- Versions used
  SonarQube server is version 8.9.7.
  SonarQube client is sonar-scanner-3.3.0.1492-linux.
  The development team is using "SonarLint for Eclipse 5.9" configured in their local IDE.
  Source code is Java 1.8.
- Error observed
  We got the vulnerability error "Disable access to external entities in XML parsing." for the code below:

```java
SAXReader saxReader = new SAXReader();
saxReader.setFeature(SAX_FEATURE_VALIDATION, false);
saxReader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_DISALLOW_DOC_TYPE, true);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_PARAMETER_ENTRY, false);
saxReader.setFeature(StoreLocatorDataLoadConstants.SAX_EXTERNAL_GENERAL, false);
```
- Steps to reproduce
  None
- Potential workaround
  We replaced the constant variables with the plain-text URLs, then scanned again with the sonar client 'sonar-scanner-3.3.0.1492-linux'; no error/vulnerability was reported.

```java
SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://xml.org/sax/features/validation", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
```
- Scanner command used when applicable (private details masked)
  In Linux server command mode:

```shell
/data/sonar-scanner-3.3.0.1492-linux/bin/sonar-scanner -Dsonar.login=xxxxxxxxxx -Dproject.settings=/data/sonar-scanner-3.3.0.1492-linux/conf/sonar-project.properties > /tmp/scanresult_03212022.logs
```
Problem description:
1. The development team cannot get any error/vulnerability with SonarLint for Eclipse 5.9 in their IDE, for either the original source code or the workaround code.
2. In the potential workaround, using a hard-coded URL instead of a constant declaration violates our coding standard, so we cannot actually use this workaround.

Please help/guide us to resolve this scan result difference between the sonar client 'sonar-scanner-3.3.0.1492-linux' and 'SonarLint for Eclipse 5.9', or fix the bug while keeping our coding standard. Thanks.
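Added example, not the poster's code: a small self-check that the constant-based configuration from the post behaves the same as the hard-coded one at runtime, i.e. the reader accepts a plain document and refuses any document carrying a DOCTYPE (which is what makes the static-analysis finding a false positive rather than a real weakness). It assumes dom4j (which provides `SAXReader`) on the classpath; the constant names are local stand-ins for the ones used in the post and the XML samples are constructed.

```java
import java.io.StringReader;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public final class SaxReaderHardeningCheck {
    // Same feature URIs as in the post, kept in constants (local stand-ins for the project's constants class)
    static final String SAX_FEATURE_VALIDATION = "http://xml.org/sax/features/validation";
    static final String SAX_FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String SAX_DISALLOW_DOC_TYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String SAX_EXTERNAL_PARAMETER_ENTITY = "http://xml.org/sax/features/external-parameter-entities";
    static final String SAX_EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";

    // Builds the reader exactly as the post does, via constants rather than literal strings.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature(SAX_FEATURE_VALIDATION, false);
        reader.setFeature(SAX_FEATURE_LOAD_EXTERNAL_DTD, false);
        reader.setFeature(SAX_DISALLOW_DOC_TYPE, true);
        reader.setFeature(SAX_EXTERNAL_PARAMETER_ENTITY, false);
        reader.setFeature(SAX_EXTERNAL_GENERAL, false);
        return reader;
    }

    // True when the reader refuses the document; with disallow-doctype-decl any DOCTYPE must be refused.
    static boolean rejects(SAXReader reader, String xml) {
        try {
            reader.read(new StringReader(xml));
            return false;
        } catch (DocumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed samples: a plain document, and one with a DOCTYPE declaring a harmless internal entity.
        String plain = "<stores><store id=\"1\"/></stores>";
        String withDoctype = "<!DOCTYPE stores [<!ENTITY x \"y\">]><stores>&x;</stores>";
        SAXReader hardened = hardenedReader();
        System.out.println("plain document accepted: " + !rejects(hardened, plain));
        System.out.println("DOCTYPE document rejected: " + rejects(hardened, withDoctype));
    }
}
```

Running this in the project's own test suite gives a behavioural guarantee that does not depend on which scanner (SonarLint or sonar-scanner) recognises the constant-based calls.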