Got vulnerability for constant declaration

  • Versions used
    (SonarQube server is 8.9.7 version.
    Sonarqube client is sonar-scanner- version.
    Development team is using “SonarLint for Eclipse 5.9” configured in their local IDE
    Sourcecode is JAVA 1.8)
  • Error observed (
    we got vulnerability error → “Disable access to external entities in XML parsing.” for below code

SAXReader saxReader = new SAXReader(); 
saxReader.setFeature(SAX_FEATURE_VALIDATION, false);
saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);  saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);

  • Steps to reproduce - None
  • Potential workaround
    we replace the constant variable with the plain text url, then use sonar client ’ sonar-scanner-’ to scan again, no error/vulnerability shown out

SAXReader saxReader = new SAXReader();
saxReader.setFeature(“[”](, false);
saxReader.setFeature(“[”](, false);
saxReader.setFeature(“[”](, true);
saxReader.setFeature(“[”](, false);
saxReader.setFeature(“[”](, false);

  • Scanner command used when applicable (private details masked)
    in linux server command mode

/data/sonar-scanner- -Dsonar.login=xxxxxxxxxx -Dproject.settings=/data/sonar-scanner- > /tmp/scanresult_03212022.logs

Problem description:
1-development team cannot get any error/vulnerability with SonarLint for Eclipse 5.9 in their IDE, for both original source code and workaround code.
2-In the potential workaround, in case of using hard code url instead of constant declaration it is violating coding standard. so we cannot use this workaround actually.
Please help/guide to resolve this scan result difference between sonar client ‘sonar-scanner-’ and ‘SonarLint for Eclipse 5.9’, or fix the bug with coding standard. thanks.

Hey there.

When analyzing Java code, it’s important that you use a scaner like the Scanner for Maven, Scanner for Gradle, or Scanner for Ant that automatically provides class files to the analysis and resolves false-positives like this. You aren’t facing issues in SonarLint for Eclipse because the semantic information is available to the analyzer.

Start using the right scanner, and you should see the discrepancy disappear.

hi Colin, thanks for your reply.
We are not using gradle/maven/.net/azure devops/jenkins/ or Ant…
we are using pure Java
so I upgrade our sonarscanner from v3.3 into the latest v4.7.2.
but still got same scan result.
We have no idea on what we could do now… plz help advise. thanks.

Hey there.

What do you use to compile your code, if not Maven/Ant/Gradle?

hi Colin,
our dev team is using IBM RAD (IBM Rational® Application Developer for WebSphere® Software), and all java code is auto-compiled into class file in RAD.

Hi Colin,
Please find below JDK version in sonarqube server
id@sonarqubeserver[/data/]java -version
openjdk version “11.0.14” 2022-01-18 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14+9-LTS, mixed mode, sharing)

Hi Colin,
two questions need your help

1> do you think whether above discrepancy result of constant variable is caused by classpath?

2> check JDK version
FYI: JDK8 in the source code of my project.

situation 1: When we use sonarqube server v7.7 + sonar-scanner-3.3.0, all are working well - got same result for SonarLint for Eclipse 5.9 and sonar-scanner-3.3.0.
--------this is the java version for sonar-scanner-3.3.0------------------------------

*id@sonarqubeserver* [/data/sonar-scanner-]./java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

As we know after SQ server v8.9, JDK11 is required.
situation 2 : when we use SonarQube server v 8.9.7 + sonar-scanner-4.7.0, we got discrepancy result between SonarLint for Eclipse 5.9 and sonar-scanner-4.7.
---------------this is the java version for sonar-scanner-4.7.0---------------------------------------

*id@sonarqubeserver* [/data/sonar-scanner-]./java -version
openjdk version "" 2022-02-08
OpenJDK Runtime Environment Temurin- (build
OpenJDK 64-Bit Server VM Temurin- (build, mixed mode)

So we tried below solution from our side, pls suggest whether its ok.

  1. find the java1.8 execution file in our linux server, which is
alternatives --config java

There is 3 program that provides 'java'.

  Selection    Command
   1           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-
*  2           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-
 + 3           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-
  1. modify file /sonar-scanner-


exec "$java_cmd" \
  -Djava.awt.headless=true \
  -classpath  "$jar_file" \
  -Dscanner.home="$sonar_scanner_home" \
  -Dproject.home="$project_home" \
  org.sonarsource.scanner.cli.Main "$@"


exec "/usr/lib/jvm/java-1.8.0-openjdk-" \
  -Djava.awt.headless=true \
  -classpath  "$jar_file" \
  -Dscanner.home="$sonar_scanner_home" \
  -Dproject.home="$project_home" \
  org.sonarsource.scanner.cli.Main "$@"
  1. run sonar-scanner-4.7 to scan our source code
    /data/sonar-scanner- -Dsonar.login=xxxxx -Dproject.settings=/data/sonar-scanner-

But we still got discrepancy result between SonarLint for Eclipse 5.9 and modified sonar-scanner-4.7