We are using SonarQube Server version 6.7.6 with the SonarJava plugin (version 5.9.2.16552).
With the above environment, we found that for the Java rule "Untrusted XML should be parsed with a local, static DTD (squid:S2755)", issues are not reported when the method call is in static/non-static initializer blocks.
For example, the calls to saxParserFactory = SAXParserFactory.newInstance() in an instance initializer block or a static initializer block are not reported.
Below is the sample program.
import javax.xml.parsers.SAXParserFactory;

public class SAXHelper {
    private static SAXParserFactory saxParserFactory;

    // static initializer block
    static {
        saxParserFactory = SAXParserFactory.newInstance(); // issue is not reported here
    }

    // instance initializer block
    {
        saxParserFactory = SAXParserFactory.newInstance(); // issue is not reported here
    }

    static SAXParserFactory getSAXParserInstance() {
        saxParserFactory = SAXParserFactory.newInstance(); // issue is reported here
        return saxParserFactory;
    }

    public void initSAXParser() {
        saxParserFactory = SAXParserFactory.newInstance(); // issue is reported here
    }
}
We have also tried the latest Java plugin, version 5.13.1.18282, and issues are not reported from initializer blocks.
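For readers who land here looking for what S2755 is actually protecting against, the following is an added example, not code from the thread above or from SonarSource: it shows the same static-initializer placement as the reproducer, but with the SAXParserFactory hardened against XXE before it is shared, and a constructed payload that the hardened parser rejects. The class name, the payload string and the helper methods are illustrative assumptions; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSAXHelper {

    // Constructed XXE payload (example data, not from the thread): an external
    // entity that would read /etc/passwd if the parser resolved it.
    private static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<data>&xxe;</data>";

    private static final SAXParserFactory SAX_FACTORY;

    // Same placement as the reproducer: the factory is built once in a static
    // initializer. The difference is that DOCTYPE declarations are refused and
    // external entities are disabled before the factory is ever used.
    static {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            // Refuse any DOCTYPE at all: no DTD means no entity expansion of any kind.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case the feature above is ever relaxed.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            SAX_FACTORY = f;
        } catch (ParserConfigurationException | SAXException e) {
            // A parser that cannot be hardened must not be used at all.
            throw new ExceptionInInitializerError(e);
        }
    }

    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        return SAX_FACTORY.newSAXParser();
    }

    /** Parses untrusted XML; returns true if accepted, false if the parser rejected it. */
    static boolean parseUntrusted(String xml) throws Exception {
        SAXParser parser = newHardenedParser();
        try {
            parser.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the DOCTYPE itself is a fatal error,
            // so the external entity is never even looked at.
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Benign document accepted: " + parseUntrusted("<data>ok</data>"));
        System.out.println("XXE payload accepted:     " + parseUntrusted(XXE_PAYLOAD));
    }
}
```

Run with `javac HardenedSAXHelper.java && java HardenedSAXHelper`: the benign document is accepted and the payload is rejected at the DOCTYPE. The point of building the factory in a static initializer is that hardening happens exactly once and cannot be forgotten by a caller; the point of the thread above is that, in the plugin versions mentioned, the rule did not look inside that initializer, so an unhardened factory created there would not have been flagged.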
Sorry for the delay in answering you; it's indeed a case of a False Negative (FN) in the implementation of S2755.
Thanks for raising this, and for providing a perfectly self-contained reproducer; this is highly appreciated!
I created the following ticket to handle it and eventually fix the rule: SONARJAVA-3212
Finally, please note that the latest LTS version of SonarQube is 7.9, and that the fix for this rule will only be available on the new LTS.
As per my understanding, the fix is scheduled for version 6.2 of the Java plugin.
Will version 6.2 of the Java plugin not be compatible with SonarQube 7.9 LTS?
Please confirm.