We have also tried the latest java plugin of version 5.13.1.18282 and issues are not reported from initializer blocks.

Can you please take a look into this?

With Regards,
Vara Prasad.
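As an added example (not part of the original post), this is the configuration S2755 expects, applied in the same kind of static initializer block the reproducer above uses; the class name SafeSAXHelper and the constructed sample inputs are assumptions for illustration:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; the hardening lives in the static block the rule did not inspect.
public class SafeSAXHelper {
    private static final SAXParserFactory FACTORY;

    static {
        SAXParserFactory f = SAXParserFactory.newInstance();
        try {
            // Strictest option: refuse any DOCTYPE, so no DTD or entity declaration is processed.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that ignore the feature above: never fetch external entities or DTDs.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
        } catch (ParserConfigurationException | SAXException e) {
            throw new ExceptionInInitializerError(e);
        }
        FACTORY = f;
    }

    /** Parses untrusted XML with the hardened factory; returns false if the input is rejected. */
    static boolean parseUntrusted(String xml) {
        try {
            SAXParser parser = FACTORY.newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false; // a DOCTYPE was present, or the XML was malformed
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain document, and one declaring a DTD (the shape S2755 guards against).
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order SYSTEM \"http://example.invalid/order.dtd\"><order/>";
        System.out.println("plain accepted:   " + parseUntrusted(plain));
        System.out.println("DOCTYPE accepted: " + parseUntrusted(withDoctype));
    }
}
```

The hardened factory rejects the DOCTYPE-bearing document before any external resource is fetched, which is the behaviour the rule is meant to enforce whether or not the analyzer flags the initializer block.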

Hello,

Any further update on the above issue ?

With Regards,
Vara Prasad.

Hello Vara, and welcome to this community forum,

Sorry for the delay in answering you; it’s indeed a case of a False Negative (FN) in the implementation of S2755.

Thanks for raising this, and for providing a perfectly self-contained reproducer, this is highly appreciated!
I created the following ticket to handle it, and eventually, fix the rule: SONARJAVA-3212

Finally, please note that the latest LTS version of SonarQube is 7.9, and that the fix for this rule will only be available on the new LTS.

Cheers,
Michael

Thanks Michael for looking into the issue.

As per my understanding, the fix is scheduled for version 6.2 of the java plugin.
Will version 6.2 of the java plugin not be compatible with SonarQube 7.9 LTS?
Please confirm.

With Regards,
Vara Prasad.

Hello,

No

It will be compatible. All future versions of SonarJava (and our other plugins) will always be compatible with the latest LTS (in our case, SQ 7.9).

Michael

Thanks Michael for the confirmation.