Got vulnerability for constant declaration

  • Versions used
    SonarQube server is version 8.9.7.
    SonarQube client is sonar-scanner-3.3.0.1492-linux.
    The development team is using "SonarLint for Eclipse 5.9" configured in their local IDE.
    Source code is Java 1.8.
  • Error observed
    We got the vulnerability "Disable access to external entities in XML parsing." for the code below:

SAXReader saxReader = new SAXReader();
saxReader.setFeature(SAX_FEATURE_VALIDATION, false);
saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);

  • Steps to reproduce - None
  • Potential workaround
    We replaced the constant variables with the plain-text URLs and scanned again with the sonar client 'sonar-scanner-3.3.0.1492-linux'; no error/vulnerability was shown:

SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://xml.org/sax/features/validation", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

  • Scanner command used when applicable (private details masked)
    In Linux server command mode:

/data/sonar-scanner-3.3.0.1492-linux/bin/sonar-scanner -Dsonar.login=xxxxxxxxxx -Dproject.settings=/data/sonar-scanner-3.3.0.1492-linux/conf/sonar-project.properties > /tmp/scanresult_03212022.logs

Problem description:
1. The development team cannot get any error/vulnerability with SonarLint for Eclipse 5.9 in their IDE, for both the original source code and the workaround code.
2. In the potential workaround, using a hard-coded URL instead of a constant declaration violates our coding standard, so we cannot actually use this workaround.
Please help/guide us to resolve this scan-result difference between the sonar client 'sonar-scanner-3.3.0.1492-linux' and 'SonarLint for Eclipse 5.9', or fix the bug in a way that respects the coding standard. Thanks.
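The two snippets above set the same five parser features, once through constants and once through literal URIs. As an added example (not code from the thread; the class name, the constant names and the sample documents are assumptions, and the SAXReader is assumed to be dom4j's org.dom4j.io.SAXReader), here is a self-contained version that keeps the feature URIs as constants and checks, with a constructed XXE probe, that the hardened reader refuses a DOCTYPE while an unhardened reader goes on to resolve the external entity:

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/** Added example: hardened dom4j SAXReader with the feature URIs held as constants. */
public final class SafeSaxReaderExample {

    // Same feature URIs the thread's workaround hardcodes, named as constants (names are assumed).
    static final String SAX_FEATURE_VALIDATION = "http://xml.org/sax/features/validation";
    static final String SAX_FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String SAX_DISALLOW_DOC_TYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String SAX_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String SAX_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";

    /** Builds a reader that cannot be made to fetch external entities or DTDs. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting the DOCTYPE outright removes every entity declaration, which is the strongest setting.
        reader.setFeature(SAX_DISALLOW_DOC_TYPE, true);
        // The remaining four are defence in depth in case the DOCTYPE restriction is ever relaxed.
        reader.setFeature(SAX_EXTERNAL_GENERAL_ENTITIES, false);
        reader.setFeature(SAX_EXTERNAL_PARAMETER_ENTITIES, false);
        reader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
        reader.setFeature(SAX_FEATURE_VALIDATION, false);
        return reader;
    }

    // Constructed XXE probe: the DOCTYPE declares an external entity that points at a local file.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE store [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<store><name>&xxe;</name></store>";

    // Constructed benign document of the same shape.
    static final String BENIGN_DOC = "<store><name>Main Street</name></store>";

    /** Returns the text of the <name> element, or null when the parser rejects the document. */
    static String parseName(SAXReader reader, String xml) {
        try {
            Document doc = reader.read(new StringReader(xml));
            return doc.getRootElement().elementText("name");
        } catch (DocumentException e) {
            // With disallow-doctype-decl set, the XXE payload ends up here instead of being expanded.
            return null;
        }
    }

    public static void main(String[] args) throws SAXException {
        SAXReader hardened = hardenedReader();
        System.out.println("hardened, benign document : " + parseName(hardened, BENIGN_DOC));
        System.out.println("hardened, XXE payload     : " + parseName(hardened, XXE_PAYLOAD));

        // A reader with default features expands the entity, so the element text becomes the
        // contents of the referenced file (or null if that file cannot be read on this machine).
        SAXReader unhardened = new SAXReader();
        System.out.println("unhardened, XXE payload   : " + parseName(unhardened, XXE_PAYLOAD));
    }
}
```

The scanner finding is about the feature values the analyzer can prove were applied, not about how the code spells them; if the constants above live in another class of the same project, the analyzer can only follow them when it has that class's bytecode, which is what the rest of this thread turns on.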

Hey there.

When analyzing Java code, it's important that you use a scanner like the Scanner for Maven, Scanner for Gradle, or Scanner for Ant that automatically provides class files to the analysis and resolves false positives like this. You aren't facing issues in SonarLint for Eclipse because the semantic information is available to the analyzer.

Start using the right scanner, and you should see the discrepancy disappear.
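For a project that is compiled by something other than Maven, Gradle or Ant, the equivalent of what those scanners do automatically is to hand the class files and dependency jars to the analyzer through sonar-project.properties. The following is an added example of such a file (not from the thread; the project key, source directory, class-output directory and jar paths are assumptions standing in for wherever RAD writes its build output):

```properties
# Added example sonar-project.properties; every path and the project key are assumptions.
sonar.projectKey=storelocator
sonar.sources=src

# Java level of the source files (the thread's project is Java 1.8).
sonar.java.source=8

# Directory containing the compiled .class files of the project. This is the property that gives
# the analyzer the semantic information it needs to follow a constant such as
# StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE back to its value (assumed path).
sonar.java.binaries=WebContent/WEB-INF/classes

# Third-party jars the code compiles against, e.g. dom4j; wildcards are accepted (assumed path).
sonar.java.libraries=WebContent/WEB-INF/lib/*.jar
```

Whether the classes are produced by RAD, javac or a CI job does not matter to the scanner, only that sonar.java.binaries points at a directory that already holds up-to-date .class files when sonar-scanner runs.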

Hi Colin, thanks for your reply.
We are not using Gradle/Maven/.NET/Azure DevOps/Jenkins or Ant...
We are using pure Java,
so I upgraded our SonarScanner from v3.3 to the latest v4.7.2,
but still got the same scan result.
We have no idea what we could do now... please advise. Thanks.

Hey there.

What do you use to compile your code, if not Maven/Ant/Gradle?

Hi Colin,
Our dev team is using IBM RAD (IBM Rational® Application Developer for WebSphere® Software), and all Java code is auto-compiled into class files in RAD.

Hi Colin,
Please find below the JDK version on the SonarQube server:
id@sonarqubeserver[/data/] java -version
openjdk version “11.0.14” 2022-01-18 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14+9-LTS, mixed mode, sharing)

Hi Colin,
Two questions where I need your help:

1. Do you think the above discrepancy in the constant-variable result is caused by the classpath?

2. Check the JDK version.
FYI: the source code of my project is JDK 8.

Situation 1: When we use SonarQube server v7.7 + sonar-scanner-3.3.0, everything works well; we get the same result from SonarLint for Eclipse 5.9 and sonar-scanner-3.3.0.
--------this is the java version for sonar-scanner-3.3.0------------------------------

id@sonarqubeserver [/data/sonar-scanner-3.3.0.1492-linux/jre/bin] ./java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

As we know, from SQ server v8.9 on, JDK 11 is required.
Situation 2: When we use SonarQube server v8.9.7 + sonar-scanner-4.7.0, we get a discrepancy between SonarLint for Eclipse 5.9 and sonar-scanner-4.7.
---------------this is the java version for sonar-scanner-4.7.0---------------------------------------

id@sonarqubeserver [/data/sonar-scanner-4.7.0.2747-linux/jre/bin] ./java -version
openjdk version "11.0.14.1" 2022-02-08
OpenJDK Runtime Environment Temurin-11.0.14.1+1 (build 11.0.14.1+1)
OpenJDK 64-Bit Server VM Temurin-11.0.14.1+1 (build 11.0.14.1+1, mixed mode)

So we tried the solution below on our side; please suggest whether it is OK.

  1. Find the Java 1.8 executable on our Linux server, which is
    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/bin/java
alternatives --config java

There is 3 program that provides 'java'.

  Selection    Command
-----------------------------------------------
   1           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.261-2.6.22.2.el7_8.x86_64/jre/bin/java)
*  2           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/bin/java)
 + 3           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.14.0.9-1.el7_9.x86_64/bin/java)
  2. Modify the file /sonar-scanner-4.7.0.2747-linux/bin/sonar-scanner

from

exec "$java_cmd" \
  -Djava.awt.headless=true \
  $SONAR_SCANNER_OPTS \
  $SONAR_SCANNER_DEBUG_OPTS \
  -classpath  "$jar_file" \
  -Dscanner.home="$sonar_scanner_home" \
  -Dproject.home="$project_home" \
  org.sonarsource.scanner.cli.Main "$@"

into

exec "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/bin/java" \
  -Djava.awt.headless=true \
  $SONAR_SCANNER_OPTS \
  $SONAR_SCANNER_DEBUG_OPTS \
  -classpath  "$jar_file" \
  -Dscanner.home="$sonar_scanner_home" \
  -Dproject.home="$project_home" \
  org.sonarsource.scanner.cli.Main "$@"
  3. Run sonar-scanner-4.7 to scan our source code:
    /data/sonar-scanner-4.7.0.2747-linux/bin/sonar-scanner -Dsonar.login=xxxxx -Dproject.settings=/data/sonar-scanner-4.7.0.2747-linux/conf/sonar-scanner.properties

But we still get a discrepancy between SonarLint for Eclipse 5.9 and the modified sonar-scanner-4.7.