Hi,
We are experiencing an issue with SonarQube not detecting XXE (XML External Entity) vulnerabilities in some of our files. We have scanned our repositories for security vulnerabilities, and while SonarQube identified many instances of XXE in various files, it has ignored some files despite the XML parser calls being the same.
Example
In the following code snippet, SonarQube did not identify the vulnerability whereas the same code has been highlighted as vulnerable in other files.
final TransformerFactory transfac = TransformerFactory.newInstance(); // NOT IDENTIFIED AS VULNERABLE BY SQ
The quality gate rule related to XXE vulnerabilities is java:S2755, but there is limited information available about the pattern matching criteria for this rule.
Could you please provide guidance on why SonarQube might be missing these vulnerabilities and how we can ensure that all instances of XXE vulnerabilities are detected? Any insights into the pattern matching criteria for rule java:S2755 would be greatly appreciated.
Thank you for your assistance.
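As an added illustration of what the post is asking about (this is example code written for this page, not code from the poster's repositories or from SonarSource), the snippet below puts the unrestricted `TransformerFactory.newInstance()` from the post beside the hardened form that the java:S2755 rule documentation recommends for `TransformerFactory`: setting both `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` to the empty string so no external protocol is allowed. The input document, the temporary "secret" file it points at, and the class and method names are all constructed for the demonstration; it assumes the JDK's built-in JAXP implementation and Java 11 or later (for `Files.writeString`).

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerDemo {

    // Constructed sample input: the DOCTYPE declares an external entity that
    // points at a local file, and the body expands it. This is the classic
    // file-disclosure XXE payload.
    static String xxeDocument(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<root>&ext;</root>";
    }

    // Same shape as the line in the post: a default factory with no access
    // restrictions, so the parser behind the identity transform resolves
    // the external entity and copies the file contents into the output.
    static String transformVulnerable(String xml) throws TransformerException {
        TransformerFactory transfac = TransformerFactory.newInstance();
        return identityTransform(transfac, xml);
    }

    // Hardened form: both external-access attributes set to "" (no protocols
    // allowed). With this, resolving the entity is refused and the transform
    // fails instead of leaking the file.
    static String transformHardened(String xml) throws TransformerException {
        TransformerFactory transfac = TransformerFactory.newInstance();
        transfac.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        transfac.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return identityTransform(transfac, xml);
    }

    // Identity transform: parse the source with the factory's parser and
    // serialise it back out, which is enough to trigger entity resolution.
    private static String identityTransform(TransformerFactory factory, String xml)
            throws TransformerException {
        Transformer t = factory.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret");
        String xml = xxeDocument(secret);
        try {
            System.out.println("default factory:  " + transformVulnerable(xml));
            try {
                System.out.println("hardened factory: " + transformHardened(xml));
            } catch (TransformerException e) {
                System.out.println("hardened factory: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java XxeTransformerDemo.java`: the default factory prints the contents of the temporary file inside `<root>`, while the hardened factory refuses to fetch the external entity and the transform ends in a `TransformerException`. The two `setAttribute` calls are the difference between the two methods, and they are also what distinguishes an unprotected `TransformerFactory.newInstance()` from a protected one when reviewing the flagged and unflagged files by hand, independently of whether the scanner reports them.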