Getting issue in Sonar Scan

We are getting a bug in the Sonar scan while using the URL in a constant, but if we use the URL directly in setFeature then the bug does not appear in the scan. Using a hard-coded URL instead of a constant declaration violates the coding standard.
Please help/guide us to resolve this bug in line with the coding standard.
    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://xml.org/sax/features/validation", false);
    saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

Thanks
Kamal K sharma

Hi,

Welcome to the community!

I guess this is Java, right? What version of SonarQube are you using?

Also, it's not quite clear to me what the complaint is. Are you saying an issue is raised when it shouldn't be?

 
HTH,
Ann

Hi G,
SQ is version 8.9.6 LTS, specifically the build patched for the log4j vulnerability. We are looking for a solution: if we pass the parameter via a constant, how can we remove the bugs?

Thanks

Yes, it's for Java code.
The SonarQube server is version 8.9.6 LTS.
The SonarQube client is sonar-scanner-3.3.0.1492-linux.
The development team is using "SonarLint for Eclipse 5.9" configured in their local IDE.

We are seeing a difference in scan results between SonarLint and the SonarQube client. Please help us resolve this or suggest a fix.

Java source code example

    SAXReader saxReader = new SAXReader(); 
    saxReader.setFeature(SAX_FEATURE_VALIDATION, false);
    saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
    saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);
    saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false);
    saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);

Comment:
The first 2 constants are defined in the Java file itself.
The last 3 constants are defined in StoreLocatorDataLoadConstants.java, outside of it.

For the above source code, the scan result in SonarLint 5.9 is PASS, but the SonarQube client 'sonar-scanner-3.3.0.1492-linux' reports a vulnerability.

Then we changed the code to the version below. Scan results for both SonarLint and the sonar client are PASS. But using plain URL strings instead of Java constants does NOT comply with the coding standard; it would violate it.

========code after change=========

    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://xml.org/sax/features/validation", false);
    saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

=================

SQ support team, any update on this, please?
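A runnable illustration of what the posted setFeature calls actually do at runtime, added here as an example and not code from the thread or from SonarSource. It uses the JDK's own SAX parser (javax.xml.parsers.SAXParserFactory) instead of dom4j's SAXReader so that it compiles with nothing but a JDK; the five feature URIs are the ones from the posts, and the constant names are assumed. It feeds the hardened reader two constructed inputs, a plain document and one carrying a DOCTYPE with an external entity, and reports which one the parser accepts. Whether a feature name arrives as a string literal or as a constant makes no difference to the parser; the SonarLint/sonar-scanner discrepancy in the thread is purely a static-analysis matter.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: JDK SAX parser hardened with the same feature URIs the thread sets on dom4j's SAXReader. */
public final class HardenedSaxExample {

    // Same feature URIs as in the posts, held in constants (names are assumed, not the poster's).
    static final String SAX_FEATURE_VALIDATION = "http://xml.org/sax/features/validation";
    static final String SAX_FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String SAX_DISALLOW_DOC_TYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String SAX_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String SAX_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";

    /** Builds an XMLReader with the five features applied through the constants. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright; this alone blocks entity declarations.
        factory.setFeature(SAX_DISALLOW_DOC_TYPE, true);
        // Defence in depth for parsers where DOCTYPE cannot be disallowed.
        factory.setFeature(SAX_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(SAX_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
        factory.setFeature(SAX_FEATURE_VALIDATION, false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser().getXMLReader();
    }

    /** Returns true if the reader accepted the document, false if it rejected it. */
    static boolean accepts(XMLReader reader, String xml) {
        try {
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a harmless document and one that declares an external entity.
        String plain = "<store><name>example</name></store>";
        String withDoctype = "<!DOCTYPE store [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
                + "<store>&ext;</store>";

        System.out.println("plain document accepted:   " + accepts(hardenedReader(), plain));
        System.out.println("DOCTYPE document accepted: " + accepts(hardenedReader(), withDoctype));
    }
}
```

Compile with `javac HardenedSaxExample.java` and run with `java HardenedSaxExample`: the plain document is accepted, and the DOCTYPE-bearing one is rejected with a SAXParseException because disallow-doctype-decl is true, so the external entity is never resolved. With dom4j the same five URIs are applied through SAXReader.setFeature exactly as in the posts; the point of the example is that the hardening holds whichever way the strings are spelled in source.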

Hi @xulina ,

To clarify, do you work with the OP? Because at second glance, you seem to be reporting an entirely different problem…?

 
Ann

Hi Ann, what does OP stand for? Open source or object-oriented programming?

By the way, we are using Java 1.8.

Hi,

OP = Original Post/Poster

And under the assumption that you are working together…

You should replace that "patched" version with the standard one. There's no need to patch the latest versions of SonarQube; they're upgraded past vulnerability.

Please replace your patched version with a standard download and come back to us if the problem persists.

 
Ann

Hi Ann,
We upgraded our SQ server from 8.9.6 LTS to 8.9.7 and still get the vulnerability for the constant variable.
If we use a plain-text URL in the code, the scan passes.
Please advise, thanks.

Hi @xulina,

I really don’t understand what you’re trying to communicate, but at this point it doesn’t seem to have much to do with the original post. Please open a new thread and start from the beginning.

 
Ann